Fortinet 520 FortiWeb 5.0 Patch 6 Administration Guide
Fail-to-wire for power loss/reboots
If your appliance’s hardware model, network cabling, and configuration support it, you can
configure fail-to-wire/bypass behavior. This allows traffic to pass through unfiltered between 2
ports (a link pair) while the FortiWeb appliance is shut down, rebooting, or has unexpectedly lost
power, for example because it was accidentally unplugged or its PSU failed.
Fail-to-wire may be useful if you are required by contract to provide uninterrupted connectivity,
or if you consider connectivity interruption to be a greater risk than being open to attack during
the power interruption.
Aside from the usual network topology requirements for the transparent operation modes, there
are no special requirements for fail-to-wire. During setup, after setting the operation mode, you
will simply go to System > Network > Fail-open then select either:
• PowerOff-Bypass — Behave as a wire when the FortiWeb appliance is powered off, allowing
  connections to pass directly through from one port to the other, bypassing all policy scans
  and modifications.
• PowerOff-Cutoff — Interrupt connectivity when the FortiWeb appliance is powered off.
  Bypass is disabled. This is the default.
Fail-open is supported only:
• in true transparent proxy mode or transparent inspection operation mode
• in standalone mode (not HA)
• for a bridge (V-zone) between ports wired to a CP7 processor or other hardware which
  provides support for fail-to-wire
    • FortiWeb 1000C: port3 + port4
    • FortiWeb 3000C/D: port5 + port6
    • FortiWeb 4000C/D: port5 + port6 or port7 + port8
    • FortiWeb 3000CFsx/DFsx: port5 + port6 or port7 + port8
FortiWeb-400B/400C, FortiWeb HA clusters, and ports not wired to a CP7/fail-open chip do not
support fail-to-wire.
In the case of HA, don’t use fail-open — instead, use a standby HA appliance to provide full
fault tolerance.
Bypass results in degraded security while FortiWeb is shut down, and therefore HA is usually a
better solution: it ensures that degraded security does not occur if one of the appliances is shut
down. If it is possible that both of your HA FortiWeb appliances could simultaneously lose
power, you can add an external bypass device such as FortiBridge.
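The support conditions above can be checked against a deployment inventory before anyone relies on bypass. The following Python sketch is an added example, not Fortinet code: the function name, its arguments, and the expansion of "3000C/D"-style entries into separate model names are assumptions made for illustration.

```python
# Added example: the rules are transcribed from the list on this page.
# check_fail_open() and the model keys are hypothetical names, not a FortiWeb API.
def _pairs(*pairs):
    return [frozenset(p) for p in pairs]

SUPPORTED_PAIRS = {
    "1000C": _pairs(("port3", "port4")),
    "3000C": _pairs(("port5", "port6")),
    "3000D": _pairs(("port5", "port6")),
    "4000C": _pairs(("port5", "port6"), ("port7", "port8")),
    "4000D": _pairs(("port5", "port6"), ("port7", "port8")),
    "3000CFsx": _pairs(("port5", "port6"), ("port7", "port8")),
    "3000DFsx": _pairs(("port5", "port6"), ("port7", "port8")),
}
TRANSPARENT_MODES = {"true transparent proxy", "transparent inspection"}
SETTINGS = ("PowerOff-Bypass", "PowerOff-Cutoff")

def check_fail_open(model, op_mode, ha_enabled, bridge_ports,
                    setting="PowerOff-Cutoff"):
    """Return (supported, notes) for one bridge (V-zone) on one appliance.

    supported: True if the bridge meets every fail-open condition on this page.
    notes: why it is unsupported, or the security trade-off if bypass is on.
    """
    if setting not in SETTINGS:
        raise ValueError("unknown fail-open setting: %r" % (setting,))
    notes = []
    if op_mode.lower() not in TRANSPARENT_MODES:
        notes.append("operation mode is not a transparent mode")
    if ha_enabled:
        notes.append("HA is enabled; use a standby HA appliance instead")
    # Port order does not matter, so compare as unordered pairs.
    if frozenset(bridge_ports) not in SUPPORTED_PAIRS.get(model, []):
        notes.append("ports are not a fail-to-wire link pair on this model")
    supported = not notes
    if supported and setting == "PowerOff-Bypass":
        notes.append("traffic passes unfiltered while the appliance is off")
    return supported, notes

if __name__ == "__main__":
    # Constructed sample inventory, for illustration only.
    inventory = [
        ("1000C", "true transparent proxy", False, ("port3", "port4"), "PowerOff-Bypass"),
        ("400C", "transparent inspection", False, ("port1", "port2"), "PowerOff-Bypass"),
        ("3000D", "true transparent proxy", True, ("port5", "port6"), "PowerOff-Bypass"),
    ]
    for row in inventory:
        print(row[0], row[3], check_fail_open(*row))
```

A supported bridge set to PowerOff-Bypass still returns a note, because the page treats bypass as a deliberate acceptance of unfiltered traffic during the outage.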