External bypass

Most FortiDDoS models offer built-in bypass for at least 2 links. However, FortiDDoS can be deployed with an external bypass mechanism, such as a bypass switch. When both the FortiDDoS-F appliance and the failover switch share the same power supply, external connectivity is maintained during a power failure. Most bypass switches also employ a heartbeat monitor that checks for traffic flow through the FortiDDoS and fails open (fails to bypass) if the heartbeat fails.

The following figure shows a bypass deployment when bypass is not active. The inline traffic flows through the FortiDDoS-F appliance.

Bypass ready but not active

The following figure shows a bypass deployment when bypass is active. All inline traffic is routed through the switch until FortiDDoS is back online.

Active bypass

When using an external bypass switch with heartbeat, obtain the MAC addresses of the Monitor ports (the ports facing the FortiDDoS) and add them to Global Protections > Deployment > Bypass MAC. This ensures that FortiDDoS does not block heartbeat traffic to or from the bypass switch monitor ports, so the heartbeat fails only when FortiDDoS is not processing any traffic (failure or power down).

Contact your Sales Engineer for recommendations on supported bypass switches.
