Fortinet 520 FortiWeb 5.0 Patch 6 Administration Guide
Fail-to-wire for power loss/rebootsIf your appliance’s hardware model, network cabling, and configuration supports it, you can
configure fail-to-wire/bypass behavior. This allows traffic to pass through unfiltered between 2
ports (a link pair) while the FortiWeb appliance is shut down, rebooting, or has unexpectedly lost
power such as due to being accidentally unplugged or PSU failure.
Fail-to-wire may be useful if you are required by contract to provide uninterrupted connectivity,
or if you consider connectivity interruption to be a greater risk than being open to attack during
the power interruption.
Aside from the usual network topology requirements for the transparent operation modes, there
are no special requirements for fail-to-wire. During setup, after setting the operation mode, you
will simply go to System > Network > Fail-open then select either:
•PowerOff-Bypass — Behave as a wire when the FortiWeb appliance is powered off, allowing
connections to pass directly through from one port to the other, bypassing all policy scans
and modifications.
•PowerOff-Cutoff — Interrupt connectivity when the FortiWeb appliance is powered off.
Bypass is disabled. This is the default.
Fail-open is supported only:
• in true transparent proxy mode or transparent inspection operation mode
• in standalone mode (not HA)
• for a bridge (V-zone) between ports wired to a CP7 processor or other hardware which
provides support for fail-to-wire
• FortiWeb 1000C: port3 + port4
• FortiWeb 3000C/D: port5 + port6
• FortiWeb 4000C/D: port5 + port6 or port7 + port8
• FortiWeb 3000CFsx/DFsx: port5 + port6 or port7 + port8
FortiWeb-400B/400C, FortiWeb HA clusters, and ports not wired to a CP7/fail-open chip do not
support fail-to-wire.
In the case of HA, don’t use fail-open — instead, use a standby HA appliance to provide full
fault tolerance.
Bypass results in degraded security while FortiWeb is shut down, and therefore HA is usually a
better solution: it ensures that degraded security does not occur if one of the appliances is shut
down. If it is possible that both of your HA FortiWeb appliance could simultaneously lose
power, you can add an external bypass device such as FortiBridge.