Fail open ports let your hardware firewall keep passing traffic despite a
power or operating system failure.
Where Can I Use This?
NGFW (Managed by PAN-OS or Panorama)
What Do I Need?
Fail open, or fail-to-wire, is a capability of certain firewall models that lets traffic
continue to pass even when the device is powered off. Bypass relays route the traffic
straight through specialized fail open ports (also known as bypass pairs) instead of
through the firewall. By default, fail open is disabled on these ports.
You can configure fail open using the Firewall Web Interface or the CLI. Once
configured, a power outage or system failure causes the fail open ports to engage
the bypass relays automatically and pass traffic. After PAN-OS reinitializes, fail
open returns to standby until the next outage occurs.
Because the firewall must be powered off for fail open to trigger, the bypass relays
pass traffic without applying any of the policies, filters, or settings you have
configured on the firewall; that traffic is uninspected for the duration of the outage.
The bypass relays are not used in the case of soft reboots, crashes, or maintenance
mode.
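The two failure modes above have very different security consequences: a power loss engages the relays and traffic crosses the pair with no policy applied, while a soft reboot or crash leaves the relays open and traffic is dropped. The following is an added example, not Palo Alto Networks code or a PAN-OS feature, showing how a monitoring team could track the uninspected-traffic window from ordinary health-check polls. The poll format (a timestamp, whether the PAN-OS data plane answered, and whether the devices on either side of the bypass pair still see link) and the sample timeline are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed example, not Palo Alto Networks code. The poll shape is an
# assumption: one row per monitoring interval. Per the text, link staying up on
# the bypass pair while the firewall is down means the relays closed and traffic
# is flowing without inspection; link dropping means a soft reboot, crash or
# maintenance case in which the relays are not used and traffic is dropped.

@dataclass(frozen=True)
class Poll:
    ts: datetime
    firewall_up: bool      # PAN-OS data plane answered the health check
    bypass_link_up: bool   # peers on the fail-open pair report link up

def classify_outages(polls):
    """Group consecutive firewall-down polls into outages and label each one:
    'bypass'    - link stayed up: traffic passed the relays with no policy applied
    'blackhole' - link went down: relays not engaged, traffic was dropped
    Returns dicts with kind, start, end (None if ongoing) and seconds (None if ongoing)."""
    outages = []
    current = None
    for p in sorted(polls, key=lambda x: x.ts):
        if not p.firewall_up:
            kind = "bypass" if p.bypass_link_up else "blackhole"
            if current is None:
                current = {"kind": kind, "start": p.ts, "end": None}
            elif current["kind"] != kind:
                # outage changed character mid-way: close it and open a new one
                current["end"] = p.ts
                outages.append(current)
                current = {"kind": kind, "start": p.ts, "end": None}
        elif current is not None:
            current["end"] = p.ts
            outages.append(current)
            current = None
    if current is not None:
        outages.append(current)
    for o in outages:
        o["seconds"] = (o["end"] - o["start"]).total_seconds() if o["end"] else None
    return outages

def uninspected_seconds(polls):
    """Total seconds during which traffic crossed the bypass pair uninspected."""
    return sum(o["seconds"] or 0 for o in classify_outages(polls) if o["kind"] == "bypass")

# Constructed sample timeline (not real monitoring data).
T0 = datetime(2024, 1, 1, 10, 0)
SAMPLE_POLLS = [
    Poll(T0, True, True),
    Poll(T0 + timedelta(minutes=5), False, True),    # power loss: relays close
    Poll(T0 + timedelta(minutes=20), False, True),   # still in bypass
    Poll(T0 + timedelta(minutes=30), True, True),    # PAN-OS back, fail open on standby
    Poll(T0 + timedelta(minutes=60), False, False),  # soft reboot: no bypass, link down
    Poll(T0 + timedelta(minutes=65), True, True),
]

if __name__ == "__main__":
    for outage in classify_outages(SAMPLE_POLLS):
        print(outage)
    print("uninspected seconds:", uninspected_seconds(SAMPLE_POLLS))
```

The 'bypass' windows are the ones worth alerting on, since the firewall's logs will contain nothing for that period; the 'blackhole' windows are availability incidents rather than inspection gaps.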
The following table lists the firewalls that support fail open as well as the port
numbers that are used as bypass pairs.