Fortinet FortiGate-5001B User Manual

FortiGate-5001B
This FortiGate-5001B Security System Guide describes FortiGate-5001B hardware features, how to install a FortiGate-5001B board in a FortiGate-5000 series chassis, and how to configure the FortiGate-5001B security system for your network.
The most recent versions of this and all FortiGate-5000 series documents are available from the FortiGate-5000 page of the Fortinet Technical Documentation web site (http://docs.fortinet.com).
Visit https://support.fortinet.com to register your FortiGate-5001B security system. By registering you can receive product updates, customer support, and FortiGuard services.
FortiGate-5001B Security System Guide
01-400-134818-20120216
Warnings and cautions
Only trained and qualified personnel should be allowed to install or maintain FortiGate-5000 series equipment. Read and comply with all warnings, cautions and notices in this document.
• Risk of Explosion if Battery is replaced by an Incorrect Type. Dispose of Used Batteries According to the Instructions.
• Turning off all power switches may not turn off all power to the FortiGate-5000 series equipment. Some circuitry in the FortiGate-5000 series equipment may continue to operate even though all power switches are off.
• FortiGate-5000 equipment must be protected by a readily accessible disconnect device or circuit breaker that can be used for product power down emergencies.
• Many FortiGate-5000 components are hot swappable and can be installed or removed while the power is on. But some of the procedures in this document may require power to be turned off and completely disconnected. Follow all instructions in the procedures in this document that describe disconnecting FortiGate-5000 series equipment from power sources, telecommunications links and networks before installing, or removing FortiGate-5000 series components, or performing other maintenance tasks. Failure to follow the instructions in this document can result in personal injury or equipment damage.
• Install FortiGate-5000 series chassis at the lower positions of a rack to avoid making the rack top-heavy and unstable.
• Do not insert metal objects or tools into open chassis slots.
• Electrostatic discharge (ESD) can damage FortiGate-5000 series equipment. Only perform the procedures described in this document from an ESD workstation. If no such station is available, you can provide some ESD protection by wearing an anti-static wrist strap and attaching it to an available ESD connector such as the ESD sockets provided on FortiGate-5000 series chassis.
• Make sure all FortiGate-5000 series components have reliable grounding. Fortinet recommends direct connections to the building ground.
• If you install a FortiGate-5000 series component in a closed or multi-unit rack assembly, the operating ambient temperature of the rack environment may be greater than room ambient. Make sure the operating ambient temperature does not exceed Fortinet’s maximum rated ambient temperature.
• Installing FortiGate-5000 series equipment in a rack should be such that the amount of airflow required for safe operation of the equipment is not compromised.
• FortiGate-5000 series chassis should be installed by a qualified electrician.
• FortiGate-5000 series equipment shall be installed and connected to an electrical supply source in accordance with the applicable codes and regulations for the location in which it is installed. Particular attention shall be paid to use of correct wire type and size to comply with the applicable codes and regulations for the installation / location. Connection of the supply wiring to the terminal block on the equipment may be accomplished using Listed wire compression lugs, for example, Pressure Terminal Connector made by Ideal Industries Inc. or equivalent which is suitable for AWG-10. Particular attention shall be given to use of the appropriate compression tool specified by the compression lug manufacturer, if one is specified.
• This product is only intended for use in a Restricted Access Location.
Contents
Warnings and cautions  2
FortiGate-5001B security system  5
  Physical description  6
  Front panel components  7
    LEDs  7
    Connectors  8
    NMI switch  9
  Base backplane communication  9
  Fabric backplane communication  9
  Accelerated packet forwarding and policy enforcement (NP4 network processors)  9
Hardware installation  11
  Installing SFP+ transceivers  11
  Changing FortiGate-5001B SW2 switch settings  12
  FortiGate-5001B mounting components  14
  Inserting a FortiGate-5001B board  15
  Shutting down and removing a FortiGate-5001B board  17
  Power cycling a FortiGate-5001B board  19
  Troubleshooting  20
    FortiGate-5001B board does not start up  20
    FortiGate-5001B STA (status) LED is flashing during system operation  21
Quick Configuration Guide  23
  Registering your Fortinet product  23
  Planning the configuration  23
    NAT/Route mode  23
    Transparent mode  24
  Choosing the configuration tool  25
    Web-based manager  25
    Command Line Interface (CLI)  25
  Factory default settings  26
  Configuring NAT/Route mode  26
    Using the web-based manager to configure NAT/Route mode  27
    Using the CLI to configure NAT/Route mode  28
  Configuring Transparent mode  29
    Using the web-based manager to configure Transparent mode  29
    Using the CLI to configure Transparent mode  30
  Upgrading FortiGate-5001B firmware  30
  FortiGate-5001B base backplane data communication  32
  FortiGate-5001B fabric backplane data communication  32
For more information  35
  Training Services  35
  Technical Documentation  35
    Comments on Fortinet technical documentation  35
  Customer service and support  35
  Fortinet products End User License Agreement  35
FortiGate-5001B security system
The FortiGate-5001B security system is a high-performance Advanced Telecommunications Computing Architecture (ATCA) compliant FortiGate security system that can be installed in any ATCA chassis that can provide sufficient power and cooling. You can install FortiGate-5001B boards in a FortiGate-5060 chassis and in selected versions of the NEBS-compliant FortiGate-5140-R chassis. Table 1 lists the FortiGate-5000 series chassis that can support the FortiGate-5001B board. For the most up-to-date list of all chassis that can support the FortiGate-5001B board, see the FortiGate-5001B Release Notes.
Table 1: FortiGate-5000 series chassis that support the FortiGate-5001B board

Chassis Model   Hardware ID        System Part Number   Serial Number
FG-5140B        C4GL51-01BD-0000   P09297-01            FG514B3Y12000xxx
FG-5060         C4FN27-01AA-0000   P08588-01            FG50603S1XXXXXXX
FG-5140         C4GL51-01BC-0000   P05355-01            FG51403S0900000X
FG-5140         C4GL51-02BC-0000   P05355-02            FG51403S090010XX
FG-5140         C4DH67-01AA-0000   P05853-01            FG51403S090020XX
FG-5140         C4DH67-02AA-0000   P05853-02            FG51403S1003XXXX

For more information about FortiGate-5000 series chassis see the FortiGate-5000 Chassis Guides page of the Fortinet Technical Documentation web site.
The FortiGate-5001B security system contains eight front panel 10-gigabit SFP+ interfaces, two base backplane 1-gigabit interfaces, and two fabric backplane 10-gigabit interfaces. The front panel interfaces can also operate as 1-gigabit SFP interfaces. Use the front panel interfaces for connections to your networks and the backplane interfaces for communication across the ATCA chassis backplane. The FortiGate-5001B also includes two front panel RJ45 10/100/1000 management Ethernet interfaces, one RJ45 front panel serial management port, and one front panel USB port.
Figure 1: FortiGate-5001B front panel (diagram labels: Factory Use; NMI Switch; Fabric and Base network activity LEDs; RJ-45 Console; USB; 1 to 8 10 Gig SFP+ Interfaces; IPM LED (board position); OOS, PWR, STA and ACC LEDs; MGMT 1 and MGMT 2 10/100/1000 Copper Management Interfaces; Retention Screw and Extraction Lever at each end)
The FortiGate-5001B front panel 10-gigabit interfaces and fabric backplane interfaces also provide NP4-accelerated network processing for eligible traffic passing through these interfaces.
You can also configure two or more FortiGate-5001B boards to create a high availability (HA) cluster using the base or fabric backplane interfaces for HA heartbeat communication through the chassis backplane, leaving front panel interfaces available for network connections.
In most cases the base backplane interfaces are used for HA heartbeat communication and the fabric backplane interfaces are used for data communication.
The FortiGate-5001B board also supports high-end FortiGate features including 802.1Q VLANs, multiple virtual domains, 802.3ad aggregate interfaces, and FortiOS Carrier.
The FortiGate-5001B board includes the following features:
• Eight front panel SFP+ 10-gigabit interfaces (port1 to port8) accelerated by two FortiASIC NP4 network processors. Can also be configured as SFP 1-gigabit interfaces.
• Two front panel 10/100/1000Base-T copper 1-gigabit management Ethernet interfaces (mgmt1 and mgmt2). These interfaces are for management purposes only and cannot forward traffic.
• Two base backplane 1-gigabit interfaces (base1 and base2) for HA heartbeat communications across the FortiGate-5000 chassis base backplane.
• Two fabric backplane 10-gigabit interfaces (fabric1 and fabric2) for data communications across the FortiGate-5000 chassis fabric backplane.
• Two NP4 network processors that provide firewall and IPsec VPN acceleration for the port1 to port8 interfaces.
• Internal 64 GByte SSD for storing log messages, DLP archives, SQL log message database, historic reports, IPS packet archiving, file quarantine, WAN Optimization byte caching and web caching.
• One RJ-45 RS-232 serial console connection.
• One USB connector.
• NMI switch (for troubleshooting boards with part number P10633-01 and up, as recommended by Fortinet Support).
• Mounting hardware.
• LED status indicators.
Physical description
Table 2: FortiGate-5001B board physical description

Dimensions             1.21 x 11.52 x 13.8 in. (3.1 x 29.3 x 35.1 cm) (Height x Width x Depth)
Weight                 8.6 lb. (3.9 kg)
Operating Temperature  32 to 104°F (0 to 40°C)
Storage Temperature    -13 to 158°F (-35 to 70°C)
Relative Humidity      5 to 90% (Non-condensing)
Power consumption      Maximum: 225 WDC; Average: 187 WDC
Max Current            4.69 A
Heat Dissipation       768 BTU/h
Front panel components
From the FortiGate-5001B front panel you can view the status of the front panel LEDs to verify that the board is functioning normally. You also connect the FortiGate-5001B board to your 10-gigabit network using the 1 to 8 front panel SFP+ or SFP connectors. The front panel also includes two Ethernet management interfaces, an RJ-45 console port for connecting to the FortiOS CLI and a USB port. The USB port can be used with any USB key for backing up and restoring configuration files.
LEDs
Table 3: FortiGate-5001B LEDs

LED                   State             Description
Fabric 1 and 2        Off               Fabric backplane interface 1 or 2 (fabric1 or fabric2) is connected at 10 Gbps.
                      Flashing Green    Network activity at fabric backplane interface 1 or 2 (fabric1 or fabric2).
Base 1 and 2          Green             Base backplane interface 1 or 2 (base1 or base2) is connected at 1 Gbps.
                      Flashing Green    Network activity at base backplane interface 1 or 2 (base1 or base2).
OOS (Out of Service)  Off               Normal operation.
                      Amber             A fault condition exists and the FortiGate-5001B blade is out of service (OOS). This LED may also flash very briefly during normal startup.
PWR (Power)           Green             The FortiGate-5001B board is powered on.
STA (Status)          Off               The FortiGate-5001B board is powered on.
                      Flashing Green    The FortiGate-5001B is starting up. If this LED is flashing at any time other than system startup, a fault condition may exist.
ACC (Disk activity)   Off or Flashing green   The ACC LED flashes green when the FortiGate-5001B board accesses the FortiOS flash disk. The FortiOS flash disk stores the current FortiOS firmware build and configuration files. The system accesses the flash disk when starting up, during a firmware upgrade, or when an administrator is using the CLI or GUI to change the FortiOS configuration. Under normal operating conditions this LED flashes occasionally, but is mostly off.
1 to 8                Green             The correct cable is connected to the port1 to port8 interface and the connected equipment has power.
                      Flashing Green    Network activity at the interface.
                      Off               No link is established.
MGMT 1 and MGMT 2     Link/Act (Left LED)
                        Solid Green     Indicates the management interface (mgmt1 or mgmt2) is connected with the correct cable and the attached network device has power.
                        Blinking Green  Indicates network traffic on this interface.
                        Off             No Link.
                      Speed (Right LED)
                        Green           Connection at 1 Gbps.
                        Amber           Connection at 100 Mbps.
                        Off             Connection at 10 Mbps.
IPM                   Blue              The FortiGate-5001B board is ready to be hot-swapped (removed from the chassis). If the IPM light is blue and no other LEDs are lit the FortiGate-5001B board has lost power.
                      Flashing Blue     The FortiGate-5001B board is changing from hot swap to running mode or from running mode to hot swap. This happens when the FortiGate-5001B board is starting up or shutting down.
                      Off               Normal operation. The FortiGate-5001B board is in contact with the chassis backplane.
Connectors
Table 4: FortiGate-5001B connectors

Connector          Type   Speed                 Protocol        Description
CONSOLE            RJ-45  9600 bps 8/N/1        RS-232 serial   Serial connection to the command line interface.
1 to 8             SFP+   10-gigabit/auto       Ethernet        10-Gigabit SFP+ connection to 10-Gigabit networks (port1 to port8). Small form-factor pluggable transceiver.
1 to 8             SFP    1-gigabit/auto        Ethernet        1-Gigabit SFP connection to 1-Gigabit networks (port1 to port8). Small form-factor pluggable transceiver.
MGMT 1 and MGMT 2  RJ-45  10/100/1000 Base-T    Ethernet        Copper 1-gigabit connection to 10/100/1000Base-T copper networks for management or system administration.
USB                USB                                           USB key for firmware updates and configuration backup.
NMI switch
When working with Fortinet Support to troubleshoot problems with FortiGate-5001B boards with part number P10633-01 and up, you can use the front panel non-maskable interrupt (NMI) switch to assist with troubleshooting. Pressing this switch causes the software to dump registers and backtraces to the console. After the data is dumped the board reboots. While the board is rebooting, traffic is temporarily blocked. The board should restart normally and traffic can resume once it is up and running.
Base backplane communication
The FortiGate-5001B base backplane 1-gigabit interfaces (base1 and base2) are typically used for HA heartbeat or other management communication between FortiGate-5001B boards installed in the same or in different FortiGate-5000 series chassis. You can also configure FortiGate-5001B boards to use the base backplane interfaces for data communication between FortiGate boards. To support base backplane communications your FortiGate-5000 series chassis must include one or more FortiSwitch-5000 series or other 1-gigabit base backplane switches installed in the chassis in base slots 1 and 2.
For information about base backplane communication in FortiGate-5000 series chassis, see the FortiSwitch Backplane Communication Guide. For information about FortiSwitch-5000 series boards, see the FortiSwitch-5000 Series documents on the FortiSwitch page of the Fortinet Technical Documentation website.
Fabric backplane communication
The FortiGate-5001B fabric backplane interfaces (fabric1 and fabric2) are typically used for data communication between FortiGate-5001B boards installed in the same or in different FortiGate-5000 series chassis. To support 10-gigabit fabric backplane communications your FortiGate-5000 series chassis must include one or more FortiSwitch-5003A or FortiSwitch-5003B boards or other 10-gigabit fabric backplane switching boards installed in the chassis in fabric slots 1 and 2.
For information about backplane communication in FortiGate-5000 series chassis, see the FortiSwitch Backplane Communication Guide. For information about FortiSwitch-5000 series boards, see the FortiSwitch-5000 Series documents on the FortiSwitch page of the Fortinet Technical Documentation website.
Accelerated packet forwarding and policy enforcement (NP4 network processors)
The FortiGate-5001B board includes two NP4 processors that provide accelerated packet forwarding and policy enforcement for all FortiGate-5001B front panel and backplane interfaces. Accelerated packet forwarding and policy enforcement results in accelerated small packet performance required for voice, video, and other multimedia streaming applications.
The following traffic scenarios are recommended for the accelerated interfaces:
• Small packet applications, such as voice over IP (VoIP).
The FortiGate-5001B accelerated interfaces provide wire speed performance for small packet applications.
• Latency sensitive applications, such as multimedia.
The FortiGate-5001B accelerated interfaces add much less latency than normal (non-accelerated) interfaces.
• Session Oriented Traffic with long session lifetime, such as FTP sessions.
Packet size does not affect performance for traffic with long session lifetime. For long sessions, processing that would otherwise be handled by the FortiGate-5001B CPUs is off-loaded to the acceleration module.
• Firewall, intrusion protection (IPS), and antivirus, when there is a reasonable percentage of P2P packets.
• Firewall and IPsec VPN applications.
Figure 2: FortiGate-5001B NP4 to interface mapping (diagram labels: fabric1, base1, fabric2, base2; Ethernet Switch; two FortiASIC NP4 processors; System Bus; CPU; CP7)
Traffic between interfaces that use the same NP4 processor experiences the highest acceleration.
• The port1, port2, port3, port4, fabric1 and base1 interfaces are connected to one NP4 processor.
• The port5, port6, port7, port8, fabric2 and base2 interfaces are connected to the other NP4 processor.
For example, for maximum NP4 acceleration of traffic received on port1 the traffic must exit the FortiGate-5001B board on port2, port3, port4, or fabric1. Also, for maximum acceleration of traffic received on port5 the traffic must exit the FortiGate-5001B board on port6, port7, port8, or fabric2.
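The following added example (not code from the Fortinet guide) turns the NP4 interface mapping above into a check that a planned policy set can be run against: it reports which source/destination interface pairs cross from one NP4 processor to the other and so will not get the maximum acceleration described, and which pairs use a management interface, which cannot forward traffic. The interface groupings come from the guide; the policy tuples, function names and result labels are this example's own.

```python
# Added example, not part of the FortiGate-5001B guide. Interface-to-NP4
# groupings are taken from the guide's NP4 mapping; everything else is assumed.

# Each NP4 processor and the interfaces wired to it (from the guide).
NP4_GROUPS = {
    "np4-1": {"port1", "port2", "port3", "port4", "fabric1", "base1"},
    "np4-2": {"port5", "port6", "port7", "port8", "fabric2", "base2"},
}
# mgmt1 and mgmt2 are management-only and cannot forward traffic (guide feature list).
MGMT_ONLY = {"mgmt1", "mgmt2"}


def np4_of(interface):
    """Return the NP4 unit an interface is attached to, or None if not a data interface."""
    for unit, members in NP4_GROUPS.items():
        if interface in members:
            return unit
    return None


def classify_path(ingress, egress):
    """Classify the NP4 acceleration a flow entering on `ingress` and leaving on
    `egress` can expect. Labels are this example's own:
      "maximum"   both interfaces share one NP4 (highest acceleration per the guide)
      "cross-np4" interfaces sit on different NP4 processors
      "invalid"   a management interface is involved; it does not forward traffic
      "unknown"   not a FortiGate-5001B data interface name
    """
    if ingress in MGMT_ONLY or egress in MGMT_ONLY:
        return "invalid"
    a, b = np4_of(ingress), np4_of(egress)
    if a is None or b is None:
        return "unknown"
    return "maximum" if a == b else "cross-np4"


def audit_policies(policies):
    """Given (policy_id, src_intf, dst_intf) tuples, return {policy_id: label}
    for every policy that is NOT fully accelerated, so reviewers see only the
    pairs that need attention."""
    findings = {}
    for pid, src, dst in policies:
        label = classify_path(src, dst)
        if label != "maximum":
            findings[pid] = label
    return findings


# Constructed sample policy set (not from the guide): id, source, destination.
SAMPLE_POLICIES = [
    (1, "port1", "port2"),    # same NP4: maximum acceleration
    (2, "port1", "fabric1"),  # same NP4
    (3, "port1", "port5"),    # crosses from np4-1 to np4-2
    (4, "port5", "fabric1"),  # crosses NP4s
    (5, "port3", "mgmt1"),    # mgmt interface cannot forward traffic
]

if __name__ == "__main__":
    for pid, why in audit_policies(SAMPLE_POLICIES).items():
        print(f"policy {pid}: {why}")
```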
Hardware installation
Before use, the FortiGate-5001B board must be correctly inserted into an Advanced Telecommunications Computing Architecture (ATCA) chassis that can provide sufficient power and cooling (for example, the FortiGate-5060 chassis or the NEBS-compliant FortiGate-5140-R chassis).
This section describes:
• Installing SFP+ transceivers
• Changing FortiGate-5001B SW2 switch settings
• FortiGate-5001B mounting components
• Inserting a FortiGate-5001B board
• Shutting down and removing a FortiGate-5001B board
• Power cycling a FortiGate-5001B board
• Troubleshooting
Installing SFP+ transceivers
The FortiGate-5001B board ships with two SR SFP+ transceivers that you must install for normal operation of the FortiGate-5001B front panel interfaces (port1 to port8). Since the board is shipped with two SFP+ transceivers, if you want to connect more than two front panel interfaces you should purchase and install additional compatible SFP+ transceivers for these interfaces. You can also configure front panel interfaces to operate at 1-gigabit and install SFP transceivers.
The SFP transceivers are inserted into cage sockets numbered 1 to 8 on the FortiGate-5001B front panel. You can install the SFP transceivers before or after inserting the FortiGate-5001B board into a FortiGate-5000 series or other ATCA chassis.
You can install the following types of SFP transceivers for connectors 1 to 8:
• SFP+ SR (10 gigabits)
• SFP+ LR (10 gigabits)
• SFP (1 gigabit)
To install SFP+ transceivers
To complete this procedure, you need:
• A FortiGate-5001B board
• Two or more SFP+ or SFP transceivers
• An electrostatic discharge (ESD) preventive wrist or ankle strap with connection cord
FortiGate-5001B boards must be protected from static discharge and physical shock. Only handle or work with FortiGate-5001B boards at a static-free workstation. Always wear a grounded electrostatic discharge (ESD) preventive wrist strap when handling FortiGate-5001B boards.