FortiGate Rugged 70F fast path architecture
The FortiGate Rugged 70F includes the SOC4 and uses the SOC4 CPU, NP6XLite processor, and CP9XLite processor. The SOC4 includes an integrated switch fabric (ISF) that connects all of the front panel network interfaces to the NP6XLite processor. All data traffic passes from the data interfaces through the ISF to the NP6XLite processor. All supported traffic passing between any two data interfaces can be offloaded by the NP6XLite processor. Data traffic processed by the CPU takes a dedicated data path through the ISF and the NP6XLite processor to the CPU.
The 3 and 4 interfaces form a copper bypass pair. On the GUI and CLI these interfaces are named lan3 and lan4.
The FortiGate Rugged 70F features the following front panel interfaces:
- Four 10/100/1000BASE-T Copper (1-4) connected to the SOC4.
- Two 10/100/1000BASE-T Copper (WAN1 and WAN2) connected to the SOC4.
- Two 1GigE SFP interfaces (SFP1 and SFP2) connected to the SOC4.
The SOC4 ISF allows you to use the command config system virtual-switch to create a virtual hardware switch that can include any front panel interface connected to the SOC4.
To add an interface to a hardware switch, its |
You can use the command diagnose npu np6xlite port-list to display the FortiGate Rugged 70F NP6XLite configuration.
diagnose npu np6xlite port-list
Chip        XAUI  Ports    Max    Cross-chip
                           Speed  offloading
------      ----  -------  -----  ----------
np6xlite_0  11    sfp1     1000M  NO
            10    sfp2     1000M  NO
            12    wan1     1000M  NO
            13    wan2     1000M  NO
            6     lan1     1000M  NO
            7     lan2     1000M  NO
            8     lan3     1000M  NO
            9     lan4     1000M  NO
Bypass interfaces (3 and 4)
The FortiGate Rugged 70F includes a bypass interface pair, 3 and 4, that provides fail open support. When a FortiGate Rugged 70F experiences a hardware failure or loses power, or when bypass mode is enabled, the bypass interface pair operates in bypass mode. In bypass mode, 3 and 4 are directly connected. Traffic passes between 3 and 4 without going through the FortiOS firewall or the NP6XLite processor, so network connectivity is maintained.
In bypass mode, the bypass pair acts like a patch cable, failing open and allowing all traffic to pass through. Traffic on the bypass interface that is using VLANs or other network extensions can only continue flowing if the connected network equipment is configured for these features.
The FortiGate Rugged 70F will continue to operate in bypass mode until the failed FortiGate Rugged 70F is replaced, power is restored, or bypass mode is disabled. If power is restored or bypass mode is disabled, the FortiGate Rugged 70F resumes operating as a FortiGate device without interrupting traffic flow. Replacing a failed FortiGate Rugged 70F disrupts traffic as a technician physically replaces the failed FortiGate Rugged 70F with a new one.
Manually enabling bypass mode
You can manually enable bypass mode if the FortiGate Rugged 70F is operating in transparent mode. You can also manually enable bypass mode for a VDOM if 3 and 4 are both connected to the same VDOM operating in transparent mode.
By default, interfaces 3 and 4 (lan3 and lan4) are part of a hardware switch named internal. Before you enable bypass mode, you must enter the following commands to edit the hardware switch and remove lan3 and lan4 from the switch:
config system virtual-switch
edit internal
delete lan3
delete lan4
end
Then you can use the following command to enable bypass mode:
execute bypass-mode enable
This command changes the configuration, so bypass mode will still be enabled if the FortiGate Rugged 70F restarts.
You can use the following command to disable bypass mode:
execute bypass-mode disable
Configuring bypass settings
You can use the following command to configure how bypass operates. To configure these settings, you must first remove the internal4f interface from the internal hardware switch.
config system bypass
set bypass-watchdog {disable | enable}
set poweroff-bypass {disable | enable}
end
bypass-watchdog
Enable to turn on bypass mode. When bypass mode is turned on, if the bypass watchdog detects a software or hardware failure, bypass mode will be activated.
poweroff-bypass
If enabled, traffic will be able to pass between the lan3 and lan4 interfaces if the FortiGate Rugged 70F is powered off.
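The following Python check is an added example, not Fortinet code: it reads a saved configuration text and reports which of the two config system bypass settings described above are explicitly enabled, since each one allows lan3-lan4 traffic to pass without FortiOS inspection. The sample configuration is constructed, and the check assumes the saved configuration contains the block in the form shown above.

```python
# Constructed sample configuration text (not taken from a real device).
SAMPLE_CONFIG = """\
config system global
    set hostname "FGR70F-lab"
end
config system bypass
    set bypass-watchdog enable
    set poweroff-bypass disable
end
"""

# What each enabled setting means, per the descriptions on this page.
FAIL_OPEN_EFFECT = {
    "bypass-watchdog": "a software or hardware failure detected by the watchdog activates bypass mode",
    "poweroff-bypass": "traffic passes between lan3 and lan4 while the unit is powered off",
}

def parse_bypass_settings(config_text):
    """Return {setting: value} from the 'config system bypass' block ({} if absent)."""
    settings, in_block = {}, False
    for raw in config_text.splitlines():
        parts = raw.split()
        if parts == ["config", "system", "bypass"]:
            in_block = True
        elif in_block and parts == ["end"]:
            break
        elif in_block and len(parts) == 3 and parts[0] == "set":
            settings[parts[1]] = parts[2].strip('"')
    return settings

def fail_open_findings(config_text):
    """List settings that are explicitly enabled; absent settings are not judged,
    because the page does not state their defaults."""
    settings = parse_bypass_settings(config_text)
    return [
        f"{name} enabled: {effect}; lan3-lan4 traffic then bypasses the FortiOS firewall"
        for name, effect in FAIL_OPEN_EFFECT.items()
        if settings.get(name) == "enable"
    ]

if __name__ == "__main__":
    for finding in fail_open_findings(SAMPLE_CONFIG):
        print("REVIEW:", finding)
```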