Configuring bypass in Safety mode

This section explains how bypass in Safety mode functions, and how to configure it in the SNS firewall web administration interface.

Understanding how Safety mode functions

Safety mode prioritizes service continuity. When this mode is enabled:

The bypass mechanism is enabled (ready to be triggered) on all bypass segments that have been configured to use it,
When a triggering event occurs, the bypass mechanism is triggered, which switches the bypass's communication mode to bypass,
Once the bypass mechanism has been triggered, the only way to switch the communication mode from bypass to normal is to reset the bypass mechanism.

If the Safety mode is not enabled, Security mode will be used. In this mode, the bypass function remains permanently disabled, even during a critical failure.

Events that trigger the bypass mechanism in Safety mode

The bypass mechanism is triggered whenever one of the following events occurs:

When the SNS firewall experiences an electrical failure or power outage,
When the SNS firewall restarts, once the BIOS has been initialized.

NOTE
The bypass mechanism will be automatically reset once the SNS firewall restarts.
During a software failure, especially when the SNS firewall's operating system has stopped responding or is saturated, after the watchdog has timed out.

Recovery time

This is the time required to ensure service continuity. Depending on the triggering event, you need to add up all the times in the table, or only some to determine the theoretical recovery time.

Item	Time required for recovery (to be added up)
Watchdog timer	1 to 4 minutes, depending on the duration set in the Safety mode configuration. The timer starts when the status of the watchdog can no longer be refreshed by the SNS firewall hardware manager, especially during a software failure. When the timer is at zero, this means that the idle timeout has been reached, and the bypass mechanism will be enabled (communication in bypass mode).
Switch time	Approximately 100 ms. This is the time required to switch the bypass's communication mode.
Remote device detection time	Generally between 3 and 10 seconds. After a switch, this is the time that remote devices need to detect the change in status ("DOWN" or "UP") on interfaces in the bypass segment. The duration varies by remote device and the version installed on the SNS firewall.

Item

Time required for recovery (to be added up)

Watchdog timer

1 to 4 minutes, depending on the duration set in the Safety mode configuration.

The timer starts when the status of the watchdog can no longer be refreshed by the SNS firewall hardware manager, especially during a software failure. When the timer is at zero, this means that the idle timeout has been reached, and the bypass mechanism will be enabled (communication in bypass mode).

Switch time

Approximately 100 ms.

This is the time required to switch the bypass's communication mode.

Remote device detection time

Generally between 3 and 10 seconds.

After a switch, this is the time that remote devices need to detect the change in status ("DOWN" or "UP") on interfaces in the bypass segment. The duration varies by remote device and the version installed on the SNS firewall.

Accessing Safety mode configuration

Go to Configuration > System > Configuration, General configuration tab.
Expand the Advanced properties section.

Safety mode settings can be found in the Hardware section.

On SNS 4.3 LTSB versions, the interface is slightly different, but Safety mode is configured in the same way.

Enabling or disabling Safety mode

Reminder: Safety mode cannot be enabled on SNS firewalls in high availability.

Go to the Safety mode settings.

On SNS firewalls that have several bypass segments, a list shows the bypass segments on which Safety mode will be enabled.
Select or unselect the Enable safety mode checkbox.
Click on Apply.

Setting the watchdog timer (idle timeout)

Go to the Safety mode settings.
In the drop-down list below the Enable safety mode checkbox, select the desired timeout. The selectable values range from 1 to 4 minutes.
Click on Apply.

Resetting the bypass mechanism (resetting Safety mode)

Once the bypass mechanism is triggered, the only way for the SNS firewall to analyze traffic again is to reset the bypass mechanism. Resetting the bypass mechanism switches the communication mode to normal mode, which will then involve a recovery time that corresponds to the switch time and remote device detection time.

The bypass mechanism will be automatically reset when the SNS firewall completes its startup phase.

You can manually reset the bypass mechanism in the SNS firewall web administration interface.

Go to the Safety mode settings.
Click on Reset safety mode.
In the window that appears, confirm that you want to reset Safety mode.

IMPORTANT
After a manual reset, check whether network traffic is functioning properly, as connections that are initiated during the active phase of the bypass mechanism will be shut down, and have to be set up again by remote devices.