FortiBridge operating principles

Normal mode operation

Table 1: FortiBridge probes and FortiGate firewall policy requirements (Continued)

 

 

FortiGate Firewall policy

Probe

Description

 

 

Direction

Service

 

 

 

 

POP3

POP3 packets are sent from a POP3 client

Internal ->External

POP3 or ANY

 

at the INT 2 interface to a POP3 server at

 

 

 

the EXT 2 interface. The POP3 server

 

 

 

sends a response from the EXT 2 interface

 

 

 

to the INT 2 interface.

 

 

 

 

 

 

SMTP

SMTP packets are sent from an SMTP

Internal ->External

SMTP or ANY

 

server at the INT 2 interface to an SMTP

 

 

 

server at the EXT 2 interface. The SMTP

 

 

 

server sends a response from the EXT 2

 

 

 

interface to the INT 2 interface.

 

 

 

 

 

 

IMAP

IMAP packets are sent from an IMAP client

Internal ->External

IMAP or ANY

 

at the INT 2 interface to an IMAP server at

 

 

 

the EXT 2 interface. The IMAP server sends

 

 

 

a response from the EXT 2 interface to the

 

 

 

INT 2 interface.

 

 

 

 

 

 

Enabling probes to detect FortiGate hardware failure

A FortiGate unit can stop processing network traffic because of a hardware failure such as the failure of a hardware component, a loss of power, or a loss of connectivity if a network cable is unplugged.

If a hardware failure occurs, the FortiGate unit stops processing all traffic. You can enable any FortiBridge probe for the FortiBridge unit to detect a FortiGate hardware failure.

Enabling probes to detect FortiGate software failure

A FortiGate unit can also stop processing network traffic because of a software failure. For example, a firmware issue could cause a specific software process to crash. Also, network traffic could increase to a point where the FortiGate unit cannot process all traffic. As a result, the FortiGate unit could stop processing some or all traffic without a hardware failure occurring.

To detect a FortiGate software failure, you can enable probes for FortiGate services that you want to provide fail open protection for. For example, if it is a high priority for your network to provide SMTP email services, you should enable the SMTP probe. If the SMTP probe detects a failure of SMTP traffic through the FortiGate unit, the FortiBridge unit switches to bypass mode to maintain SMTP traffic flow.

If you do not consider FTP traffic a high priority, you can leave the FTP probe disabled. In this configuration, if only FTP traffic fails, the FortiBridge does not switch to bypass mode.

Probe interval and probe threshold

For each probe, you set a probe interval and a probe threshold. The probe interval defines how often to test the connection. The probe threshold defines how many consecutive failed probes can occur before the FortiBridge considers the connection to have failed.

FortiBridge Version 3.0 Administration Guide

13

09-30000-0163-20061109

Page 13
Image 13
Fortinet Version 3.0 manual Enabling probes to detect FortiGate hardware failure, Probe interval and probe threshold