Fortinet FortiController FortiController-5208 System Manual

System Guide
FortiController-5208
A detailed guide to the FortiController-5208 module. This document describes the module LEDs and connectors, describes how to install the module in a FortiGate-5000 series chassis, and contains a brief troubleshooting section to help you diagnose and fix problems with the module.
The most recent versions of this and all FortiGate-5000 series documents are available from the FortiGate-5000 page of the Fortinet Technical Documentation web site (http://docs.forticare.com).
Visit http://support.fortinet.com to register your FortiController-5208 system. By registering you can receive product updates, technical support, and FortiGuard services.
FortiController-5208 System Guide
01-30000-0376-20070615
www.fortinet.com
About this guide
This guide provides information on how to install the module in a FortiGate-5000 series chassis, what the FortiController-5208 front panel LEDs indicate, and how to make connections to the front panel.
Note: Though the FortiController-5208 is used as part of a FortiGate-5005-DIST security system, this document concentrates on the set up and configuration of the FortiController-5208 only. See the FortiGate-5005-DIST Security System Administration Guide for detailed information on the configuration of the system as a whole.
The most recent version of this document is available from the FortiGate-5000 page of the Fortinet Technical Documentation web site. The information in this document is also available in a slightly different form as FortiController-5208 web-based manager online help.
You can find more information about FortiOS v3.0 from the FortiGate page of the Fortinet Technical Documentation web site as well as from the Fortinet Knowledge Center.
15 June 2007 01-30000-0376-20070615
Warnings and cautions
Only trained and qualified personnel should be allowed to install or maintain FortiGate-5000 series equipment. Read and comply with all warnings, cautions and notices in this document.
CAUTION: Risk of Explosion if Battery is replaced by an Incorrect Type. Dispose of Used Batteries According to the Instructions.
Caution: You should be aware of the following cautions and warnings before installing FortiGate-5000 series hardware.
FortiController-5208 modules must be protected from static discharge and physical shock. Only handle or work with FortiController-5208 modules at a static-free workstation. Always wear a grounded electrostatic discharge (ESD) preventive wrist or ankle strap when handling FortiController-5208 modules.
Do not carry the FortiController-5208 module by holding the extraction levers. When inserting or removing the FortiController-5208 module from a chassis slot, handle the module by the front panel. The extraction levers are designed for positioning and locking the FortiController-5208 module into a slot in a chassis only and should not be used for handling the module. If the extraction levers become bent or damaged the FortiController-5208 module may not align correctly in the chassis slot.
Contents
About this guide
FortiController-5208 module
Hardware installation
FortiController-5208 Firmware
For more information
FortiController-5208 module
You can create a FortiGate-5005-DIST high-throughput multi-threat network security system using one or two FortiController-5208 modules and multiple FortiGate-5005 modules in a FortiGate-5050 or FortiGate-5140 chassis. A FortiGate-5020 chassis cannot be used to create a FortiGate-5005-DIST system. Functionally, one or two FortiController-5208 modules using the processing power of multiple FortiGate-5005 modules function much like a single FortiGate unit, but with far greater capacity.
In a FortiGate-5005-DIST configuration, the FortiGate-5005FA2 modules are used only for their processing power. The FortiController-5208 assigns tasks to each FortiGate-5005FA2 module and provides all external connections to the network. Given this division of labor, the FortiController-5208 module is also called the I/O module and the FortiGate-5005FA2 modules are also called the worker modules.
The FortiController-5208 module provides two 10 gigabit interfaces and four 1 gigabit interfaces for network traffic. The FortiController-5208 front panel also contains an additional four 1-gigabit interfaces for inter-chassis HA and future use. Optionally, you can double the number of available network interfaces by adding a second FortiController-5208.
Once initial set-up is complete, all subsequent administration and configuration of the FortiController-5208 modules and FortiGate-5005 modules is done through the primary FortiController-5208 module.
The FortiGate-5005 modules are administered as a single unit, and therefore configured identically. All traffic is distributed to the FortiGate modules using the backplane interfaces so no front panel connections are required for the FortiGate modules.
The FortiController-5208 module includes the following features:
Two 10 gigabit interfaces that can accept fiber or copper 10 gigabit Small Form factor Pluggable (XFP) transceivers.
Eight 1 gigabit front panel network interfaces that can accept Small Form factor Pluggable (SFP) fiber or copper transceivers. Four of these interfaces are for data, two for inter-chassis high-availability (HA) connections, and two for future use.
One fabric and two base backplane gigabit interfaces.
Two RJ-45 RS-232 serial console management connections.
An RJ-45 Ethernet management connection.
Mounting hardware
LED status indicators
Before you can connect any FortiController-5208 front panel interfaces, you must insert the XFP or SFP transceivers into the FortiController-5208 front panel cage slots.
This chapter includes the following information about the FortiController-5208 module:
Front panel LEDs and connectors
Backplane gigabit interfaces
Installing XFP and SFP transceivers
Inserting a FortiController-5208 module into a chassis
Removing a FortiController-5208 module from a chassis
Troubleshooting
Front panel LEDs and connectors
From the FortiController-5208 front panel you can view the status of the module LEDs to verify that the module is functioning normally. LEDs also indicate connections and traffic for the front panel and backplane interfaces. You also connect the FortiController-5208 module to your network through the front panel XFP and SFP connections. The front panel also includes two RJ-45 serial console ports for connecting to the FortiController-5208 CLI and an Ethernet RJ-45 port for connecting to the CLI and GUI management interfaces over a network.
Figure 1: FortiController-5208 front panel
[Figure: front panel showing the X1 and X2 XFP 10 gigabit fiber or copper interfaces; the SFP gigabit fiber or copper interfaces 1 to 4, D15, D16, C15 and C16; the DATA and CONTROL LEDs (1 to 16); the STATUS, PAYLOAD OPERATION and IPM LEDs; the COM 1 and COM 2 RJ-45 serial management ports; the MANAGEMENT RJ-45 Ethernet port with its link/traffic LEDs; and the mounting knots and extraction levers.]
Table 1 lists and describes the FortiController-5208 module LEDs.
Table 1: FortiController-5208 module LEDs
| LED | State | Description |
|---|---|---|
| X1, X2 | Green | The correct cable is connected to the 10 gigabit XFP interface. |
| STATUS | Off | The STATUS LED is always off, even when the FortiController-5208 module is starting or operating normally. |
| PAYLOAD OPERATION | Green | |
| DATA 1-16 | Green | The data LEDs display base backplane connections of the FortiController-5208 module and the 5005 modules, over which the load-balanced traffic is sent. LED 1 corresponds to the FortiController-5208 module’s connection, LEDs 3 through 14 are for connections to the corresponding slots in a 5050 or 5140 chassis. LEDs 15 and 16 are for the HA ports D15/D16 on the front panel. Due to the organization of the backplane, LED 2 will always be off, even if an operating FortiController-5208 is in slot 2. |
| CONTROL 1-16 | Green | The control LEDs display the fabric backplane connections of the FortiController-5208 module, an optional secondary FortiController-5208 module, and all the 5005 modules, over which management communication is sent. LED 1 is for the FortiController-5208 module’s connection. LEDs 2 through 14 are for connections to the corresponding slots in a 5050 or 5140. LEDs 15 and 16 are for future use. |
| CONTROL 1-16 | Flashing | Management communication activity on the fabric backplane connection. |
| 1, 2, 3, 4 | Green | The correct cable is connected to the gigabit SFP interface. |
| 1, 2, 3, 4 | Flashing | Network activity at the gigabit SFP interface. |
| IPM | Blue | The FortiController-5208 is ready to be hot-swapped (removed from the chassis). If the IPM light is blue and no other LEDs are lit the FortiController-5208 module has lost power. See “Inserting a FortiController-5208 module into a chassis” for more information. |
| IPM | Flashing Blue | The FortiController-5208 is changing from hot swap to running mode or from running mode to hot swap. |
| IPM | Off | Normal operation. The FortiController-5208 module is in contact with the chassis backplane. |
| MANAGEMENT Link LED | Amber | The correct cable is inserted into this interface and the connected equipment has power. |
| MANAGEMENT Link LED | Flashing | Network activity at this interface. |
| MANAGEMENT Speed LED | Green | The interface is connected at 1000 Mbps. |
| MANAGEMENT Speed LED | Amber | The interface is connected at 100 Mbps. |
| MANAGEMENT Speed LED | Unlit | The interface is connected at 10 Mbps. |
The control LEDs of a secondary FortiController-5208 module will be synchronized to the control LEDs of the primary because all the installed modules use the same fabric backplane network to communicate. Each FortiController-5208 module has its own base backplane network with which to exchange data traffic with the worker modules so the data LEDs of each FortiController-5208 module will indicate only its own communication.
Connectors
Table 2 lists and describes the FortiController-5208 module connectors.
Table 2: FortiController-5208 connectors
| Connector | Type | Speed | Protocol | Description |
|---|---|---|---|---|
| X1, X2 | XFP | 10 Gbps | Ethernet | Two 10 gigabit XFP interfaces that can accept fiber or copper transceivers. These interfaces operate only at 10 Gbps. See “Installing XFP and SFP transceivers” for more information. |
| 1, 2, 3, 4 | LC SFP | 1000 Mbps | Ethernet | Four 1 gigabit SFP interfaces that can accept fiber or copper transceivers. These interfaces operate only at 1000 Mbps. See “Installing XFP and SFP transceivers” for more information. |
| D15, D16 | LC SFP | 1000 Mbps | Ethernet | Two 1 gigabit SFP interfaces used for inter-chassis high-availability (HA) connections. |
| C15, C16 | LC SFP | | | For future use. |
| COM1, COM2 | RJ-45 | 9600 bps | RS-232 serial | Serial connection to the command line interface. |
| MANAGEMENT | RJ-45 | 1000 Mbps | Ethernet | Ethernet management connection to the FortiController-5208 web-based manager and command line interface. |
Backplane gigabit interfaces
The FortiController-5208 module uses the chassis backplane gigabit interfaces for all communication with modules installed in the chassis. This communication includes:
Management communication between the primary FortiController-5208, the optional secondary FortiController-5208, and the FortiGate-5005FA2 modules.
Delivery of traffic data to the FortiGate-5005FA2 modules for processing.
Receiving processed traffic from the FortiGate-5005FA2 modules.
If installed, the secondary FortiController-5208 module also delivers data traffic to the FortiGate-5005FA2 modules and receives the processed traffic from them.
No front panel cables are required for connections between the installed modules. Once the FortiController-5208 module is configured as the primary, and the FortiGate-5005FA2 modules are configured to use the LDB firmware, all communication between the installed modules is automatic and requires no configuration.
Hardware installation
Before use, the FortiController-5208 module must be correctly inserted into a FortiGate-5140 or FortiGate-5050 chassis. XFP and SFP transceivers must also be installed before the module can be connected to other network devices.
This chapter describes:
Installing XFP and SFP transceivers
Inserting a FortiController-5208 module into a chassis
Removing a FortiController-5208 module from a chassis
Troubleshooting
Installing XFP and SFP transceivers
The FortiController-5208 module ships with XFP and SFP transceivers that you must install for normal operation of the FortiController-5208 module. The XFP transceivers are inserted into the cage sockets labeled X1 and X2 on the module front panel. The SFP transceivers are inserted into the cage sockets numbered D15, D16, and 1 to 4. You can install the transceivers before or after inserting the FortiController-5208 module into a FortiGate chassis.
You can install the following types of XFP transceivers for connectors X1 and X2:
XFP fiber transceivers
XFP fiber transceivers
You can install the following types of SFP transceivers for connectors 1 to 8:
SFP fiber transceivers
SFP 1000Base-LX, SM module
SFP 1000Base-SX, MM module (multimode)
SFP copper transceivers
SFP 1000Base-T, SERDES version only (SGMII version not supported)
To install XFP and SFP transceivers
To complete this procedure, you need:
A FortiController-5208 module
Two XFP transceivers
Four SFP transceivers
An electrostatic discharge (ESD) preventive wrist or ankle strap with connection cord
Caution: The FortiController-5208 modules must be protected from static discharge and physical shock. Only handle or work with FortiController-5208 modules at a static-free workstation. Always wear a grounded electrostatic discharge (ESD) preventive wrist or ankle strap when handling FortiController-5208 modules.
1 Attach the ESD wrist or ankle strap to your wrist or ankle and to an ESD socket or to a bare metal surface on the chassis or frame.
2 Remove the caps from XFP and SFP cage sockets on the FortiController-5208 front panel.
Caution: Handling the transceivers by holding the release latch can damage the connector. Do not force the transceivers into the cage slots. If the transceiver does not easily slide in and click into place, it may not be aligned correctly. If this happens, remove the transceiver, realign it, and slide it in again.
3 For cage slots X1 and X2, hold the sides of the XFP transceiver and slide the XFP transceiver into the cage socket until it clicks into place.
4 For cage slots 1 to 4, hold the sides of the SFP transceiver and slide the SFP transceiver into the cage socket until it clicks into place.
Inserting a FortiController-5208 module into a chassis
The FortiController-5208 module must be fully installed in a FortiGate-5140 or FortiGate-5050 chassis slot, with extraction levers closed and locked, and mounting knots fully tightened for the FortiController-5208 module to receive power and operate normally. If the FortiController-5208 module is not receiving power, the IPM LED glows solid blue and all other LEDs remain off.
It is important to carefully seat the FortiController-5208 module all the way into the chassis, to not use too much force on the extraction levers, and to make sure that the extraction levers are properly locked. Only then will the FortiController-5208 module power-on and start up correctly.
Figure 2: FortiController-5208 module mounting components
[Figure: the module shown with the extraction levers closed and open, labelling the alignment pins, mounting knots, extraction levers and extraction lever locks.]
You can install the XFP and SFP transceivers into the FortiController-5208 front cage slots either before or after installing the module into a chassis. See “Installing XFP and SFP transceivers”.
Module placement
When assembling a FortiGate-5005-DIST system, module placement is important. The primary FortiController-5208 module must occupy slot 1 of the FortiGate chassis. If a secondary FortiController-5208 is used, it must occupy slot 2. The FortiGate-5005FA2 modules may be placed in any remaining chassis slots.
If a secondary FortiController is not required when using a 5050 chassis, a FortiGate-5005FA2 may be placed in slot 2. The FortiGate-5005FA2 will detect the chassis and slot, and configure itself to allow a connection to the primary FortiController-5208.
If a secondary FortiController-5208 module is not required when using a 5140 chassis, a FortiGate-5005FA2 must not be placed in slot 2. A FortiGate-5005FA2 in slot 2 will not have access to the backplane base network the primary FortiController-5208 uses to distribute data traffic. Therefore, the FortiGate module will be isolated and cannot be used as part of the FortiGate-5005-DIST system installed in the chassis.
Insertion procedure
FortiController-5208 modules are hot swappable. The procedure for inserting the FortiController-5208 module into a FortiGate-5000 series chassis slot is the same whether or not the chassis is powered on.
To insert a FortiController-5208 module into a FortiGate-5000 series chassis
Caution: Do not carry the FortiController-5208 module by holding the extraction levers. When inserting or removing the FortiController-5208 module from a chassis slot, handle the module by the front panel. The extraction levers are designed only for positioning and locking the FortiController-5208 module into a slot in a chassis and should not be used for handling the module. If the extraction levers become bent or damaged the FortiController-5208 module may not align correctly in the chassis slot.
To complete this procedure, you need:
A FortiController-5208 module
A FortiGate-5140 or FortiGate-5050 chassis with an empty slot 1 for the primary FortiController-5208 module, and optionally, an empty slot 2 for a secondary FortiController-5208 module. See “Module placement” for more details.
An electrostatic discharge (ESD) preventive wrist or ankle strap with connection cord
Caution: The FortiController-5208 modules must be protected from static discharge and physical shock. Only handle or work with FortiController-5208 modules at a static-free workstation. Always wear a grounded electrostatic discharge (ESD) preventive wrist or ankle strap when handling FortiController-5208 modules.
1 Attach the ESD wrist or ankle strap to your wrist or ankle and to an ESD socket or to a bare metal surface on the chassis or frame.
2 Unlock the left and right extraction levers by squeezing the extraction lever locks.
3 Open the left and right extraction levers to their fully open positions.
4 Insert the FortiController-5208 module into the empty slot in the chassis.
5 Carefully guide the module into the chassis using the rails in the slot.
Insert the module by applying moderate force to the front faceplate (not the extraction levers) to slide the module into the slot. The module should glide smoothly into the chassis. If you encounter any resistance while sliding the module in, the module could be aligned incorrectly. Pull the module back out and try inserting it again.
6 Slide the module in until the alignment pins are inserted half way into their sockets in the chassis.
7 Turn both extraction levers to their fully-closed positions.
The extraction levers should hook into the sides of the chassis slot. Closing the extraction levers draws the FortiController-5208 module into place in the chassis slot and into full contact with the chassis backplane. The FortiController-5208 module front panel should be in contact with the chassis front panel. When the extraction levers are fully-closed, they lock into place.
If the chassis is powered on, as the module slides into place the IPM LED starts flashing blue. If the module is aligned correctly, inserted all the way into the slot, and the extraction levers are properly locked the IPM LED flashes blue for a few seconds. At the same time the STATUS LED turns amber, and the interface LEDs flash green. After a few seconds the IPM LED goes out and the FortiController-5208 module firmware starts up. If the module is operating correctly, the front panel LEDs are lit as described in Table 3.
If the module has not been inserted properly the IPM LED changes to solid blue and all other LEDs turn off. If this occurs, squeeze and open the extraction levers, slide the module part way out, and repeat the insertion process.
8 Fully tighten the left and right mounting knots to lock the FortiController-5208 module into position in the chassis slot.
Table 3: FortiController-5208 normal operating LEDs
| LED | State |
|---|---|
| PAYLOAD OPERATION | Green |
| STATUS | Off |
| IPM | Off |
Removing a FortiController-5208 module from a chassis
The following procedure describes how to correctly use the FortiController-5208 mounting components shown in Figure 2 to remove a FortiController-5208 module from a FortiGate-5140 or FortiGate-5050 chassis slot.
To remove a FortiController-5208 module from a FortiGate-5000 series chassis
FortiController-5208 modules are hot swappable. The procedure for removing the FortiController-5208 module from a FortiGate-5140 or FortiGate-5050 chassis slot is the same whether or not the chassis is powered on.
Caution: Do not carry the FortiController-5208 module by holding the extraction levers. When inserting or removing the FortiController-5208 module from a chassis slot, handle the module by the front panel. The extraction levers are designed only for positioning and locking the FortiController-5208 module into a slot in a chassis and should not be used for handling the module. If the extraction levers become bent or damaged the FortiController-5208 module may not align correctly in the chassis slot.
To complete this procedure, you need:
A FortiGate-5140 or FortiGate-5050 chassis with a FortiController-5208 module installed
An electrostatic discharge (ESD) preventive wrist or ankle strap with connection cord
Caution: The FortiController-5208 modules must be protected from static discharge and physical shock. Only handle or work with FortiController-5208 modules at a static-free workstation. Always wear a grounded electrostatic discharge (ESD) preventive wrist or ankle strap when handling FortiController-5208 modules.
1 Attach the ESD wrist or ankle strap to your wrist or ankle and to an ESD socket or to a bare metal surface on the chassis or frame.
2 Disconnect all cables from the FortiController-5208 module, including all network cables, and console cables.
3 Fully loosen the mounting knots on the left and right sides of the FortiController-5208 module front panel.
4 Unlock the left and right extraction levers by squeezing the extraction lever locks.
5 Open the left and right extraction levers to their fully open positions.
Opening the extraction levers slides the module a short distance out of the slot, disconnecting the module from the chassis backplane.
The IPM LED turns solid blue. All other LEDs turn off.
6 Pull the module about half way out.
All LEDs turn off.
7 Turn both extraction levers to their fully-closed positions.
When the extraction levers are fully-closed they lock into place.
8 Carefully slide the module completely out of the slot.
Troubleshooting
This section describes the following troubleshooting topics:
FortiController-5208 module does not start up
FortiController-5208 module does not start up
This section describes how to fix a number of problems that would prevent a FortiController-5208 from starting up.
All chassis: extraction levers not fully closed
If the extraction levers are damaged or positioned incorrectly, the FortiController-5208 module will not start up. Make sure the extraction levers are correctly aligned, fully inserted, and locked.
All chassis: shelf manager not installed or not functioning
The FortiController-5208 module will not start up if a shelf manager is not installed or is not operating correctly.
When you insert a FortiController-5208 module, the module attempts to communicate with the shelf manager. If the FortiController-5208 module cannot communicate with the shelf manager, the module will not start up.
If a shelf manager is installed, make sure it is functioning normally (the Status LED is green and all other LEDs are off). If the shelf manager is not functioning normally, you can try removing it from the chassis and reinstalling it. If this does not solve the problem, contact Fortinet Technical Support.
All chassis: Firmware problem
If the FortiController-5208 module is receiving power, the extraction levers are fully closed, and the FortiController-5208 still does not start up, the problem could be with the firmware. Connect to the FortiController-5208 module console and try cycling the power to the module. If the BIOS starts up, interrupt the BIOS startup and install a new firmware image. For details about installing a new firmware image in this way, see “Installing firmware images from a system reboot using the CLI”.
If this does not solve the problem, contact Fortinet Technical Support.
FortiController-5208 Firmware
Fortinet periodically updates the FortiController-5208 firmware to include enhancements and address issues. After you have registered your FortiController-5208, firmware is available for download at the support web site, http://support.fortinet.com.
Only the FortiController-5208 admin user can change the firmware. All FortiController-5208 modules are configured as a secondary when shipped.
When configured as a secondary, HTTPS, HTTP, Telnet, and SSH connections to the management interface are denied. CLI commands can only be issued when connected to the console interface.
This section includes the following topics:
Upgrading the FortiController-5208 to a new firmware version
Reverting the FortiController-5208 to a previous firmware version
Installing firmware images from a system reboot using the CLI
Testing a new firmware image before installing it
Upgrading the FortiController-5208 to a new firmware version
Use the web-based manager or CLI procedure to upgrade to a new firmware version or to a more recent build of the same firmware version.
Upgrading the firmware using the web-based manager
Use the following procedures to upgrade the primary FortiController-5208 module to a new firmware version. A secondary FortiController-5208 module can only be upgraded using the CLI procedure.
Note: To use this procedure, you must log in using the admin administrator account, or an administrator account that has system configuration read and write privileges.
To upgrade the firmware using the web-based manager
1 Copy the firmware image file to your management computer.
2 Log into the web-based manager as the admin administrative user.
3 Go to System > Status.
4 Under I/O Blade Status > Firmware Version, select Update.
5 Type the path and filename of the firmware image file, or select Browse and locate the file.
6 Select OK.
The FortiController-5208 module uploads the firmware image file, upgrades to the new firmware version, restarts, and displays the FortiController-5208 login. This process takes a few minutes.
7 Log into the web-based manager.
8 Go to System > Status and check the Firmware Version to confirm the firmware upgrade is successfully installed.
Upgrading the firmware using the CLI
To use the following procedure, you must have a TFTP server available on a network connected to the FortiController-5208 module management interface.
Note: To use this procedure, you must log in using the admin administrator account, or an administrator account that has system configuration read and write privileges.
To upgrade the firmware using the CLI
1 Make sure the TFTP server is running.
2 Copy the new firmware image file to the root directory of the TFTP server.
3 Log into the CLI.
4 Make sure the FortiController-5208 module can connect to the TFTP server.
You can use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168:
    execute ping 192.168.1.168
5 Enter the following command to copy the firmware image from the TFTP server to the FortiController-5208 module:
    execute restore image io <name_str> <tftp_ipv4>
Where <name_str> is the name of the firmware image file and <tftp_ipv4> is the IP address of the TFTP server. For example, if the firmware image file name is image.out and the IP address of the TFTP server is 192.168.1.168, enter:
    execute restore image io image.out 192.168.1.168
The FortiController-5208 module responds with the message:
    This operation will replace the current firmware version! Do you want to continue? (y/n)
6 Type y.
The FortiController-5208 module uploads the firmware image file, upgrades to the new firmware version, and restarts. This process takes a few minutes.
7 Reconnect to the CLI.
8 To confirm the firmware image is successfully installed, enter:
    get system status
Reverting the FortiController-5208 to a previous firmware version
Use the web-based manager or CLI procedure to revert to a previous firmware version. This procedure reverts the FortiController-5208 module to its factory default configuration.
Reverting to a previous firmware version using the web-based manager
The following procedures revert the FortiController-5208 module to its factory default configuration.
Page 19
Before beginning this procedure, it is recommended that you back up the FortiController-5208 module configuration.
If you are reverting to a previous firmware version, you might not be able to restore the previous configuration from the backup configuration file.
Note: To use this procedure, you must log in using the admin administrator account, or an administrator account that has system configuration read and write privileges.
To revert to a previous firmware version using the web-based manager
1 Copy the firmware image file to the management computer.
2 Log into the FortiController-5208 web-based manager.
3 Go to System > Status.
4 Under I/O Blade Status > Firmware Version, select Update.
5 Type the path and filename of the firmware image file, or select Browse and locate the file.
6 Select OK.
The FortiController-5208 module uploads the firmware image file, reverts to the old firmware version, resets the configuration, restarts, and displays the FortiController-5208 login. This process takes a few minutes.
7 Log into the web-based manager.
8 Go to System > Status and check the Firmware Version to confirm the firmware is successfully installed.
9 Restore your configuration.
Reverting to a previous firmware version using the CLI
This procedure reverts the FortiController-5208 module to its factory default configuration.
Before beginning this procedure, it is recommended that you back up the FortiController-5208 module system configuration using the command execute backup allconfig.
If you are reverting to a previous firmware version, you might not be able to restore the previous configuration from the backup configuration file.
Note: To use this procedure, you must log in using the admin administrator account, or an administrator account that has system configuration read and write privileges.
To use the following procedure, you must have a TFTP server the FortiController-5208 module can connect to.
To revert to a previous firmware version using the CLI
1 Make sure the TFTP server is running.
2 Copy the firmware image file to the root directory of the TFTP server.
3 Log into the FortiGate CLI.
Page 20
4 Make sure the FortiController-5208 module can connect to the TFTP server.
You can use the following command to ping the computer running the TFTP server. For example, if the TFTP server’s IP address is 192.168.1.168:
execute ping 192.168.1.168
5 Enter the following command to copy the firmware image from the TFTP server to the FortiController-5208 module:
execute restore image io <name_str> <tftp_ipv4>
Where <name_str> is the name of the firmware image file and <tftp_ipv4> is the IP address of the TFTP server. For example, if the firmware image file name is image.out and the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image io image.out 192.168.1.168
The FortiController-5208 module responds with this message:
This operation will replace the current firmware version! Do you want to continue? (y/n)
6 Type y.
The FortiController-5208 module uploads the firmware image file. After the file uploads, a message similar to the following is displayed:
Get image from tftp server OK.
Check image OK.
This operation will downgrade the current firmware version! Do you want to continue? (y/n)
7 Type y.
The FortiController-5208 module reverts to the old firmware version, resets the configuration to factory defaults, and restarts. This process takes a few minutes.
8 Reconnect to the CLI.
9 To confirm the new firmware image has been loaded, enter:
get system status
10 To restore your previous configuration, if needed, use the command:
execute restore allconfig <name_str> <tftp_ip4>
Installing firmware images from a system reboot using the CLI
This procedure installs a specified firmware image and resets the FortiController-5208 module to default settings. You can use this procedure to upgrade to a new firmware version, revert to an older firmware version, or re-install the current firmware version.
To use this procedure, you must connect to the CLI using the FortiController-5208 console port and an RJ-45 to DB-9 serial cable. This procedure reverts the FortiController-5208 module to its factory default configuration.
For this procedure you:
Access the CLI by connecting to the FortiGate console port using an RJ-45 to DB-9 serial cable.
Install a TFTP server that you can connect to from the FortiGate internal interface. The TFTP server should be on the same subnet as the internal interface.
Before beginning this procedure, it is recommended that you back up the FortiController-5208 module configuration.
If you are reverting to a previous firmware version, you might not be able to restore the previous configuration from the backup configuration file.
To install firmware from a system reboot
1 Connect to the CLI using the RJ-45 to DB-9 serial cable and the FortiController-5208 console port.
2 Make sure the TFTP server is running.
3 Copy the new firmware image file to the root directory of the TFTP server.
4 Make sure one of the FortiController-5208 module interfaces is connected to the same network as the TFTP server.
5 To confirm the FortiController-5208 module can connect to the TFTP server, use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168:
execute ping 192.168.1.168
6 Enter the following command to restart the FortiController-5208 module.
execute reboot
The FortiController-5208 module responds with the following message:
This operation will reboot the system! Do you want to continue? (y/n)
7 Type y.
As the FortiController-5208 module starts, a series of system startup messages is displayed. When the following message appears:
Press any key to display configuration menu................
Immediately press any key to interrupt the system startup.
Note: You have only 3 seconds to press any key. If you do not press a key soon enough, the FortiController-5208 module reboots and you must log in and repeat the execute reboot command.
If you successfully interrupt the startup process, the following menu appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[I]: Configuration and information.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G,F,B,I,Q,or H:
Page 22
8 Type I and the Configuration and information menu is displayed:
[S]: Set serial port baudrate(will take effect on next boot).
[T]: Set image download port.
[C]: Set DHCP enable (will take effect on next boot).
[D]: Set bootup debug message display (will take effect on next boot).
[I]: Display hardware information.
[Q]: Quit this menu.
[H]: Display this list of options.
Enter S,T,C,D,I,Q,or H:
9 Type T to set the image download port. The following message will appear:
Enter image download port number [1]:
10 Enter the port number used to connect to the network shared with the TFTP server and press Enter.
11 Type Q to return to the boot menu.
12 Type G to get the new firmware image from the TFTP server.
The following message appears:
Enter TFTP server address [192.168.1.168]:
13 Type the address of the TFTP server and press Enter.
The following message appears:
Enter Local Address [192.168.1.188]:
14 Type an IP address the FortiController-5208 module can use to connect to the TFTP server. The IP address can be any IP address that is valid for the network the interface is connected to. Make sure you do not enter the IP address of another device on this network.
The following message appears:
Enter File Name [image.out]:
15 Enter the firmware image filename and press Enter.
The TFTP server uploads the firmware image file to the FortiController-5208 module and messages similar to the following are displayed:
Save as Default firmware/Backup firmware/Run image without saving: [D/B/R]
16 Type D.
The FortiController-5208 module installs the new firmware image and restarts. The installation might take a few minutes to complete.
Restoring the previous configuration
Change the internal interface address, if required. You can do this from the CLI using the following command:
Page 23
config system interface
    edit internal
        set ip <address_ip4mask>
        set allowaccess {ping https ssh telnet http}
end
After changing the interface address, you can access the FortiController-5208 module from the web-based manager and restore the configuration.
If you are reverting to a previous firmware version, you might not be able to restore the previous configuration from the backup configuration file.
Testing a new firmware image before installing it
You can test a new firmware image by installing the firmware image from a system reboot and saving it to system memory. After completing this procedure, the FortiController-5208 module operates using the new firmware image with the current configuration. This new firmware image is not permanently installed. The next time the FortiController-5208 module restarts, it operates with the originally installed firmware image using the current configuration. If the new firmware image operates successfully, you can install it permanently using the procedure “Upgrading the FortiController-5208 to a new firmware version” on page 17.
Use this procedure to test a new firmware image before installing it. To use this procedure, you must connect to the CLI using the FortiGate console port and an RJ-45 to DB-9 serial cable. This procedure temporarily installs a new firmware image using your current configuration.
For this procedure you:
Access the CLI by connecting to the FortiGate console port using an RJ-45 to DB-9 serial cable.
Install a TFTP server that you can connect to from the FortiGate internal interface. The TFTP server should be on the same subnet as the internal interface.
To test the new firmware image
1 Connect to the CLI using the RJ-45 to DB-9 serial cable and the FortiGate console port.
2 Make sure the TFTP server is running.
3 Copy the new firmware image file to the root directory of the TFTP server.
4 Make sure one of the FortiController-5208 module interfaces is connected to the same network as the TFTP server.
5 To confirm the FortiController-5208 module can connect to the TFTP server, use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168:
execute ping 192.168.1.168
Page 24
6 Enter the following command to restart the FortiController-5208 module.
execute reboot
The FortiController-5208 module responds with the following message:
This operation will reboot the system! Do you want to continue? (y/n)
7 Type y.
As the FortiController-5208 module starts, a series of system startup messages is displayed. When the following message appears:
Press any key to display configuration menu................
Immediately press any key to interrupt the system startup.
Note: You have only 3 seconds to press any key. If you do not press a key soon enough, the FortiController-5208 module reboots and you must log in and repeat the execute reboot command.
If you successfully interrupt the startup process, the following menu appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[I]: Configuration and information.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G,F,B,I,Q,or H:
8 Type I and the Configuration and information menu is displayed:
[S]: Set serial port baudrate(will take effect on next boot).
[T]: Set image download port.
[C]: Set DHCP enable (will take effect on next boot).
[D]: Set bootup debug message display (will take effect on next boot).
[I]: Display hardware information.
[Q]: Quit this menu.
[H]: Display this list of options.
Enter S,T,C,D,I,Q,or H:
9 Type T to set the image download port. The following message will appear:
Enter image download port number [1]:
10 Enter the port number used to connect to the network shared with the TFTP server and press Enter.
11 Type Q to return to the boot menu.
12 Type G to get the new firmware image from the TFTP server.
The following message appears:
Enter TFTP server address [192.168.1.168]:
Page 25
13 Type the address of the TFTP server and press Enter.
The following message appears:
Enter Local Address [192.168.1.188]:
14 Type an IP address the FortiController-5208 module can use to connect to the TFTP server. The IP address can be any IP address that is valid for the network the interface is connected to. Make sure you do not enter the IP address of another device on this network.
The following message appears:
Enter File Name [image.out]:
15 Enter the firmware image filename and press Enter.
The TFTP server uploads the firmware image file to the FortiController-5208 module and messages similar to the following are displayed:
Save as Default firmware/Backup firmware/Run image without saving: [D/B/R]
16 Type R.
The FortiGate image is installed to system memory and the FortiController-5208 module starts running the new firmware image, but with its current configuration.
17 You can log into the CLI or the web-based manager using any administrative account.
18 To confirm the new firmware image has been loaded from the CLI, enter:
get system status
You can test the new firmware image as required.
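The boot-menu dialogue shared by the two reboot procedures above (answer D to install, R to test from memory), written out as an added Python example that is not Fortinet code. It validates the operator's inputs against the constraints the steps state (TFTP server on the same subnet, a local address that does not collide, a file in the TFTP root directory) and checks a captured console log for every prompt in order. The function names, the prefix-length parameter, the carriage return used for Enter, and the assumption that each menu reprints its prompt after a selection are not from the manual.

```python
import ipaddress

# Prompts copied from the manual's console transcript, in the order the two
# procedures answer them. ASSUMPTION: each menu reprints its prompt after a
# selection, so the same prompt can appear twice with a different answer.
SCRIPT = [
    ("Press any key to display configuration menu", " "),
    ("Enter G,F,B,I,Q,or H:", "I"),
    ("Enter S,T,C,D,I,Q,or H:", "T"),
    ("Enter image download port number", "{port}\r"),
    ("Enter S,T,C,D,I,Q,or H:", "Q"),
    ("Enter G,F,B,I,Q,or H:", "G"),
    ("Enter TFTP server address", "{tftp}\r"),
    ("Enter Local Address", "{local}\r"),
    ("Enter File Name", "{image}\r"),
    ("[D/B/R]", "{save}"),
]
SAVE_KEY = {"install": "D", "test": "R"}  # D = save as default, R = run without saving

def preflight(tftp, local, prefix_len, image, mode):
    """Validate operator input before the module is rebooted (hypothetical helper)."""
    if mode not in SAVE_KEY:
        raise ValueError("mode must be 'install' or 'test'")
    net = ipaddress.ip_network(f"{local}/{prefix_len}", strict=False)
    if ipaddress.ip_address(tftp) not in net:
        raise ValueError("TFTP server is not on the same subnet as the local address")
    if ipaddress.ip_address(local) == ipaddress.ip_address(tftp):
        raise ValueError("local address collides with the TFTP server")
    if ipaddress.ip_address(local) in (net.network_address, net.broadcast_address):
        raise ValueError("local address is not a usable host address")
    if not image or "/" in image or "\\" in image:
        raise ValueError("image must be a bare file name in the TFTP root directory")

def plan(console, tftp, local, prefix_len, image, port=1, mode="test"):
    """Return [(prompt, keys)] for a captured console log; raise if a prompt is missing."""
    preflight(tftp, local, prefix_len, image, mode)
    values = dict(port=port, tftp=tftp, local=local, image=image, save=SAVE_KEY[mode])
    pos, steps = 0, []
    for prompt, reply in SCRIPT:
        idx = console.find(prompt, pos)
        if idx < 0:
            raise LookupError(f"expected prompt not seen: {prompt!r}")
        pos = idx + len(prompt)  # later prompts must follow this one
        steps.append((prompt, reply.format(**values)))
    return steps

# Constructed sample console capture (not output from a real module).
SAMPLE = """Press any key to display configuration menu..........
Enter G,F,B,I,Q,or H:
Enter S,T,C,D,I,Q,or H:
Enter image download port number [1]:
Enter S,T,C,D,I,Q,or H:
Enter G,F,B,I,Q,or H:
Enter TFTP server address [192.168.1.168]:
Enter Local Address [192.168.1.188]:
Enter File Name [image.out]:
Save as Default firmware/Backup firmware/Run image without saving: [D/B/R]
"""
```

Running `plan(SAMPLE, "192.168.1.168", "192.168.1.188", 24, "image.out", mode="test")` yields ten prompt and keystroke pairs ending in R; with `mode="install"` the last keystroke is D.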
Page 26
Page 27
For more information
Support for your Fortinet product is available as online help from within the web-based manager, from the Tools and Documentation CD included with the product, on the Fortinet Technical Documentation web site, from the Fortinet Knowledge Center web site, as well as from Fortinet Technical Support.
Fortinet documentation
The most up-to-date publications and previous releases of Fortinet product documentation are available from the Fortinet Technical Documentation web site at http://docs.forticare.com. FortiGate-5000 series documentation is located in its own section of the site at http://docs.forticare.com/fgt5k.html.
Fortinet Tools and Documentation CD
All Fortinet documentation is available from the Fortinet Tools and Documentation CD shipped with your Fortinet product. The documents on this CD are current for your product at shipping time. For the latest versions of all Fortinet documentation see the Fortinet Technical Documentation web site at http://docs.forticare.com.
Fortinet Knowledge Center
Additional Fortinet technical documentation is available from the Fortinet Knowledge Center. The knowledge center contains troubleshooting and how-to articles, FAQs, technical notes, and more. Visit the Fortinet Knowledge Center at http://kc.forticare.com.
Comments on Fortinet technical documentation
Please send information about any errors or omissions in this document, or any Fortinet technical documentation, to techdoc@fortinet.com.
Customer service and technical support
Fortinet Technical Support provides services designed to make sure that your Fortinet systems install quickly, configure easily, and operate reliably in your network.
Please visit the Fortinet Technical Support web site at http://support.fortinet.com to learn about the technical support services that Fortinet provides.
Register your Fortinet product
Register your Fortinet product to receive Fortinet customer services such as product updates and technical support. You must also register your product for FortiGuard services such as FortiGuard Antivirus and Intrusion Prevention updates and for FortiGuard Web Filtering and AntiSpam.
Register your product by visiting http://support.fortinet.com and selecting Product Registration.
To register, enter your contact information and the serial numbers of the Fortinet products that you or your organization have purchased. You can register multiple Fortinet products in a single session without re-entering your contact information.
Page 28
© Copyright 2007 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.
Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Regulatory compliance
FCC Class A Part 15 CSA/CUS
www.fortinet.com