Fortinet Version 3.0 manual Enabling probes to detect FortiGate hardware failure

FortiBridge operating principles

Normal mode operation

Table 1: FortiBridge probes and FortiGate firewall policy requirements (Continued)

| Probe | Description | FortiGate firewall policy: Direction | FortiGate firewall policy: Service |
|-------|-------------|--------------------------------------|------------------------------------|
| POP3 | POP3 packets are sent from a POP3 client at the INT 2 interface to a POP3 server at the EXT 2 interface. The POP3 server sends a response from the EXT 2 interface to the INT 2 interface. | Internal -> External | POP3 or ANY |
| SMTP | SMTP packets are sent from an SMTP server at the INT 2 interface to an SMTP server at the EXT 2 interface. The SMTP server sends a response from the EXT 2 interface to the INT 2 interface. | Internal -> External | SMTP or ANY |
| IMAP | IMAP packets are sent from an IMAP client at the INT 2 interface to an IMAP server at the EXT 2 interface. The IMAP server sends a response from the EXT 2 interface to the INT 2 interface. | Internal -> External | IMAP or ANY |

Enabling probes to detect FortiGate hardware failure

A FortiGate unit can stop processing network traffic because of a hardware failure such as the failure of a hardware component, a loss of power, or a loss of connectivity if a network cable is unplugged.

If a hardware failure occurs, the FortiGate unit stops processing all traffic. You can enable any FortiBridge probe for the FortiBridge unit to detect a FortiGate hardware failure.

Enabling probes to detect FortiGate software failure

A FortiGate unit can also stop processing network traffic because of a software failure. For example, a firmware issue could cause a specific software process to crash. Also, network traffic could increase to a point where the FortiGate unit cannot process all traffic. As a result, the FortiGate unit could stop processing some or all traffic without a hardware failure occurring.

To detect a FortiGate software failure, you can enable probes for FortiGate services that you want to provide fail open protection for. For example, if it is a high priority for your network to provide SMTP email services, you should enable the SMTP probe. If the SMTP probe detects a failure of SMTP traffic through the FortiGate unit, the FortiBridge unit switches to bypass mode to maintain SMTP traffic flow.

If you do not consider FTP traffic a high priority, you can leave the FTP probe disabled. In this configuration, if only FTP traffic fails, the FortiBridge does not switch to bypass mode.

Probe interval and probe threshold

For each probe, you set a probe interval and a probe threshold. The probe interval defines how often to test the connection. The probe threshold defines how many consecutive failed probes can occur before the FortiBridge considers the connection to have failed.
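The following sketch is an added illustration, not FortiBridge code or CLI output. It models how the probe interval, the probe threshold and the per-probe enable setting together decide if and when bypass mode starts. It assumes that failure is declared once the run of consecutive failed probes reaches the threshold and that result i arrives (i + 1) × interval seconds after monitoring starts; all settings and probe results are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Probe:
    name: str
    enabled: bool
    interval_s: int   # probe interval: seconds between tests
    threshold: int    # consecutive failed probes that mark the connection as failed

def trip_time(probe: Probe, results: list) -> Optional[int]:
    """Seconds until this probe declares failure, or None if it never does.

    Assumption: result i is obtained (i + 1) * interval_s seconds after start.
    """
    if not probe.enabled:
        return None                  # a disabled probe never triggers bypass
    run = 0
    for i, ok in enumerate(results):
        run = 0 if ok else run + 1   # a success resets the consecutive count
        if run >= probe.threshold:
            return (i + 1) * probe.interval_s
    return None

def bypass_time(probes, observed) -> Optional[int]:
    """Earliest time any enabled probe trips, i.e. when bypass mode would start."""
    times = [trip_time(p, observed.get(p.name, [])) for p in probes]
    times = [t for t in times if t is not None]
    return min(times) if times else None

# Constructed settings and results (True = reply received, False = no reply).
PROBES = [
    Probe("smtp", enabled=True, interval_s=2, threshold=3),
    Probe("imap", enabled=True, interval_s=1, threshold=5),
    Probe("ftp", enabled=False, interval_s=2, threshold=3),
]
ONLY_FTP_FAILS = {"smtp": [True] * 6, "imap": [True] * 6, "ftp": [False] * 6}
FLAPPING_SMTP = {"smtp": [True, False, False, True, False, False, False],
                 "imap": [True] * 14}
TOTAL_OUTAGE = {"smtp": [False] * 6, "imap": [False] * 6, "ftp": [False] * 6}

if __name__ == "__main__":
    for label, obs in [("only FTP fails", ONLY_FTP_FAILS),
                       ("flapping SMTP", FLAPPING_SMTP),
                       ("total outage", TOTAL_OUTAGE)]:
        print(label, "->", bypass_time(PROBES, obs))
```

In the flapping case, two failures followed by a success do not trip the SMTP probe; only the later run of three does. A lower threshold or shorter interval detects failures sooner but makes a switch to bypass mode, where traffic no longer passes through the FortiGate unit, more likely on transient loss.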

FortiBridge Version 3.0 Administration Guide


09-30000-0163-20061109
