Fortinet white logo
Fortinet white logo

Hardware Acceleration

FortiGate 400E Bypass fast path architecture

FortiGate 400E Bypass fast path architecture

The FortiGate 400E Bypass model features the following front panel interfaces:

  • Two 10/100/1000BASE-T Copper (MGMT and HA, not connected to the NP6 processor)
  • Thirty-two 10/100/1000BASE-T Copper (1 to 32) that make up sixteen copper virtual wire bypass pairs

The following diagram also shows the XAUI and QSGMII port connections between the NP6 processor and the integrated switch fabric.

The FortiGate 400E Bypass includes one NP6 processor. All supported traffic passing between any two data interfaces can be offloaded by the NP6 processor. Data traffic to be processed by the CPU takes a dedicated data path through the NP6 processor to the CPU. Interfaces 1 to 16 connect to an integrated switch fabric to allow these sixteen interfaces to share two XAUI ports that connect to the NP6 processor. Interfaces 17 to 20, 21 to 24, 25 to 28, and 29 to 32 each connect to one of four QSFMII ports that connect them to the NP6 processor.

The MGMT interface is not connected to the NP6 processor. Management traffic passes to the CPU over a dedicated management path that is separate from the data path. The HA interface is also not connected to the NP6 processors. To help provide better HA stability and resiliency, HA traffic uses a dedicated physical control path that provides HA control traffic separation from data traffic processing. The separation of management and HA traffic from data traffic keeps management and HA traffic from affecting the stability and performance of data traffic processing.

You can use the following command to display the FortiGate 400E Bypass NP6 configuration. You can also use the diagnose npu np6 port-list command to display this information.

get hardware npu np6 port-list 
Chip   XAUI Ports        Max  Cross-chip 
                        Speed offloading 
------ ---- -------     ----- ---------- 
np6_0   0   port1        1G   Yes 
        0   port2        1G   Yes 
        0   port3        1G   Yes 
        0   port4        1G   Yes 
        0   port5        1G   Yes 
        0   port6        1G   Yes 
        0   port7        1G   Yes 
        0   port8        1G   Yes 
        1   port9        1G   Yes 
        1   port10       1G   Yes 
        1   port11       1G   Yes 
        1   port12       1G   Yes 
        1   port13       1G   Yes 
        1   port14       1G   Yes 
        1   port15       1G   Yes 
        1   port16       1G   Yes 
        2   port17       1G   Yes 
        2   port18       1G   Yes 
        2   port19       1G   Yes 
        2   port20       1G   Yes 
        2   port21       1G   Yes 
        2   port22       1G   Yes 
        2   port23       1G   Yes 
        2   port24       1G   Yes 
        3   port25       1G   Yes 
        3   port26       1G   Yes 
        3   port27       1G   Yes 
        3   port28       1G   Yes 
        3   port29       1G   Yes
        3   port30       1G   Yes 
        3   port31       1G   Yes 
        3   port32       1G   Yes 
------ ---- ------- ----- ----------

Bypass interfaces

The FortiGate 400E Bypass includes sixteen bypass interface pairs that can provide fail open support for up to sixteen networks. Each consecutively numbered pair of interfaces can be configured to operate as a bypass pair by adding the interfaces to a virtual wire bypass pair. Interface 1 and 2, interface 3 and 4, interface 5 and interface 6, and so on can form virtual wire bypass pairs.

When bypass mode is activated, the interfaces in each virtual wire bypass pair are directly connected. Traffic can pass between these interfaces, bypassing the FortiOS firewall and the NP6 processor, but continuing to provide network connectivity.

In bypass mode, each virtual wire bypass pair acts like a patch cable, failing open and allowing all traffic to pass through. Traffic on the virtual wire bypass pair interfaces that are using VLANs or other network extensions can only continue flowing if the connected network equipment is configured for these features.

If the FortiGate 400E Bypass fails or looses power, the virtual wire bypass pairs will contunue to operate in bypass mode until the failed device is replaced or power is restored. If power is restored and the FortiGate 400E Bypass starts up, the device resumes operating as a FortiGate device without interrupting traffic flow. Replacing a failed FortiGate 400E Bypass disrupts traffic while the technician physically replaces the failed device with a new one.

If bypass mode is enabled because of a software or hardware failure, the virtual wire bypass pairs continue to operate in bypass mode until the FortiGate 400E Bypass restarts. You can configure the FortiGate 400E Bypass to resume normal operation after a restart or to keep the virtual wire bypass pairs operating in bypass mode after a restart.

Configuring bypass settings

You can use the following command to configure how bypass operates.

config system bypass

set bypass-watchdog {disable | enable}

set bypass-timeout {1 | 10 | 60}

set auto-recover {disable | enable}

end

bypass-watchdog enable to turn on the bypass watchdog. The bypass watchdog monitors traffic passing between interfaces in each of the virtual wire bypass pairs. If the watchdog detects that traffic is blocked on any virtual wire bypass pair, that virtual wire bypass pair switches to bypass mode.

bypass-timeout select the amount of time the bypass watchdog waits after detecting a failure before enabling bypass mode. You can select to wait 1, 10, or 60 seconds. The default timeout is 10 seconds.

auto-recover enable to cause all virtual wire bypass pairs to return to normal operation after bypass mode has been turned on and then the FortiGate 400E Bypass has restarted. Disable to keep virtual wire bypass pairs in bypass mode, if bypass mode was turned on and the FortiGate 400E Bypass has restarted.

Creating a virtual wire bypass pair

Use the following command to configure two interfaces to act as a virtual wire bypass pair. FortiGate 400E Bypass interfaces that are not configured in this way will operate in the same way as any FortiGate interfaces and not as bypass pairs.

config system virtual-wire-pair

edit <name>

set member <interface> <interface>

set poweron-bypass {disable | enable}

set poweroff-bypass {disable | enable}

end

<interface> <interface> the interfaces in the virtual wire bypass pair have to be two interfaces that can form a bypass pair. For example port1 and port2, port3 and port4, and so on can form virtual wire bypass pairs.

poweron-bypass enable bypass mode for this virtual wire bypass pair when the FortiGate 400E Bypass is powered on. With this mode enabled, the virtual wire bypass pair can switch to bypass mode if the bypass watchdog detects a failure while the FortiGate 400E Bypass is operating.

poweroff-bypass enable bypass mode for this virtual wire bypass pair when the FortiGate 400E Bypass looses power or is powered off.

For example, use the following command to configure port5 and port6 to operate as a virtual wire bypass pair that will switch to bypass mode if the bypass watchdog detects a failure or if the FortiGate 400E bypass is powered off.

config system virtual-wire-pair

edit <name>

set member port5 port6

set poweron-bypass enable

set poweroff-bypass enable

end

FortiGate 400E Bypass fast path architecture

FortiGate 400E Bypass fast path architecture

The FortiGate 400E Bypass model features the following front panel interfaces:

  • Two 10/100/1000BASE-T Copper (MGMT and HA, not connected to the NP6 processor)
  • Thirty-two 10/100/1000BASE-T Copper (1 to 32) that make up sixteen copper virtual wire bypass pairs

The following diagram also shows the XAUI and QSGMII port connections between the NP6 processor and the integrated switch fabric.

The FortiGate 400E Bypass includes one NP6 processor. All supported traffic passing between any two data interfaces can be offloaded by the NP6 processor. Data traffic to be processed by the CPU takes a dedicated data path through the NP6 processor to the CPU. Interfaces 1 to 16 connect to an integrated switch fabric to allow these sixteen interfaces to share two XAUI ports that connect to the NP6 processor. Interfaces 17 to 20, 21 to 24, 25 to 28, and 29 to 32 each connect to one of four QSFMII ports that connect them to the NP6 processor.

The MGMT interface is not connected to the NP6 processor. Management traffic passes to the CPU over a dedicated management path that is separate from the data path. The HA interface is also not connected to the NP6 processors. To help provide better HA stability and resiliency, HA traffic uses a dedicated physical control path that provides HA control traffic separation from data traffic processing. The separation of management and HA traffic from data traffic keeps management and HA traffic from affecting the stability and performance of data traffic processing.

You can use the following command to display the FortiGate 400E Bypass NP6 configuration. You can also use the diagnose npu np6 port-list command to display this information.

get hardware npu np6 port-list 
Chip   XAUI Ports        Max  Cross-chip 
                        Speed offloading 
------ ---- -------     ----- ---------- 
np6_0   0   port1        1G   Yes 
        0   port2        1G   Yes 
        0   port3        1G   Yes 
        0   port4        1G   Yes 
        0   port5        1G   Yes 
        0   port6        1G   Yes 
        0   port7        1G   Yes 
        0   port8        1G   Yes 
        1   port9        1G   Yes 
        1   port10       1G   Yes 
        1   port11       1G   Yes 
        1   port12       1G   Yes 
        1   port13       1G   Yes 
        1   port14       1G   Yes 
        1   port15       1G   Yes 
        1   port16       1G   Yes 
        2   port17       1G   Yes 
        2   port18       1G   Yes 
        2   port19       1G   Yes 
        2   port20       1G   Yes 
        2   port21       1G   Yes 
        2   port22       1G   Yes 
        2   port23       1G   Yes 
        2   port24       1G   Yes 
        3   port25       1G   Yes 
        3   port26       1G   Yes 
        3   port27       1G   Yes 
        3   port28       1G   Yes 
        3   port29       1G   Yes
        3   port30       1G   Yes 
        3   port31       1G   Yes 
        3   port32       1G   Yes 
------ ---- ------- ----- ----------

Bypass interfaces

The FortiGate 400E Bypass includes sixteen bypass interface pairs that can provide fail open support for up to sixteen networks. Each consecutively numbered pair of interfaces can be configured to operate as a bypass pair by adding the interfaces to a virtual wire bypass pair. Interface 1 and 2, interface 3 and 4, interface 5 and interface 6, and so on can form virtual wire bypass pairs.

When bypass mode is activated, the interfaces in each virtual wire bypass pair are directly connected. Traffic can pass between these interfaces, bypassing the FortiOS firewall and the NP6 processor, but continuing to provide network connectivity.

In bypass mode, each virtual wire bypass pair acts like a patch cable, failing open and allowing all traffic to pass through. Traffic on the virtual wire bypass pair interfaces that are using VLANs or other network extensions can only continue flowing if the connected network equipment is configured for these features.

If the FortiGate 400E Bypass fails or looses power, the virtual wire bypass pairs will contunue to operate in bypass mode until the failed device is replaced or power is restored. If power is restored and the FortiGate 400E Bypass starts up, the device resumes operating as a FortiGate device without interrupting traffic flow. Replacing a failed FortiGate 400E Bypass disrupts traffic while the technician physically replaces the failed device with a new one.

If bypass mode is enabled because of a software or hardware failure, the virtual wire bypass pairs continue to operate in bypass mode until the FortiGate 400E Bypass restarts. You can configure the FortiGate 400E Bypass to resume normal operation after a restart or to keep the virtual wire bypass pairs operating in bypass mode after a restart.

Configuring bypass settings

You can use the following command to configure how bypass operates.

config system bypass

set bypass-watchdog {disable | enable}

set bypass-timeout {1 | 10 | 60}

set auto-recover {disable | enable}

end

bypass-watchdog enable to turn on the bypass watchdog. The bypass watchdog monitors traffic passing between interfaces in each of the virtual wire bypass pairs. If the watchdog detects that traffic is blocked on any virtual wire bypass pair, that virtual wire bypass pair switches to bypass mode.

bypass-timeout select the amount of time the bypass watchdog waits after detecting a failure before enabling bypass mode. You can select to wait 1, 10, or 60 seconds. The default timeout is 10 seconds.

auto-recover enable to cause all virtual wire bypass pairs to return to normal operation after bypass mode has been turned on and then the FortiGate 400E Bypass has restarted. Disable to keep virtual wire bypass pairs in bypass mode, if bypass mode was turned on and the FortiGate 400E Bypass has restarted.

Creating a virtual wire bypass pair

Use the following command to configure two interfaces to act as a virtual wire bypass pair. FortiGate 400E Bypass interfaces that are not configured in this way will operate in the same way as any FortiGate interfaces and not as bypass pairs.

config system virtual-wire-pair

edit <name>

set member <interface> <interface>

set poweron-bypass {disable | enable}

set poweroff-bypass {disable | enable}

end

<interface> <interface> the interfaces in the virtual wire bypass pair have to be two interfaces that can form a bypass pair. For example port1 and port2, port3 and port4, and so on can form virtual wire bypass pairs.

poweron-bypass enable bypass mode for this virtual wire bypass pair when the FortiGate 400E Bypass is powered on. With this mode enabled, the virtual wire bypass pair can switch to bypass mode if the bypass watchdog detects a failure while the FortiGate 400E Bypass is operating.

poweroff-bypass enable bypass mode for this virtual wire bypass pair when the FortiGate 400E Bypass looses power or is powered off.

For example, use the following command to configure port5 and port6 to operate as a virtual wire bypass pair that will switch to bypass mode if the bypass watchdog detects a failure or if the FortiGate 400E bypass is powered off.

config system virtual-wire-pair

edit <name>

set member port5 port6

set poweron-bypass enable

set poweroff-bypass enable

end