System Guide
FortiController-5208
DATA CONTROL
9
5
X 1
X 2
X 1 X 2
STATUS
PAYLOAD OPERATION
1
10
6
2
11
7
3
12
8
4
10/100/1000 MBPS ETHERNET ACTIVITY
9
5
1
13
14
15
D
16
D
13
10
6
2
14
1/2 3/4 D15/D16 C15/C16
11
7
3
15
C
12
8
4
16
C
1
2
3
4
MANAGEMENT
COM 1 COM 2
IPM
A detailed guide to the FortiController-5208 module. This document describes the module LEDs and connectors,
describes how to install the module in a FortiGate-5000 series chassis, and contains a brief troubleshooting section
to help you diagnose and fix problems with the module.
The most recent versions of this and all FortiGate-5000 series documents are available from the FortiGate-5000
page of the Fortinet Technical Documentation web site (http://docs.forticare.com).
Visit http://support.fortinet.com to register your FortiController-5208 system. By registering you can receive product
updates, technical support, and FortiGuard services.
FortiController-5208 System Guide
01-30000-0376-20070615
www.fortinet.com
About this guide
This guide provides information on how to install the module in a FortiGate-5000 series chassis, what the
FortiController-5208 front panel LEDs indicate, and how to make connections to the front panel.
Note: Though the FortiController-5208 is used as part of a FortiGate-5005-DIST security system, this
document concentrates on the set up and configuration of the FortiController-5208 only. See the
FortiGate-5005-DIST Security System Administration Guide for detailed information on the configuration of
the system as a whole.
The most recent version of this document is available from the FortiGate-5000 page of the Fortinet
Technical Documentation web site. The information in this document is also available in a slightly different
form as FortiController-5208 web-based manager online help.
You can find more information about FortiOS v3.0 from the FortiGate page of the Fortinet Technical
Documentation web site as well as from the Fortinet Knowledge Center.
15 June 2007
01-30000-0376-20070615
Warnings and cautions
Only trained and qualified personnel should be allowed to install or maintain FortiGate-5000 series
equipment. Read and comply with all warnings, cautions and notices in this document.
CAUTION: Risk of Explosion if Battery is replaced by an Incorrect Type. Dispose of Used Batteries According
!
to the Instructions.
Caution: You should be aware of the following cautions and warnings before installing FortiGate-5000 series
!
hardware
• Fo rtiController-520 8 modules must be protected fro m st atic discharge and physical shock. Only handle
or work with FortiController-5208 modules at a static-free workstation. Always wear a grounded
electrostatic discharge (ESD) preventive wrist or ankle strap when handling FortiController-5208
modules.
• Do not carry the FortiController-5208 module by holding the extraction levers. When inserting or
removing the FortiController-5208 module from a chassis slot, handle the module by the front panel.
The extraction levers are designed for positioning and locking the FortiController-5208 module into a
slot in a chassis only and should not be used for handling the module. If the extraction levers become
bent or damaged the FortiController-5208 module may not align correctly in the chassis slot.
Contents
Contents
About this guide................................................................. 2
FortiController-5208 module............................................. 5
Hardware installation......................................................... 9
FortiController-5208 Firmware........................................ 17
For more information....................................................... 27
FortiController-5208 System Guide
01-30000-0376-20070615 3
Contents
FortiController-5208 System Guide
4 01-30000-0376-20070615
FortiController-5208 module
FortiController-5208 module
You can create a FortiGate-5005-DIST high-throughput multi-threat network
security system using one or two FortiController-5208 modules and multiple
FortiGate-5005 modules in a FortiGate-5050 or FortiGate-5140 chassis.
A FortiGate-5020 chassis cannot be used to create a FortiGate-5005-DIST
system. Functionally, one or two FortiController-5208 modules using the
processing power of multiple FortiGate-500 5 mo d ules fun ctio n muc h like a single
FortiGate unit, but with far greater capacity.
In a FortiGate-5005-DIST configuration, the FortiGate-5005F A2 modules are used
only for their processing power. The FortiController-5208 assigns tasks to each
FortiGate-5005FA2 module and provides all external connections to the network.
Given this division of labor, the FortiController-5208 module is also called the
I/O module and the FortiGate-5005FA2 modules are also called the worker
modules.
The FortiController-5208 module provides two 10 gigabit interfaces and four
1 gigabit interfaces for network traffic. The FortiControlle r-5208 front panel also
contains an additional four 1-gigabit interfaces for inter-chassis HA and future
use. Optionally, you can double the number of available of network interfaces by
adding a second FortiController-5208.
Once initial set-up is complete, all subsequent administration and configuration of
the FortiController-5208 modules and FortiGate-5005 modules is done through
the primary FortiController-5208 mod ule .
The FortiGate-5005 modules are administered as a single unit, and therefore
configured identically. All traffic is distributed to the FortiGate modules using the
backplane interfaces so no front panel connections are required for the FortiGate
modules.
The FortiController-5208 module includes the following features:
• Two 10 gigabit in terfaces that can accept fiber or copper 10 gigabit Sm all Form
factor Pluggable (XFP) fiber or copper transceivers.
• Eight 1 gigabit front panel network interfaces that can accept Small Form
factor Pluggable (SFP) fiber or copper transceivers. Four of these interfaces
are for data, two for inter-chassis high-availability (HA) connections, and two
for future use.
• One fabric and two base backplane gigabit interfaces.
• Two RJ-45 RS-232 serial console management connections.
• A n RJ-45 Ethernet management connection.
• Mounting hardware
• LED status indicators
Before you can connect any FortiController-5208 front panel interfaces, you must
insert the XFP or SFP transceivers into the FortiController-5208 front panel cage
slots.
This chapter includes the following information about the FortiController-5208
module:
• Front panel LEDs and connectors
• Backplane gigabit interfaces
• Installing XFP and SFP transceivers
FortiController-5208 System Guide
01-30000-0376-20070615 5
Front panel LEDs and connectors FortiController-5208 module
p
• Inserting a FortiController-5208 module into a chassis
• Removing a FortiController-5208 module from a chassis
• Troubleshooting
Front panel LEDs and connectors
From the FortiController-5208 front panel you can view the status of the module
LEDs to verify that the module is functioning normally. LEDs also indicate
connections and traffic for the front panel and backplane interfaces. You also
connect the FortiController-5208 module to your network through the front panel
XFP and SFP connections. The front panel also includes two RJ-45 serial consol e
ports for connecting to the FortiController -5208 CLI and an Etherne t RJ-45 port for
connecting to the CLI and GUI management interfaces over a network.
Figure 1: FortiController-5208 front panel
SFP Gigabit
Fiber or Copper
X1 X2 XFP 10 Gigabit
Fiber or Copper
D15
3
1
C15
Management
RJ-45 Serial
LEDs
DATA CONTROL
9
5
9
1
13
13
10
6
10
2
14
14
11
15
D
12
16
D
7
3
8
4
1/2 3/4 D15/D16 C15/C16
11
15
C
12
16
C
42
D16
1
2
3
4
C16
Management
MANAGEMENT
IPM
COM 1 COM 2
IPM
Mounting
Knot
Extraction
Lever
RJ-45 Ethernet
Mounting
Knot
Extraction
Lever
X 1
X 2
Link/
Traff ic
X 1 X 2
STATUS
Status
Payload
O
PAYLOAD OPERATION
eration
5
1
6
2
7
3
8
4
10/100/1000 MBPS ETHERNET ACTIVITY
Link/Traffic
Table 1 lists and describes the FortiController-5208 module LEDs.
Ta bl e 1 : FortiCon trol le r-5208 module LEDs
LED State Description
X1, X2 Green The correct cable is connected to the 10 gigabit
STATUS Off The STATUS LED is always off, even when the
PAYLOAD OPERATION Green
DATA 1-16 Green The data LEDs display base backplane connections
XFP interface.
FortiController-5208 module is starting or operating
normally.
of the FortiController-5208 module and the 5005
modules, over which the load-balanced traffic is
sent. LED 1 corresponds to the FortiController-5208
module’s connection, LEDs 3 through 14 are for
connections to the corresponding slots in a 5050 or
5140 chassis. LEDs 15 and 16 are for the HA ports
D15/D16 on the front panel. Due to the organization
of the backplane, LED 2 will always be off, even if
an operating FortiController-5208 is in slot 2.
FortiController-5208 System Guide
6 01-30000-0376-20070615
FortiController-5208 module Front panel LEDs and connectors
Table 1: FortiController-5208 module LEDs (Continued)
LED State Description
CONTROL 1-16 Green The control LEDs display the fabric backplane
Flashing Management communication activity on the fabric
1, 2, 3, 4 Green The correct cable is connected to the gigabit SFP
Flashing Network activity at the gigabit SFP interface.
IPM Blue The FortiController-5208 is ready to be hot-
Flashing
Blue
Off Normal operation. The FortiController-5208 module
MANAGEMENT Link
LED
Speed
LED
Amber The correct cable is inserted into this interface and
Flashing Network activity at this interface.
Green The interface is connected at 1000 Mbps.
Amber The interface is connected at 100 Mbps.
Unlit The interface is connected at 10 Mbps.
connections of the FortiController-5208 module,
an optional secondary FortiController-5208 module,
and all the 5005 modules, over which management
communication is sent. LED 1 is for the
FortiController-5208 module’s connection. LEDs 2
through 14 are for connections to the corresponding
slots in a 5050 or 5140. LEDs 15 and 16 are for
future use.
backplane connection.
interface.
swapped (removed from the chassis). If the IPM
light is blue and no other LEDs are lit the
FortiController-5208 module has lost power. See
“Inserting a FortiController-5208 module into a
chassis” on page 10 for more information.
The FortiController-5208 is changing from hot swap
to running mode or from running mode to hot swap.
is in contact with the chassis backplane.
the connected equipment has power.
The control LEDs of a secondary FortiController-5208 module will be
synchronized to the control LEDs of the primary because all the installed modules
use the same fabric backplane network to communicate. Each
FortiController-5208 module has its own base backplane network with which to
exchange data traffic with the worker modules so the data LEDs of each
FortiController-5208 module will indicate only its own communication.
Connectors
Table 2 lists and describes the FortiController-5208 module connectors.
Table 2: FortiController-5208 connectors
Connector Type Speed Protocol Description
X1, X2 XFP 10 Gbps Ethernet Two 10 gigabit XFP interfaces that
FortiController-5208 System Guide
01-30000-0376-20070615 7
can accept fiber or copper
transceivers. These interfaces
operate only at 10 Gbps. See
“Installing XFP and SFP transceivers”
on page 9 for more information.
Backplane gigabit interfaces FortiController-5208 module
Ta ble 2: FortiController-5208 connectors (Continued )
Connector Type Speed Protocol Description
1, 2, 3, 4 LC SFP 1000 Mbps Ethernet Four 1 gigabit SFP interfaces that can
D15, D16 LC SFP 1000 Mbps Ethernet Two 1 gigabit SFP interfaces used for
C15, C16 LC SFP For future use.
COM1, COM2 RJ-45 9600 bps RS-232
serial
MANAGEMENT RJ-45 1000 Mbps Ethernet Ethernet management connection to
accept fiber or copper transceivers.
These interfaces operate only at
1000Mbps. See “Installing XFP and
SFP transceivers” on page 9 for more
information.
inter-chassis high-availability (HA)
connections.
Serial connection to the command line
interface.
the FortiController-5208 web-based
manager and command line interface.
Backplane gigabit interfaces
The FortiController-5208 module uses the chassis backplane gigabit interfaces for
all communication with modules installed in the chassis. This communication
includes:
• Management communication between the primary FortiController-5208, the
optional secondary FortiController-5208, and the FortiGate-5005FA2 modules.
• Delivery of traffic data to the FortiGate-5005FA2 modules for processing.
• Rece iving processed traffic from the FortiGate-5005FA2 modules.
• If inst alled, the secondary FortiController -5208 module also delivers data traf fic
to the FortiGate-5005FA2 modules and receives the processed traffic from
them.
No front panel cables are required for connections betwe en the inst alled modu les.
Once the FortiController-5208 module is configured as the primary, and the
FortiGate-5005FA2 modules are configured to use the LDB firmware, all
communication between the installed modules is aut om a tic and re qu ire s no
configuration.
FortiController-5208 System Guide
8 01-30000-0376-20070615
Hardware installation Installing XFP and SFP transceivers
Hardware installation
Before use, the FortiController-5208 module must be correctly inserted into a
FortiGate-5140 or FortiGate-5050 chassis. XFP and SFP transceivers must also
be installed before the module can be connected to other network devices.
This chapter describes:
• Installing XFP and SFP transceivers
• Inserting a FortiController-5208 module into a chassis
• Removing a FortiController-5208 module from a chassis
• Troubleshooting
Installing XFP and SFP transceivers
The FortiController-5208 module ships with XFP and SFP transceivers that you
must install for normal operation of the FortiController-5208 module. The XFP
transceivers are inserted into the cage sockets labeled X1 and X2 on the module
front panel. The SFP transceivers are inserted into the cage sockets numbered
D15, D16, and 1 to 4. You can install the transceivers before or after inserting the
FortiController-5208 module into a FortiGate chassis.
You can install the following types of XFP transceivers for connectors X1 and X2:
• X FP fiber transceivers
•
• X FP fiber transceivers
•
You can install the following types of SFP transceivers for connectors 1 to 8:
• S FP fiber transceivers
• SFP 1000Base-LX, SM module
• SFP 1000Base-SX, MM module (multimode)
• SFP copper transceivers
• S FP 1000Base-T, SERDES version only (SGMII version not supported)
To install XFP and SFP transceivers
To complete this procedure, you need:
• A FortiController-5208 module
• Two XFP transceivers
• Four SFP transceivers
• An electrostatic discharge (ESD) preventive wrist or ankle strap with
connection cord
Caution: The FortiController-5208 modules must be protected from static discharge and
physical shock. Only handle or work with FortiController-5208 modules at a static-free
!
workstation. Always wear a grounded electrostatic discharge (ESD) preventive wrist or
ankle strap when handling FortiController-5208 modules.
FortiController-5208 System Guide
01-30000-0376-20070615 9
Loading...