About Hardware Bypass for Inline Sets
For certain interface modules on the Firepower 9300, 4100, and 2100 series (see Prerequisites for Inline Sets), you can enable the Hardware Bypass feature. Hardware Bypass ensures that traffic continues to flow between an inline interface pair during a power outage. This feature can be used to maintain network connectivity in the case of software or hardware failures.
Hardware Bypass Triggers
Hardware Bypass can be triggered in the following scenarios:
FTD application crash
FTD application reboot
Security Module reboot
Firepower chassis crash
Firepower chassis reboot or upgrade
Firepower chassis power loss
Security Module power loss
Hardware bypass is intended for unplanned/unexpected failure scenarios, and is not automatically triggered during planned software upgrades. Hardware bypass only engages at the end of a planned upgrade process, when the FTD application reboots.
Hardware Bypass Switchover
When switching from normal operation to hardware bypass or from hardware bypass back to normal operation, traffic may be interrupted for several seconds. A number of factors can affect the length of the interruption; for example, copper port auto-negotiation; behavior of the optical link partner such as how it handles link faults and de-bounce timing; spanning tree protocol convergence; dynamic routing protocol convergence; and so on. During this time, you may experience dropped connections.
You may also experience dropped connections due to application identification errors when analyzing connections midstream after the return to normal operations.
Snort Fail Open vs. Hardware Bypass
For inline sets other than those in tap mode, you can use the Snort Fail Open option to either drop traffic or allow traffic to pass without inspection when the Snort process is busy or down. Snort Fail Open is supported on all inline sets except those in tap mode, not just on interfaces that support Hardware Bypass.
The Hardware Bypass functionality allows traffic to flow during a hardware failure, including a complete power outage, and certain limited software failures. A software failure that triggers Snort Fail Open does not trigger a Hardware Bypass.
Hardware Bypass Status
If the system has power, then the Bypass LED indicates the Hardware Bypass status. See the Firepower chassis hardware installation guide for LED descriptions.