Built-in bypass
The following FortiDDoS network interface connections have a built-in bypass mechanism:
• Any copper (RJ-45) network connections (for example, the RJ-45 connections for ports 1-16 on FortiDDoS 400B or 800B)
• Ports 17-20 on the FortiDDoS 2000B, which are fixed LC connectors
This automatic bypass functionality is not available for the other fiber-optic connections on the FortiDDoS 2000B (ports 1-17) or for any of the fiber-optic connections found on other models.
Bypass is activated under the following conditions:
• The appliance is not powered up or is starting up or rebooting
• The appliance’s FortiASIC processor or integrated switch fabric fails
You can use the Global Settings > Settings page to configure the internal bypass mechanism to fail open or fail closed.
By default, the interfaces are configured to fail open. This means that interfaces pass traffic through without performing any monitoring or prevention tasks. Packets that arrive at ingress ports are simply transferred to the corresponding egress ports, just like a wire.
If you use an external bypass solution, configure the interfaces to fail closed. This means traffic is not forwarded through the interfaces. An external bypass system can detect the outage and forward traffic around the FortiDDoS.
If you deploy an active-passive cluster, configure the interfaces on the primary node to fail closed so the adjacent switches can select the secondary node. The secondary unit can be set to fail closed or fail open, depending on how you want to handle the situation if both FortiDDoS nodes are down.
Table 81 summarizes bypass behavior for a sequence of system states. During boot up, daemons and drivers are started. When boot up is complete and all memory tables are clean, the TP2-ASIC is ready for packet processing, and the appliance exits the bypass state. Traffic is then routed through the TP2-ASIC, where it is monitored and policies are enforced. In the event of failure, manual reboot, or graceful shutdown, system services are unavailable because they are either being restarted or shut down, and the appliance enters the bypass state.
Table 81: System state and bypass
User Option | State 1: Power Off | State 2: Just Powered Up | State 3: Boot Up Process | State 4: System Ready | State 5: Failure, Reboot, or Graceful Shutdown | State 6: Power Off |
Fail Open | Bypass | Bypass | Bypass | Bypass off | Bypass | Bypass |
Fail Close | Closed | Closed | Closed | Bypass off | Closed | Closed |
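
The deployment guidance above can be checked against an inventory of traffic ports. The following is an added example, not Fortinet code: the Link record, the finding codes and the sample node names are assumptions made for illustration, and the port rules are taken only from the lists on this page.

```python
from dataclasses import dataclass

@dataclass
class Link:                 # hypothetical inventory record, one per traffic port
    node: str
    model: str              # e.g. "800B", "2000B"
    port: int
    media: str              # "copper" or "fiber"
    fail_mode: str          # "open" or "closed" (the Global Settings choice)
    ha_role: str            # "standalone", "primary" or "secondary"
    external_bypass: bool   # an external bypass unit sits around this link

def has_builtin_bypass(model: str, port: int, media: str) -> bool:
    """Ports this page lists as having built-in bypass."""
    if media == "copper":                         # any RJ-45 connection
        return True
    return model == "2000B" and 17 <= port <= 20  # fixed LC ports on the 2000B

def audit(links):
    """Return (node, port, code) findings for settings that contradict the page."""
    findings = []
    for l in links:
        codes = []
        if l.external_bypass and l.fail_mode != "closed":
            codes.append("EXT_BYPASS_NEEDS_FAIL_CLOSED")
        if l.ha_role == "primary" and l.fail_mode != "closed":
            codes.append("PRIMARY_NEEDS_FAIL_CLOSED")
        if not codes and l.fail_mode == "open":
            if has_builtin_bypass(l.model, l.port, l.media):
                # Wire-like pass-through in every state except "System Ready".
                codes.append("UNINSPECTED_DURING_OUTAGE")
            else:
                codes.append("FAIL_OPEN_WITHOUT_BUILTIN_BYPASS")
        findings += [(l.node, l.port, c) for c in codes]
    return findings

# Constructed sample inventory (node names are made up).
SAMPLE = [
    Link("ddos-a", "800B", 1, "copper", "open", "standalone", False),
    Link("ddos-b", "800B", 3, "copper", "open", "standalone", True),
    Link("ddos-c", "2000B", 18, "fiber", "open", "primary", False),
    Link("ddos-d", "2000B", 18, "fiber", "closed", "secondary", False),
    Link("ddos-e", "2000B", 5, "fiber", "open", "standalone", False),
]

if __name__ == "__main__":
    for node, port, code in audit(SAMPLE):
        print(f"{node} port {port}: {code}")
```

UNINSPECTED_DURING_OUTAGE is informational: it marks links where the default fail-open setting forwards packets with no monitoring or prevention whenever the appliance is off, booting, or failed.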