When STP is disabled, fail-to-wire can quickly resume vzone traffic after a failover occurs. When STP is enabled, vzone traffic will resume only once the STP convergence process is complete.
If your appliance’s hardware model, network cabling, and configuration supports it, you can configure fail-to-wire/bypass behavior. This allows traffic to pass through unfiltered between 2 ports (a link pair) while the FortiWeb appliance is shut down, rebooting, or has unexpectedly lost power such as due to being accidentally unplugged or PSU failure.
Fail-to-wire may be useful if you are required by contract to provide uninterrupted connectivity, or if you consider connectivity interruption to be a greater risk than being open to attack during the power interruption.
Fail-to-wire is supported only:
FortiWeb-400B/400C, FortiWeb HA clusters, and ports not wired to a CP7/fail-open chip do not support fail-to-wire.
In the case of HA, don’t use fail-open—instead, use a standby HA appliance to provide full fault tolerance.
Bypass results in degraded security while FortiWeb is shut down, and therefore HA is usually a better solution: it ensures that degraded security does not occur if one of the appliances is shut down. If it is possible that both of your HA FortiWeb appliance could simultaneously lose power, you can add an external bypass device such as FortiBridge (http://docs.fortinet.com/fortibridge).
|
|
When STP is disabled, fail-to-wire can quickly resume vzone traffic after a failover occurs. When STP is enabled, vzone traffic will resume only once the STP convergence process is complete. |
Aside from the usual network topology requirements for the transparent operation modes, there are no special requirements for fail-to-wire. During setup, after setting the operation mode, you will simply go to System > Network > Fail-open and select either: