Fortinet FortiBridge User Manual
Administration Guide
FortiBridge
Version 3.0
www.fortinet.com
FortiBridge Administration Guide
Version 3.0
9 November 2006
09-30000-0163-20061109
© Copyright 2006 Fortinet, Inc. All rights reserved. No part of this publication including text, examples,
diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means,
electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of
Fortinet, Inc.
Trademarks
ABACAS, APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGuard, FortiGuardAntispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiManager, Fortinet,
FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are
trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies
and products mentioned herein may be the trademarks of their respective owners.
Regulatory compliance
FCC Class A Part 15 CSA/CUS
Caution: If you install a battery that is not the correct type, it could
!
explode. Dispose of used batteries according to local regulations.
Contents
Contents
Introduction........................................................................................ 7
About FortiBridge.............................................................................................. 7
About this document......................................................................................... 7
Fortinet documentation..................................................................................... 8
Fortinet tools and documentation CD............................................................ 8
Fortinet Knowledge Center ........................................................................... 8
Comments on Fortinet technical documentation........................................... 8
Customer service and technical support........................................................ 8
FortiBridge operating principles ...................................................... 9
Example FortiBridge application...................................................................... 9
Connecting the FortiBridge unit................................................................... 10
Normal mode operation .................................................................................. 11
How the FortiBridge unit monitors the FortiGate unit.................................. 11
Probes and FortiGate firewall policies......................................................... 12
Enabling probes to detect FortiGate hardware failure................................. 13
Enabling probes to detect FortiGate software failure.................... ... ........... 13
Probe interval and probe threshold............................................................. 13
Bypass mode operation.................................................................................. 14
FortiBridge power failure................................................................................ 14
Example FortiGate HA cluster FortiBridge application.................. ... ... ........ 15
Connecting the FortiBridge-1000 (copper gigabit ethernet)........................ 15
Connecting the FortiBridge-1000F (fiber gigabit ethernet).......................... 16
Example configuration with other FortiGate interfaces............................... 16
Setting up FortiBridge units............................................................ 19
FortiBridge unit basic information ... ... ... ........................................................ 19
FortiBridge-1000 Package contents............................................................ 19
FortiBridge-1000F Package contents.......................................................... 20
Mounting instructions .................................................................................. 20
Technical specifications .............................................................................. 21
LED indicators............................................................................................. 21
Connectors.................................................................................................. 22
Factory default configuration....................................................................... 22
Connecting and turning on the FortiBridge unit .......................................... 23
Connecting and turning on the FortiBridge-1000 unit ................................. 23
Connecting and turning on the FortiBridge-1000F unit ............................... 24
Connecting to the command line interface (CLI).......................................... 25
Connecting to the FortiBridge console........................................................ 25
Connecting to the FortiBridge CLI using Telnet ......................... ... ... ... ........ 26
FortiBridge Version 3.0 Administration Guide
09-30000-0163-20061109 3
Contents
Completing the basic FortiBridge configuration.......................................... 26
Adding an administrator password.............................................................. 27
Changing the management IP address ........ ... .... ... ... ... .... ... ... ... ... .... ... ... ... . 27
Changing DNS server IP addresses................................. ... ... ... ... .... ... ... ... . 28
Adding static routes .................................................................................... 28
Allowing management access to the EXT 1 interface................................. 29
Changing the system time and date ........................................................... 29
Adding administrator accounts.................................................................... 29
Resetting to the factory default configuration.............................................. 30
Installing FortiBridge unit firmware............................................................... 30
Upgrading to a new firmware version ......................................................... 31
Reverting to a previous firmware version.................................................... 32
Installing firmware from a system reboot .................................................... 33
Configuration and operating procedures...................................... 35
Example network settings.............................................................................. 35
Configuring FortiBridge probes.......................... .... ... ... ... .... ... ... ... ... .... ... ... ... . 36
Probe settings............................................................................................. 37
Enabling probes.......................................................................................... 38
Verifying that probes are functioning .......................................................... 39
Tuning the failure threshold and probe interval........................................... 40
Configuring FortiBridge alerts ......... ... .... ... ... ... ... .... ... ... ... .... ... ... ... ... .... ... ... ... . 40
FortiBridge alert email................................................................................. 41
FortiBridge syslog ....................................................................................... 41
FortiBridge SNMP....................................................................................... 42
Recovering from a FortiGate failure .............................................................. 43
Manually switching between FortiBridge operating modes........................ 44
Backing up and restoring the FortiBridge configuration ............................ 44
Using the CLI.................................................................................... 47
CLI basics......................................................................................................... 47
Connecting to the FortiBridge CLI using SSH or Telnet....................... ... ... . 47
Setting administrative access for SSH or Telnet.. ... ... ... .............................. 47
Connecting to the FortiBridge CLI using SSH............................................. 48
config CLI commands ..................................................................... 51
alertemail setting............................................................................................. 52
log syslogd setting.......................................................................................... 54
probe probe_list {ping | http | ftp | pop3 | smtp | imap}............................... 55
probe setting.................................................................................................... 56
system accprofile................. ... .... ... ... ... .... ... ... ... ... .... ... ... ... .... ... ....................... 57
system admin.................................. ... ... .... ... ... ... ... .... ... ... ... .... ... ... ... ... .............. 59
FortiBridge Version 3.0 Administration Guide
4 09-30000-0163-20061109
Contents
system console................................................................................................ 61
system dns....................................................................................................... 62
get system status ............................................................................................ 63
system fail_close............................................................................................. 64
system global................................................................................................... 66
system interface {internal | external}............................................................. 68
system manageip............................................................................................. 69
system route .................................................................................................... 70
system snmp community................................................................................ 71
config hosts............................ ....................................... ... ... .... ... ................. 71
execute CLI commands................................................................... 73
backup.............................................................................................................. 74
date ................................................................................................................... 75
factoryreset...................................................................................................... 76
ping................................................................................................................... 77
reboot................................................................................................................ 78
restore............................................................................................................... 79
switch-mode..................................................................................................... 80
time ................................................................................................................... 81
Index.................................................................................................. 83
FortiBridge Version 3.0 Administration Guide
09-30000-0163-20061109 5
Contents
FortiBridge Version 3.0 Administration Guide
6 09-30000-0163-20061109
Introduction About FortiBridge
Introduction
This chapter introduces you to the FortiBridge-1000 and FortiBridge-1000F
products that provide fail open protection for FortiGate Antivirus Firewalls
operating in transparent mode. Fail open protection keeps network traffic flowing
in the event of a FortiGate unit failure. This chapter contains the following topics:
• About FortiBridge
• About this document
• Fortinet documentation
• Customer service and technical support
About FortiBridge
The FortiBridge products are a solution for enterprise or ganizations to provide fail
open protection for FortiGate units deployed inline in transparent mode. The
FortiBridge products use multiple probe protocols to detect failures in the
FortiGate unit. FortiBridge zero power fail open technology means that the
FortiBridge unit also fails open if a power failure occurs.
Figure 1: FortiBridge unit
A FortiBridge unit functions as a pass-through device when a FortiGate unit or
FortiGate HA cluster operating in transparent mode fails or loses power. The
FortiBridge unit bypasses the FortiGate unit to make sur e th at the ne tw or k can
continue processing traffic. The FortiBridge unit is not a firewall or antivirus
device. FortiGate services are not applied when the FortiBridge unit bypasses
traffic.
About this document
This document describes how to install, configure and maintain the
FortiBridge-1000 and the FortiBridge-1000F products.
This document contains the following chapters:
• FortiBridge operating principles contains general information about how
FortiBridge units work.
• Setting up FortiBridge units contains hardware reference and general
installation procedures for FortiBridge units.
• Configuration and operating procedures contains procedures for connecting
and configuring FortiBridge units.
PWR
INT 1
INT 2
EscEnter
FortiGate
EXT 1
EXT 2
BYPASS MODE
NORMAL
MODE FACTORY RESET
FortiBridge Version 3.0 Administration Guide
09-30000-0163-20061109 7
Fortinet documentation Introduction
• Using the CLI describes how to use the FortiBridge CLI.
• config CLI commands is the FortiBridge config CLI command reference.
• execute CLI commands is the FortiBridge execute CLI command reference.
Fortinet documentation
The most up-to-date publications and previous releases of Fortinet product
documentation are available from the Fortinet Technical Documentation web site
at http://docs.forticare.com.
The following FortiBridge product documentation is available:
• FortiBridge QuickStart Guides
Provide basic information about connecting and installing a FortiBridge unit.
• FortiBridge Administration Guide
Describes how to install, configure, and manage a FortiBri dge unit.
Fortinet tools and documentation CD
All Fortinet documentation is available from the Fortine t Tools and Documentation
CD shipped with your Fortinet product. The documents on this CD are current for
your product at shipping time. For the latest versions of all Fortinet document ation
see the Fortinet Technical Documentation web site at http://docs.forticare.com.
Fortinet Knowledge Center
Additional Fortinet technical documentation is available from the Fortinet
Knowledge Center. The knowledge center contains troubleshooting and how-to
articles, FAQs, technical notes, and more. Visit the Fortinet Knowledge Center at
http://kc.forticare.com.
Comments on Fortinet technical documentation
Please send information about any errors or omissions in this document, or any
Fortinet technical documentation, to techdoc@fortinet.com.
Customer service and technical support
Fortinet Technical Support provides services designed to make sure that your
Fortinet systems install quickly, configure easily, and operate reliably in your
network.
Please visit the Fortinet Technical Support web site at http://support.fortinet.com
to learn about the technical support services that Fortinet provides.
FortiBridge Version 3.0 Administration Guide
8 09-30000-0163-20061109
FortiBridge operating principles Example FortiBridge application
FortiBridge operating principles
This chapter describes a typical transparent mode FortiGate network and how to
add a FortiBridge unit to this network to provide fail open protection. This chapter
also contains detailed information about how FortiBridge units operate and
concludes with descriptions of adding a FortiBridge unit to an HA cluster and
connecting a FortiBridge unit other FortiGate interfaces.
This chapter contains the following sections:
• Example FortiBridge application
• Normal mode operation
• Bypass mode operation
• FortiBridge power failure
• Example FortiGate HA cluster FortiBridge application
• Example configuration with other FortiGate interfaces
Example FortiBridge application
A typical application of a FortiGate unit operating in transparent mode is to insert
the FortiGate unit into an internal network, between the network and the router
that connects the network to the Internet. In this configuration, the FortiGate unit
can provide security services for all traffic passing between the internal network
and the internet. These security services can include:
• applying firewall policies and IPS attack prevention to all traffic,
• applying virus scanning to HTTP, FTP, POP3, SMTP, and IMAP traffic,
• applying web filtering to HTTP traffic,
• applying Sp am filtering to POP3, SMTP, and IMAP traffic.
The internal network is connected to the FortiGate unit internal interface. The
router is connected to the FortiGate unit external interface. The FortiGate unit can
be added to the network without changing the configuration of the network (except
to add the FortiGate management IP address).
Figure 2: Example transparent mode network
Internal network
Internal External
(Transparent mode)
Internet
Router
To allow users on the internal network to connect to resources on the Internet, add
Internal -> External firewall policies to the FortiGate unit. Add protection profiles
to the firewall policies to apply security services such as virus scanning, web
filtering, spam filtering and IPS to the traffic that passes through the FortiGate unit.
FortiBridge Version 3.0 Administration Guide
09-30000-0163-20061109 9
Example FortiBridge application FortiBridge operating principles
The FortiGate unit acts as an extra layer of protection for your internal network.
While it is operating, the FortiGate unit protects the internal network from threats
originating on the Internet. All users on the internal network connect through the
FortiGate unit to the Internet. This also means that if a failure or other interruption
caused the FortiGate unit to stop functioning, users on the inter nal network woul d
not be able to connect to the Internet.
You can install a FortiBridge unit to maintain internet connectivity for the internal
network if the FortiGate unit stops functioning. The FortiBridge unit provides fail
open protection for your network by bypassing the FortiGate unit if a failure
occurs.
Connecting the FortiBridge unit
Operating in normal mode, the FortiBridge unit functions like a layer-2 bridge,
passing all traffic to the FortiGate unit. The FortiGate unit processes the traffic,
which then passes through the FortiBridge unit again and then to its final
destination.
In most cases, you do not have to make changes to the FortiGate unit
configuration or to the network to add a FortiBridge unit. The only network
requirement for FortiBridge is the availability of a single management IP address
for the FortiBridge unit. The FortiBridge management IP address is required in
addition to the FortiGate management IP address.
The connection procedure is different depending on whether the FortiBridge unit
uses copper gigabit ethernet network connections or fiber giga bit ethernet network
connections. This section includes the following connection procedures:
• Connecting the FortiBridge-1000 (copper gig abit ethernet)
• Connecting the FortiBridge-1000F (fiber gigabit ethernet)
Figure 3: FortiBridge unit providing fail open protection
(Normal mode)
Internal network
INT 1
INT 2
Internal
(Transparent mode)
EXT 1
EXT 2
External
Internet
Router
Connecting the FortiBridge-1000 (copper gigabit ethernet)
The FortiBridge-1000 unit contains 4 auto-sensing 10/100/1000 Ethern e t
interfaces that connect to the internal and external networks and to the FortiGate
interfaces that were connected to these networks. Use the following steps to
connect a FortiBridge-1000 unit to the network as shown in Figure 3.
Note: Normally, you would use straight-through ethernet cables to connect the
FortiBridge-1000 unit to the FortiGate unit and to your networks. However, for some
connections you may need a crossover ethernet cable (for example, for compatibility with
network devices that do not support Auto MDI/MDIX).
FortiBridge Version 3.0 Administration Guide
10 09-30000-0163-20061109
FortiBridge operating principles Normal mode operation
1 Connect the FortiBridge-1000 INT 2 interface to the FortiGate internal interface.
2 Connect the FortiGate external interface to the FortiBridge-1000 EXT 2 interface.
3 Connect the internal network to the FortiBridge-1000 INT 1 interface.
4 Connect the FortiBridge-1000 EXT 1 interface to the router.
Connecting the FortiBridge-1000F (fiber gigabit ethernet)
The FortiBridge-1000F unit contains 4 multimode fiber optic gigab it interfaces that
connect to the internal and external networks and to the FortiGate interfaces that
were connected to these networks. Use the following steps to connect a
FortiBridge-1000F unit to the network as shown in Figure 3.
1 Connect the FortiBridge-1000F INT 2 interface to the FortiGate internal interface.
2 Connect the FortiGate external interface to the FortiBridge-1000F EXT 2
interface.
3 Connect the internal network to the FortiBridge-1000F INT 1 interface.
4 Connect the FortiBridge-1000F EXT 1 interface to the router.
Normal mode operation
If the FortiGate unit is operating normally, the FortiBridge unit operates in Normal
mode. Traf fic from the internal network enter s the FortiBridg e INT 1 interface then
exits the INT 2 interface to the Fort iGate unit. The traffic from the FortiBridge
INT 2 interface enters the FortiGate internal interface. Firewall policies and
protection profiles are applied to the traffic by the FortiGate unit. Accepted traffic
then exits the FortiGate External interface and enters the FortiBridge EXT 2
interface. The traffic then exits the FortiBrid ge EXT 1 interface and goes to the
external network. Traffic from the external network reverses this sequence .
Figure 4: Normal mode traffic flow
Internal network
(Normal mode)
INT 1
INT 2
Internal
(Transparent mode)
EXT 1
EXT 2
External
Internet
Router
How the FortiBridge unit monitors the FortiGate unit
To monitor the FortiGate unit for failure, you must enable probes on the
FortiBridge unit. When you enable a probe, the FortiBridge unit sends packets
from the FortiBridge INT 2 interface, through the FortiGate unit to the FortiBridge
EXT 2 interface. If the EXT 2 interface receives the probe packets, the FortiGate
unit is operating normally. If the EXT 2 interface does not receive probe packets
the FortiBridge unit assumes that the FortiGate unit has failed.
FortiBridge Version 3.0 Administration Guide
09-30000-0163-20061109 11
Normal mode operation FortiBridge operating principles
Figure 5: FortiBridge unit operating in normal mode sending probe packets
Internal network
You can enable ICMP (ping), HTTP, FTP, POP3, SMTP, and IMAP probes to test
connectivity through the FortiGate unit for each of these protocols. The
FortiBridge unit simultaneously tests connectivity through the FortiGate unit for
each probe that is enabled.
The first probe that registers a failure causes the FortiBridge unit to stop sending
all probe packets. The FortiBridge unit responds to the failure according to the
action on failure that you configure. The actio n on failu re can inc lud e fa il ope n,
send alert email, send a syslog message, and send an SNMP trap. You can
enable any combination of these actions on failure. Fail open switches the
FortiBridge unit to bypass mode. Other actions on failure alert system
administrators that the FortiBridge has determined that a failure occurred.
Probes and FortiGate firewall policies
(Normal mode)
INT 1
INT 2
Internal External
(Transparent mode)
EXT 2
EXT 1
Internet
Router
Probe packets
Probe packets are accepted and passed through the FortiGate unit by firewall
policies added to the FortiGate unit. When enabling probes, you must make sure
that the firewall policies added to the FortiGate unit can acce pt probe p acket s. For
example, if your FortiGate unit does not accept FTP packets, you should not
enable the FTP probe. Table 1 describes FortiGate firewall policy requirements for
each FortiBridge probe.
Table 1: FortiBridge probes and FortiGate firewall policy requirements
FortiGate Firewall policy
Probe Description
Ping ICMP packets are sent from the INT 2
interface to the EXT 2 interface. The EXT 2
interface responds to the ping.
HTTP HTTP requests are sent from an HTTP
client at the INT 2 interface to a web server
at the EXT 2 interface. The web server
sends a response from the EXT 2 interface
to the INT 2 interface.
FTP FTP requests are sent from an FTP client at
the INT 2 interface to an FTP server at the
EXT 2 interface. The FTP server sends a
response from the EXT 2 interface to the
INT 2 interface.
Direction Service
Internal -> External ICMP or ANY
Internal -> External HTTP or ANY
Internal -> External FTP or ANY
FortiBridge Version 3.0 Administration Guide
12 09-30000-0163-20061109
FortiBridge operating principles Normal mode operation
Table 1: FortiBridge probes and FortiGate firewall policy requirements (Continued)
FortiGate Firewall policy
Probe Description
POP3 POP3 packets are sent from a POP3 client
at the INT 2 interface to a POP3 server at
the EXT 2 interface. The POP3 server
sends a response from the EXT 2 interface
to the INT 2 interface.
SMTP SMTP packets are sent from an SMTP
server at the INT 2 interface to an SMTP
server at the EXT 2 interface. The SMTP
server sends a response from the EXT 2
interface to the INT 2 interface.
IMAP IMAP packets are sent from an IMAP client
at the INT 2 interface to an IMAP server at
the EXT 2 interface. The IMAP server sends
a response from the EXT 2 interface to the
INT 2 interface.
Direction Service
Internal -> External POP3 or ANY
Internal -> External SMTP or ANY
Internal -> External IMAP or ANY
Enabling probes to detect FortiGate hardware failure
A FortiGate unit can stop processing network traffic be cause of a hardwa re failure
such as the failure of a hardware component, a loss of power, or a loss of
connectivity if a network cable is unplugged.
If a hardware failure occurs, the FortiGate unit stops processing all traffic. You can
enable any FortiBridge probe for the FortiBridge unit to detect a FortiGate
hardware failure.
Enabling probes to detect FortiGate software failure
A FortiGate unit can also stop processing network traffic because of a software
failure. For example, a firmware issue could cause a specific software process to
crash. Also, network traffic could increase to a point where the FortiGate unit
cannot process all traffic. As a result, the FortiGate unit could stop processing
some or all traffic without a hardware failure occurring.
To detect a FortiGate software failure, you can enable probes for FortiGate
services that you want to provide fail open protection for. For example, if it is a
high priority for your network to provide SMTP email services, you should enable
the SMTP probe. If the SMTP probe detects a failure of SMTP traffic through the
FortiGate unit, the FortiBridge unit switches to bypass mode to maintain SMTP
traffic flow.
If you do not consider FTP traffic a high priority, you can leave the FTP probe
disabled. In this configuration, if only FTP traffic fails, the FortiBridge does not
switch to bypass mode.
Probe interval and probe threshold
For each probe, you set a probe interval and a probe threshold. The probe interval
defines how often to test the connection. The probe threshold defines how many
consecutive failed probes can occur before the FortiBridge considers the
connection to have failed.
FortiBridge Version 3.0 Administration Guide
09-30000-0163-20061109 13
Bypass mode operation FortiBridge operating principles
Bypass mode operation
When the FortiBridge unit operates in bypass mode, the FortiBridge INT 1 and
EXT 1 interfaces are directly connected. All traffic between the internal and
external network segments flows, whether or not the FortiGate unit is operating
normally.
Because the INT 1 and EXT 1 interfaces are directly connected, you cannot use
Telnet or SSH to connect to the FortiBridge CLI. Instead you must use a console
connection.
The FortiBridge unit remains in bypass mode even if the FortiGate unit recovers.
To restore the FortiGate unit, you must manually switch the FortiBridge unit back
to normal mode. You can switch the FortiBridge unit to normal mode by pressing
the mode switch on the FortiBridge front pa nel or by using a console con nection to
the CLI and entering the command execute switch-mode. You can also use
the mode switch and the execute switch-mode command to manually switch
the FortiBridge unit from normal mode to bypass mode.
Figure 6: FortiBridge unit operating in bypass mode
Internal network
When the FortiBridge unit is operating in bypass mode you can still connect to the
FortiBridge CLI and manage the FortiBridge unit (for example to switch the
FortiBridge unit to normal mode). When the FortiBridge unit operates in bypass
mode, you cannot connect to the FortiGate interfaces that are connected to the
FortiBridge unit.
FortiBridge power failure
If a power failure occurs and the FortiBridg e unit loses power , zero power fail open
technology causes FortiBridge unit to fail open. T he For tiBridg e unit bypasses the
FortiGate unit and all traffic passes between the FortiBridge INT 1 and EXT 1
interfaces. If power is restored to the FortiBridge unit, it starts up in bypass mode
and then switches to normal mode when its start up sequence is complete,
reconnecting the FortiGate unit to the network.
(Bypass mode)
INT 1
INT 2
Internal
(Transparent mode)
EXT 1
EXT 2
External
Internet
Router
Note: The FortiBridge-1000F contains a battery to keep the fibers lit in fail open mode. If
the FortiBridge-1000F unit loses power, the battery will power the fail open condition for
approximately three hours. When power is restored, the battery requires approximately
three hours to recharge if completely drained. The FortiBridge-1000 unit does not use a
battery and can maintain a fail open condition indefinitely.
FortiBridge Version 3.0 Administration Guide
14 09-30000-0163-20061109
FortiBridge operating principles Example FortiGate HA cluster FortiBridge application
Example FortiGate HA cluster FortiBridge application
A FortiBridge unit can provide fail open protection for a FortiGate HA cluster
operating in transparent mode in much the same way as for a sta ndalone
FortiGate unit. To provide fail open protection for an HA cluster, connect the
FortiBridge unit to the switches that connect the internal and external interfaces of
the cluster. Use the following step s to conn ect a F ortiBridge un it to the HA clu ster,
as shown in Figure 7:
Figure 7: FortiBridge unit providing fail open protection for a FortiGate HA cluster
(Normal mode)
Internal network
INT 1
EXT 1
Internet
INT 2
Internal External
HA cluster
(Transparent mode)
EXT 2
Router
Probe packets
The network configuration and FortiBridge configuration are the same fo r a cluster
and for a standalone FortiGate unit. In normal mode, packets pass through the
FortiBridge unit and through the FortiG ate HA cluster and back through the
FortiBridge unit. For the cluster to process this traffic, you must add
Internal -> External firewall policies to the cluster configuration. If a failure occurs
and the cluster no longer processes traffic, the Fort iBridge unit switches to bypass
mode, bypassing the cluster.
The connection procedure is different depending on whether the FortiBridge unit
uses copper gigabit ethernet netw o rk co nn ec tio ns or fi be r gig ab it et he rn et
network connections. This section includes the following connection procedures:
• Connecting the FortiBridge-1000 (copper gigabit ethernet)
• Connecting the FortiBridge-1000F (fiber gigabit ethernet)
Connecting the FortiBridge-1000 (copper gigabit ethernet)
The FortiBridge-1000 unit contains 4 auto-sensing 10/100/1000 Ethernet
interfaces that connect to the internal and external networks and to the cluster
interfaces that were connected to these networks. Use the following steps to
connect a FortiBridge-1000 unit to the network as shown in Figure 7.
Note: Normally, you would use straight-through ethernet cables to connect the
FortiBridge-1000 unit to the FortiGate unit and to your networks. However, for some
connections you may need a crossover ethernet cable (for example, for compatibility with
network devices that do not support Auto MDI/MDIX).
FortiBridge Version 3.0 Administration Guide
09-30000-0163-20061109 15
Example configuration with ot he r Fo rti Gate interfaces FortiBridge operating principles
1 Connect the FortiBridge-1000 INT 2 interface to th e switc h co nn ec te d to the HA
cluster internal interface.
2 Connect the switch connected to the HA cluster external interface to the
FortiBridge-1000 EXT 2 interface.
3 Connect the internal network to the FortiBridge-1000 INT 1 interface.
4 Connect the FortiBridge-1000 EXT 1 interface to the router.
Connecting the FortiBridge-1000F (fiber gigabit ethernet)
The FortiBridge-1000F unit conta ins 4 mult imode fi ber optic giga bit interfaces that
connect to the internal and external networks and to the FortiGate cluster
interfaces that were connected to these networks. Use the following steps to
connect a FortiBridge-1000F unit to the network as shown in Figure 3.
1 Connect the FortiBridge-1000F INT 2 interface to the switch conne cted to the HA
cluster internal interface.
2 Connect the switch connected to the HA cluster external interface to the
FortiBridge-1000F EXT 2 interface.
3 Connect the internal network to the FortiBridge-1000F INT 1 interface.
4 Connect the FortiBridge-1000F EXT 1 interface to the router.
Example configuration with other FortiGate interfaces
All of the examples in this chapter describe using the FortiBridge unit to provide
fail open protection for traffic passing between the FortiGate unit internal and
external interfaces. You can actually use a FortiBridge unit to provide fail open
protection for any two FortiGate unit interfaces. No limitation is implied by naming
the FortiBridge interfaces INT and EXT. These names are used to simplify
installation procedures. Figure 8 shows a FortiBridge-1000 unit providing fail open
protection for network traffic between ports 5 and 6 of a FortiGate-500A unit.
Figure 8: FortiBridge unit providing fail open protection for a single FortiGate unit
(Normal mode)
Internal network
INT 1
INT 2
Port 5
(Transparent mode)
EXT 1
EXT 2
Port 6
-500A
Router
Internet
To connect a FortiBridge-1000 unit to the network shown in Figure 8:
1 Connect the FortiBridge-1000 INT 2 interface to the FortiGate-500A port 5
interface.
2 Connect the FortiGate-500A port 6 interface to the FortiBridg e-1000 EXT 2
interface.
FortiBridge Version 3.0 Administration Guide
16 09-30000-0163-20061109
FortiBridge operating principles Example configuration with other FortiGate interfaces
3 Connect the internal network to the FortiBridge-1000 INT 1 interface.
4 Connect the FortiBridge-1000 EXT 1 interface to the router.
You must add port 5 -> port 6 firewall policies to the FortiGate-50 0A un it
configuration.
FortiBridge Version 3.0 Administration Guide
09-30000-0163-20061109 17
Example configuration with ot he r Fo rti Gate interfaces FortiBridge operating principles
FortiBridge Version 3.0 Administration Guide
18 09-30000-0163-20061109
Setting up FortiBridge units FortiBridge unit basic information
Setting up FortiBridge units
This chapter contains the information you need to un pack, connect, an d configure
your FortiBridge unit:
• FortiBridge unit basic information
• Connecting and turning on the FortiBridge unit
• Connecting to the command line interface (CLI)
• Completing the basic FortiBridge configuration
• Resetting to the factory default configuration
• Installing FortiBridge unit firmware
When you complete the procedures in this chapter, the FortiBridge unit will be
operating and connected to your network and to your FortiGate unit. See
“Configuration and operating procedur es” on p a ge 35 to configure the FortiBridge
unit to monitor the status of the FortiGate unit and to fail open if the FortiBridge
unit detects that the FortiGate unit has failed.
FortiBridge unit basic information
This section describes the following basic information about the FortiBridge units:
• FortiBridge-1000 Package contents
• Mounting instructions
• Technical specifications
• LED indicators
• Connectors
• Factory default configuration
FortiBridge-1000 Package contents
The FortiBridge-1000 package contains the follo wing items:
• the FortiBridge-1000 unit
• two orange crossover Ethernet cables (Fortinet part number CC300248)
• one RJ-45 to DB-9 serial cable (Fortinet part number CC300302)
• FortiBridge-1000 QuickStart Guide
• CD containing the Fortinet user documentation
• one AC adapter
FortiBridge Version 3.0 Administration Guide
09-30000-0163-20061109 19
FortiBridge unit basic information Setting up FortiBridge units
Change
Bypass
Figure 9: FortiBridge-1000 package contents
Front
PWR STATUS
PWR
Power
INT 1
INT 2
Back
DC+5V
PWR
Power
CONSOLE
Console
EXT 2
Connection
FortiGate unit
connections
FortiBridge-1000F Package contents
The FortiBridge-1000F package contai ns the following items:
• the FortiBridge-1000F unit
• one RJ-45 to DB-9 serial cable (Fortinet part number CC300302)
• four 1000Base-SX SFP Transceivers
• FortiBridge QuickStart Guide
• CD containing the Fortinet user documentation
• one AC adapter
INT 1
INT 2
TO FORTIGATE
EXT 2
EscEnter
FortiGate
EXT 1
EXT 2
INT 2
INT 2
Mode
EXT 1
EXT 2
Mode
BYPASS MODE
MODE FACTORY RESET
NORMAL
Normal
Mode
INT 1EXT 1
EXT 1
INT 1
Network
connections
Factory
Reset
Power Cable
USER MANUAL
Documentation
2 Orange Crossover
Ethernet Cables
Power Supply
RJ-45 to
DB-9 Serial Cable
FortiBridge-1000
INT 1
EXT 1
BYPASS MODE
MODE FACTORY RESET
EscEnter
NORMAL
PWR
FortiGate
INT 2
EXT 2
QuickStart Guide
Copyright 2005 Fortinet Incorporated. All rights reserved.
Trademarks
Products mentioned in this document are trademarks.
Figure 10: FortiBridge-1000F package contents
DC+5V
PWR
Power
Mounting instructions
Install the FortiBridge unit on any stable surface. Make sure that the unit has at
least 1.5 in. (3.75 cm) of clearance on each side to allow for adequate air flow and
cooling.
F
Management
CONSOLE
Console
PWR
Power
MODEM
Modem
Front
INT 1
MANAGEMENT
INT 2
INT 1
INT 2
Back
TO FORTIGATE
INT 2
FortiGate unit
connections
EscEnter
FortiGate
EXT 1
EXT 2
EXT 2INT 2
EXT 2
Bypass
Mode
EXT 1
EXT 2
INT 1
INT 1
Change
Mode
BYPASS MODE
MODE
NORMAL
EXT 1
Factory
Reset
MANAGEMENT
Normal
Mode
Management
EXT 1
Network
connections
FACTORY RESET
Power Cable
Documentation
Power Supply
RJ-45 to
DB-9 Serial Cable
4 1000Base-SX
SFP Transceivers
FortiBridge-1000
INT 1
EXT 1
BYPASS MODE
MODE FACTORY RESET
EscEnter
NORMAL
PWR
FortiGate
INT 2
EXT 2
QuickStart Guide
Copyright 2005 Fortinet Incorporated. All rights reserved.
Trademarks
Products mentioned in this document are trademarks.
FortiBridge Version 3.0 Administration Guide
20 09-30000-0163-20061109
Setting up FortiBridge units FortiBridge unit basic information
Technical specifications
Table 2: FortiBridge-1000 and 1000F technical specifications
Dimensions 8.63 x 6.13 x 1.38 in. (21.9 x 15.6 x 3.5 cm)
Weight 1.5 lb. (0.68 kg)
Power
Requirements
Environmental
specifications
DC input voltage: 5 V
DC input current: 5 A
Operating temperature: 32 to 104°F (0 to 40°C)
Storage temperature: -13 to 158°F (-25 to 70°C)
Humidity: 5 to 95% non-condensing
LED indicators
Table 3: FortiBridge-1000 LED indicato rs
LED State Description
PWR Green The FortiBridge unit is powered on.
Off The FortiBridge unit is powered off.
INT 1
INT 2
EXT 1
EXT 2
INT 1
INT 2
EXT 1
EXT 2
(back)
Green The correct cable is in use and the connected equipment
has power .
Flashing Green Network activity at this interface.
Off No link established or the interface has been turned off.
Green The correct cable is in use, and the connected equipment
has power .
Flashing amber Network activity at this interface.
Off No link established.
Table 4: FortiBridge-1000F LED indicators
LED State Description
PWR Green The FortiBridge unit is powered on.
Off The FortiBridge unit is powered off.
INT 1,
INT 2,
EXT 1, and
EXT 2
FortiBridge Version 3.0 Administration Guide
09-30000-0163-20061109 21
Green The correct optical fiber patch cable is connected to the
gigabit fiber interface.
Flashing Network activity at the gigabit fiber interface.
FortiBridge unit basic information Setting up FortiBridge units
Connectors
Table 5: FortiBridge-1000 connectors
Connector Type Speed Protocol Description
INT 1 RJ- 45 10/100/1000
Base-T
EXT 1 RJ-45 10/100/1000
Base-T
INT 2 RJ- 45 10/100/1000
Base-T
EXT 2 RJ-45 10/100/1000
Base-T
CONSOLE RJ-45 9600 bps RS-232
Table 6: FortiBridge-1000F connectors
Ethernet Copper gigabit ethernet connection to the internal
Ethernet Copper gigabit ethernet connection to the
Ethernet Copper gigabit ethernet connection to the
Ethernet Copper gigabit ethernet connection to the
serial
network.
external network.
FortiGate unit internal interface.
FortiGate unit external interface.
Optional connection to the management
computer.
Provides access to the command line interface
(CLI).
Connector Type Speed Protocol Description
INT 1, INT 2,
LC SFP 1000Base-SX Ethernet Multimode fiber optic connections
EXT 1,
EXT 2, and
management
CONSOLE RJ-45 9600 bps RS-232
Factory default configuration
Table 7: FortiBridge-1000 and 1000F unit factory default network configuration
Administrator account admin
Password (none)
Management IP/Netmask 192.168.1.99/255.255.255.0
Management Access Telnet, SSH and ping access to the INT 1
Routes (none)
Primary DNS 65.39.139.53
Secondary DNS 65.39.139.63
to gigabit optical networks. The
FortiBridge-1000F is shipped with
4 1000Base-SX Small Formfactor
Pluggable (SFP) transceivers that
you must insert into the INT 1, INT
2, EXT 1, and EXT 2 sockets on
the back panel. The management
connection is optional.
Console connection to the
serial
command line interface (CLI).
interface. No management access to the EXT 1
interface.
FortiBridge Version 3.0 Administration Guide
22 09-30000-0163-20061109
Setting up FortiBridge units Connecting and turning on the FortiBridge unit
p
Connecting and turning on the FortiBridge unit
In most cases, you can connect the FortiBridge unit without making any
configuration changes to your network or your FortiGate unit. All that is required is
to move and reconnect network cables.
Note: The default FortiBridge management IP address is 192.1 68.1.99. If this IP address
conflicts with an IP address on your network, you can use the procedure “Changing the
management IP address” on page 27 to change this IP address.
Right out of the box you can connect, power on, and configu re the FortiBridge unit
without interrupting network traffic (except for the interruption required to move
and re-connect network cables). When connected and powered on, the
FortiBridge unit operates in Normal mode. Probes are not configured. The
FortiBridge unit does not provide fail open protection until probes are configured.
Connecting and turning on the FortiBridge-1000 unit
Note: This procedure describes how to connect a FortiBridge-1000 unit to provide fail open
protection for network traffic passing between FortiGate unit internal and external
interfaces. If the FortiBridge-1000 unit provides fail open protection for traffic between
different FortiGate interfaces, you can use the same procedure but substitute FortiGate
interface names as required.
The FortiBridge-1000 unit contains 4 auto-sensing 10/100/1000 Ethernet
interfaces that connect to the internal and external networks and to the FortiGate
interfaces that were connected to these networks. Use the following steps to
connect a FortiBridge-1000 unit to the network as shown in Figure 11.
Figure 11: Connecting the FortiBridge-1000 unit
Power cable connects to power supply
Optional RJ-45 serial cable connects to management computer
INT 1
INT 2
Internal
(Trans
TO FORTIGATE
INT 2
EXT 2
arent mode)
INT 1EXT 1
Ethernet connection to Internal network
Ethernet connection to External network
EXT 1
EXT 2
External
Switch
Router
Internet
DC+5V
PWR
Ethernet connection to FortiGate External interface
Ethernet connection to FortiGate Internal interface
Internal network
CONSOLE
Switch
Note: Normally, you would use straight-through ethernet cables to connect the
FortiBridge-1000 unit to the FortiGate unit and to your networks. However, for some
connections you may need a crossover ethernet cable (for example, for compatibility with
network devices that do not support Auto MDI/MDIX).
FortiBridge Version 3.0 Administration Guide
09-30000-0163-20061109 23
Connecting and turning on the FortiBridge unit Setting up FortiBridge units
To connect and turn on the FortiBridge-1000 unit
1 Connect the FortiBridge-1000 INT 2 interface to the FortiGate unit internal
interface.
2 Connect the FortiBridge-1000 EXT 2 interface to the FortiGate unit external
interface.
3 Connect the FortiBridge-1000 INT 1 interface to the internal network.
4 Connect the FortiBridge-1000 EXT 1 interface to the external network.
5 Turn on the FortiGate unit and any network equipment that was turned off.
6 Connect the AC adapter to the power connection at the back of the
FortiBridge-1000 unit and to a power outlet.
The FortiBridge-1000 unit start s. The PWR and Bypass Mode LEDs turn on. After
a short time, the FortiBridge unit switches to Normal mode. The Bypass LED goes
out and the Normal LED turns on.
If the FortiGate unit and connected ne tw or k c om p on en ts are turn ed on th e
FortiBridge-1000 INT 1, INT 2, EXT 1, and EXT 2 LEDs are also on.
Connecting and turning on the FortiBridge-1000F unit
Note: This procedure describes how to connect a FortiBridge-1000F unit to provide fail
open protection for network traffic passing between FortiGate unit internal and extern al
interfaces. If the FortiBridge-1000F unit provides fail open protection for traffic between
different FortiGate interfaces, you can use the same procedure but subst i tu te Fort iGate
interface names as required.
The FortiBridge-1000F unit conta ins 4 mult imode fi ber optic giga bit interfaces that
connect to the internal and external networks and to the FortiGate interfaces that
were connected to these networks. Use the following steps to connect a
FortiBridge-1000F unit to the network as shown in Figure 12.
Figure 12: Connecting the FortiBridge-1000F unit
Power cable connects to power supply
Optional RJ-45 serial cable connects to management computer
MODEM
INT 1
INT 2
Gigabit
Fiber
Internal
TO FORTIGATE
EXT 2INT 2
MANAGEMENT
EXT 1
INT 1
Gigabit Fiber connection to External network
Gigabit Fiber connection to Internal network
EXT 1
Gigabit
Fiber
EXT 2
Gigabit
Fiber
External
Optional Gigabit Fiber connection
for out of band management
Switch
Internet
Router
DC+5V
CONSOLE
PWR
Gigabit Fiber connection to FortiGate Internal interface
Gigabit Fiber connection to FortiGate External interface
Internal network
Gigabit
Switch
Fiber
(Transparent mode)
To connect and turn on the FortiBridge-1000F unit
1 Connect the FortiBridge-1000F INT 2 interface to the FortiGate internal interface.
2 Connect the FortiGate external interface to the FortiBridge -1000F EXT 2 interface.
FortiBridge Version 3.0 Administration Guide
24 09-30000-0163-20061109
Setting up FortiBridge units Connecting to the command line interface (CLI)
3 Connect the internal network to the FortiBridge-1000F INT 1 interface.
4 Connect the FortiBridge-1000F EXT 1 interface to the router.
Connecting to the command line interface (CLI)
Y ou configure and manage the FortiBridge unit from the FortiBr idge command line
interface (CLI). You can use a direct console connection, SSH, or Telnet to
connect to the FortiBridge CLI. This section describes how to connect directly to
the FortiBridge console and how to connect to the FortiBridge CLI across an
ethernet network using Telnet. See also “Connecting to the FortiBridge CLI using
Telnet” on page 26 for more information about connecting to the FortiBridge CLI.
Connecting to the FortiBridge console
You require:
• A computer with an available communications port,
• An RJ-45 to DB-9 serial cable,
• Terminal emulation software such as HyperTerminal for Windows.
Note: The following procedure describes how to connect to the FortiBridge CLI using
Windows HyperTerminal software. You can use any terminal emulation software.
To connect to the FortiBridge console for the first time
1 Connect the FortiBridge console port to the available communications port on
your computer.
2 Make sure the FortiBridge unit is powered on.
3 Start HyperTerminal, enter a name for the connection, and select OK.
4 Configure HyperTerminal to connect directly to the communications port on the
computer to which you have connected the FortiBridge console port.
5 Select OK.
6 Select the following port settings and select OK.
Bits per second 9600
Data bits 8
Parity None
Stop b its 1
Flow control None
7 Press the escape key (Esc) to connect to the FortiBridge CLI.
A prompt similar to the following appears (shown for the FortiBridge-1000):
FortiBridge-1000 login:
8 Type a valid administrator name and press Enter.
The default administrator account is admin.
FortiBridge Version 3.0 Administration Guide
09-30000-0163-20061109 25
Completing the basic FortiBridge configuration Setting up FortiBridge units
9 Type the password for this administrator and press Enter.
The default admin account does not require a password. For improved security,
you should add a password for this account as soon as possible. Use the
procedure “Adding an administrator password” on page 27 to add a password.
The following prompt appears:
Welcome !
FortiBridge-1000 #
You have connected to the FortiBridge CLI, and you can enter CLI commands.
Connecting to the FortiBridge CLI using Telnet
By default, you can use a Telnet client running on a management computer to
connect to the FortiBridge CLI. The management computer must be connected to
the same network as the FortiBridge INT 1 interface.
The default FortiBridge management IP address is 192.168.1.99. Your
management PC should be configured to connect to this IP address. Alternatively,
you can connect to the FortiBridge console and use the procedure “Changing the
management IP address” on page 27 to change the management IP address.
Note: A maximum of 5 Telnet connections to the FortiBridge unit can be open at the same
time.
To connect to the CLI using Telnet
1 On the management computer, Telnet to the IP address 192.168.1.99.
If you have changed the management IP address, Telnet to this address instead.
2 Type a valid administrator name and press Enter.
The default administrator account is admin.
3 Type the password for this administrator and press Enter.
The default admin account does not require a password. For improved security,
you should add a password for this account as soon as possible. Use the
procedure “Adding an administrator password” on page 27 to add a password.
The following prompt appears:
Welcome !
FortiBridge-1000 #
You have connected to the FortiBridge CLI, and you can enter CLI commands.
Completing the basic FortiBridge configuration
Now that you have connected the FortiBridge unit to your network and connected
to the FortiBridge CLI, use the following procedures to complete the basic
configuration of the FortiBridge unit.
FortiBridge Version 3.0 Administration Guide
26 09-30000-0163-20061109
Setting up FortiBridge units Completing the basic FortiBridge configuration
Note: Not all of the following procedures are required to complete the basic FortiBridge unit
configuration. Choose the procedures that apply to your installation.
• Adding an administrator password
• Changing the management IP address
• Changing DNS server IP addresses
• Adding static routes
• Allowing management access to the EXT 1 interface
• Changing the system time and date
• Adding administrator accounts
Adding an administrator password
Add an administrator password to the default admin administrator account to
prevent unauthorized users from connecting to and managing the FortiBridge uni t.
To add an administrator password
1 Log in to the CLI.
2 Change the admin administrator password. Enter:
config system admin
edit admin
set password <psswrd>
end
For example:
config system admin
edit admin
set password passWORD
end
Changing the management IP address
Change the FortiBridge unit management IP address so that you can connect to
the FortiBridge CLI from your network (instead of be ing req u ire d to use a dir ec t
console connection). The management IP should be a valid IP address for your
network.
To change the management IP address
1 Log in to the CLI.
2 Change management IP address. Enter:
config system manageip
set ip <address_ipv4mask>
end
For example:
config system manageip
set ip 192.168.20.23/24
end
FortiBridge Version 3.0 Administration Guide
09-30000-0163-20061109 27
Loading...