Basic and Advanced Network Topologies : Built-in bypass
 
Built-in bypass
The following FortiDDoS network interface connections have a built-in bypass mechanism:
Any copper (RJ-45) network connections (for example, the RJ-45 connections for ports 1-16 on FortiDDoS 400B or 800B)
Ports 17-20 on the FortiDDoS 2000B, which are fixed LC connectors
This automatic bypass functionality is not available for the other fiber-optic connections on the FortiDDoS 2000B (ports 1-16) or for any of the fiber-optic connections found on other models. Traffic on those ports is not passed through while the appliance is down; plan an external bypass or an HA peer for them.
Bypass is activated under the following conditions:
The appliance is not powered up or is starting up or rebooting
The appliance's FortiASIC processor or integrated switch fabric fails
You can use the Global Settings > Settings page to configure the internal bypass mechanism to fail open or fail closed.
By default, the interfaces are configured to fail open. This means that interfaces pass traffic through without performing any monitoring or prevention tasks. Packets that arrive at ingress ports are simply transferred to the corresponding egress ports, just like a wire.
If you use an external bypass solution, configure the interfaces to fail closed. This means traffic is not forwarded through the interfaces. An external bypass system can detect the outage and forward traffic around the FortiDDoS.
If you deploy an active-passive cluster, configure the interfaces on the primary node to fail closed so the adjacent switches can select the secondary node. The secondary unit can be set to fail closed or fail open, depending on how you want to handle the situation if both FortiDDoS nodes are down.
Table 82 summarizes bypass behavior for a sequence of system states. During boot up, daemons and drivers are started. When boot up is complete and all memory tables are clean, the TP2-ASIC is ready for packet processing, and the appliance exits the bypass state. Traffic is then routed through the TP2-ASIC, where it is monitored and policies are enforced. In the event of a failure, manual reboot, or graceful shutdown, system services are unavailable because they are either being restarted or shut down, and the appliance re-enters the bypass state (fail open) or stops forwarding (fail closed), according to the configured option.
Table 82: System state and bypass

User Option   State 1     State 2           State 3           State 4        State 5                        State 6
              Power Off   Just Powered Up   Boot Up Process   System Ready   Failure, Reboot, or            Power Off
                                                                             Graceful Shutdown
Fail Open     Bypass      Bypass            Bypass            Bypass off     Bypass                         Bypass
Fail Close    Closed      Closed            Closed            Bypass off     Closed                         Closed
 
 
In addition to the automatic bypass settings, FortiDDoS 200B, 400B, and 800B support manual bypass (for copper ports) with the following CLI command:
execute bypass-traffic {enable|disable}
This command forces the appliance interfaces into bypass (fail open), regardless of the fail open/fail closed setting on the Global Settings > Settings page. The command has no option to fail closed.
Note that if you use the CLI command to initiate bypass, you must use the CLI command to disable that state.
After you have executed this command, go to the System Dashboard to confirm the bypass state for the interfaces. If not all of the interfaces have gone to bypass state or returned from bypass state, execute the command a second time.
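The following is an added behavioural model, not Fortinet code and not something that talks to an appliance. It encodes Table 82, the fail open/fail closed option and the manual execute bypass-traffic command, so the interaction of the three can be checked offline before a change window. The class, method and port names, the fault injected on one port, and the choice to treat ports without bypass hardware as closed while the unit is down are assumptions of this example; the verification-and-retry routine follows the advice in the paragraph above.

```python
"""Behavioural model of the FortiDDoS built-in bypass described on this page.

Added example, not Fortinet code: it does not talk to an appliance. It encodes
Table 82, the fail-open / fail-closed setting and the manual
'execute bypass-traffic' command so their interaction can be checked offline.
Class, method and port names are assumptions of this example.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple


class SystemState(Enum):
    POWER_OFF = "Power Off"                              # states 1 and 6
    JUST_POWERED_UP = "Just Powered Up"                  # state 2
    BOOT_UP = "Boot Up Process"                          # state 3
    SYSTEM_READY = "System Ready"                        # state 4
    FAILURE = "Failure, Reboot, or Graceful Shutdown"    # state 5


class LinkState(Enum):
    BYPASS = "Bypass"          # ingress copied to egress like a wire, no inspection
    CLOSED = "Closed"          # nothing forwarded; external bypass or the HA peer takes over
    BYPASS_OFF = "Bypass off"  # TP2-ASIC monitors traffic and enforces policy


@dataclass
class Port:
    name: str
    bypass_capable: bool                # RJ-45 ports, and the fixed LC ports 17-20 on a 2000B
    manual_bypass: bool = False         # changed only by 'execute bypass-traffic'
    ignores_next_command: bool = False  # constructed fault so the retry path is exercised


@dataclass
class FortiDDoS:
    ports: List[Port]
    fail_open: bool = True                       # Global Settings > Settings; the default
    state: SystemState = SystemState.POWER_OFF

    def _auto_state(self, port: Port) -> LinkState:
        """Table 82 for one port, ignoring any manual bypass."""
        if self.state is SystemState.SYSTEM_READY:
            return LinkState.BYPASS_OFF          # ASIC ready: bypass exits
        if not port.bypass_capable:
            return LinkState.CLOSED              # assumption: no bypass hardware, link is dark
        return LinkState.BYPASS if self.fail_open else LinkState.CLOSED

    def link_state(self, port: Port) -> LinkState:
        # The manual command only fails open; it has no fail-closed option.
        return LinkState.BYPASS if port.manual_bypass else self._auto_state(port)

    def dashboard(self) -> Dict[str, str]:
        """What the System Dashboard would show per interface."""
        return {p.name: self.link_state(p).value for p in self.ports}

    def execute_bypass_traffic(self, enable: bool) -> None:
        """'execute bypass-traffic {enable|disable}' for the bypass-capable ports."""
        for p in self.ports:
            if not p.bypass_capable:
                continue
            if p.ignores_next_command:           # constructed: drop exactly one command
                p.ignores_next_command = False
                continue
            p.manual_bypass = enable

    def bypass_traffic_verified(self, enable: bool) -> Tuple[int, bool]:
        """Run the command, confirm every capable interface on the dashboard,
        and run it a second time if any interface did not change state."""
        for attempt in (1, 2):
            self.execute_bypass_traffic(enable)
            shown = self.dashboard()
            expected = {p.name: (LinkState.BYPASS if enable else self._auto_state(p)).value
                        for p in self.ports if p.bypass_capable}
            if all(shown[n] == s for n, s in expected.items()):
                return attempt, True
        return 2, False


def table_82(fail_open: bool) -> List[str]:
    """Walk one bypass-capable port through the six states of Table 82."""
    box = FortiDDoS([Port("port1", bypass_capable=True)], fail_open=fail_open)
    out = []
    for s in (SystemState.POWER_OFF, SystemState.JUST_POWERED_UP, SystemState.BOOT_UP,
              SystemState.SYSTEM_READY, SystemState.FAILURE, SystemState.POWER_OFF):
        box.state = s
        out.append(box.link_state(box.ports[0]).value)
    return out


def manual_bypass_demo() -> dict:
    """Constructed scenario: a running, fail-closed unit with three copper ports
    (port2 drops the first command) and one interface without built-in bypass."""
    box = FortiDDoS([Port("port1", True), Port("port2", True, ignores_next_command=True),
                     Port("port3", True), Port("fiber1", False)],
                    fail_open=False, state=SystemState.SYSTEM_READY)
    enable_attempts, enable_ok = box.bypass_traffic_verified(True)
    after_enable = box.dashboard()
    # Only the disable command returns the ports to the automatic behaviour.
    disable_attempts, disable_ok = box.bypass_traffic_verified(False)
    return {"enable_attempts": enable_attempts, "enable_ok": enable_ok,
            "after_enable": after_enable,
            "disable_attempts": disable_attempts, "disable_ok": disable_ok,
            "after_disable": box.dashboard()}


if __name__ == "__main__":
    print(table_82(True))
    print(table_82(False))
    print(manual_bypass_demo())
```

table_82(True) and table_82(False) reproduce the two rows of Table 82. manual_bypass_demo() shows the manual command needing a second pass because one port ignored the first, the port without bypass hardware staying in inspection (the command does not touch it), and the unit returning to "Bypass off" only after execute bypass-traffic disable.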