Handbook

Built-in fail-open bypass

The following FortiDDoS-F models have built-in copper and/or optical bypass (fail-open) mechanisms:

  • FortiDDoS-200F

    • Active fail-open bypass on copper (RJ-45) network connections 1-8. Fail-open operates at any speed up to 1Gbps but both link speeds must match.

    • Active optical fail-open bypass on Ports 13-16. Bypass ports support GE Short-Range, Multi-Mode fiber only, with LC connectors. GE transceivers are built-in to the chassis.

  • FortiDDoS-1500F - Active optical fail-open bypass on Ports 5-8. Ports support 10GE Short-Range, Multi-Mode fiber only, with LC connectors. 10GE transceivers are built-in to the chassis.

  • FortiDDoS-1500F-LR - Active optical fail-open bypass on Ports 5-8. Ports support 10GE Long-Range, Single Mode fiber only, with LC connectors. 10GE transceivers are built-in to the chassis.

  • FortiDDoS-2000F - Passive optical fail-open bypass ports support two fail-open links when cross-connected to any two port pairs from 1-2 or 3-4 (10GE) and/or from 5-6 or 7-8 (40GE). Transceivers in ports 1-8 must be 10GE or 40GE, Single Mode fiber only, with LC connectors. The bypass ports will support any LR or ZR transceiver using 1310 or 1550nm optics. ER reach optics may not work and may require ZR with attenuation.

  • FortiDDoS-3000F - Passive optical fail-open bypass ports support two fail-open links when cross-connected to any two port pairs from 1-2 or 7-8 (40GE/100GE) and/or from 3-4 or 5-6 (10GE). Transceivers in ports 1-8 must be 10GE, 40GE or 100GE, Single Mode fiber only, with LC connectors. The bypass ports will support any DR, LR, ER or ZR transceiver using 1310 or 1550nm optics.

  • All other ports on any F-Series model do not support fail-open. An external bypass bridge/switch is required if extra fail-open ports are needed.

You can use the Global Protection > Deployment > Deployment tab to configure the internal bypass mechanism to fail open or fail closed for F-Series appliances.

By default, the interfaces are configured to fail open. This means that under failure conditions the interfaces pass traffic through without performing any monitoring or prevention tasks. Packets that arrive at ingress ports are simply transferred to the corresponding egress ports, just like a wire or optical cable.

If you use an external bypass solution, configure the interfaces to fail closed. This means traffic is not forwarded through the interfaces when FortiDDoS fails. An external bypass system detects the outage and routes traffic around the FortiDDoS.

If you deploy an active-passive cluster, configure the interfaces on the Primary node to fail closed so the adjacent switches can select the secondary node. The secondary unit can be set to fail closed or fail open, depending on how you want to handle the situation if both FortiDDoS nodes are down.

The table below summarizes bypass behavior for a sequence of system states. During boot up, system processes are started. When boot up is complete the appliance exits the bypass state. Traffic is routed through the system, is monitored, and policies enforced.

In the event of a failure, or a manual or system-caused reboot, system processes are unavailable because they are either being restarted or shut down, and the appliance enters the bypass state.

System state and bypass

User Option   State 1: Power Off   State 2: Just Powered Up   State 3: Boot Up Process   State 4: System Ready   State 5: Failure or Reboot   State 6: Power Off
Fail Open     Bypass               Bypass                     Bypass                     Traffic Processed       Bypass                       Bypass
Fail Closed   Closed               Closed                     Closed                     Traffic Processed       Closed                       Closed

Manual Bypass

In versions 6.5.x and 6.6.0/1 of the release, when FortiDDoS Power Off Bypass Mode is set to Fail Closed, a manual bypass (fail open) can be initiated. However, a bug exists where, during power failure or reboot scenarios, the Fail Closed condition becomes transient, shifting to Fail Open (bypass) within a few seconds. This transient state can lead to undesired outcomes, such as BGP flapping.

In 6.6.3, Fail Closed works as stated in the System state and bypass table but manual forced fail open is no longer available unless a multi-step process is followed:

  1. Change the Power Off Bypass Mode from Fail Closed to Fail Open.

  2. Force Bypass using GUI or CLI.

    Force Bypass from GUI

    1. Go to Dashboard and see the System Information panel, Bypass Status line.

    2. Click the “Inline” link. The system will ask for confirmation before bypassing traffic.

    3. The “Inline” link changes to “Bypass”.

    4. Click the “Bypass” link and confirm to return Inline.

    Force Bypass from CLI

    In addition to the automatic bypass settings, the applicable models support manual bypass with the following CLI command:

    execute bypass-traffic {enable | disable}

    This command is available only when the Power Off Bypass Mode is "Fail Open"; for "Fail Closed," follow the instructions for Force Bypass from GUI.

    When using the CLI, the GUI Dashboard > Status > System Information panel will display the current Inline/Bypass status. Keep in mind that the manual bypass-traffic enable state doesn't persist after a reboot; after a reboot, the appliance returns to inline mode.

  3. When finished, revert the system to Inline via GUI or CLI.

  4. Change the Power Off Bypass Mode from Fail Open to Fail Closed.
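As an added illustration (not part of the Fortinet handbook or product), the following Python checker encodes the deployment guidance above: which ports on each F-Series model actually provide built-in fail-open, when Fail Closed is required, which firmware trains show the transient Fail Closed to Fail Open drift, and what the System state and bypass table predicts for each state. The Deployment fields and all sample deployments are constructed for the example.

```python
"""Sanity checks derived from the FortiDDoS-F fail-open bypass guidance (example, not vendor code)."""
from dataclasses import dataclass, field

# Ports with built-in fail-open per model, as listed in the handbook text.
BYPASS_PORTS = {
    "FortiDDoS-200F": set(range(1, 9)) | set(range(13, 17)),   # copper 1-8, optical 13-16
    "FortiDDoS-1500F": {5, 6, 7, 8},
    "FortiDDoS-1500F-LR": {5, 6, 7, 8},
    "FortiDDoS-2000F": set(range(1, 9)),                       # cross-connected port pairs 1-8
    "FortiDDoS-3000F": set(range(1, 9)),
}
# Behaviour per system state 1..6, as in the "System state and bypass" table.
STATE_TABLE = {
    "fail-open":   ["Bypass", "Bypass", "Bypass", "Traffic Processed", "Bypass", "Bypass"],
    "fail-closed": ["Closed", "Closed", "Closed", "Traffic Processed", "Closed", "Closed"],
}

@dataclass
class Deployment:                      # hypothetical description of one appliance
    model: str
    firmware: str
    power_off_mode: str                # "fail-open" or "fail-closed"
    bypass_ports: set = field(default_factory=set)  # ports you rely on to fail open
    external_bypass: bool = False
    cluster_role: str = ""             # "", "primary" or "secondary" (active-passive)

def has_transient_fail_closed_bug(firmware: str) -> bool:
    """6.5.x and 6.6.0/6.6.1 drift from Fail Closed to Fail Open for a few seconds on reboot."""
    parts = firmware.split(".")
    return parts[:2] == ["6", "5"] or firmware in ("6.6.0", "6.6.1")

def check_deployment(d: Deployment) -> list:
    """Return warnings where the deployment contradicts the handbook guidance."""
    findings = []
    unsupported = d.bypass_ports - BYPASS_PORTS.get(d.model, set())
    if unsupported:
        findings.append(f"ports {sorted(unsupported)} have no built-in fail-open on {d.model}")
    if d.external_bypass and d.power_off_mode != "fail-closed":
        findings.append("external bypass in use: interfaces should fail closed")
    if d.cluster_role == "primary" and d.power_off_mode != "fail-closed":
        findings.append("active-passive primary should fail closed so switches pick the secondary")
    if d.power_off_mode == "fail-closed" and has_transient_fail_closed_bug(d.firmware):
        findings.append(f"firmware {d.firmware}: transient Fail Open on reboot (BGP flapping risk)")
    return findings

def expected_behaviour(power_off_mode: str, state: int) -> str:
    """What the appliance does in system state 1..6 for the configured mode."""
    return STATE_TABLE[power_off_mode][state - 1]
```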