FortiGate 800D fast path architecture
The FortiGate 800D includes one NP6 processor connected through an integrated switch fabric to all of the FortiGate 800D network interfaces. This hardware configuration supports NP6-accelerated fast path offloading for sessions between any of the FortiGate 800D interfaces.
The FortiGate 800D features the following front panel interfaces:
- Two 10/100/1000BASE-T Copper (MGMT1 and MGMT2, not connected to the NP6 processor)
- Two 10/100/1000BASE-T Copper bypass pairs (WAN1 and 1 and WAN2 and 2)
- Eighteen 10/100/1000BASE-T Copper (3 to 22)
- Eight 1 GigE SFP (23 to 30)
- Two 10 GigE SFP+ (31 and 32)
You can use the following get command to display the FortiGate 800D NP6 configuration. The command output shows one NP6 named NP6_0. The output also shows all of the FortiGate 800D interfaces (ports) connected to NP6_0. You can also use the diagnose npu np6 port-list command to display this information.
get hardware npu np6 port-list
Chip   XAUI Ports   Max   Cross-chip
                    Speed offloading
------ ---- ------- ----- ----------
np6_0  0    port31  10G   Yes
       1    wan1    1G    Yes
       1    port1   1G    Yes
       1    wan2    1G    Yes
       1    port2   1G    Yes
       1    port3   1G    Yes
       1    port4   1G    Yes
       1    port5   1G    Yes
       1    port6   1G    Yes
       1    port30  1G    Yes
       1    port29  1G    Yes
       1    port28  1G    Yes
       1    port27  1G    Yes
       1    port26  1G    Yes
       1    port25  1G    Yes
       1    port24  1G    Yes
       1    port23  1G    Yes
       2    port7   1G    Yes
       2    port8   1G    Yes
       2    port9   1G    Yes
       2    port10  1G    Yes
       2    port11  1G    Yes
       2    port12  1G    Yes
       2    port13  1G    Yes
       2    port14  1G    Yes
       2    port15  1G    Yes
       2    port16  1G    Yes
       2    port17  1G    Yes
       2    port18  1G    Yes
       2    port19  1G    Yes
       2    port20  1G    Yes
       2    port21  1G    Yes
       2    port22  1G    Yes
       3    port32  10G   Yes
------ ---- ------- ----- ----------
Bypass interfaces (WAN1/1 and WAN2/2)
The FortiGate 800D includes two bypass interface pairs, WAN1 and 1 and WAN2 and 2, that provide fail open support. When a FortiGate 800D experiences a hardware failure or loses power, or when bypass mode is enabled, the bypass interface pairs operate in bypass mode. In bypass mode, WAN1 and 1 are directly connected and WAN2 and 2 are directly connected. Traffic can pass between WAN1 and 1 and between WAN2 and 2, bypassing the FortiOS firewall and the NP6 processor, but continuing to provide network connectivity.
In bypass mode, the bypass pairs act like patch cables, failing open and allowing all traffic to pass through. Traffic on the bypass interfaces that is using VLANs or other network extensions can only continue flowing if the connected network equipment is configured for these features.
The FortiGate 800D will continue to operate in bypass mode until the failed FortiGate 800D is replaced, power is restored, or bypass mode is disabled. If power is restored or bypass mode is disabled, the FortiGate 800D resumes operating as a FortiGate device without interrupting traffic flow. Replacing a failed FortiGate 800D disrupts traffic as a technician physically replaces the failed FortiGate 800D with a new one.
Manually enabling bypass mode
You can manually enable bypass mode if the FortiGate 800D is operating in transparent mode. You can also manually enable bypass mode for a VDOM if WAN1 and 1 or WAN2 and 2 are both connected to the same VDOM operating in transparent mode.
Use the following command to enable bypass mode:
execute bypass-mode enable
This command changes the configuration, so bypass mode will still be enabled if the FortiGate 800D restarts.
You can use the following command to disable bypass mode:
execute bypass-mode disable
Configuring bypass settings
You can use the following command to configure how bypass operates.
config system bypass
set bypass-watchdog {disable | enable}
set poweroff-bypass {disable | enable}
end
bypass-watchdog
Enable to turn on bypass mode. When bypass mode is turned on, if the bypass watchdog detects a software or hardware failure, bypass mode will be activated.
poweroff-bypass
If enabled, traffic will be able to pass between WAN1 and 1 and between WAN2 and 2 if the FortiGate 800D is powered off.
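Because both settings let traffic cross the bypass pairs without passing through the FortiOS firewall, a configuration review should record their state. The following is an added example, not Fortinet code: it reads a saved configuration and reports the two settings described above. The sample backup text is constructed, and the function names and the assumption that the backup uses the nested config ... end layout are the example's own; it does not detect bypass mode enabled manually with execute bypass-mode enable.

```python
# Constructed sample of a FortiGate configuration backup (not from the page).
SAMPLE_CONFIG = """\
config system bypass
    set bypass-watchdog enable
    set poweroff-bypass enable
end
"""

# Settings documented above; "enable" lets WAN1/1 and WAN2/2 pass traffic uninspected.
FAIL_OPEN_KEYS = {
    "bypass-watchdog": "bypass activates on a detected software or hardware failure",
    "poweroff-bypass": "traffic passes between the pairs while the unit is powered off",
}

def parse_block(config_text, header):
    """Return {key: value} from `set` lines of the first top-level block `header`."""
    settings, depth, inside = {}, 0, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            inside = inside or (depth == 1 and line == header)
        elif line == "end":
            if inside and depth == 1:
                return settings
            depth = max(depth - 1, 0)
        elif inside and depth == 1 and line.startswith("set "):
            parts = line.split(None, 2)
            if len(parts) == 3:
                settings[parts[1]] = parts[2].strip('"')
    return settings

def audit_bypass(config_text):
    """Return (key, state, note) per setting; state is fail-open, no-bypass or unknown."""
    block = parse_block(config_text, "config system bypass")
    findings = []
    for key, impact in FAIL_OPEN_KEYS.items():
        value = block.get(key)
        if value == "enable":
            findings.append((key, "fail-open", impact))
        elif value == "disable":
            findings.append((key, "no-bypass", "this setting will not trigger bypass"))
        else:
            findings.append((key, "unknown", "not present in backup; check the device"))
    return findings

if __name__ == "__main__":
    for key, state, note in audit_bypass(SAMPLE_CONFIG):
        print(f"{key:16} {state:10} {note}")
```

A setting reported as unknown is absent from the saved file, so its effective value has to be read from the device itself.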