Transparent Firewall Mode and Bridge Group Routes
For traffic that originates on the threat defense device and is destined through a bridge group member interface for a non-directly connected network, you need to configure either a default route or static routes so the threat defense device knows out of which bridge group member interface to send traffic. Traffic that originates on the threat defense device might include communications to a syslog server or SNMP server. If you have servers that cannot all be reached through a single default route, then you must configure static routes. For transparent mode, you cannot specify the BVI as the gateway interface; only member interfaces can be used. For bridge groups in routed mode, you must specify the BVI in a static route; you cannot specify a member interface. See c_mac_address_vs_route_lookups.html#ID-2106-0000005d for more information.