Enabling Probes To Detect Fortigate Hardware Failure; Enabling Probes To Detect Fortigate Software Failure; Probe Interval And Probe Threshold - Fortinet Version 3.0 Administration Manual

Fortinet bridge administration guide

FortiBridge operating principles

Enabling probes to detect FortiGate hardware failure

Enabling probes to detect FortiGate software failure

Probe interval and probe threshold

FortiBridge Version 3.0 Administration Guide
09-30000-0163-20061109
Table 1: FortiBridge probes and FortiGate firewall policy requirements (Continued)

| Probe | Description |
|-------|-------------|
| POP3 | POP3 packets are sent from a POP3 client at the INT 2 interface to a POP3 server at the EXT 2 interface. The POP3 server sends a response from the EXT 2 interface to the INT 2 interface. |
| SMTP | SMTP packets are sent from an SMTP server at the INT 2 interface to an SMTP server at the EXT 2 interface. The SMTP server sends a response from the EXT 2 interface to the INT 2 interface. |
| IMAP | IMAP packets are sent from an IMAP client at the INT 2 interface to an IMAP server at the EXT 2 interface. The IMAP server sends a response from the EXT 2 interface to the INT 2 interface. |

Enabling probes to detect FortiGate hardware failure

A FortiGate unit can stop processing network traffic because of a hardware failure
such as the failure of a hardware component, a loss of power, or a loss of
connectivity if a network cable is unplugged.

If a hardware failure occurs, the FortiGate unit stops processing all traffic. You can
enable any FortiBridge probe for the FortiBridge unit to detect a FortiGate
hardware failure.

Enabling probes to detect FortiGate software failure

A FortiGate unit can also stop processing network traffic because of a software
failure. For example, a firmware issue could cause a specific software process to
crash. Also, network traffic could increase to a point where the FortiGate unit
cannot process all traffic. As a result, the FortiGate unit could stop processing
some or all traffic without a hardware failure occurring.

To detect a FortiGate software failure, you can enable probes for FortiGate
services that you want to provide fail open protection for. For example, if it is a
high priority for your network to provide SMTP email services, you should enable
the SMTP probe. If the SMTP probe detects a failure of SMTP traffic through the
FortiGate unit, the FortiBridge unit switches to bypass mode to maintain SMTP
traffic flow.

If you do not consider FTP traffic a high priority, you can leave the FTP probe
disabled. In this configuration, if only FTP traffic fails, the FortiBridge does not
switch to bypass mode.

Probe interval and probe threshold

For each probe, you set a probe interval and a probe threshold. The probe interval
defines how often to test the connection. The probe threshold defines how many
consecutive failed probes can occur before the FortiBridge considers the
connection to have failed.
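
The following simulation is an added example, not code from the Fortinet manual or the FortiBridge firmware. It shows how the interval and threshold together determine when a failure triggers bypass mode, and why a disabled probe never does. It assumes the interval is in seconds, that the first probe is sent at t=0, and that the connection is considered failed when the count of consecutive failures reaches the threshold; the names `Probe` and `first_bypass` are hypothetical.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class Probe:
    name: str
    interval: int          # seconds between probes (unit assumed)
    threshold: int         # consecutive failures that mark the connection failed
    enabled: bool = True

def first_bypass(probes: List[Probe],
                 reply_ok: Dict[str, Callable[[int], bool]],
                 horizon: int) -> Optional[Tuple[int, str]]:
    """Return (time, probe name) of the first switch to bypass mode, or None."""
    streak = {p.name: 0 for p in probes}
    for t in range(horizon + 1):
        for p in probes:
            if not p.enabled or t % p.interval:
                continue                       # disabled, or no probe due now
            if reply_ok[p.name](t):
                streak[p.name] = 0             # a success resets the count
                continue
            streak[p.name] += 1
            if streak[p.name] >= p.threshold:  # assumed: fail on reaching threshold
                return t, p.name
    return None

# Constructed scenarios (not measurements from a real unit).
PROBES = [Probe("SMTP", 2, 3), Probe("IMAP", 1, 3), Probe("FTP", 5, 2, enabled=False)]
always_ok = lambda t: True

def software_failure():      # SMTP stops at t=10; IMAP drops two probes, recovers
    return first_bypass(PROBES, {"SMTP": lambda t: t < 10,
                                 "IMAP": lambda t: t not in (4, 5),
                                 "FTP": always_ok}, 60)

def ftp_only_failure():      # FTP fails from t=0 but its probe is disabled
    return first_bypass(PROBES, {"SMTP": always_ok, "IMAP": always_ok,
                                 "FTP": lambda t: False}, 60)

def hardware_failure():      # all traffic stops at t=10
    dead = lambda t: t < 10
    return first_bypass(PROBES, {"SMTP": dead, "IMAP": dead, "FTP": dead}, 60)

if __name__ == "__main__":
    print(software_failure(), ftp_only_failure(), hardware_failure())
```

In the hardware-failure scenario the IMAP probe triggers bypass before the SMTP probe because its shorter interval reaches the same threshold sooner, so the enabled probe with the smallest interval and threshold sets the detection time for a total outage.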
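
FortiGate firewall policy required for each probe (policy columns of Table 1)

| Probe | Direction | Service |
|-------|-----------|---------|
| POP3 | Internal -> External | POP3 or ANY |
| SMTP | Internal -> External | SMTP or ANY |
| IMAP | Internal -> External | IMAP or ANY |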
