Fortinet white logo
Fortinet white logo

CLI Reference

system fail-open

system fail-open

If your appliance’s hardware model, network cabling, and configuration supports it, you can configure fail-to-wire/bypass behavior. This allows traffic to pass through unfiltered between 2 ports (a link pair) while the FortiWeb appliance is shut down, rebooting, or has unexpectedly lost power such as due to being accidentally unplugged or PSU failure.

Fail-open is supported only:

  • when the operation mode is True Transparent Proxy, Transparent Inspection, or WCCP
  • in standalone mode (not HA)
  • for a bridge (V-zone) between ports wired to a CP7 processor or other hardware which provides support for fail-to-wire
    • FortiWeb 600D: port1 + port2
    • FortiWeb 1000D: port3 + port4 or port5 + port6
    • FortiWeb 1000E: port3 + port4 + port5 + port6
    • FortiWeb 2000E: port1 + port2 or port3 + port4
    • FortiWeb3000E/4000E: port9 + port10, port11 + port12, port13 + port14, or port15 + port16
    • FortiWeb 3010E: port3 + port4, port9 + port10, port11 + port12, port13 + port14 or port15 + port16
    • FortiWeb 600F: port3 + port4

    • FortiWeb 1000F: port1 + port2, port3 + port4, port5 + port6 or port7 + port8

    • FortiWeb 2000F: port1 + port2 or port3 + port4

    • FortiWeb 3000F: port5 + port6, port11 + port12, port13 + port14, port15 + port16 or port17 + port18

    • FortiWeb 4000F: port1 + port2, port3 + port4, port13 + port14, port15 + port16, port17 + port18 or port19 + port20

FortiWeb HA clusters, and ports not wired to a CP7/fail-open chip do not support fail-to-wire.

In the case of HA, don’t use fail-open—instead, use a standby HA appliance to provide full fault tolerance.

Bypass results in degraded security while FortiWeb is shut down, and therefore HA is usually a better solution: it ensures that degraded security does not occur if one of the appliances is shut down. If it is possible that both of your HA FortiWeb appliance could simultaneously lose power, you can add an external bypass device such as FortiBridge.

Fail-to-wire may be useful if you are required by contract to provide uninterrupted connectivity, or if you consider connectivity interruption to be a greater risk than being open to attack during the power interruption.

To use this command, your administrator account’s access control profile must have either w or rw permission to the sysgrp area. For details, see Permissions.

Syntax

config system fail-open

set port3-port4 {poweroff-bypass | poweroff-cutoff}

end

Variable Description Default

port3-port4 {poweroff-bypass | poweroff-cutoff}

Select either:

  • poweroff-bypass—Behave like a wire when powered off, allowing connections to pass directly through from one port to the other, bypassing policy and profile filtering.
  • poweroff-keep—Interrupt connectivity when powered off.

Note: The name of this setting varies by which ports are wired together for bypass in your specific hardware model.

poweroff-bypass

Related topics

system fail-open

system fail-open

If your appliance’s hardware model, network cabling, and configuration supports it, you can configure fail-to-wire/bypass behavior. This allows traffic to pass through unfiltered between 2 ports (a link pair) while the FortiWeb appliance is shut down, rebooting, or has unexpectedly lost power such as due to being accidentally unplugged or PSU failure.

Fail-open is supported only:

  • when the operation mode is True Transparent Proxy, Transparent Inspection, or WCCP
  • in standalone mode (not HA)
  • for a bridge (V-zone) between ports wired to a CP7 processor or other hardware which provides support for fail-to-wire
    • FortiWeb 600D: port1 + port2
    • FortiWeb 1000D: port3 + port4 or port5 + port6
    • FortiWeb 1000E: port3 + port4 + port5 + port6
    • FortiWeb 2000E: port1 + port2 or port3 + port4
    • FortiWeb3000E/4000E: port9 + port10, port11 + port12, port13 + port14, or port15 + port16
    • FortiWeb 3010E: port3 + port4, port9 + port10, port11 + port12, port13 + port14 or port15 + port16
    • FortiWeb 600F: port3 + port4

    • FortiWeb 1000F: port1 + port2, port3 + port4, port5 + port6 or port7 + port8

    • FortiWeb 2000F: port1 + port2 or port3 + port4

    • FortiWeb 3000F: port5 + port6, port11 + port12, port13 + port14, port15 + port16 or port17 + port18

    • FortiWeb 4000F: port1 + port2, port3 + port4, port13 + port14, port15 + port16, port17 + port18 or port19 + port20

FortiWeb HA clusters, and ports not wired to a CP7/fail-open chip do not support fail-to-wire.

In the case of HA, don’t use fail-open—instead, use a standby HA appliance to provide full fault tolerance.

Bypass results in degraded security while FortiWeb is shut down, and therefore HA is usually a better solution: it ensures that degraded security does not occur if one of the appliances is shut down. If it is possible that both of your HA FortiWeb appliance could simultaneously lose power, you can add an external bypass device such as FortiBridge.

Fail-to-wire may be useful if you are required by contract to provide uninterrupted connectivity, or if you consider connectivity interruption to be a greater risk than being open to attack during the power interruption.

To use this command, your administrator account’s access control profile must have either w or rw permission to the sysgrp area. For details, see Permissions.

Syntax

config system fail-open

set port3-port4 {poweroff-bypass | poweroff-cutoff}

end

Variable Description Default

port3-port4 {poweroff-bypass | poweroff-cutoff}

Select either:

  • poweroff-bypass—Behave like a wire when powered off, allowing connections to pass directly through from one port to the other, bypassing policy and profile filtering.
  • poweroff-keep—Interrupt connectivity when powered off.

Note: The name of this setting varies by which ports are wired together for bypass in your specific hardware model.

poweroff-bypass

Related topics