Fortinet white logo
Fortinet white logo

Handbook

Built-in fail-open bypass

Built-in fail-open bypass

The following FortiDDoS-F network interface connections have a built-in bypass mechanism:

  • Active copper fail-open bypass on copper (RJ-45) network connections 1-8 on FortiDDoS-200F. Fail-open is operation at any speed to 1Gbps but both link speeds must match.
  • Active optical fail-open bypass on Ports 13-16 on the FortiDDoS-200F. Ports support GE Short-Range, Multi-Mode fiber only on LC connectors. SFPs are built-in to the chassis.
  • Active optical fail-open bypass on Ports 5-8 on the FortiDDoS-1400F. Ports support 10GE Short-Range, Multi-Mode fiber only on LC connectors. SFP+s are built-in to the chassis.
  • All other ports on any F-Series model do not support fail-open. An external bypass bridge/switch will be required if extra fail-open ports are needed.

You can use the Global Protection > Deployment > Deployment tab to configure the internal bypass mechanism to fail open or fail closed for F-Series appliances.

By default, the interfaces are configured to fail open. This means that interfaces pass traffic through without performing any monitoring or prevention tasks. Packets that arrive at ingress ports are simply transferred to the corresponding egress ports, just like a wire or optical cable.

If you use an external bypass solution, configure the interfaces to fail closed. This means traffic is not forwarded through the interfaces when FortiDDoS fails. An external bypass system detects the outage and routes traffic around the FortiDDoS.

If you deploy an active-passive cluster, configure the interfaces on the primary node to fail closed so the adjacent switches can select the secondary node. The secondary unit can be set to fail closed or fail open, depending on how you want to handle the situation if both FortiDDoS nodes are down.

The table below summarizes bypass behavior for a sequence of system states. During boot up, system processes are started. When boot up is complete the appliance exits the bypass state. Traffic is routed through the system, is monitored, and policies enforced.

In the event of failure, manual or system-caused reboot, system processes are unavailable because they are either being restarted or shut down, and the appliance enters the bypass state.

System state and bypass

User Option State 1 Power Off State 2 Just Powered Up State 3 Boot Up Process State 4 System Ready State 5 Failure or Reboot State 6 Power Off
Fail Open Bypass Bypass Bypass Traffic Processed Bypass Bypass
Fail Closed Closed Closed Closed Traffic Processed Closed Closed

In addition to the automatic bypass settings, the following models support manual bypass with the following CLI command:

execute bypass-traffic {enable | disable}

This command forces the appliance interfaces to fail open. This command does not have an option to force a fail closed.

Note: If you use the CLI command to initiate bypass, you must use the CLI command to disable that state.

Use carefully since there is currently no status check to confirm the bypass state.

The manual bypass-traffic enable state is not persistent after reboot. If the appliance is rebooted, it will return inline.

Built-in fail-open bypass

Built-in fail-open bypass

The following FortiDDoS-F network interface connections have a built-in bypass mechanism:

  • Active copper fail-open bypass on copper (RJ-45) network connections 1-8 on FortiDDoS-200F. Fail-open is operation at any speed to 1Gbps but both link speeds must match.
  • Active optical fail-open bypass on Ports 13-16 on the FortiDDoS-200F. Ports support GE Short-Range, Multi-Mode fiber only on LC connectors. SFPs are built-in to the chassis.
  • Active optical fail-open bypass on Ports 5-8 on the FortiDDoS-1400F. Ports support 10GE Short-Range, Multi-Mode fiber only on LC connectors. SFP+s are built-in to the chassis.
  • All other ports on any F-Series model do not support fail-open. An external bypass bridge/switch will be required if extra fail-open ports are needed.

You can use the Global Protection > Deployment > Deployment tab to configure the internal bypass mechanism to fail open or fail closed for F-Series appliances.

By default, the interfaces are configured to fail open. This means that interfaces pass traffic through without performing any monitoring or prevention tasks. Packets that arrive at ingress ports are simply transferred to the corresponding egress ports, just like a wire or optical cable.

If you use an external bypass solution, configure the interfaces to fail closed. This means traffic is not forwarded through the interfaces when FortiDDoS fails. An external bypass system detects the outage and routes traffic around the FortiDDoS.

If you deploy an active-passive cluster, configure the interfaces on the primary node to fail closed so the adjacent switches can select the secondary node. The secondary unit can be set to fail closed or fail open, depending on how you want to handle the situation if both FortiDDoS nodes are down.

The table below summarizes bypass behavior for a sequence of system states. During boot up, system processes are started. When boot up is complete the appliance exits the bypass state. Traffic is routed through the system, is monitored, and policies enforced.

In the event of failure, manual or system-caused reboot, system processes are unavailable because they are either being restarted or shut down, and the appliance enters the bypass state.

System state and bypass

User Option State 1 Power Off State 2 Just Powered Up State 3 Boot Up Process State 4 System Ready State 5 Failure or Reboot State 6 Power Off
Fail Open Bypass Bypass Bypass Traffic Processed Bypass Bypass
Fail Closed Closed Closed Closed Traffic Processed Closed Closed

In addition to the automatic bypass settings, the following models support manual bypass with the following CLI command:

execute bypass-traffic {enable | disable}

This command forces the appliance interfaces to fail open. This command does not have an option to force a fail closed.

Note: If you use the CLI command to initiate bypass, you must use the CLI command to disable that state.

Use carefully since there is currently no status check to confirm the bypass state.

The manual bypass-traffic enable state is not persistent after reboot. If the appliance is rebooted, it will return inline.