Hardware Acceleration

FortiGate 80F, 81F, and 80F Bypass fast path architecture

The FortiGate 80F and 81F include the SOC4 and use the SOC4 CPU, NP6XLite processor, and CP9XLite processor. The SOC4 ISF connects all of the FortiGate 60F and 61F front panel data interfaces to the NP7Lite processor.

The interface pairs SFP1 and WAN1, and SFP2 and WAN2, are shared SFP or Ethernet interfaces. Only one interface of each pair can be connected to a network. This allows you to, for example, connect SFP1 to an SFP switch and WAN2 to a 10/100/1000BASE-T Copper switch.

On the FortiGate 80F Bypass model, the WAN1 and 1 interfaces form a copper bypass pair. The SFP1 interface is not part of the bypass pair. On the GUI and CLI the 1 interface is named internal1.

The FortiGate 80F and 81F feature the following front panel interfaces:

  • Two 1GigE SFP interfaces (SFP1 and SFP2) connected to the SOC4.
  • Two 10/100/1000BASE-T Copper interfaces (WAN1, WAN2) connected to the SOC4.
  • Eight 10/100/1000BASE-T Copper interfaces (1-6, A, and B) connected to the SOC4. A and B are FortiLink interfaces.
  • The FortiGate-80F Bypass includes two shared interfaces that can be either:
    • 1GigE SFP (SFP1 and SFP2)
    • 10/100/1000BASE-T Copper (WAN1 and WAN2)

Note

On the FortiGate 80F Bypass model, the WAN1 and 1 interfaces form a bypass pair. Interface 1 (internal1) is part of a hardware switch named internal. To enable bypass mode, you must remove internal1 from the hardware switch.

FortiGate 80F and 81F back panel

FortiGate 80F Bypass back panel

The SOC4 includes an integrated switch fabric (ISF) that connects all of the front panel network interfaces to the NP6XLite processor. The SOC4 ISF allows sessions passing between any FortiGate front panel interface pair to be offloaded by the NP6XLite processor. The SOC4 ISF also allows you to use the command config system virtual-switch to create a virtual hardware switch that can include any front panel interface connected to the SOC4.

Note

To add an interface to a hardware switch, its mode must be set to static and the interface can't be used in any other configuration. For example, you can't have a firewall policy that references the interface.

You can use the command diagnose npu np6xlite port-list to display the FortiGate 80F or 81F NP6XLite configuration.

diagnose npu np6xlite port-list
Chip   XAUI Ports            Max   Cross-chip 
                             Speed offloading 
------ ---- -------          ----- ---------- 
np6xlite_0
       14   wan1             1000M          NO
       13   wan2             1000M          NO
       7    internal1        1000M          NO
       8    internal2        1000M          NO
       9    internal3        1000M          NO
       10   internal4        1000M          NO
       3    internal5        1000M          NO
       4    internal6        1000M          NO
       5    a                1000M          NO
       6    b                1000M          NO

Bypass interfaces (WAN1 and 1)

The FortiGate 80F Bypass model includes a bypass interface pair, WAN1 and 1, that provides fail-open support. When a FortiGate 80F Bypass model experiences a hardware failure or loses power, or when bypass mode is enabled, the bypass interface pair operates in bypass mode. In bypass mode, WAN1 and 1 are directly connected. Traffic passes between WAN1 and 1 without going through the FortiOS firewall or the NP6XLite processor, so network connectivity continues.

In bypass mode, the bypass pair acts like a patch cable, failing open and allowing all traffic to pass through. Traffic on the bypass interface that is using VLANs or other network extensions can only continue flowing if the connected network equipment is configured for these features.

The FortiGate 80F Bypass model continues to operate in bypass mode until the failed unit is replaced, power is restored, or bypass mode is disabled. If power is restored or bypass mode is disabled, the FortiGate 80F Bypass model resumes operating as a FortiGate device without interrupting traffic flow. Replacing a failed FortiGate 80F Bypass model disrupts traffic while a technician physically replaces the failed unit with a new one.

Manually enabling bypass mode

You can manually enable bypass mode if the FortiGate 80F Bypass model is operating in transparent mode. You can also manually enable bypass mode for a VDOM if WAN1 and 1 are both connected to the same VDOM operating in transparent mode.

By default, interface 1 (internal1) is part of a hardware switch named internal. Before you enable bypass mode, you must enter the following commands to edit the hardware switch and remove internal1 from the switch:

config system virtual-switch
    edit internal
        delete internal1
end

Then you can use the following command to enable bypass mode:

execute bypass-mode enable

This command changes the configuration, so bypass mode will still be enabled if the FortiGate 80F Bypass model restarts.

You can use the following command to disable bypass mode:

execute bypass-mode disable

Configuring bypass settings

You can use the following command to configure how bypass operates. To configure these settings, you must first remove the internal1 interface from the internal hardware switch.

config system bypass
    set bypass-watchdog {disable | enable}
    set poweroff-bypass {disable | enable}
end

bypass-watchdog: enable to turn on bypass mode. When bypass mode is turned on, bypass mode is activated if the bypass watchdog detects a software or hardware failure.

poweroff-bypass: if enabled, traffic can pass between the wan1 and internal1 interfaces when the FortiGate 80F Bypass is powered off.
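
An added example, not part of the Fortinet documentation: a Python check over a saved configuration that reports whether internal1 is still a member of the hardware switch and how the two bypass settings described above are set, since those settings decide when traffic passes between wan1 and internal1 without going through the firewall. The sample text is constructed, and the `config port` nesting inside the virtual-switch entry is an assumption about the saved layout.

```python
import re

# Constructed sample in the style of a saved FortiOS configuration.
# The "config port" nesting is an assumption, not taken from the page.
SAMPLE_CONFIG = '''\
config system virtual-switch
    edit "internal"
        config port
            edit "internal2"
            next
        end
    next
end
config system bypass
    set bypass-watchdog enable
    set poweroff-bypass disable
end
'''

def top_level_blocks(text):
    """Map each top-level 'config <path>' to the stripped lines of its body."""
    blocks, path, depth = {}, None, 0
    for line in map(str.strip, text.splitlines()):
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                path = line[len("config "):]
                blocks[path] = []
                continue
        elif line == "end":
            depth -= 1
        if depth == 0:
            path = None
        elif path is not None:
            blocks[path].append(line)
    return blocks

def bypass_posture(text):
    """Summarise what decides whether the wan1/internal1 pair can fail open."""
    blocks = top_level_blocks(text)
    bypass = "\n".join(blocks.get("system bypass", []))
    switch = "\n".join(blocks.get("system virtual-switch", []))
    settings = dict(re.findall(r"^set (\S+) (\S+)$", bypass, re.M))
    return {
        # True: internal1 is still a switch member, so bypass cannot be set up yet
        "internal1_in_switch": bool(re.search(r'^edit "?internal1"?$', switch, re.M)),
        # None: the setting does not appear in the saved text
        "bypass-watchdog": settings.get("bypass-watchdog"),
        "poweroff-bypass": settings.get("poweroff-bypass"),
    }
```

A result with `internal1_in_switch` false and either setting at `enable` identifies a unit whose wan1/internal1 segment will pass traffic unfiltered on a watchdog-detected fault or on power loss.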
