the firewall bridge must be physically located between the client network and the protected database, the only
possible network path from the client to the database must be through the firewall bridge. You have the
firewall apparently on the same subnet as the protected database, which is a requirement, so that part
is ok, but you may need to check the wiring in your data center to check if the firewall is really inline.
In a virtualized environment you must have the firewall bridge on the two NICs on different internal networks
that form a connection between the client and the database, in essence this would not be different
than real physical hosts,