Fortinet FortiGate-5001D User Manual

FortiGate-5001D
This FortiGate-5001D Security System Guide describes FortiGate-5001D hardware features, how to install a FortiGate-5001D board in a FortiGate-5000 series chassis, and how to configure the FortiGate-5001D security system for your network.
The most recent versions of this and all FortiGate-5000 series documents are available from the FortiGate-5000 page of the Fortinet Technical Documentation web site (http://docs.fortinet.com).
Visit https://support.fortinet.com to register your FortiGate-5001D security system. By registering you can receive product updates, customer support, and FortiGuard services.
FortiGate-5001D Security System Guide
01-500-0242101-20151109
Cautions and Warnings
Environmental specifications
Operating temperature – If this device is installed in a closed or multi-unit rack assembly, the rack's ambient temperature may be greater than the room's ambient temperature. Make sure the rack environment is compatible with the manufacturer's maximum rated ambient temperature (Tma).
Air flow – For rack installation, make sure that the amount of air flow required for safe operation of the equipment is not compromised. For free-standing installation, make sure that the appliance has at least 2 inches (5 cm) of clearance on each side to allow for adequate air flow and cooling.
Circuit overloading – To avoid overloading, use the ratings on the label. Consider the equipment's connection to the supply circuit and the effect that circuit overloading might have on current protection and supply wiring.
For redundant power sources, connect each to an IEC/UL Listed power source whose output rating is greater than or equal to the equipment's rating.
Reliable earthing – Make sure all rack-mounted equipment is grounded. This includes supply connections (e.g. power strips), not only direct connections to the branch circuit.
Interference – If possible, use Shielded Twisted Pair (STP) Ethernet cables instead of Unshielded Twisted Pair (UTP).
Mechanical loading – To avoid personal injury or damage to the appliance, Fortinet recommends that two or more people install the appliance into the rack together. Balance the equipment to avoid uneven mechanical loading and tipping. Do not place heavy objects on the appliance; it is not designed to support additional weight.
Refer to specific Product Model Data Sheet for Environmental Specifications (Operating Temperature, Storage Temperature, Humidity, and Altitude)
Safety
Moving parts – Hazardous moving parts. Keep away from moving fan blades.
Restricted access – Do not install this equipment in a home or public area accessible to the general population. When installed in schools, this equipment must be installed in a location where access is restricted to trained personnel.
Battery – Risk of explosion if the battery is replaced by an incorrect type. Do not dispose of batteries in a fire; they may explode. Dispose of used batteries according to your local regulations and the manufacturer's instructions. IMPORTANT: Switzerland: Annex 4.10 of SR814.013 applies to batteries.
Contents
Cautions and Warnings
  Environmental specifications
  Safety
FortiGate-5001D security system
  Front panel components
    LEDs
    Connectors
    NMI switch
  Base backplane communication
  Fabric backplane communication
  Accelerated packet forwarding and policy enforcement (NP6 network processors)
  Accelerated IPS, SSL VPN, and IPsec VPN (CP8 content processors)
  Splitting the FortiGate-5001D front panel port1 and port2 interfaces
Hardware installation
  Installing QSFP+ and SFP+ transceivers
  Changing FortiGate-5001D SW6 switch settings
  FortiGate-5001D mounting components
  Inserting a FortiGate-5001D board
  Shutting down and removing a FortiGate-5001D board
  Power cycling a FortiGate-5001D board
  Troubleshooting
    FortiGate-5001D board does not start up
    FortiGate-5001D STA (status) LED is flashing during system operation
    The FortiGate-5001D can't join a FortiController-5903 SALB cluster and other fabric backplane communication problems
Quick Configuration Guide
  Registering your Fortinet product
  Planning the configuration
    NAT/Route mode
    Transparent mode
  Choosing the configuration tool
    Web-based manager
    Command Line Interface (CLI)
  Factory default settings
  Configuring NAT/Route mode
    Using the web-based manager to configure NAT/Route mode
    Using the CLI to configure NAT/Route mode
  Configuring Transparent mode
    Using the web-based manager to configure Transparent mode
    Using the CLI to configure Transparent mode
  Upgrading FortiGate-5001D firmware
  FortiGate-5001D base backplane data communication
  FortiGate-5001D fabric backplane data communication
For more information
  Training Services
  Technical Documentation
  Comments on Fortinet technical documentation
  Customer service and support
  Fortinet products End User License Agreement
Regulatory Notices
  Federal Communication Commission (FCC) – USA
  Industry Canada Equipment Standard for Digital Equipment (ICES) – Canada
  Voluntary Control Council for Interference (VCCI) – Japan
  Bureau of Standards Metrology and Inspection (BSMI) – Taiwan
  China
  European Conformity (CE) – EU
[Figure 1 callouts, left to right: 1 and 2 (40 Gig QSFP+ network interfaces); 3 and 4 (10 Gig SFP+ network interfaces); MGMT 1 and MGMT 2 (10/100/1000 copper management interfaces); Base and Fabric network activity LEDs; RJ-45 console; USB; Factory Use port; NMI switch; IPM LED (board position), OOS LED, STA LED, PWR LED and ACC LED; extraction lever and retention screw at each end of the board.]
FortiGate-5001D security system
The FortiGate-5001D security system is a high-performance Advanced Telecommunications Computing Architecture (ATCA) compliant FortiGate security system that can be installed in any ATCA chassis that can provide sufficient power and cooling.
Fortinet's FortiGate-5144C chassis is recommended because it has a 40-gigabit fabric backplane and the FortiGate-5001D has 40-gigabit fabric interfaces. You can also install the FortiGate-5001D in a FortiGate-5060 or FortiGate-5140B chassis, both of which have 10-gigabit fabric backplanes.
See the FortiGate-5000 Compatibility Guide for up-to-date information about FortiGate-5000 series chassis and other components that are compatible with the FortiGate-5001D.
The FortiGate-5001D security system contains two front panel 40-gigabit QSFP+ interfaces, two front panel 10-gigabit SFP+ interfaces, two base backplane 1-gigabit interfaces, and two fabric backplane 40-gigabit interfaces. The front panel SFP+ interfaces can also operate as 1-gigabit SFP interfaces. Use the front panel interfaces for connections to your networks and the backplane interfaces for communication across the ATCA chassis backplane. The FortiGate-5001D also includes two front panel RJ45 10/100/1000 management Ethernet interfaces, one RJ45 front panel serial console port, and one front panel USB port.
Figure 1: FortiGate-5001D front panel
The FortiGate-5001D front panel QSFP+ 40-gigabit and SFP+ 10-gigabit interfaces and the fabric backplane interfaces also provide NP6-accelerated network processing for eligible traffic passing through these interfaces.
You can also configure two or more FortiGate-5001D boards to create a high availability (HA) cluster using the base or fabric backplane interfaces for HA heartbeat communication through the chassis backplane, leaving front panel interfaces available for network connections.
In most cases the base backplane interfaces are used for HA heartbeat communication and the fabric backplane interfaces are used for data communication.
The FortiGate-5001D board also supports high-end FortiGate features including 802.1Q VLANs, multiple virtual domains, 802.3ad aggregate interfaces, and FortiOS Carrier.
The FortiGate-5001D board includes the following features:
• Two front panel QSFP+ 40-gigabit interfaces (port1 and port2) accelerated by FortiASIC NP6 network processors. port1 and port2 can each be split into four 10-gigabit ports using the config system global set split-port command.
• Two front panel SFP+ 10-gigabit interfaces (port3 and port4), also accelerated by FortiASIC NP6 network processors. These can also be configured as SFP 1-gigabit interfaces.
• Two front panel 10/100/1000Base-T copper 1-gigabit management Ethernet interfaces (mgmt1 and mgmt2).
• Two base backplane 1-gigabit interfaces (base1 and base2) for HA heartbeat communication across the FortiGate-5000 chassis base backplane.
• Two fabric backplane 40-gigabit interfaces (fabric1 and fabric2) for data communication across the FortiGate-5000 chassis fabric backplane.
• Two NP6 network processors that accelerate traffic on the interfaces port1, port2, port3, port4, fabric1, and fabric2.
• Four CP8 content processors that accelerate IPS, SSL VPN, and IPsec VPN.
• Internal 200 GByte SSD for storing log messages, DLP archives, historic reports, IPS packet archives, file quarantine, WAN Optimization byte caching and web caching.
• One RJ-45 RS-232 serial console connection.
• One USB connector.
• NMI switch for troubleshooting as recommended by Fortinet Support.
• Mounting hardware.
• LED status indicators.
Front panel components
From the FortiGate-5001D front panel you can view the status of the front panel LEDs to verify that the board is functioning normally. You also connect the FortiGate-5001D board to your 40-gigabit network using the front panel QSFP+ connectors and to your 10-gigabit network using the front panel SFP+ or SFP connectors. The front panel also includes two Ethernet management interfaces, an RJ-45 console port for connecting to the FortiOS CLI, and a USB port. The USB port can be used with any USB key for backing up and restoring configuration files. A configuration backup contains the complete device configuration, including administrator accounts and VPN secrets, so protect a backup written to removable media with a backup password and control who has access to the key.
LEDs
Ports 1 and 2 can operate in 40-gigabit mode or 4 x 10-gigabit mode. The LEDs function differently in each mode.
Table 1: FortiGate-5001D Port 1 and 2 LEDs (40-gigabit mode)
  Green LED (left) On, Amber LED (right) Off: The correct cable is connected to the interface and the connected equipment has power.
  Green LED (left) Off, Amber LED (right) Off: No link is established.
Table 2: FortiGate-5001D Port 1 and 2 LEDs (4 x 10-gigabit mode)
  Green LED (left) Flashing, Amber LED (right) On: The correct cable is connected to the interface, the connected equipment has power, and all 10-gigabit connections are connected.
  Green LED (left) Flashing, Amber LED (right) Flashing: The correct cable is connected to the interface, the connected equipment has power, and only some of the 10-gigabit connections are connected.
  Green LED (left) Off, Amber LED (right) Off: No link is established.
Table 3: Other FortiGate-5001D LEDs
3 and 4
  Green: The correct cable is connected to the interface and the connected equipment has power.
  Flashing green: Network activity at the interface.
  Off: No link is established.
Fabric 1 and 2
  Off: Fabric backplane interface 1 or 2 (fabric1 or fabric2) is connected at 10 Gbps.
  Flashing green: Network activity at fabric backplane interface 1 or 2 (fabric1 or fabric2).
Base 1 and 2
  Green: Base backplane interface 1 or 2 (base1 or base2) is connected at 1 Gbps.
  Flashing green: Network activity at base backplane interface 1 or 2 (base1 or base2).
OOS (Out of Service)
  Off: Normal operation.
  Amber: A fault condition exists and the FortiGate-5001D blade is out of service (OOS). This LED may also flash very briefly during normal startup.
PWR (Power)
  Green: The FortiGate-5001D board is powered on.
STA (Status)
  On: The FortiGate-5001D board is powered on.
  Flashing green: The FortiGate-5001D is starting up. If this LED is flashing at any time other than system startup, a fault condition may exist.
ACC (Disk activity)
  Off or flashing green: The ACC LED flashes green when the FortiGate-5001D board accesses the FortiOS flash disk. The FortiOS flash disk stores the current FortiOS firmware build and configuration files. The system accesses the flash disk when starting up, during a firmware upgrade, or when an administrator is using the CLI or GUI to change the FortiOS configuration. Under normal operating conditions this LED flashes occasionally, but is mostly off.
MGMT 1 and MGMT 2, Link/Act (left LED)
  Solid green: The management interface (mgmt1 or mgmt2) is connected with the correct cable and the attached network device has power.
  Blinking green: Network traffic on this interface.
  Off: No link.
MGMT 1 and MGMT 2, Speed (right LED)
  Green: Connection at 1 Gbps.
  Amber: Connection at 100 Mbps.
  Off: Connection at 10 Mbps.
IPM
  Blue: The FortiGate-5001D board is ready to be hot-swapped (removed from the chassis). If the IPM light is blue and no other LEDs are lit, the FortiGate-5001D board has lost power.
  Flashing blue: The FortiGate-5001D board is changing from hot swap to running mode or from running mode to hot swap. This happens when the FortiGate-5001D board is starting up or shutting down.
  Off: Normal operation. The FortiGate-5001D board is in contact with the chassis backplane.
Connectors
Table 4: FortiGate-5001D connectors
CONSOLE
  Type: RJ-45
  Speed: 9600 bps, 8/N/1
  Protocol: RS-232 serial
  Description: Serial connection to the command line interface.
1 and 2
  Type: QSFP+ (40 gigabit), SFP+ (10 gigabit)
  Speed: 40-gigabit full, 10-gigabit full
  Protocol: Ethernet
  Description: 40-gigabit QSFP+ connection to 40-gigabit networks or 10-gigabit SFP+ connection to 10-gigabit networks. Quad small form-factor pluggable transceiver.
3 and 4
  Type: SFP+ (10 gigabit) or SFP (1 gigabit)
  Speed: 10-gigabit full, 1-gigabit full
  Protocol: Ethernet
  Description: 10-gigabit SFP+ connection to 10-gigabit networks or 1-gigabit SFP connection to 1-gigabit networks. Small form-factor pluggable transceiver.
MGMT 1 and MGMT 2
  Type: RJ-45
  Speed: 10/100/1000Base-T (1-gigabit auto)
  Protocol: Ethernet
  Description: Copper 1-gigabit connection to 10/100/1000Base-T copper networks for management or system administration.
USB
  Type: USB
  Description: USB key for firmware updates and configuration backup.
NMI switch
When working with Fortinet Support to troubleshoot problems with the FortiGate-5001D board, you can use the front panel non-maskable interrupt (NMI) switch to assist with troubleshooting. Pressing this switch causes the software to dump registers and backtraces to the console. After the data is dumped the board reboots. While the board is rebooting, traffic is temporarily blocked. The board should restart normally and traffic can resume once it is up and running. Because pressing the switch forces a reboot, restrict physical access to the chassis front panel (see Safety) and press it only when directed by Fortinet Support.
Base backplane communication
The FortiGate-5001D base backplane 1-gigabit interfaces (base1 and base2) are typically used for HA heartbeat or other management communication between FortiGate-5001D boards installed in the same or in different FortiGate-5000 series chassis. You can also configure FortiGate-5001D boards to use the base backplane interfaces for data communication between FortiGate boards. To support base backplane communication, your FortiGate-5000 series chassis must include one or more FortiSwitch or FortiController-5000 series boards or other 1-gigabit base backplane switches installed in the chassis in base slots 1 and 2.
For information about FortiSwitch and FortiController-5000 series boards, see the FortiGate-5000 page of the Fortinet Technical Documentation website.
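The following is an added example, not configuration from the original guide: an active-passive HA cluster of two FortiGate-5001D boards in the same chassis, using base1 and base2 as heartbeat interfaces so that the front panel ports stay free for traffic and the heartbeat survives the loss of either base backplane switch. The cluster name, password and monitored ports are assumptions, and the lines beginning with # are annotations rather than FortiOS commands. Apply the same settings on both boards.

```fortios
# Added example (not from the FortiGate-5001D guide). Cluster and password
# values are placeholders; choose your own.
config system ha
    set group-name "fg5001d-ha"
    set mode a-p
    # Only boards that know this password can join the cluster.
    set password "REPLACE-WITH-LONG-RANDOM-SECRET"
    # Heartbeat on both base backplane interfaces with equal priority.
    set hbdev "base1" 50 "base2" 50
    # Authenticate and encrypt heartbeat packets so that another board or
    # device with access to the base backplane cannot read or spoof them.
    set authentication enable
    set encryption enable
    # Hand existing TCP sessions over to the new primary on failover.
    set session-pickup enable
    # Fail over if a front panel data interface loses link.
    set monitor "port1" "port2"
    # Heartbeat every 200 ms; declare the peer down after 6 lost heartbeats.
    set hb-interval 2
    set hb-lost-threshold 6
end
```

After both boards are configured, get system ha status on either board should list both members, and the Base 1 and Base 2 LEDs (Table 3) should be solid or flashing green on each board. The heartbeat never leaves the chassis backplane, which is the reason to prefer base1/base2 over front panel ports, but enabling authentication and encryption still matters because the base backplane switches are shared with every other board in the chassis.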
Fabric backplane communication
The FortiGate-5001D fabric backplane interfaces (fabric1 and fabric2) are typically used for data communication between FortiGate-5001D boards installed in the same or in different FortiGate-5000 series chassis. These interfaces can operate as 40-gigabit or 10-gigabit interfaces.
To support 40-gigabit fabric backplane communications your FortiGate-5000 series chassis must include one or more FortiController-5903C boards or other 40-gigabit fabric backplane switching boards installed in the chassis in fabric slots 1 and 2.
To support 10-gigabit fabric backplane communications your FortiGate-5000 series chassis must include one or more FortiSwitch-5003B or FortiController-5903C boards or other 10-gigabit fabric backplane switching boards installed in the chassis in fabric slots 1 and 2.
For information about FortiSwitch and FortiController-5000 series boards, see the
FortiGate-5000 page of the Fortinet Technical Documentation website.
Accelerated packet forwarding and policy enforcement (NP6 network processors)
The FortiGate-5001D board includes two NP6 processors and an integrated switch fabric that provide fastpath acceleration by offloading communication sessions from the FortiGate CPU. Traffic from all front panel and backplane interfaces can be accelerated. The result is higher network performance from the NP6 processors, with the network processing load removed from the CPU. The NP6 processors can also handle some CPU-intensive tasks, such as IPsec VPN encryption and decryption. Because of the integrated switch fabric, eligible sessions can be fast-pathed even when their ingress and egress interfaces are attached to different NP6 processors.
[Figure 2: FortiGate-5001D NP6 to interface mapping. The diagram shows the interfaces (fabric1 and base1, fabric2 and base2, with the front panel ports) attached to two FortiASIC NP6 processors joined by the Integrated Switch Fabric, and the CPU and four CP8 processors on the System Bus.]
The FortiGate-5001D features two NP6 processors.
• port1, port3, fabric1 and base1 share connections to the first NP6 processor.
• port2, port4, fabric2 and base2 share connections to the second NP6 processor.
Accelerated IPS, SSL VPN, and IPsec VPN (CP8 content processors)
The FortiGate-5001D board includes four CP8 processors that provide the following performance enhancements:
• Over 10Gbps throughput IPS content processor for packet content matching with signatures
• High performance VPN bulk data engine
• IPsec and SSL/TLS protocol processor
• DES/3DES/AES in accordance with FIPS 46-3/FIPS 81/FIPS 197
• ARC4 in compliance with RC4
• MD5/SHA-1/SHA-256 in accordance with RFC 1321 and FIPS 180
• HMAC in accordance with RFC 2104/2403/2404 and FIPS 198
• Key exchange processor supporting high performance IKE and RSA computation
• Public key exponentiation engine with hardware CRT support
• Primality checking for RSA key generation
• Handshake accelerator with automatic key material generation
• Random number generator compliant with ANSI X9.31
• Sub public key engine (PKCE) supporting up to 4094-bit operations directly
• Message authentication module offering a high performance cryptographic engine for calculating SHA-256/SHA-1/MD5 over data of up to 4 GB (used by applications such as WAN optimization)
Hardware support for DES, 3DES, ARC4, MD5 and SHA-1 exists for interoperability with legacy peers; it does not make those algorithms appropriate for new tunnels, which should use AES and SHA-256 proposals.
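The following is an added example, not configuration from the original guide. It shows an IPsec tunnel on the front panel SFP+ interface port3 whose IKE and ESP proposals are limited to AES-256 and SHA-256 with Diffie-Hellman group 14, beside the legacy proposal the CP8 would also accelerate but which should not be used. The tunnel name, peer address and pre-shared key are placeholders, and lines beginning with # are annotations rather than FortiOS commands.

```fortios
# Added example (not from the FortiGate-5001D guide). Peer address, tunnel
# name and PSK are placeholders.
config vpn ipsec phase1-interface
    edit "to-dc2"
        set interface "port3"
        set ike-version 2
        set remote-gw 203.0.113.10
        # Legacy proposal the hardware also accelerates; do not use it:
        #   set proposal 3des-md5 des-sha1
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "REPLACE-WITH-LONG-RANDOM-PSK"
    next
end
config vpn ipsec phase2-interface
    edit "to-dc2-p2"
        set phase1name "to-dc2"
        set proposal aes256-sha256
        # Fresh DH exchange for each child SA.
        set pfs enable
        set dhgrp 14
    next
end
# Remove legacy ciphers from the administrative GUI, SSH and SSL VPN
# services as well.
config system global
    set strong-crypto enable
end
```

Use diagnose vpn ike gateway list after the tunnel comes up to confirm the negotiated algorithms match the configured proposal; a peer that only offers 3DES or MD5 will fail phase 1 rather than silently downgrade.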
Splitting the FortiGate-5001D front panel port1 and port2 interfaces
You can use the following command to split the 40-gigabit front panel port1 interface into four 10-gigabit interfaces:
config system global
set split-port port1
end
The FortiGate-5001D reboots, and when it comes back up four new interfaces named port1/1, port1/2, port1/3, and port1/4 are available. Because the command forces a reboot that interrupts traffic, make the change during a maintenance window.
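The following is an added example, not configuration from the original guide, covering the whole procedure: it first writes a password-protected configuration backup to a USB key on the front panel USB port (the caveat from Front panel components), then splits port1, and after the reboot configures one of the resulting 10-gigabit interfaces. The backup filename, backup password, IP address and description are assumptions, and lines beginning with # are annotations rather than FortiOS commands.

```fortios
# Added example (not from the FortiGate-5001D guide). Filename, password and
# addresses are placeholders.
#
# 1. Back up the configuration to the USB key before a change that reboots
#    the board. The password encrypts the backup file on the removable media.
execute backup config usb fg5001d-before-split.conf REPLACE-WITH-BACKUP-PASSWORD

# 2. Split port1 into four 10-gigabit interfaces. The board reboots at "end".
config system global
    set split-port port1
end

# 3. After the reboot, confirm that port1/1 to port1/4 are listed:
#    get system interface physical
#    Then configure one of the split interfaces.
config system interface
    edit "port1/1"
        set ip 192.0.2.2 255.255.255.0
        set allowaccess ping
        set description "10G uplink, breakout lane 1 of port1"
    next
end
```

With the port split, the Table 2 LED states apply: the amber LED on port1 is on only when all four 10-gigabit lanes have link, so a flashing amber LED after cabling points at a lane without a peer. If the change has to be backed out, execute restore config usb with the same filename and password restores the saved configuration.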