Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Handbook

    6.4.0
    7.0.3
    7.0.1
    7.0.0
    6.6.3
    6.6.3
    6.6.1
    6.6.0
    6.5.1
    6.5.0
    6.4.1
    6.4.0
    6.3.3
    6.3.2
    6.3.1
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.1

    External bypass

    External bypass

    Most FortiDDoS models offer built-in bypass for at least 2 links. However, FortiDDoS can be deployed with an external bypass mechanism, such as a bypass switch. When both the FortiDDoS-F appliance and the failover switch share the same power supply, external connectivity is maintained during a power failure. Most bypass switches also employ a heartbeat monitor that checks for traffic flow through the FortiDDoS and fails open (fails to bypass) if the heartbeat fails.

    The following figure shows a bypass deployment when bypass is not active. The inline traffic flows through the FortiDDoS-F appliance.

    Bypass ready but not active

    The following figure shows a bypass deployment when bypass is active. All inline traffic is routed through the switch until FortiDDoS is back online.

    Active bypass

    When using an external bypass switch with heartbeat, obtain the MAC addresses of the Monitor ports (the ports facing the FortiDDoS) and add them to Global Protections > Deployment > Bypass MAC. This ensures that no heartbeat traffic from/to the bypass switch monitor ports is blocked by FortiDDoS, unless it is not processing any traffic (failure or power down).

    Contact your Sales Engineer for recommendations on supported bypass switches.

    Previous
    Next

    External bypass

    External bypass

    Most FortiDDoS models offer built-in bypass for at least 2 links. However, FortiDDoS can be deployed with an external bypass mechanism, such as a bypass switch. When both the FortiDDoS-F appliance and the failover switch share the same power supply, external connectivity is maintained during a power failure. Most bypass switches also employ a heartbeat monitor that checks for traffic flow through the FortiDDoS and fails open (fails to bypass) if the heartbeat fails.

    The following figure shows a bypass deployment when bypass is not active. The inline traffic flows through the FortiDDoS-F appliance.

    Bypass ready but not active

    The following figure shows a bypass deployment when bypass is active. All inline traffic is routed through the switch until FortiDDoS is back online.

    Active bypass

    When using an external bypass switch with heartbeat, obtain the MAC addresses of the Monitor ports (the ports facing the FortiDDoS) and add them to Global Protections > Deployment > Bypass MAC. This ensures that no heartbeat traffic from/to the bypass switch monitor ports is blocked by FortiDDoS, unless it is not processing any traffic (failure or power down).

    Contact your Sales Engineer for recommendations on supported bypass switches.

    Previous
    Next