Fail-open is supported only: • in true transparent proxy mode or transparent inspection operation mode • in standalone mode (not HA) • for a bridge (V‑zone) between ports wired to a CP7 processor or other hardware which provides support for fail-to-wire • FortiWeb 1000C: port3 + port4 • FortiWeb 1000D: port3 + port4 and port5 + port6 • FortiWeb 3000C/D: port5 + port6 • FortiWeb 4000C/D: port5 + port6 and port7 + port8 • FortiWeb 3000CFsx: port5 + port6 and port7 + port8 • FortiWeb 3000DFsx: port5 + port6 FortiWeb 400B/400C, FortiWeb HA clusters, and ports not wired to a CP7/fail-open chip do not support fail-to-wire. |
In the case of HA, don’t use fail-open — instead, use a standby HA appliance to provide full fault tolerance. Bypass results in degraded security while FortiWeb is shut down, and therefore HA is usually a better solution: it ensures that degraded security does not occur if one of the appliances is shut down. If it is possible that both of your HA FortiWeb appliance could simultaneously lose power, you can add an external bypass device such as FortiBridge. |
Variable | Description | Default |
port3-port4 {poweroff‑bypass | poweroff-cutoff} | Select either: • poweroff-bypass — Behave like a wire when powered off, allowing connections to pass directly through from one port to the other, bypassing policy and profile filtering. • poweroff-keep — Interrupt connectivity when powered off. Note: The name of this setting varies by which ports are wired together for bypass in your specific hardware model. | poweroff-bypass |