Hardware Acceleration

FortiGate 800D fast path architecture

The FortiGate 800D includes one NP6 processor connected through an integrated switch fabric to all of the FortiGate 800D network interfaces. This hardware configuration supports NP6-accelerated fast path offloading for sessions between any of the FortiGate 800D interfaces.

The FortiGate 800D features the following front panel interfaces:

  • Two 10/100/1000BASE-T Copper (MGMT1 and MGMT2, not connected to the NP6 processors)
  • Two 10/100/1000BASE-T Copper bypass pairs (WAN1 and 1 and WAN2 and 2)
  • Eighteen 10/100/1000BASE-T Copper (3 to 22)
  • Eight 1 GigE SFP (23 to 30)
  • Two 10 GigE SFP+ (31 and 32)

You can use the following get command to display the FortiGate 800D NP6 configuration. The command output shows one NP6 named NP6_0. The output also shows all of the FortiGate 800D interfaces (ports) connected to NP6_0. You can also use the diagnose npu np6 port-list command to display this information.

get hardware npu np6 port-list 
Chip   XAUI Ports   Max   Cross-chip 
                    Speed offloading 
------ ---- ------- ----- ---------- 
np6_0  0    port31  10G   Yes        
       1    wan1    1G    Yes        
       1    port1   1G    Yes        
       1    wan2    1G    Yes        
       1    port2   1G    Yes        
       1    port3   1G    Yes        
       1    port4   1G    Yes        
       1    port5   1G    Yes        
       1    port6   1G    Yes        
       1    port30  1G    Yes        
       1    port29  1G    Yes        
       1    port28  1G    Yes        
       1    port27  1G    Yes        
       1    port26  1G    Yes        
       1    port25  1G    Yes        
       1    port24  1G    Yes        
       1    port23  1G    Yes        
       2    port7   1G    Yes        
       2    port8   1G    Yes        
       2    port9   1G    Yes        
       2    port10  1G    Yes        
       2    port11  1G    Yes        
       2    port12  1G    Yes        
       2    port13  1G    Yes        
       2    port14  1G    Yes        
       2    port15  1G    Yes        
       2    port16  1G    Yes        
       2    port17  1G    Yes        
       2    port18  1G    Yes        
       2    port19  1G    Yes        
       2    port20  1G    Yes        
       2    port21  1G    Yes        
       2    port22  1G    Yes        
       3    port32  10G   Yes        
------ ---- ------- ----- ----------
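
The port list can be read programmatically when checking which interfaces sit behind the NP6. The following Python code is an added example, not Fortinet code; it parses the output layout shown above, carrying the chip name down to the rows where that column is blank. The sample rows are constructed, and `mgmt1`/`mgmt2` are assumed CLI names for the MGMT1 and MGMT2 interfaces.

```python
import re
from collections import defaultdict

# Constructed sample: a few rows in the layout of the output shown above.
SAMPLE = """\
Chip   XAUI Ports   Max   Cross-chip
                    Speed offloading
------ ---- ------- ----- ----------
np6_0  0    port31  10G   Yes
       1    wan1    1G    Yes
       1    port1   1G    Yes
       2    port7   1G    Yes
       3    port32  10G   Yes
------ ---- ------- ----- ----------
"""

# A data row is: optional chip name, XAUI index, port, max speed, Yes/No.
ROW = re.compile(r"^(np6_\d+)?\s+(\d+)\s+(\S+)\s+(\d+G)\s+(Yes|No)\s*$")

def parse_port_list(text):
    """Return one dict per port; the chip name is carried down to the
    continuation rows, where that column is blank."""
    rows, chip = [], None
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator or blank line
        chip = m.group(1) or chip
        rows.append({"chip": chip, "xaui": int(m.group(2)), "port": m.group(3),
                     "speed": m.group(4), "cross_chip": m.group(5) == "Yes"})
    return rows

def ports_by_xaui(rows):
    """Group port names by (chip, XAUI link)."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["chip"], r["xaui"])].append(r["port"])
    return dict(groups)

def not_on_np6(rows, interfaces):
    """Interfaces from `interfaces` that the port list does not mention."""
    listed = {r["port"] for r in rows}
    return [name for name in interfaces if name not in listed]

if __name__ == "__main__":
    rows = parse_port_list(SAMPLE)
    print(ports_by_xaui(rows))
    # mgmt1/mgmt2 are assumed CLI names for the MGMT1 and MGMT2 interfaces.
    print(not_on_np6(rows, ["mgmt1", "mgmt2", "wan1", "port31"]))
```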

Bypass interfaces (WAN1/1 and WAN2/2)

The FortiGate 800D includes two bypass interface pairs, WAN1 and 1 and WAN2 and 2, that provide fail-open support. When a FortiGate 800D experiences a hardware failure or loses power, or when bypass mode is enabled, the bypass interface pairs operate in bypass mode. In bypass mode, WAN1 and 1 are directly connected and WAN2 and 2 are directly connected. Traffic can pass between WAN1 and 1 and between WAN2 and 2, bypassing the FortiOS firewall and the NP6 processor, but continuing to provide network connectivity.

In bypass mode, the bypass pairs act like patch cables, failing open and allowing all traffic to pass through. Traffic on the bypass interfaces that is using VLANs or other network extensions can only continue flowing if the connected network equipment is configured for these features.

The FortiGate 800D will continue to operate in bypass mode until the failed FortiGate 800D is replaced, power is restored, or bypass mode is disabled. If power is restored or bypass mode is disabled, the FortiGate 800D resumes operating as a FortiGate device without interrupting traffic flow. Replacing a failed FortiGate 800D disrupts traffic as a technician physically replaces the failed FortiGate 800D with a new one.

Manually enabling bypass mode

You can manually enable bypass mode if the FortiGate 800D is operating in transparent mode. You can also manually enable bypass mode for a VDOM if WAN1 and 1 or WAN2 and 2 are both connected to the same VDOM operating in transparent mode.

Use the following command to enable bypass mode:

execute bypass-mode enable

This command changes the configuration, so bypass mode will still be enabled if the FortiGate 800D restarts.

You can use the following command to disable bypass mode:

execute bypass-mode disable

Configuring bypass settings

You can use the following command to configure how bypass operates.

config system bypass
    set bypass-watchdog {disable | enable}
    set poweroff-bypass {disable | enable}
end

bypass-watchdog: enable to turn on bypass mode. When bypass mode is turned on, bypass mode is activated if the bypass watchdog detects a software or hardware failure.

poweroff-bypass: if enabled, traffic can pass between WAN1 and 1 and between WAN2 and 2 when the FortiGate 800D is powered off.
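
Because both options decide whether traffic can cross WAN1/1 and WAN2/2 without passing through the firewall, it is worth checking them in saved configurations. The following Python script is an added example, not part of the Fortinet documentation; it assumes a text configuration backup that contains the config system bypass block shown above, and the sample configuration is constructed.

```python
import re

# Constructed sample backup; only the bypass block's options are from the page.
SAMPLE_CONFIG = """\
config system global
    set hostname "fw-example"
end
config system bypass
    set bypass-watchdog enable
    set poweroff-bypass disable
end
"""

# What "enable" means for each option, as described on the page.
FAIL_OPEN = {
    "bypass-watchdog": "pairs fail open if the watchdog detects a failure",
    "poweroff-bypass": "pairs pass traffic while the unit is powered off",
}

def bypass_settings(config_text):
    """Return {option: value} for the 'config system bypass' block."""
    settings, inside = {}, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system bypass":
            inside = True
        elif inside and line == "end":
            break
        elif inside:
            m = re.fullmatch(r"set (\S+) (\S+)", line)
            if m:
                settings[m.group(1)] = m.group(2)
    return settings

def fail_open_findings(config_text):
    """List the ways this configuration lets traffic skip inspection."""
    settings = bypass_settings(config_text)
    findings = []
    for option, meaning in FAIL_OPEN.items():
        value = settings.get(option)
        if value == "enable":
            findings.append(f"{option}=enable: {meaning}")
        elif value is None:
            findings.append(f"{option} not in backup: check the value on the unit")
    return findings

if __name__ == "__main__":
    for finding in fail_open_findings(SAMPLE_CONFIG):
        print(finding)
```

An option missing from the backup is reported rather than assumed, since the page does not state the default values.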
