Fortinet black logo

Handbook

Deployment

Copy Link
Copy Doc ID 369dfb00-033f-11ed-bb32-fa163e15d75b:976220
Download PDF

Deployment

You can use the deployment settings to configure where in the network the FortiDDoS appliance has to be deployed. You can set Asymmetric, tap mode, Bypass Mode and Bypass MAC list.

Before you begin:

  • You must have Read-Write permission for Global Settings.

Deployment

To configure deployment settings:
  1. Go to Global Protection > Deployment > Deployment.
  2. Configure the deployment settings according to the table below.
  3. Save the configuration.

Deployment settings

Settings

Guidelines

Asymmetric Mode

Enable when deployed in a network segment where traffic can take asymmetric routes. This option is not enabled by default. Special considerations and configuration changes are required. See Understanding FortiDDoS Asymmetric Mode.

Allow Inbound SYN/ACK

Enable only when you enable Asymmetric Mode. When there is asymmetric traffic, the system might receive inbound SYN/ACK packets. When this option is enabled, these packets are treated as if there is a valid connection on which to accept data (if the connection does not already exist).

Tap Mode

Enable when deployed out-of-path in conjunction with a bypass bridge appliance. This option is not enabled by default. Note: The system is rebooted when you change this setting. Special considerations and configuration changes are required. See Tap Mode deployments.

Power Fail Bypass Mode

Fail OpenFail Open is default Setting. 200F has bypass ports 1-8 and 13-16 and 1500F has bypass ports 5-8. See Built-in fail-open bypass.

Fail Closed—Use with an external bypass unit or (usually) for the primary node in an HA active-passive deployment. When the interfaces are Fail Closed, they do not pass traffic. The external bypass system can detect the outage and forward traffic around the FortiDDoS. As above, 200F ports 9-12 and 1500F ports 1-4 are ONLY ‘Fail Closed’. See Built-in fail-open bypass.

Tooltip

To configure using the CLI:

config ddos global deployment

set asymmetric-mode {enable|disable}

set asymmetric-mode-allow-inbound-synack {enable|disable}

set tap-mode {enable|disable}

set power-fail-bypass-mode {fail-open|fail-closed}

end

Bypass MAC

In a deployment with a bypass bridge, the bridge passes heartbeat packets to test the health of the FortiDDoS traffic interfaces. If the heartbeats packets are not passed, bypass mode is triggered.

In most cases, the bypass bridge will expose the MAC addresses of its Monitor ports that are sending the heartbeat packets. It is recommended that these MAC addresses be entered in FortiDDoS Bypass MAC address list to ensure that packets from these MAC addresses are never blocked by FortiDDoS.

Each FortiDDoS model supports the following number of Bypass MAC addresses:

  • VM04/VM08/VM16/200F/1500F– 8
Caution

Bypass MAC is used only when you are using an external Bypass Bridge that generates heartbeats between its Monitor interfaces to determine the FortiDDoS appliance health.

Do not enter the MAC addresses of connected Switches or Routers. It is unnecessary and results in all traffic bypassing the FortiDDoS mitigation systems.

Before you begin:

  • You must know the MAC addresses for the bypass switch.
  • You must have Read-Write permission for Global Settings.
To configure a bypass MAC address list:
  1. Go to Global Protection > Deployment > Bypass MAC.
  2. Click Add to display the configuration editor.
  3. Complete the configuration as described in the following table.
  4. Save the configuration.
Bypass MAC address list configuration

Settings

Guidelines

Name

Configuration name. Must not contain spaces.

MAC address

Specify the MAC address.

Note: You can view MAC addresses of the bypass switch on its status page. If the bypass switches are from the same vendor, the most significant 24-bits of their MAC addresses are the same.

Tooltip

To configure using the CLI:

config ddos global bypass-mac

edit <name>

set mac <address>

end

Deployment

You can use the deployment settings to configure where in the network the FortiDDoS appliance has to be deployed. You can set Asymmetric, tap mode, Bypass Mode and Bypass MAC list.

Before you begin:

  • You must have Read-Write permission for Global Settings.

Deployment

To configure deployment settings:
  1. Go to Global Protection > Deployment > Deployment.
  2. Configure the deployment settings according to the table below.
  3. Save the configuration.

Deployment settings

Settings

Guidelines

Asymmetric Mode

Enable when deployed in a network segment where traffic can take asymmetric routes. This option is not enabled by default. Special considerations and configuration changes are required. See Understanding FortiDDoS Asymmetric Mode.

Allow Inbound SYN/ACK

Enable only when you enable Asymmetric Mode. When there is asymmetric traffic, the system might receive inbound SYN/ACK packets. When this option is enabled, these packets are treated as if there is a valid connection on which to accept data (if the connection does not already exist).

Tap Mode

Enable when deployed out-of-path in conjunction with a bypass bridge appliance. This option is not enabled by default. Note: The system is rebooted when you change this setting. Special considerations and configuration changes are required. See Tap Mode deployments.

Power Fail Bypass Mode

Fail OpenFail Open is default Setting. 200F has bypass ports 1-8 and 13-16 and 1500F has bypass ports 5-8. See Built-in fail-open bypass.

Fail Closed—Use with an external bypass unit or (usually) for the primary node in an HA active-passive deployment. When the interfaces are Fail Closed, they do not pass traffic. The external bypass system can detect the outage and forward traffic around the FortiDDoS. As above, 200F ports 9-12 and 1500F ports 1-4 are ONLY ‘Fail Closed’. See Built-in fail-open bypass.

Tooltip

To configure using the CLI:

config ddos global deployment

set asymmetric-mode {enable|disable}

set asymmetric-mode-allow-inbound-synack {enable|disable}

set tap-mode {enable|disable}

set power-fail-bypass-mode {fail-open|fail-closed}

end

Bypass MAC

In a deployment with a bypass bridge, the bridge passes heartbeat packets to test the health of the FortiDDoS traffic interfaces. If the heartbeats packets are not passed, bypass mode is triggered.

In most cases, the bypass bridge will expose the MAC addresses of its Monitor ports that are sending the heartbeat packets. It is recommended that these MAC addresses be entered in FortiDDoS Bypass MAC address list to ensure that packets from these MAC addresses are never blocked by FortiDDoS.

Each FortiDDoS model supports the following number of Bypass MAC addresses:

  • VM04/VM08/VM16/200F/1500F– 8
Caution

Bypass MAC is used only when you are using an external Bypass Bridge that generates heartbeats between its Monitor interfaces to determine the FortiDDoS appliance health.

Do not enter the MAC addresses of connected Switches or Routers. It is unnecessary and results in all traffic bypassing the FortiDDoS mitigation systems.

Before you begin:

  • You must know the MAC addresses for the bypass switch.
  • You must have Read-Write permission for Global Settings.
To configure a bypass MAC address list:
  1. Go to Global Protection > Deployment > Bypass MAC.
  2. Click Add to display the configuration editor.
  3. Complete the configuration as described in the following table.
  4. Save the configuration.
Bypass MAC address list configuration

Settings

Guidelines

Name

Configuration name. Must not contain spaces.

MAC address

Specify the MAC address.

Note: You can view MAC addresses of the bypass switch on its status page. If the bypass switches are from the same vendor, the most significant 24-bits of their MAC addresses are the same.

Tooltip

To configure using the CLI:

config ddos global bypass-mac

edit <name>

set mac <address>

end