FortiGate 400E Bypass fast path architecture
The FortiGate 400E Bypass includes one NP6 processor. All supported traffic passing between any two data interfaces can be offloaded by the NP6 processor. Data traffic to be processed by the CPU takes a dedicated data path through the NP6 processor to the CPU. Interfaces 1 to 16 connect to an integrated switch fabric to allow these sixteen interfaces to share two XAUI ports that connect to the NP6 processor. Interfaces 17 to 20, 21 to 24, 25 to 28, and 29 to 32 each connect to one of four QSGMII ports that connect them to the NP6 processor.
The FortiGate 400E Bypass model features the following front panel interfaces:
- Two 10/100/1000BASE-T Copper (MGMT and HA, not connected to the NP6 processor)
- Thirty-two 10/100/1000BASE-T Copper (1 to 32) that make up sixteen copper virtual wire bypass pairs
The following diagram also shows the XAUI and QSGMII port connections between the NP6 processor and the integrated switch fabric.
The MGMT interface is not connected to the NP6 processor. Management traffic passes to the CPU over a dedicated management path that is separate from the data path. The HA interface is also not connected to the NP6 processor. To help provide better HA stability and resiliency, HA traffic uses a dedicated physical control path that separates HA control traffic from data traffic processing. The separation of management and HA traffic from data traffic keeps management and HA traffic from affecting the stability and performance of data traffic processing.
You can use the following command to display the FortiGate 400E Bypass NP6 configuration. You can also use the diagnose npu np6 port-list command to display this information.
get hardware npu np6 port-list
Chip   XAUI Ports   Max   Cross-chip
                    Speed offloading
------ ---- ------- ----- ----------
np6_0  0    port1   1G    Yes
       0    port2   1G    Yes
       0    port3   1G    Yes
       0    port4   1G    Yes
       0    port5   1G    Yes
       0    port6   1G    Yes
       0    port7   1G    Yes
       0    port8   1G    Yes
       1    port9   1G    Yes
       1    port10  1G    Yes
       1    port11  1G    Yes
       1    port12  1G    Yes
       1    port13  1G    Yes
       1    port14  1G    Yes
       1    port15  1G    Yes
       1    port16  1G    Yes
       2    port17  1G    Yes
       2    port18  1G    Yes
       2    port19  1G    Yes
       2    port20  1G    Yes
       2    port21  1G    Yes
       2    port22  1G    Yes
       2    port23  1G    Yes
       2    port24  1G    Yes
       3    port25  1G    Yes
       3    port26  1G    Yes
       3    port27  1G    Yes
       3    port28  1G    Yes
       3    port29  1G    Yes
       3    port30  1G    Yes
       3    port31  1G    Yes
       3    port32  1G    Yes
------ ---- ------- ----- ----------
Bypass interfaces
The FortiGate 400E Bypass includes sixteen bypass interface pairs that can provide fail open support for up to sixteen networks. Each consecutively numbered pair of interfaces can be configured to operate as a bypass pair by adding the interfaces to a virtual wire bypass pair. Interfaces 1 and 2, 3 and 4, 5 and 6, and so on can form virtual wire bypass pairs.
When bypass mode is activated, the interfaces in each virtual wire bypass pair are directly connected. Traffic can pass between these interfaces, bypassing the FortiOS firewall and the NP6 processor, but continuing to provide network connectivity.
In bypass mode, each virtual wire bypass pair acts like a patch cable, failing open and allowing all traffic to pass through. Traffic on the virtual wire bypass pair interfaces that are using VLANs or other network extensions can only continue flowing if the connected network equipment is configured for these features.
If the FortiGate 400E Bypass fails or loses power, the virtual wire bypass pairs will continue to operate in bypass mode until the failed device is replaced or power is restored. If power is restored and the FortiGate 400E Bypass starts up, the device resumes operating as a FortiGate device without interrupting traffic flow. Replacing a failed FortiGate 400E Bypass disrupts traffic while the technician physically replaces the failed device with a new one.
If bypass mode is enabled because of a software or hardware failure, the virtual wire bypass pairs continue to operate in bypass mode until the FortiGate 400E Bypass restarts. You can configure the FortiGate 400E Bypass to resume normal operation after a restart or to keep the virtual wire bypass pairs operating in bypass mode after a restart.
Configuring bypass settings
You can use the following command to configure how bypass operates.
config system bypass
set bypass-watchdog {disable | enable}
set bypass-timeout {1 | 10 | 60}
set auto-recover {disable | enable}
end
bypass-watchdog
Enable to turn on the bypass watchdog. The bypass watchdog monitors traffic passing between interfaces in each of the virtual wire bypass pairs. If the watchdog detects that traffic is blocked on any virtual wire bypass pair, that virtual wire bypass pair switches to bypass mode.
bypass-timeout
Select the amount of time the bypass watchdog waits after detecting a failure before enabling bypass mode. You can select to wait 1, 10, or 60 seconds. The default timeout is 10 seconds.
auto-recover
Enable to cause all virtual wire bypass pairs to return to normal operation after bypass mode has been turned on and then the FortiGate 400E Bypass has restarted. Disable to keep virtual wire bypass pairs in bypass mode if bypass mode was turned on and the FortiGate 400E Bypass has restarted.
Creating a virtual wire bypass pair
Use the following command to configure two interfaces to act as a virtual wire bypass pair. FortiGate 400E Bypass interfaces that are not configured in this way will operate in the same way as any FortiGate interfaces and not as bypass pairs.
config system virtual-wire-pair
edit <name>
set member <interface> <interface>
set poweron-bypass {disable | enable}
set poweroff-bypass {disable | enable}
end
<interface> <interface>
The interfaces in the virtual wire bypass pair have to be two interfaces that can form a bypass pair. For example, port1 and port2, port3 and port4, and so on can form virtual wire bypass pairs.
poweron-bypass
Enable bypass mode for this virtual wire bypass pair when the FortiGate 400E Bypass is powered on. With this mode enabled, the virtual wire bypass pair can switch to bypass mode if the bypass watchdog detects a failure while the FortiGate 400E Bypass is operating.
poweroff-bypass
Enable bypass mode for this virtual wire bypass pair when the FortiGate 400E Bypass loses power or is powered off.
For example, use the following command to configure port5 and port6 to operate as a virtual wire bypass pair that will switch to bypass mode if the bypass watchdog detects a failure or if the FortiGate 400E bypass is powered off.
config system virtual-wire-pair
edit <name>
set member port5 port6
set poweron-bypass enable
set poweroff-bypass enable
end
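As an added example (not from the Fortinet documentation or FortiOS itself), the following Python script parses the get hardware npu np6 port-list output shown earlier and checks a proposed virtual wire bypass pair against the pairing rule from this section (consecutive odd/even interfaces such as port5/port6; MGMT and HA are not NP6 data ports and never appear in the list) before rendering the config system virtual-wire-pair stanza. Because a bypass pair fails open and passes traffic uninspected, validating the member interfaces before pushing the configuration is the check an operator wants. The script, its function names, and the sample rows (generated from the page's XAUI grouping, with the chip name printed once as in the real output) are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the `get hardware npu np6 port-list` output quoted
# on this page, one row per line as the CLI prints it. The chip column is
# shown only on the first row; the rows are generated from the page's XAUI
# grouping (ports 1-8 on XAUI 0, 9-16 on 1, 17-24 on 2, 25-32 on 3).
RULE = "------ ---- ------- ----- ----------"
PORT_LIST_OUTPUT = "\n".join(
    ["Chip   XAUI Ports   Max   Cross-chip",
     "                    Speed offloading",
     RULE]
    + [f"{'np6_0' if n == 1 else '':<6} {(n - 1) // 8:<4} port{n:<3} 1G    Yes"
       for n in range(1, 33)]
    + [RULE]
) + "\n"

# One data row; the chip name is optional because it is printed once per chip.
ROW_RE = re.compile(r"^(np6_\d+)?\s*(\d+)\s+(port\d+)\s+(\S+)\s+(Yes|No)\s*$")


@dataclass(frozen=True)
class NpuPort:
    chip: str
    xaui: int
    name: str
    max_speed: str
    cross_chip_offload: bool


def parse_port_list(text):
    """Return {port name: NpuPort} for every data row of the port-list output."""
    ports = {}
    chip = None
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # column headers and rule lines
        chip = m.group(1) or chip  # carry the chip name down the table
        xaui, name, speed, offload = m.group(2, 3, 4, 5)
        ports[name] = NpuPort(chip, int(xaui), name, speed, offload == "Yes")
    return ports


def validate_bypass_pair(ports, a, b):
    """List the reasons (a, b) cannot form a virtual wire bypass pair; [] means it can.

    Rule from this page: only consecutive interfaces starting at an odd number
    (port1/port2, port3/port4, ...) can form a pair. MGMT and HA are not NP6
    data ports, so they are absent from the port list and rejected here.
    """
    problems = [f"{p} is not an NP6 data port" for p in (a, b) if p not in ports]
    if problems:
        return problems
    lo, hi = sorted(int(p[len("port"):]) for p in (a, b))
    if lo % 2 == 0 or hi != lo + 1:
        problems.append(f"{a} and {b} are not a consecutive odd/even pair such as port5/port6")
    return problems


def render_virtual_wire_pair(ports, name, a, b, poweron_bypass=True, poweroff_bypass=True):
    """Emit the config system virtual-wire-pair stanza from this page for a valid pair."""
    problems = validate_bypass_pair(ports, a, b)
    if problems:
        raise ValueError("; ".join(problems))

    def onoff(flag):
        return "enable" if flag else "disable"

    return "\n".join([
        "config system virtual-wire-pair",
        f"    edit {name}",
        f"        set member {a} {b}",
        f"        set poweron-bypass {onoff(poweron_bypass)}",
        f"        set poweroff-bypass {onoff(poweroff_bypass)}",
        "end",
    ])


if __name__ == "__main__":
    npu_ports = parse_port_list(PORT_LIST_OUTPUT)
    print(f"parsed {len(npu_ports)} NP6 ports")
    print(render_virtual_wire_pair(npu_ports, "bypass_5_6", "port5", "port6"))
    print(validate_bypass_pair(npu_ports, "port2", "port3"))
```

Run it against the saved output of get hardware npu np6 port-list from the unit in question instead of the constructed sample to validate the pairs in a real change; a non-empty list from validate_bypass_pair means the stanza should not be pushed.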