Fortinet FortiGate 5001A-SW, FortiGate 5001A-DW User Manual
5001A-SW
FortiGate-5001A
FortiGate-5001A-DW
Security System Guide
FortiGate-5001A-SW
A detailed guide to the FortiGate-5001A-DW and FortiGate-5001A-SW Security Systems. This FortiGate-5001A
Security System Guide describes FortiGate-5001A hardware features, how to inst all a FortiGate-5001A board in a
FortiGate-5000 series chassis, and how to configure the FortiGate-5001A security system for your network.
The most recent versions of this and all FortiGate-5000 series documents are availa ble from the FortiGate-5000 page of
the Fortinet Technical Documentation web site (http://docs.forticare.com).
Visit http://support.fortinet.com to register your FortiGate-5001A security system. By registering you can r eceive product
updates, technical support, and FortiGuard services.
FortiGate-5001A Security System Guide
01-30000-83456-20081023
Warnings and cautions
!
!
Only trained and qualified personnel should be allowed to install or maintain FortiGate-5000 series
equipment. Read and comply with all warnings, cautions and notices in this document.
CAUTION: Risk of Explosion if Battery is replaced by an Incorrect Type. Dispose of Used Batteries According
to the Instructions.
Caution: You should be aware of the following cautions and warnings before installing FortiGate-5000 series
hardware
• Turning of f all powe r switches may not turn o f f all power to the FortiGate- 5000 series equip ment. Some
circuitry in the FortiGate-5000 series equipment may continue to operate even though all power
switches are off.
• Many FortiGate-5000 components are ho t swapp able a nd can be inst alled or removed while the power
is on. But some of the procedures in this document may require power to be turned off and completely
disconnected. Follow all instructions in the procedures in this document that describe di sconnecting
FortiGate-5000 series equipment from power sources, telecommunications links and networks before
installing, or removing FortiGate-5000 series components, or performing other maintenance tasks.
Failure to follow the instructions in this document can result in personal injury or equipment damage.
• Install FortiGate-5000 series chassis at the lower positions of a rack to avoid making the rack top-heavy
and unstable.
• Do not insert metal objects or tools into open chassis slots.
• Electrostatic discharge (ESD) can damage FortiGate-5000 series equipment. Only perform the
procedures described in this document from an ESD workstation. If no such station is available, you
can provide some ESD protection by wearing an anti-static wrist strap and attaching it to an available
ESD connector such as the ESD sockets provided on FortiGate-5000 series chassis.
• Make sure all FortiGate-5000 series components have reliable grounding. Fortinet recommends direct
connections to the building ground.
• If you install a FortiGate-5000 series component in a closed or multi-unit rack assembly, the operating
ambient temperature of the rack environment may be greater than room ambient. Make sure the
operating ambient temperature does not exceed Fortinet’s maximum rated ambient temperature.
• Installing FortiGate-5000 series equipment in a rack should be such that the amount of airflow required
for safe operation of the equipment is not compromised.
• FortiGate-5000 series chassis should be installed by a qualified electrician.
• FortiGate-5000 series equipment shall be installed and connected to an electrical supply source in
accordance with the applicable codes and re gu la tio ns for the location in which it is installed. Particular
attention shall be paid to use of correct wire type and size to comply with the applicable codes and
regulations for the installation / location. Connection of the supply wiring to the terminal block on the
equipment may be accomplished using Listed wire compression lugs, for example, Pressure Terminal
Connector made by Ideal Industries Inc. or equivalent which is suitable for A WG 10. Par ticular atten tion
shall be given to use of the appropriate compre ss ion too l spe cifie d by the co mp re ss ion lug
manufacturer, if one is specified.
FortiGate-5001A Security System Guide
01-30000-83456-20081023
Contents
Contents
Warnings and cautions..................................................................................... 2
FortiGate-5001A security system..................................... 5
Front panel LEDs and connectors................................................................... 6
LEDs ............................................................................................................. 7
Connectors.................................................................................................... 8
Base backplane communication...................................................................... 8
Fabric backplane communication.................................................................... 8
FortiGate-RTM-XB2 ...................................................................................... 9
AMC modules..................................................................................................... 9
Hardware installation....................................................... 11
Changing FortiGate-5001A SW11 switch settings........................................ 12
FortiGate-5001A mounting components....................................................... 14
Inserting a FortiGate-5001A board......................... ... .... ... .............................. 15
Removing a FortiGate-5001A board............................................................... 18
Resetting a FortiGate-5001A board................................................................ 20
Installing and removing AMC modules .... .... ... ... ... ....................................... . 20
Inserting AMC slot filler panels.................................................................... 21
Inserting AMC modules............................................................................... 21
Removing AMC modules ............................................................................ 22
Troubleshooting .............................................................................................. 23
FortiGate-5001A does not start up.............................................................. 23
FortiGate-5001A status LED is flashing during system operation....... .... ... . 24
FortiGate AMC modules not detected by FortiGate-5001A board .............. 24
Quick Configuration Guide ............................................. 25
Registering your Fortinet product ................................................................. 25
Planning the configuration ............................................................................. 25
NAT/Route mode ........................................................................................ 26
Transparent mode....................................................................................... 26
Choosing the configuration tool.................................................................... 27
Web-based manager................................................................................... 27
Command Line Interface (CLI).................................................................... 28
Factory default settings.................................................................................. 28
Configuring NAT/Route mode........................................................................ 28
Using the web-based manager to configure NAT/Route mode................... 29
Using the CLI to configure NAT/Route mode.............................................. 30
FortiGate-5001A Security System Guide
01-30000-83456-20081023 3
Contents
Configuring Transparent mode..................................... ....... ... ... ... ... .... ... ... ... . 31
Using the web-based manager to configure Transparent mode................. 31
Using the CLI to configure Transparent mode............................................ 32
Upgrading FortiGate-5001A firmware............................................................ 33
FortiGate-5001A base backplane data communication............................... 34
FortiGate-5001A fabric backplane data communication ............................. 36
Powering off the FortiGate-5001A board................................... ... ... .... ...... ... . 37
For more information ...................................................... 39
Fortinet documentation .................................................................................. 39
Fortinet Tools and Documentation CD........................................................ 39
Fortinet Knowledge Center ........................................................................ 39
Comments on Fortinet technical documentation ........................................ 39
Customer service and technical support...................................................... 39
Register your Fortinet product....................................................................... 39
FortiGate-5001A Security System Guide
4 01-30000-83456-20081023
FortiGate-5001A security system
FortiGate-5001A security system
The FortiGate-5001A security system is a high-performance Advanced
Telecommunications Computing Architecture (ACTA) comp liant FortiGate
security system that can be installed in any ACTA chassis including the
FortiGate-5140, FortiGate-5050 , or For tiG at e- 50 2 0 chassis.
Two FortiGate-5001A models are available:
• The FortiGate-5001A-DW (double-width) board includes a double-width
Advanced Mezzanine Card (AMC) opening. You can install a supported
FortiGate ADM module such as the FortiGate-ADM-XB2 or the
FortiGate-ADM-FB8 in the AMC opening. The FortiGate-ADM-XB2 adds two
accelerated 10-gigabit interfaces to the FortiGate-5001A board and the
FortiGate-ADM-FB8 adds 8 accelerated 1-gigabit interfaces.
• The FortiGate-5001A-SW (single-width) includes a single-width AMC opening.
You can install a supported FortiGate ASM module such as the
FortiGate-ASM-FB4 or the FortiGate-ASM-S08 in the AMC opening. The
FortiGate-ASM-FB4 adds four accelerated 1-gigabit interfaces to the
FortiGate-5001A board and the FortiGate-ADM-S08 adds a removable hard
disk that you can use to store log files and content archives.
Other than the double-width and single-width AMC openings, the
FortiGate-5001A-DW and SW models have the same fun ct ion a lity an d
performance.
The FortiGate-5001A security system contains two front p anel 1-gigabit ethernet
interfaces, two base backplane 1-gigabit interfaces, and two fabric backplane
1-gigabit interfaces. Use the front panel interfaces for connections to your
networks and the backplane interfaces fo r com m u nica tio n acro ss th e ACTA
chassis backplane.
If you install a FortiGate-RTM-XB2 module for each FortiGate-5001A board, the
FortiGate-5001A fabric interfaces can operate at 10 Gbps. The
FortiGate-RTM-XB2 also provides NP2-accelerated network processing for
eligible traffic passing throug h the FortiGate-RTM-XB2 interfaces.
You can also configure two or more FortiGate-5001A boards to create a high
availability (HA) cluster using the base or fabric backplane interfaces for HA
heartbeat communication through the chassis backplane, leavin g front panel
interfaces available for network connections.
Note: In most cases the base backplane interfaces are used for HA heartbeat
communication and the fabric backplane interfaces are used for data communication.
The FortiGate-5001A board also supports high-end FortiGate features including
802.1Q VLANs, multiple virtual domains, 802.3ad aggregate interfaces, and
FortiOS Carrier.
FortiGate-5001A Security System Guide
01-30000-83456-20081023 5
Front panel LEDs and connectors FortiGate-5001A security system
Fabri
RJ-4
Fabri
RJ-4
Figure 1: FortiGate-5001A-DW front panel
Double-width AMC
opening
5
Console
c and Base
network activity
LEDs
USB
Retention
Screw
Extraction
Lever
port1 and port2
10/100/1000
Copper Interfaces
IPM
LED
(board
position)
ACC
OOS
Power
Status
LEDs
Retention
Extraction
Lever
Figure 2: FortiGate-5001A-SW front panel
c and Base
network activity
LEDs
USB
IPM
LED
(board
position)
ACC
OOS
Power
Status
LEDs
Retention
Extraction
Lever
Retention
Screw
Extraction
Lever
5001A-SW
Single-width AMC
opening
Console
port1 and port2
10/100/1000
Copper Interfaces
5
The FortiGate-5001A board includes the following features:
• Two front panel 10/100/1000Base-T copper 1-gigabit ethernet interfaces.
• Two base backplane 1-gigabit interfaces (base CH0 and Base CH1 on the
front panel and base1 and base2 in the firmware) for HA heartbeat and data
communications across the FortiGate-5000 chassis backplane.
• Two fabric b ackplane interfaces (Fabric CH0 and Fabric CH1 on the front
panel and fabric1 and fabric2 in the firmware) for HA heartbeat and data
communications across the FortiGate-5000 chassis backplane. Th e fabric
backplane interfaces operate at 1 Gbps. If you install a FortiGate-RTM-XB2
module the fabric backplane interfaces operate at 10 Gbps.
• One double-width AMC opening (FortiGate-5001A-DW board).
• One single-width AMC opening (FortiGate-5001A-SW board).
• RJ-45 RS-232 serial console connection.
• 2 USB connectors.
• Mounting hardware.
• LED status indicators.
Screw
Screw
Front panel LEDs and connectors
From the FortiGate-5001A font panel you can view the status of the front panel
LEDs to verify that the board is functioning normally. You also connect the
FortiGate-5001A board to your network through the front panel 10/100/1000
ethernet connectors. The front panel also includes the RJ-45 console port for
connecting to the FortiOS CLI and two USB ports. The USB ports can be used
with any USB key for backing up and restoring configuration files. For information
about using the using a USB key with a FortiGate unit, see the FortiGate-5000
Series Firmware and FortiUSB Guide.
6 01-30000-83456-20081023
FortiGate-5001A Security System Guide
FortiGate-5001A security system Front panel LEDs and connectors
LEDs
Table 1 lists and describes the FortiGate-5001A LEDs.
Table 1: FortiGate-5001A LEDs
LED State Description
1, 2
(Left LED)
1, 2
(Right LED)
Base CH0 Green Base backplane interface 0 (base1) is connected at 1 Gbps.
Base CH1 Green Base backplane interface 1 (base2) is connected at 1 Gbps.
Fabric CH0 Off Fabric backplane interface 0 (fabric1) is connected at 10
Fabric CH1 Off Fabric backplane interface 1 (fabric2) is connected at 10
ACC
OOS
(Out of
Service)
Power
Green The correct cable is connected to the interface and the
Flashing
Green
Off No link is established.
Green Connection at 1 Gbps.
Amber Connection at 100 Mbps.
Off Connection at 10 Mbps.
Flashing
Green
Flashing
Green
Flashing
Green
Flashing
Green
Off or
Flashing
green
Off Normal operation.
Green A fault condition exists and the FortiGate-5001A blade is out
Green The FortiGate-5001A board is powered on.
connected equipment has power.
Network activity at the interface.
Network activity at base backplane interface 0.
Network activity at base backplane interface 1.
Gbps.
Network activity at fabric backplane interface 0.
Gbps.
Network activity at fabric backplane interface 1.
The ACC LED flashes green when the FortiGate-5001A
board accesses the FortiOS flash disk. The FortiOS flash
disk stores the current FortiOS firmware build and
configuration files. The system accesses the flash disk when
starting up, during a firmware upgrade, or when an
administrator is using the CLI or GUI to change the FortiOS
configuration. Under normal operating conditions this LED
flashes occasionally, but is mostly off.
of service (OOS). This LED may also flash very briefly during
normal startup.
Status
IPM
FortiGate-5001A Security System Guide
01-30000-83456-20081023 7
Off The FortiGate-5001A board is powered on.
Flashing
Green
Blue The FortiGate-5001A is ready to be hot-swapped (removed
Flashing
Blue
Off Normal operation. The FortiGate-5001A board is in contact
The FortiGate-5001A is starting up. If this LED is flashing at
any time other than system startup, a fault condition may
exist.
from the chassis). If the IPM light is blue and no other LEDs
are lit the FortiGate-5001A board has lost power.
The FortiGate-5001A is changing from hot swap to running
mode or from running mode to hot swap. This happens when
the FortiGate-5001A board is starting up or shutting down.
with the chassis backplane.
Base backplane communication FortiGate-5001A security system
Connectors
Table 2 lists and describes the FortiGate- 50 01 A con n ect or s.
Table 2: FortiGate-5001A connectors
Connector Type Speed Protocol Description
1, 2 RJ-45 10/100/1000
Base-T
CONSOLE RJ-45 9600 bps
8/N/1
USB USB FortiUSB key firmware updates and
Ethernet Copper 1-gigabit connection to
RS-232
serial
10/100/1000Base-T copper networks.
Serial connection to the command line
interface.
configuration backup.
Base backplane communication
The FortiGate-5001A base backplane 1-gigabit interfaces can be used for HA
heartbeat communication between FortiGate-5001A boards installed in the same
or in different FortiGate-5000 chassis. You can also configure FortiGate-5001A
boards to use the base backplane interfaces for data communication between
FortiGate boards. To support base backplane communications your
FortiGate-5140 or FortiGate-5050 chassis must include one or more
FortiSwitch-5003 boards, FortiSwitch-5003A boards, or other 1-gigabit base
backplane switching boards installed in the chassis in base slots 1 and 2. The
FortiGate-5020 chassis supports base backplane communication with no
additions or changes to the chassis.
For information about base backplane communication in FortiGate-5140 and
FortiGate-5050 chassis, see the FortiGate-5000 Backplane Communication
Guide. For information about the FortiSwitch-5003 board, see the
FortiSwitch-5003 System Guide. For information about the FortiSwitc h-5003A
board, see the FortiSwitch-5003A System Guide.
Fabric backplane communication
The FortiGate-5001A fabric backplane interfaces can be used for data
communication or HA heartbeat communication between FortiGat e-5001A boards
installed in the same or in different FortiGate-5000 chassis. To support 1-gigabit
fabric backplane communications your FortiGate-5140 or FortiGate-5050 chassis
must include one or more FortiSwitch-5003A boards or other 1-gigabit fabric
backplane switching boards installed in the chassis in fabric slots 1 and 2. The
FortiGate-5020 chassis does not support fabric backplane communications.
For information about fabric backplane communication in FortiGate-5140 and
FortiGate-5050 chassis, see the FortiGate-5000 Backplane Communication
Guide. For information about the FortiSwitch-5003A board, see the
FortiSwitch-5003A System Guide.
FortiGate-5001A Security System Guide
8 01-30000-83456-20081023
FortiGate-5001A security system AMC modules
ADM-XB2
LINK
ACT
1 2
HS
OOS
PWR
OT
LINK
ACT
FortiGate-RTM-XB2
The FortiGate-RTM-XB2 module provides two 10-gigabit fabric backplane
interfaces and NP2 processor acceleration for FortiGate-5001A fabric interfaces.
For 10-gigabit fabric backplane communications, each FortiGate-5001A board
requires one FortiGate-RTM-XB2 module. The FortiGate-RTM-XB2 module is an
ATCA rear transition module (RTM) that installs into an RTM slot at the back of a
FortiGate-5140 and FortiGate-5050 chassis.
To support 10-gigabit fabric backplane communications your FortiGate-5140 or
FortiGate-5050 chassis must also include one or more FortiSwitch-5003A boards
or other 10-gigabit fabric backplane switching boards installed in the chassis in
fabric slots 1 and 2.
Note: On some versions of the FortiGate-5001A firmware, when a FortiGate-5001A board
starts up with a FortiGate-RTM-XB2 module installed, the fabric1 and fabric2 interfaces are
replaced with interfaces that are named RTM/1 and RTM/2 to indicate the presence of the
FortiGate-RTM-XB2 module. Configuration settings that include the fabric1 and fabric2
interface names will have to be changed to use the RTM/1 and RTM/2 interface names.
Figure 3: FortiGat e- RTM-XB2 front panel
AMC modules
Retention
Retention
Screw
Handle
Power
LED
Screw
Handle
The FortiGate-RTM-XB2 NP2 processors provide hardware accelerated network
processing for eligible traffic passing through the FortiGate-RTM-XB2 interfaces.
For information about Fortinet NP2 processor acceleration, see the Fortinet
Hardware Acceleration Technical Note.
Follow the instructions in the FortiGate-RTM-XB2 System Guide to install the
FortiGate-RTM-XB2 module.
You can install one FortiGate AMC Double width Module (ADM) in the
FortiGate-5001A-DW front panel AMC double-width opening. For example:
• The FortiGate-ADM-XB2, provides 2 NP2 accelerated XFP 10-gigabit
interfaces.
• The FortiGate-ADM-FB8, provides 8 NP2 accelerated SFP 1-gigabit
interfaces.
Figure 4: FortiGate-ADM-XB 2
You can install one FortiGate AMC Single width Module (ASM) in the
FortiGate-5001A-SW front panel AMC single-width opening. For example:
FortiGate-5001A Security System Guide
01-30000-83456-20081023 9
AMC modules FortiGate-5001A security system
• The FortiGate-ASM-FB4, provides 4 NP2 accelerated SFP 1-gigabit
interfaces.
• The FortiGate-ASM-S08, provides adds a removable hard disk that you can
use to store log files and content archives.
Figure 5: FortiGate-ASM-FB4
HS
OOS
PWR
OT
1234
LINK ACT
ASM-FB4
Note: You can operate a FortiGate-5001A board with both a FortiGate-RTM-XB2 module
and a supported FortiGate AMC module installed at the same time.
LINK ACT LINK ACT LINK
ACT
FortiGate-5001A Security System Guide
10 01-30000-83456-20081023
Hardware installation
!
!
!
Hardware installation
Before use, the FortiGate-5001A board must be correctly inserted into an
Advanced Telecommunications Computing Architecture (ACTA) chassis such as
the FortiGate-5140, FortiGate-5050, or FortiGate-5020 chassis.
Before inserting the board into a chassis you should make sure the SW-11 switch
is set correctly.
In the available Advanced Mezzanine Card (AMC) double-width module (ADM)
opening on the FortiGate-5001A-DW front panel you can install a supported
FortiGate ADM module such as the FortiGate-ADM-XB2 or the
FortiGate-ADM-FB8.
In the available AMC single-width module (ASM) opening on the
FortiGate-5001A-SW front panel you can inst all a supported ASM module such as
the FortiGate-ASM-FB4 or the FortiGate-ASM-S08.
Caution: If you are installing a FortiGate-RTM-XB2 module you should install the
FortiGate-RTM-XB2 module first, before you install the FortiGate-5001A board to avoid
possible damage. Follow the instructions in the FortiGate-RTM-XB2 System Guide to
install the FortiGate-RTM-XB2 module.
Caution: Because FortiGate-5001A boards do not support hot swapping AMC modules,
the FortiGate-5001A board must be disconnected from power before you install a FortiGate
AMC module. Also, the FortiGate-5001A-DW left (top) handle must be opened to install a
FortiGate AMC module. See “Installing and removing AMC modules” on page 20.
Caution: Do not operate the FortiGate-5001A board with an open AMC opening. For
optimum cooling performance and safety, the AMC opening must contain an AMC slot filler
panel or a FortiGate AMC module.
Note: FortiGate-5001A boards are hot swappable even if the FortiGate-5001A board
contains an AMC module and you have installed a FortiGate-RTM-XB2 module for the
FortiGate-5001A board.
This section describes:
• Changing FortiGate-5001A SW11 switch settings
• FortiGate-5001A mounting components
• Inserting a FortiGate-5001A board
• Removing a FortiGate-5001A board
• Resetting a FortiGate-5001A board
• Installing and removing AMC modules
• Troubleshooting
FortiGate-5001A Security System Guide
01-30000-83456-20081023 11
Changing FortiGate-5001A SW11 switch settings Hardware installation
Changing FortiGate-5001A SW11 switch settings
The SW1 1 switch on the FortiGate-5001A boar d is factory set by Fortinet to detect
a shelf manager (Figure 6). This is the correct setting if you are installing the
FortiGate-5001A board in a chassis that contains an operating shelf manager
(such as the FortiGate-5140 or FortiGate-5050 chassis).
Figure 6: FortiGate-5140 and 5050 setting for SW11 (factory default shelf manager
mode)
Factory Default (Shelf Manager Required)
ON
SW11
3421
1 Off
2 On
3 Off
4 Off
By default a FortiGate-5001A board will not start up if the board is installed in a
chassis, such as a FortiGate-5020, that does not contain a shelf manager or that
contains a shelf manager that is not operating. Before installing a
FortiGate-5001A in a FortiGate-5020 chassis or a chassis that does not contain
an operating shelf manager you must change the SW11 switch setting as shown
in Figure 7.
Figure 7: FortiGate-5020 setting for SW11 (standalone mode)
Standalone Mode for FortiGate-5020
(no Shelf Manager)
ON
SW11
3421
1 Off
2 On
3 On
4 Off
In all cases you should confirm that you have the correct SW11 setting before
installing the board in a chassis.
Table 3: FortiGate-5001A SW11 settings for different chassis
Chassis Correct SW11
Setting
FortiGate-5140 or 5050 or any
ACTA chassis with an
operating shelf manager
(factory default shelf manager
mode).
FortiGate-5020 or any ACTA
chassis without an operating
shelf manager (standalone
mode).
Note: If the shelf manager in a FortiGate-5140 or FortiGate-5050 chassis is missing or not
functioning, FortiGate-5001A boards with factory default SW11 settings will not start up.
12 01-30000-83456-20081023
1OffShelf manager cannot find
2On
3Off
4Off
1OffFortiGate-5001A board will not start up.
2On
3On
4Off
Result of wrong jumper setting
FortiGate-5001A board. No shelf
manager information about the
FortiGate-5001A board available.
FortiGate-5001A Security System Guide
Loading...