Fortinet FortiGate-5001FA2 User Manual

Security System Guide
FortiGate-5001FA2
A detailed guide to the FortiGate-5001FA2 Security System. This FortiGate-5001FA2 Security System Guide describes FortiGate-5001FA2 hardware features, how to install the FortiGate-5001FA2 board in a FortiGate-5000 series chassis, how to configure the FortiGate-5001FA2 security system for your network, and contains troubleshooting information to help you diagnose and fix problems.
The most recent versions of this and all FortiGate-5000 series documents are available from the FortiGate-5000 page of the Fortinet Technical Documentation web site (http://docs.forticare.com).
Visit http://support.fortinet.com to register your FortiGate-5001FA2 system. By registering you can receive product updates, technical support, and FortiGuard services.
www.fortinet.com
FortiGate-5001FA2 Security System Guide
01-30000-0379-20080606

Warnings and cautions

Only trained and qualified personnel should be allowed to install or maintain FortiGate-5000 series equipment. Read and comply with all warnings, cautions and notices in this document.
CAUTION: Risk of Explosion if Battery is replaced by an Incorrect Type. Dispose of Used Batteries According to the Instructions.
Caution: You should be aware of the following cautions and warnings before installing FortiGate-5000 series hardware.
Turning off all power switches may not turn off all power to the FortiGate-5000 series equipment. Except where noted, disconnect the FortiGate-5000 series equipment from all power sources, telecommunications links and networks before installing, or removing FortiGate-5000 series components, or performing other maintenance tasks. Failure to do this can result in personal injury or equipment damage. Some circuitry in the FortiGate-5000 series equipment may continue to operate even though all power switches are off.
An easily accessible disconnect device, such as a circuit breaker, should be incorporated into the data center wiring that connects power to the FortiGate-5000 series equipment.
Install FortiGate-5000 series chassis at the lower positions of a rack to avoid making the rack top-heavy and unstable.
Do not insert metal objects or tools into open chassis slots.
Electrostatic discharge (ESD) can damage FortiGate-5000 series equipment. Only perform the procedures described in this document from an ESD workstation. If no such station is available, you can provide some ESD protection by wearing an anti-static wrist strap and attaching it to an ESD connector or to a metal part of a FortiGate chassis.
Some FortiGate-5000 series components may overload your supply circuit and impact your overcurrent protection and supply wiring. Refer to nameplate ratings to address this concern.
Make sure all FortiGate-5000 series components have reliable grounding. Fortinet recommends direct connections to the branch circuit.
If you install a FortiGate-5000 series component in a closed or multi-unit rack assembly, the operating ambient temperature of the rack environment may be greater than room ambient. Make sure the operating ambient temperature does not exceed the manufacturer's maximum rated ambient temperature.
Installing FortiGate-5000 series equipment in a rack should be such that the amount of airflow required for safe operation of the equipment is not compromised. Refer to the ATCA specification for more information about cooling and airflow requirements.
This equipment is for installation only in a Restricted Access Location (dedicated equipment room, service closet or the like), in accordance with the National Electrical Code.
Per the National Electrical Code, sizing of a Listed circuit breaker or branch circuit fuse and the supply conductors to the equipment is based on the marked input current rating. A product with a marked input current rating of 25 A is required to be placed on a 40 A branch circuit. The supply conductors will also be sized according to the input current rating and also derated for the maximum rated operating ambient temperature, Tma, of the equipment.
FortiGate-5000 series equipment shall be installed and connected to an electrical supply source in accordance with the applicable codes and regulations for the location in which it is installed. Particular attention shall be paid to use of correct wire type and size to comply with the applicable codes and regulations for the installation / location. Connection of the supply wiring to the terminal block on the equipment may be accomplished using Listed wire compression lugs, for example, Pressure Terminal Connector made by Ideal Industries Inc. or equivalent which is suitable for AWG 10. Particular attention shall be given to use of the appropriate compression tool specified by the compression lug manufacturer, if one is specified.

Contents

Warnings and cautions
FortiGate-5001FA2 security system
Front panel LEDs and connectors
LEDs
Connectors
Accelerated packet forwarding and policy enforcement
FA2 interfaces and active-active HA performance
Base backplane gigabit communication
Hardware installation
RAM DIMMs
Installing SFP transceivers
Changing FortiGate-5001FA2 jumper settings
Inserting a FortiGate-5001FA2 board into a chassis
Before inserting the FortiGate-5001FA2 board in a chassis
Insertion procedure
Removing a FortiGate-5001FA2 board from a chassis
Troubleshooting
FortiGate-5001FA2 does not startup
FortiGate-5001FA2 cannot display chassis information
Quick Configuration Guide
Registering your Fortinet product
Planning the configuration
NAT/Route mode
Transparent mode
Choosing the configuration tool
Web-based manager
Command Line Interface (CLI)
Factory default settings
Configuring NAT/Route mode
Using the web-based manager to configure NAT/Route mode
Using the CLI to configure NAT/Route mode
Configuring Transparent mode
Using the web-based manager to configure Transparent mode
Using the CLI to configure Transparent mode
Upgrading FortiGate-5001FA2 firmware
FortiGate-5001FA2 base backplane data communication
Powering off the FortiGate-5001FA2 board
For more information
Fortinet documentation
Fortinet Tools and Documentation CD
Fortinet Knowledge Center
Comments on Fortinet technical documentation
Customer service and technical support
Register your Fortinet product

FortiGate-5001FA2 security system

The FortiGate-5001FA2 security system is a high-performance FortiGate security system with a total of 8 front panel gigabit ethernet interfaces and two base backplane interfaces. Use the front panel interfaces for connections to your networks and the backplane interfaces for communication between FortiGate-5000 series boards over the FortiGate-5000 chassis backplane.
You can also configure two or more FortiGate-5001FA2 boards to create a high availability (HA) cluster using the base backplane interfaces for HA heartbeat communication through the chassis backplane, leaving all eight front panel gigabit interfaces available for network connections.
FortiGate-5001FA2 front panel interfaces 1 and 2 also include accelerated packet forwarding and policy enforcement for faster small packet performance.
The FortiGate-5001FA2 board also supports high-end FortiGate features including 802.1Q VLANs, multiple virtual domains, 802.3ad aggregate interfaces, and FortiGate-5000 chassis monitoring.
Figure 1: FortiGate-5001FA2 front panel (figure not reproduced; callouts: retention screws and handles, flash disk access (ACC) and power (PWR) LEDs, RS-232 serial CONSOLE port, USB port, optical or copper SFP gigabit accelerated interfaces 1 and 2, optical or copper SFP gigabit interfaces 3 and 4, gigabit copper interfaces 5 to 8, link/traffic LEDs, and the STA (status) and IPM LEDs)
The FortiGate-5001FA2 board includes the following features:
A total of eight front panel gigabit interfaces
Two accelerated packet forwarding and policy enforcement gigabit interfaces that can accept optical Small Formfactor Pluggable (SFP) or copper SFP gigabit transceivers (interfaces 1 and 2)
Two gigabit interfaces that can accept optical or copper SFP gigabit transceivers (interfaces 3 and 4)
Four 10/100/1000Base-T gigabit copper network interfaces (interfaces 5, 6, 7, 8)
Two base backplane gigabit interfaces (port9 and port10) for HA heartbeat and data communications across the FortiGate-5000 chassis backplane.
DB-9 RS-232 serial console connection
One USB connector
Mounting hardware
LED status indicators
The FortiGate-5001FA2 board comes supplied with four optical or four copper SFP transceivers. Before you can connect FortiGate-5001FA2 interfaces 1 to 4, you must insert the SFP transceivers into the FortiGate-5001FA2 front panel cage slots numbered 1 to 4.
The FortiGate-5001FA2 board ships with two RAM DIMMs installed on the FortiGate-5001FA2 circuit board. You should confirm that the RAM DIMMs are installed correctly before inserting the FortiGate-5001FA2 board into a chassis.

Front panel LEDs and connectors

From the FortiGate-5001FA2 front panel you can view the status of the front panel LEDs to verify that the board is functioning normally. You also connect the FortiGate-5001FA2 board to your network through the front panel ethernet connectors. The front panel also includes the RS-232 console port for connecting to the FortiOS CLI and a USB port. The USB port can be used with a Fortinet USB key. For information about using the FortiUSB key, see the FortiGate-5000 Series Firmware and FortiUSB Guide.

LEDs

Table 1 lists and describes the FortiGate-5001FA2 board LEDs.
Table 1: FortiGate-5001FA2 board LEDs
LED | State | Description
PWR | Green | The FortiGate-5001FA2 board is powered on.
ACC | Off or Flashing red | The ACC LED flashes red when the FortiGate-5001FA2 board accesses the FortiOS flash disk. The FortiOS flash disk stores the current FortiOS firmware build and configuration files. The system accesses the flash disk when starting up, during a firmware upgrade, or when an administrator is using the CLI or GUI to change the FortiOS configuration. Under normal operating conditions this LED flashes occasionally, but is mostly off.
STA | Green | Normal operation.
STA | Red | The FortiGate-5001FA2 is booting or a fault condition exists.
IPM | Blue | The FortiGate-5001FA2 is ready to be hot-swapped (removed from the chassis). If the IPM light is blue and no other LEDs are lit the FortiGate-5001FA2 board has lost power, possibly because of a loose or incorrectly aligned left handle. See “Inserting a FortiGate-5001FA2 board into a chassis” on page 13 for more information.
IPM | Flashing Blue | The FortiGate-5001FA2 is changing from hot swap to running mode or from running mode to hot swap.
IPM | Off | Normal operation. The FortiGate-5001FA2 board is in contact with the chassis backplane.
1, 2, 3, 4 | Green | The correct cable is connected to the gigabit SFP interface.
1, 2, 3, 4 | Flashing | Network activity at the gigabit SFP interface.
5, 6, 7, 8 Link LED | Green | The correct cable is inserted into this interface and the connected equipment has power.
5, 6, 7, 8 Link LED | Flashing | Network activity at this interface.
5, 6, 7, 8 Speed LED | Green | The interface is connected at 1000 Mbps.
5, 6, 7, 8 Speed LED | Amber | The interface is connected at 100 Mbps.
5, 6, 7, 8 Speed LED | Unlit | The interface is connected at 10 Mbps.

Connectors

Table 2 lists and describes the FortiGate-5001FA2 connectors.
Table 2: FortiGate-5001FA2 connectors
Connector | Type | Speed | Protocol | Description
1 and 2 | LC SFP | 1000Base-SX | Ethernet | Two accelerated gigabit SFP interfaces that can accept optical or copper gigabit transceivers. These interfaces only operate at 1000Mbps. The accelerated interface connectors are inverted compared to connectors 3 and 4. See “Installing SFP transceivers” on page 10 for more information.
3 and 4 | LC SFP | 1000Base-SX | Ethernet | Two gigabit SFP interfaces that can accept optical or copper gigabit transceivers. These interfaces only operate at 1000Mbps. See “Installing SFP transceivers” on page 10 for more information.
5, 6, 7, 8 | RJ-45 | 10/100/1000 Base-T | Ethernet | Copper gigabit connection to 10/100/1000Base-T copper networks.
CONSOLE | DB-9 | 9600 bps | RS-232 serial | Serial connection to the command line interface.
USB | USB | | | FortiUSB key firmware updates and configuration backup.

Accelerated packet forwarding and policy enforcement

FortiGate-5001FA2 Accelerated packet forwarding and policy enforcement results in accelerated small packet performance required for voice, video, and other multimedia streaming applications. The following traffic scenarios are recommended for the accelerated interfaces:
Small packet applications, such as voice over IP (VoIP).
The FortiGate-5001FA2 accelerated interfaces provide wire speed performance for small packet applications.
Latency sensitive applications, such as multimedia.
The FortiGate-5001FA2 accelerated interfaces add much less latency than normal (non-accelerated) interfaces.
Session Oriented Traffic with long session lifetime, such as FTP sessions.
Packet size does not affect performance for traffic with long session lifetime. For long sessions, processing that would otherwise be handled by the FortiGate-5001FA2 CPUs is off-loaded to the acceleration module.
Firewall and intrusion protection (IPS), when there is a reasonable percentage of P2P packets.
Firewall, intrusion protection (IPS), and antivirus, when there is a reasonable percentage of P2P packets.
Firewall and IPSec VPN applications.
The following traffic scenarios should be handled by the normal (or non-accelerated) FortiGate-5001FA2 interfaces:
Session oriented traffic when the session lifetime is very short.
Firewall and antivirus only applications.
Traffic will not be off-loaded to the FortiGate-5001FA2 accelerator module. The result will be high CPU usage because of the high CPU requirement for antivirus scanning.

FA2 interfaces and active-active HA performance

FortiOS v3.0 MR4 firmware can also use FA2 acceleration to improve active-active HA load balancing performance. See the FortiGate HA Overview or the FortiGate HA Guide for more information.

Base backplane gigabit communication

The FortiGate-5001FA2 port9 and port10 base backplane gigabit interfaces can be used for HA heartbeat communication between FortiGate-5001FA2 boards installed in the same or in different FortiGate-5000 chassis. You can also configure FortiGate-5001FA2 boards to use the base backplane interfaces for data communication between FortiGate boards. To support base backplane communications your FortiGate-5140 or 5050 chassis must include one or more FortiSwitch-5003 boards. FortiSwitch-5003 boards are installed in chassis slots 1 and 2. The FortiGate-5020 chassis supports base backplane communication with no additions or changes to the chassis.
For information about base backplane communication in FortiGate-5140 and FortiGate-5050 chassis, see the FortiGate-5000 Base Backplane Communication Guide. For information about the FortiSwitch-5003 board, see the FortiSwitch-5003 Guide.

Hardware installation

Before use, the FortiGate-5001FA2 board must be correctly inserted into an Advanced Telecommunications Computing Architecture (ATCA) chassis such as the FortiGate-5140, FortiGate-5050, or FortiGate-5020 chassis.
Before inserting the board into a chassis you should make sure RAM DIMMs are installed and FortiGate-5001FA2 jumpers are set. SFP transceivers must also be installed for interfaces 1 to 4 before these interfaces can be connected to network devices.
This section describes:
RAM DIMMs
Installing SFP transceivers
Changing FortiGate-5001FA2 jumper settings
Inserting a FortiGate-5001FA2 board into a chassis
Removing a FortiGate-5001FA2 board from a chassis
Troubleshooting

RAM DIMMs

The FortiGate-5001FA2 board ships with two RAM DIMMs installed on the FortiGate-5001FA2 circuit board. You should confirm that the RAM DIMMs are installed correctly before inserting the FortiGate-5001FA2 board into a chassis.
To install FortiGate-5001FA2 RAM DIMMs
To complete this procedure, you need:
A FortiGate-5001FA2 board
Two RAM DIMMs to be installed into the FortiGate-5001FA2 board RAM DIMM slots
An electrostatic discharge (ESD) preventive wrist strap with connection cord
Caution: FortiGate-5001FA2 boards must be protected from static discharge and physical shock. Only handle or work with FortiGate-5001FA2 boards at a static-free workstation. Always wear a grounded electrostatic discharge (ESD) preventive wrist strap when handling FortiGate-5001FA2 boards.
1 Attach the ESD wrist strap to your wrist and to an ESD socket or to a bare metal surface on a chassis or frame.
Caution: Handle DIMMs by the edges only. DIMMs are ESD-sensitive components that can be damaged by mishandling.
2 Remove RAM DIMMs from their antistatic packaging.
Figure 2: Location of FortiGate-5001FA2 RAM DIMM slots (figure not reproduced; callouts mark the RAM DIMM slots and the JP1, JP2 and JP3 labels)
3 Insert each RAM DIMM perpendicular to the RAM DIMM slots. Push the DIMM firmly into place using the minimum amount of force required. When the DIMM is properly seated, the socket guide posts click into place.
Do not use excessive force when installing a DIMM.
The RAM slots allow only one alignment of each RAM DIMM. If you cannot lock the locking levers, the DIMM is not aligned correctly or is upside-down.

Installing SFP transceivers

The FortiGate-5001FA2 board ships with four SFP transceivers that you must install for normal operation of the FortiGate-5001FA2 board. The SFP transceivers are inserted into cage sockets numbered 1 to 4 on the FortiGate-5001FA2 front panel. You can install the SFP transceivers before or after inserting the FortiGate-5001FA2 board into a FortiGate chassis.
Note: Cage slots 1 and 2 are rotated 180 degrees. Install the transceivers in slots 1 and 2 inverted compared to the orientation of the transceivers in slots 3 and 4.
You can install the following types of SFP transceivers for connectors 1, 2, 3, and 4:
optical SFP transceivers
SFP 1000Base-LX, SM module
SFP 1000Base-SX, MM module (multimode)
copper SFP transceivers
SFP 1000Base-T, SERDES version only (SGMII version not supported)
To install SFP transceivers
To complete this procedure, you need:
A FortiGate-5001FA2 board
Four SFP transceivers
An electrostatic discharge (ESD) preventive wrist strap with connection cord
Caution: FortiGate-5001FA2 boards must be protected from static discharge and physical shock. Only handle or work with FortiGate-5001FA2 boards at a static-free workstation. Always wear a grounded electrostatic discharge (ESD) preventive wrist strap when handling FortiGate-5001FA2 boards.
1 Attach the ESD wrist strap to your wrist and to an ESD socket or to a bare metal surface on the chassis or frame.
2 Remove the caps from SFP cage sockets on the FortiGate-5001FA2 front panel.
Caution: Handling the SFP transceivers by holding the release latch can damage the connector. Do not force the SFP transceivers into the cage slots. If the transceiver does not easily slide in and click into place, it may not be aligned correctly. If this happens, remove the SFP transceiver, realign it and slide it in again.
3 For cage slots 1 and 2, hold the sides of the SFP transceiver and slide the SFP transceiver into the cage socket until it clicks into place.
4 For cage slots 3 to 8, turn each SFP transceiver over before sliding it into the cage slot until it locks into place.

Changing FortiGate-5001FA2 jumper settings

The JP3 jumper on the FortiGate-5001FA2 board is factory set by Fortinet into one of two positions (see Figure 3 on page 12):
For a FortiGate-5140 or FortiGate-5050 chassis, the jumper connects pins 2 and 3
For a FortiGate-5020 chassis, the jumper connects pins 1 and 2
The jumper must connect pins 2 and 3 if the chassis contains a shelf manager. Both the FortiGate-5140 and the FortiGate-5050 contain shelf managers, and the FortiGate-5020 does not.
If the JP3 jumper settings are incorrect, when you insert the FortiGate-5001FA2 board into a chassis the board may not start up or may not be able to communicate with the chassis shelf manager.