FortiGate 80F, 81F, and 80F Bypass fast path architecture
The FortiGate 80F and 81F includes the SOC4 and uses the SOC4 CPU, NP6XLite processor, and CP9XLite processor. The SOC4 ISF connects all of the FortiGate 60F and 61F front panel data interfaces to the NP7Lite processor.
Interfaces SFP1 and WAN1 and SFP2 and WAN2 are shared SFP or Ethernet interfaces. Only one of each of these interface pairs can be connected to a network. This allows you to, for example, connect SFP1 to an SFP switch and WAN2 to 10/100/1000BASE-T Copper switch.
On the FortiGate 80F Bypass model, the WAN1 and 1 interfaces form a copper bypass pair. The SFP1 interface is not part of the bypass pair. On the GUI and CLI the 1 interface is named internal1.
The FortiGate 80F and 81F features the following front panel interfaces:
- Two 1GigE SFP interfaces (SPF1 and SPF2) connected to the SOC4.
- Two 10/100/1000BASE-T Copper interfaces (WAN1, WAN2) connected to the SOC4.
- Eight 10/100/1000BASE-T Copper (1-6, A, and B) connected to the SOC4. A and B are FortiLink interfaces.
- The FortiGate-80F Bypass includes two shared interfaces that can be either:
- 1GigE SFP (SPF1 and SFP2)
- 10/100/1000BASE-T Copper (WAN1 and WAN2)
On the FortiGate 80F Bypass model, the WAN1 and 1 interfaces form a bypass pair. Interface 1 (internal1) is part of a hardware switch named internal. To enable bypass mode, you must remove internal1 from the hardware switch. |
FortiGate 80F and 81F back panel
FortiGate 80F Bypass back panel
The SOC4 includes an integrated switch fabric (ISF) that connects all of the front panel network interfaces to the NP6XLite processor. The SOC4 ISF allows sessions passing between any FortiGate front panel interface pair to be offloaded by the NP6XLite processor. The SOC4 ISF also allows you to use the command config system virtual-switch
to create a virtual hardware switch that can include any front panel interface connected to the SOC4.
To add an interface to a hardware switch, its |
You can use the command diagnose npu np6xlite port-list
to display the FortiGate 80F or 81F NP6XLite configuration.
diagnose npu np6xlite port-list Chip XAUI Ports Max Cross-chip Speed offloading ------ ---- ------- ----- ---------- np6xlite_0 14 wan1 1000M NO 13 wan2 1000M NO 7 internal1 1000M NO 8 internal2 1000M NO 9 internal3 1000M NO 10 internal4 1000M NO 3 internal5 1000M NO 4 internal6 1000M NO 5 a 1000M NO 6 b 1000M NO
Bypass interfaces (WAN1 and 1)
The FortiGate 80F Bypass model includes a bypass interface pair, WAN1 and 1, that provides fail open support. When a FortiGate 80F Bypass model experiences a hardware failure or loses power, or when bypass mode is enabled, the bypass interface pair operates in bypass mode. In bypass mode, WAN1 and 1 are directly connected. Traffic can pass between WAN1 and 1 bypassing the FortiOS firewall and the NP6XLite processor, but continuing to provide network connectivity.
In bypass mode, the bypass pair acts like a patch cable, failing open and allowing all traffic to pass through. Traffic on the bypass interface that is using VLANs or other network extensions can only continue flowing if the connected network equipment is configured for these features.
The FortiGate 80F Bypass model will continue to operate in bypass mode until the failed FortiGate 80F Bypass model is replaced, power is restored, or bypass mode is disabled. If power is restored or bypass mode is disabled, the FortiGate 80F Bypass model resumes operating as a FortiGate device without interrupting traffic flow. Replacing a failed FortiGate 80F Bypass model disrupts traffic as a technician physically replaces the failed FortiGate 80F Bypass model with a new one.
Manually enabling bypass mode
You can manually enable bypass mode if the FortiGate 80F Bypass model is operating in transparent mode. You can also manually enable bypass mode for a VDOM if WAN1 and 1 are both connected to the same VDOM operating in transparent mode.
By default, interface 1 (internal1) is part of a hardware switch named internal. Before you enable bypass mode, you must enter the following command s to edit the hardware switch and remove internal1 from the switch:
config system virtual-switch
edit internal
delete internal1
end
Then you can use the following command to enable bypass mode:
execute bypass-mode enable
This command changes the configuration, so bypass mode will still be enabled if the FortiGate 80F Bypass model restarts.
You can use the following command to disable bypass mode:
execute bypass-mode disable
Configuring bypass settings
You can use the following command to configure how bypass operates. To configure these settings, you must first remove the internal1 interface from the internal hardware switch.
config system bypass
set bypass-watchdog {disable | enable}
set poweroff-bypass {disable | enable}
end
bypass-watchdog
enable to turn on bypass mode. When bypass mode is turned on, if the bypass watchdog detects a software or hardware failure, bypass mode will be activated.
poweroff-bypass
if enabled, traffic will be able to pass between the wan1 and internal1 interfaces if the FortiGate 80F Bypass is powered off.