If your appliance’s hardware model, network cabling, and configuration supports it, you can configure fail-to-wire/bypass behavior. This allows traffic to pass through unfiltered between 2 ports (a link pair) while the FortiWeb appliance is shut down, rebooting, or has unexpectedly lost power such as due to being accidentally unplugged or PSU failure.
Fail-open is supported only:
- when the operation mode is True Transparent Proxy, Transparent Inspection, or WCCP
- in standalone mode (not HA)
- for a bridge (V-zone) between ports wired to a CP7 processor or other hardware which provides support for fail-to-wire
- FortiWeb 600D: port1 + port2
- FortiWeb1000C: port3 + port4
- FortiWeb 1000D: port3 + port4 or port5 + port6
- FortiWeb 1000E: port3 + port4 + port5 + port6
- FortiWeb 2000E: port1 + port2 or port3 + port4
- FortiWeb3000C/D: port5 + port6
- FortiWeb3000E/4000E: port9 + port10, port11 + port12, port13 + port14, or port15 + port16
- FortiWeb 3010E: port3 + port4, port9 + port10, port11 + port12, port13 + port14 or port15 + port16
- FortiWeb4000C/D: port5 + port6 or port7 + port8
- FortiWeb3000CFsx/DFsx: port5 + port6 or port7 + port8
FortiWeb-400B/400C, FortiWeb HA clusters, and ports not wired to a CP7/fail-open chip do not support fail-to-wire.
In the case of HA, don’t use fail-open—instead, use a standby HA appliance to provide full fault tolerance.
Bypass results in degraded security while FortiWeb is shut down, and therefore HA is usually a better solution: it ensures that degraded security does not occur if one of the appliances is shut down. If it is possible that both of your HA FortiWeb appliance could simultaneously lose power, you can add an external bypass device such as FortiBridge.
Fail-to-wire may be useful if you are required by contract to provide uninterrupted connectivity, or if you consider connectivity interruption to be a greater risk than being open to attack during the power interruption.
To use this command, your administrator account’s access control profile must have either
rw permission to the
sysgrp area. For details, see Permissions.
Note: The name of this setting varies by which ports are wired together for bypass in your specific hardware model.