Inline Mode
Description
In Inline mode, the FortiBridge segment does not send any traffic directly between the network ports. All incoming traffic from the network ports is diverted to the monitoring ports. The inline network device (connected to the monitoring ports) must bridge the traffic between the monitoring ports.
The inline device can inspect and modify the traffic. Because the device is inline, the network path will be affected by any packet delays or disruptions introduced by the inline device.
You must use Inline mode if the inline network device is intended to alter the traffic (such as discarding packets, rewriting packet headers, etc). Inline mode is suitable for active monitoring of the network traffic, such as security threat detection with response/remediation.
The following diagram shows the packet flow for Inline mode. The grey arrows show traffic flow from left to right (ingress at Net0), and the green arrows show the traffic flow from right to left (ingress at Net1):
Failure Detection and Recovery
FortiBridge provides the following failure detection mechanisms, to ensure that traffic flow through the network is not impacted by a failure in the inline path:
l Heartbeat Probe l System Power Failure
The following sections provide details about these failure actions and the associated recovery actions for each mechanism.
Heartbeat Probe
The Heartbeat probe ensures that traffic is flowing successfully between the monitoring ports (through the inline network device). The system sends heartbeat packets from the sending monitor port to the inline network device, which bridges the heartbeat packets to the receiving monitor port.
The network segment remains in inline mode as long as it continues to receive the heartbeat packets. You can configure the interval time between heartbeat packets, as well as the maximum time that the segment will wait for a heartbeat packet.
If the heartbeat timer expires before a heartbeat is detected, the system raises the heartbeat expiry event and transitions the segment to one of the bypass modes (Bypass, TAP or Fail-cutoff), depending on the configured value of the heartbeat expiry mode.
System Power Failure
If the FortiBridge experiences a power loss, each network segment transitions to passive bypass mode.
Recovery
By default,the network segment will automatically recover from Bypass, TAP or Fail-cutoff mode to inline mode when it detects that the heartbeat mechanism has been restored. This behavior is configurable.
Manual Actions
Using the CLI, you can manually set a segment into bypass, TAP or Fail-cutoff mode.
You can also do a manual restoration to inline mode. With the default configuration, the segment will not stay in inline mode unless the heartbeat probe is running. You can override this behavior using the CLI (set_hb_active disable).
State Transitions
The following diagram illustrates the state transitions that relate to inline mode.
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!