Fortinet FortiGate-7000, FortiGate-7040E, FortiGate-7904E, FortiGate-7901E, FortiGate-7030E Handbook

...

FortiOS™ Handbook - FortiGate-7000

7000

VERSION 5.4.5

FORTINET DOCUMENTLIBRARY

http://docs.fortinet.com

FORTINETVIDEOGUIDE

http://video.fortinet.com

FORTINETBLOG

https://blog.fortinet.com

CUSTOMERSERVICE&SUPPORT

https://support.fortinet.com

http://cookbook.fortinet.com/how-to-work-with-fortinet-support/

FORTIGATECOOKBOOK

http://cookbook.fortinet.com

FORTINETTRAININGSERVICES

http://www.fortinet.com/training

FORTIGUARDCENTER

http://www.fortiguard.com

FORTICAST

http://forticast.fortinet.com

ENDUSER LICENSE AGREEMENT

http://www.fortinet.com/doc/legal/EULA.pdf

FORTINET PRIVACY POLICY

https://www.fortinet.com/corporate/about-us/privacy.html

FEEDBACK

Email: techdocs@fortinet.com

December 20, 2017

FortiOS™ Handbook - FortiGate-7000

01-545-3966550-20171220

TABLEOFCONTENTS

Change Log 7 Introduction 8

What's new in for FortiGate-7000 v5.4.5 8

M1 and M2 interfaces can use different VLANs for heartbeat traffic (408386) 8 GTP load balancing 8 FSSO user authentication is synchronized 8 HA Link failure threshold changes (422264 ) 9 FortiGate-7000s running FortiOS v5.4.5 can be configured as dialup IPsec VPN servers 9

FortiGate-7000 overview 11

Licenses, Device Registration, and Support 11

FortiGate-7060E 12

FortiGate-7060E front panel 12 FortiGate-7060E schematic 13 FortiGate-7040E 14

FortiGate-7040E front panel 14 FortiGate-7040E schematic 15

FortiGate-7030E 15

FortiGate-7030E front panel 16 FortiGate-7030E schematic 16

FIM-7901E interface module 18

FIM-7901E schematic 19

FIM-7904E interface module 20

Splitting the FIM-7904E B1 to B8 interfaces 21 FIM-7904E hardware schematic 21

FIM-7910E interface module 22

Splitting the FIM-7910E C1 to C4 interfaces 23 FIM-7910E hardware schematic 24

FIM-7920E interface module 24

Changing the interface type and splitting the FIM-7920E C1 to C4 interfaces 25

Splitting the C1 to C4 interfaces 26 FIM-7920E hardware schematic 26 FPM-7620E processing module 27

NP6 network processors - offloading load balancing and network traffic 28

Accelerated IPS, SSL VPN, and IPsec VPN (CP9 content processors) 30

Getting started with FortiGate-7000 31

Managing individual modules 32

Managing individual modules from the CLI 33 Connecting to module CLIs using the management module 33

Connecting to the FortiOS CLI of the FIM module in slot 1 34 Default VDOM configuration 35

Default management VDOM 35 Firmware upgrades 35 Restarting the FortiGate-7000 35 Load balancing 36

Traffic that cannot be load balanced 36 Recommended configuration for traffic that cannot be load balanced 37 Configuration synchronization 39 Failover in a standalone FortiGate-7000 39 Replacing a failed FPMor FIMmodule 39

Replacing a failed module in a standalone FortiGate-7000 chassis 39

Replacing a failed module in a FortiGate-7000 chassis inan HAcluster 40 Installing firmware on an FIM or FPM module from the BIOS using a TFTP server 41

Uploading firmware from a TFTP server to an FIMmodule 41

Uploading firmware from a TFTP server to an FPMmodule 43

Operating a FortiGate-7000 45

Failover in a standalone FortiGate-7000 45 Replacing a failed FPMor FIMmodule 45

Replacing a failed module in a standalone FortiGate-7000 chassis 45

Replacing a failed module in a FortiGate-7000 chassis inan HAcluster 46 Installing firmware on an FIM or FPM module from the BIOS using a TFTP server 46

Uploading firmware from a TFTP server to an FIMmodule 47

Uploading firmware from a TFTP server to an FPMmodule 48

IPsec VPN 51

Adding source and destination subnets to IPsec VPN phase 2 configurations 51

Example basic IPsec VPN Phase 2 configuration 51

Example multiple subnet IPsec VPN Phase 2 configuration 52 Configuring the FortiGate-7000 as a dialup IPsec VPN server 53

Example dialup IPsec VPN configuration 53 Troubleshooting 54

High Availability 57

Before you begin configuring HA 57 Connect the M1 and M2 interfaces for HA heartbeat communication 58 HA configuration 60

Setting up HA on the FIM interface modules in the first FortiGate-7000 (chassis 1) 60 HA management configuration 62

Managing individual modules in HAmode 63 Firmware upgrade 64 Session failover (session-pickup) 64

Enabling session pickup for TCP and UDP 65

If session pickup is disabled 65 Primary unit selection and failover criteria 66

Verifying primary chassis selection 68 How link and module failures affect primary chassis selection 68

FIM module failures 70

Management link failures 70 Link failure threshold and board failover tolerance 70

Link failure threshold 70

Board failover tolerance 70 Priority and primary chassis selection 71 Override and primary chassis selection 71

FortiGate-7000 v5.4.5 special features and limitations 72

Managing the FortiGate-7000 72

Default management VDOM 72 Firewall 72 IP Multicast 72 HighAvailability 73 Shelf Manager Module 73 FortiOS features that are not supported by FortiGate-7000 v5.4.5 74 IPsec VPN tunnels terminated by the FortiGate-7000 74 SSL VPN 75 Traffic shaping and DDoS policies 75 Sniffer mode (one-arm sniffer) 75 FortiGuard Web Filtering 75 Log messages include a slot field 75 FortiOS Carrier 75 Special notice for new deployment connectivity testing 75

FortiGate-7000 v5.4.3 special features and limitations 77

Managing the FortiGate-7000 77

Default management VDOM 77 Firewall 77 Link monitoring and health checking 77 IP Multicast 78 HighAvailability 78 Shelf Manager Module 79 FortiOS features that are not supported by FortiGate-7000 v5.4.3 79 IPsec VPN tunnels terminated by the FortiGate-7000 79

More about IPsec VPN routing limitations 80

SSL VPN 80 Authentication 80 Traffic shaping and DDoS policies 81 Sniffer mode (one-arm sniffer) 81 FortiGuard Web Filtering 81 Log messages include a slot field 81 FortiOS Carrier 81 Special notice for new deployment connectivity testing 81

FortiGate-7000 Load balancing commands 82

config load-balance flow-rule 82

Syntax 82

status {disable | enable} 83

src-interface <interface-name> [interface-name>...} 83

vlan <vlan-id> 83

ether-type {any | arp | ip | ipv4 | ipv6} 83

{src-addr-ipv4 | dst-addr-ipv4 | src-addr-ipv6 | dst-addr-ipv6} <ip-address> <netmask> 83

protocol {any | icmp | tcp | udp | igmp | sctp | gre | esp | ah | ospf | pim | vrrp} 83

{src-l4port | dst-l4port} <start>[-<end>] 83

action {forward | mirror-ingress | mirror-egress | stats | drop} 83

set mirror-interface <interface-name> 84

forward-slot {master | all | load-balance | FPM3 | FPM4 | FPM5 | FPM6} 84

priority <number> 84

comment <text> 84 config load-balance setting 84

gtp-load-balance {disable | enable} 84

max-miss-heartbeats <heartbeats> 85

max-miss-mgmt-heartbeats <heartbeats> 85

weighted-load-balance {disable | enable} 85

dp-load-distribution-method {round-robin | src-ip | dst-ip | src-dst-ip | src-ip-sport | dst-

ip-dport | src-dst-ip-sport-dport} 85

config workers 85

Change Log

Date Change Description

December 20, 2017 Updated for FortiGate-7000 v5.4.5. New sections include What's new in for

FortiGate-7000 v5.4.5 on page 8, FortiGate-7000 v5.4.5 special features and limitations on page 72, IPsec VPN on page 51, gtp-load-balance {disable | enable} on page 84, and Operating a FortiGate-7000 on page 45. Also, changes to High Availability on page 57. New section Recommended configuration for traffic that cannot be load balanced on page 37.Additional changes and fixes throughout the

document.

Changes to Installing firmware on an FIM or FPM module from the BIOS using a

November 7, 2017

November 2, 2017 Updated with new information throughout the document including a new HA chapter.

TFTP server on page 41. Also added a note about the MGMT interface being a static

aggregate and not an LACP aggregate.

Change Log

August 30, 2017 Updated with new information throughout the document.

December 1, 2016 Initial Release

7 FortiGate-7000

Fortinet Technologies Inc.

Introduction What's new in for FortiGate-7000 v5.4.5

Introduction

This document describes what you need to know to get started using a FortiGate-7000 product. Also included are details about CLI commands that are specific to FortiGate-7000 products.

This FortiOS Handbook chapter contains the following sections:

FortiGate-7000 overview provides a quick overview of FortiGate-7000 components.

Getting started with FortiGate-7000 describes how to get started with managing and configuring your FortiGate-

7000 product.

FortiGate-7000 Load balancing commands describes FortiGate-7000 load balancing CLI commands.

What's new in for FortiGate-7000 v5.4.5

The following new features have been added to FortiGate-7000 v5.4.5.

M1 and M2 interfaces can use different VLANs for heartbeat traffic (408386)

The M1 and M2 interfaces can be configured to use different VLANs for HA heartbeat traffic.

The following command now configures the VLAN used by the M1 interface (default 999):

config system ha

set hbdev-vlan-id 999

end

The following new command configures the VLAN used by the M2 interface (default 1999):

config system ha

set hbdev-second-vlan-id 1999

end

GTP load balancing

GTP load balancing is supported for FortiGate-7000 configurations licensed for FortiOSCarrier. You can use the following command to enable GTP load balancing. This command is only available after you have licensed the FortiGate-7000 for FortiOSCarrier.

config load-balance setting

set gtp-load-balance enable

end

FSSO user authentication is synchronized

FSSO user authentication is synchronized to all FIM and FPMmodules. FSSO users are no longer required to reauthenticate when sessions are processed by a different FIM or FPM module.

FortiGate-7000 Fortinet Technologies Inc.

What's new in for FortiGate-7000 v5.4.5 Introduction

HA Link failure threshold changes (422264 )

The link failure threshold is now determined based on the all FIM modules in a chassis. This means that the chassis with the fewest active links will become the backup chassis.

FortiGate-7000s running FortiOS v5.4.5 can be configured as dialup IPsec VPN servers

The following shows how to setup a dialup IPsec VPN configuration where the FortiGate-7000 running v5.4.5 acts as a dialup IPsec VPN server.

Configure the phase1, set type to dynamic.

config vpn ipsec phase1-interface

edit dialup-server

set type dynamic set interface "v0020" set peertype any set psksecret <password>

end

Configure the phase 2, to support dialup IPsec VPN, set the destination subnet to 0.0.0.0 0.0.0.0.

config vpn ipsec phase2-interface

edit dialup-server

set phase1name dialup-server set src-subnet 4.2.0.0 255.255.0.0 set dst-subnet 0.0.0.0 0.0.0.0

end

To configure the remote FortiGate as a dialup IPsec VPN client

The dialup IPsec VPN client should advertise its local subnet(s) using the phase 2 src-subnet option.

If there are multiple local subnets create a phase 2 for each one. Each phase 2 only advertises one local subnet to the dialup IPsec VPN server. If more than one local subnet is added to the phase 2, only the first one is advertised to the server.

Dialup client configuration:

config vpn ipsec phase1-interface

9 FortiGate-7000

Fortinet Technologies Inc.

Introduction What's new in for FortiGate-7000 v5.4.5

edit "to-fgt7k"

set interface "v0020" set peertype any set remote-gw 1.2.0.1 set psksecret <password>

end

config vpn ipsec phase2-interface

edit "to-fgt7k"

set phase1name "to-fgt7k" set src-subnet 4.2.6.0 255.255.255.0

set dst-subnet 4.2.0.0 255.255.0.0 next edit "to-fgt7k-2"

set phase1name "to-fgt7k"

set src-subnet 4.2.7.0 255.255.255.0

set dst-subnet 4.2.0.0 255.255.0.0 end

FortiGate-7000 Fortinet Technologies Inc.

Licenses, Device Registration, and Support FortiGate-7000 overview

FortiGate-7000 overview

A FortiGate-7000 product consists of a FortiGate-7000 series chassis (for example, the FortiGate-7040E) with FortiGate-7000 modules installed in the chassis slots. A FortiGate-7040E chassis comes with two interface modules (FIM) to be installed in slots 1 and 2 to provide network connections and session-aware load balancing to two processor modules (FPM) to be installed in slots 3 and 4.

FortiGate-7000 products are sold and licensed as packages that include the chassis as well as the modules to be included in the chassis. When you receive your FortiGate-7000 series product the chassis has to be installed in a rack and the modules installed in the chassis. Interface modules always go in slots 1 and 2 and processor modules in slots 3 and up.

If your FortiGate-7000 product includes two different interfaces modules, for optimal configuration you should install the module with the lower model number in slot 1 and the module with the higher model number in slot 2. For example, if your chassis includes a FIM-7901E and a FIM-7904E, install the FIM-7901E in chassis slot 1 and the FIM-7904E in chassis slot 2. This applies to any combination of two different interface modules.

As an administrator, when you browse to the FortiGate-7000 management IP address you log into the interface module in slot 1 (the primary or master interface module or FIM) to view the status of the FortiGate-7000 and make configuration changes. The FortiOS firmware running on each module has the same configuration and when you make configuration changes to the primary interface module, the configuration changes are synchronized to all modules.

The same FortiOS firmware build runs on each module in the chassis. You can upgrade FortiGate-7000 firmware by logging into the primary interface module and performing a firmware upgrade as you would for any FortiGate. During the upgrade process the firmware of all of the modules in the chassis upgrades in one step. Firmware upgrades should be done during a quiet time because traffic will briefly be interrupted during the upgrade process.

Licenses, Device Registration, and Support

A FortiGate-7000 product is made up of a FortiGate-7000 series chassis, one or two FIM interface modules and two to four FPM processor modules. The entire package is licensed and configured as a single product under the FortiGate-7000 chassis serial number. When you receive a new FortiGate-7000 product you register it on

https://support.fortinet.com using the chassis serial number. Use the chassis serial number when requesting

support from Fortinet for the product.

All Fortinet licensing, including FortiCare Support, IPS, AntiVirus, Web Filtering, Mobile Malware, FortiClient, FortiCloud, and additional virtual domains (VDOM) is for the entire FortiGate-7000 product and not for individual components.

If an individual component, such as a single interface or processor fails you can RMA and replace just that component.

11 FortiGate-7000

Fortinet Technologies Inc.

FortiGate-7060E FortiGate-7060E front panel

FortiGate-7060E

The FortiGate-7060E is a 8U 19-inch rackmount 6-slot chassis with a 80Gbps fabric and 1Gbps base backplane designed by Fortinet. The fabric backplane provides network data communication and the base backplane provides management and synch communication among the chassis slots.

FortiGate-7060E front panel

The chassis is managed by two redundant management modules. Each module includes an Ethernet connection as well as two switchable console ports that provide console connections to the modules in the chassis slots. The active management module controls chassis cooling and power management and provides an interface for managing the modules installed in the chassis.

FortiGate-7060E front panel, (example module configuration)

FortiGate-7000 Fortinet Technologies Inc.

FortiGate-7060E schematic FortiGate-7060E

Power is provided to the chassis using four hot swappable 3+1 redundant 100-240 VAC, 50-60 Hz power supply units (PSUs). You can also optionally add up to six PSUs to provide 3+3 redundancy. The FortiGate-7060E can also be equipped with DC PSUs allowing you to connect the chassis to -48V DC power

The standard configuration of the FortiGate-7060E includes two FIM (interface) modules in chassis slots 1 and 2 and up to four FPM (processing) modules in chassis slots 3 to 6.

FortiGate-7060E schematic

The FortiGate-7060E chassis schematic below shows the communication channels between chassis components including the management modules (MGMT), the FIM modules (called FIM1 and FIM2) and the FPM modules (FPM3, FPM4, FPM5, and FPM6).

By default MGMT2 is the active management module and MGMT1 is inactive. The active management module always has the IPMB address 0x20 and the inactive management module always has the IPMB address 0x22.

The active management module communicates with all modules in the chassis over the base backplane. Each module, including the management modules has a Shelf Management Controller (SMC). These SMCs support Intelligent Platform Management Bus (IPMB) communication between the active management module and the FIM and FPM modules for storing and sharing sensor data that the management module uses to control chassis cooling and power distribution. The base backplane also supports serial communications to allow console access from the management module to all modules, and 1Gbps Ethernet communication for management and heartbeat communication betweenmodules.

13 FortiGate-7000

Fortinet Technologies Inc.

FortiGate-7060E FortiGate-7040E

(ISF) to the NP6 processors in the FPMmodules. Data sessions are communicated to the FPM modules over the 80Gbps chassis fabric backplane.

FPM03, FPM04, FPM05, and FPM06 (IPMB addresses 0x86, 0x88, 0x8A, and 0x8C) are the FPM processor modules in slots 3 to 6. These worker modules process sessions distributed to them by the FIMmodules. FPMmodules include NP6 processors to offload sessions from the FPM CPU and CP9 processors that accelerate content processing.

FortiGate-7040E

The FortiGate-7040E is a 6U 19-inch rackmount 4-slot chassis with a 80Gbps fabric and 1Gbps base backplane designed by Fortinet. The fabric backplane provides network data communication and the base backplane provides management and synch communication among the chassis slots.

FortiGate-7040E front panel

The FortiGate-7040E chassis is managed by a single management module that includes an Ethernet connection as well as two switchable console ports that provide console connections to the modules in the chassis slots. The management module controls chassis cooling and power management and provides an interface for managing the modules installed in the chassis. The standard configuration of the FortiGate-7040E includes two FIM (interface) modules in chassis slots 1 and 2 and two FPM (processing) modules in chassis slots 3 and 4.

FortiGate-7040E front panel

FortiGate-7000 Fortinet Technologies Inc.

FortiGate-7030E FortiGate-7060E

FortiGate-7040E schematic

The FortiGate-7040E chassis schematic below shows the communication channels between chassis components including the management module (MGMT), the FIM modules (called FIM1 and FIM2) and the FPM modules (FPM3 and FPM4).

The management module (MGMT, with IPMB address 0x20) communicates with all modules in the chassis over the base backplane. Each module, including the management module includes a Shelf Management Controller (SMC). These SMCs support Intelligent Platform Management Bus (IPMB) communication between the management module and the FIM and FPM modules for storing and sharing sensor data that the management module uses to control chassis cooling and power distribution. The base backplane also supports serial communications to allow console access from the management module to all modules, and 1Gbps Ethernet communication for management and heartbeat communication betweenmodules.

FIM1 and FIM2 (IPMB addresses 0x82 and 0x84) are the FIM modules in slots 1 and 2. The interfaces of these modules connect the chassis to data networks and can be used for Ethernet management access to chassis components. The FIM modules include DP2 processors that distribute sessions over the Integrated Switch Fabric (ISF) to the NP6 processors in the FPMmodules. Data sessions are communicated to the FPM modules over the 80Gbps chassis fabric backplane.

FPM3 and FPM4 (IPMB addresses 0x86 and 0x88) are the FPM processor modules in slots 3 and 4. These worker modules process sessions distributed to them by the FIMmodules. FPMmodules include NP6 processors to offload sessions from the FPM CPU and CP9 processors that accelerate content processing.

FortiGate-7030E

The FortiGate-7030E is a 6U 19-inch rackmount 3-slot chassis with a 80Gbps fabric and 1Gbps base backplane designed by Fortinet. The fabric backplane provides network data communication and the base backplane provides management and synch communication among the chassis slots.

15 FortiGate-7000

Fortinet Technologies Inc.

FortiGate-7060E FortiGate-7030E

FortiGate-7030E front panel

The FortiGate-7030E chassis is managed by a single management module that includes an Ethernet connection as well as two switchable console ports that provide console connections to the modules in the chassis slots. The management module controls chassis cooling and power management and provides an interface for managing the modules installed in the chassis. The standard configuration of the FortiGate-7030E includes one FIM (interface) module in chassis slot 1 and two FPM (processing) modules in chassis slots 3 and 4. The front panel also includes a sealed blank panel. Breaking the seal or removing the panel voids your FortiGate-7030E warranty.

FortiGate-7030E front panel (example module configuration)

(missing or bad snippet)

FortiGate-7030E schematic

The FortiGate-7030E chassis schematic below shows the communication channels between chassis components including the management module (MGMT), the FIM module (called FIM1) and the FPM modules (FPM3 and FPM4).

FortiGate-7000 Fortinet Technologies Inc.

FortiGate-7030E FortiGate-7060E

FIM1 (IPMB address 0x82) is the FIM module in slot 1. The interfaces of this module connect the chassis to data networks and can be used for Ethernet management access to chassis components. The FIM module include DP2 processors that distribute sessions over the Integrated Switch Fabric (ISF) to the NP6 processors in the FPMmodules. Data sessions are communicated to the FPM modules over the 80Gbps chassis fabric backplane.

FPM3 and FPM4 (IPMB addresses 0x86 and 0x88) are the FPM processor modules in slots 3 and 4. These worker modules process sessions distributed to them by the FIMmodule. FPMmodules include NP6 processors to offload sessions from the FPM CPU and CP9 processors that accelerate content processing.

17 FortiGate-7000

Fortinet Technologies Inc.

FIM-7901E interface module FortiGate-7030E

FIM-7901E interface module

The FIM-7901E interface module is a hot swappable module that provides data, management and session sync/heartbeat interfaces, base backplane switching and fabric backplane session-aware load balancing for a FortiGate-7000 chassis. The FIM-7901E includes an integrated switch fabric and DP2 processors to load balance millions of data sessions over the chassis fabric backplane to FPM processor modules.

The FIM-7901E can be installed in any FortiGate-7000 series chassis in hub/switch slots 1 and 2. The FIM-7901E provides thirty-two 10GigE small form-factor pluggable plus (SPF+) interfaces for a FortiGate-7000 chassis.

You can also install FIM-7901Es in a second chassis and operate the chassis in HA mode with another set of processor modules to provide chassis failover protection.

FIM-7901E front panel

The FIM-7901E includes the following hardware features:

l Thirty-two front panel 10GigE SFP+ fabric channel interfaces (A1 to A32). These interfaces are connected to

10Gbps networks to distribute sessions to the FPM processor modules installed in chassis slots 3 and up. These interfaces can also be configured to operate as Gigabit Ethernet interfaces using SFP transceivers. These interfaces also support creating link aggregation groups (LAGs) that can include interfaces from both FIM-7901Es.

l Two front panel 10GigE SFP+ interfaces (M1 and M2) that connect to the base backplane channel. These

interfaces are used for heartbeat, session sync, and management communication between FIM-7901Es in different chassis. These interfaces can also be configured to operate as Gigabit Ethernet interfaces using SFP transceivers, but should not normally be changed. If you use switches to connect these interfaces, the switch ports should be able to accept packets with a maximum frame size of at least 1526. The M1 and M2 interfaces need to be on different broadcast domains. If M1 and M2 are connected to the same switch, Q-in-Q must be enabled on the switch.

l Four 10/100/1000BASE-T out of band management Ethernet interfaces (MGMT1 to MGMT4).

l One 80Gbps fabric backplane channel for traffic distribution with each FPM module installed in the same chassis as

the FIM-7901E.

l One 1Gbps base backplane channel for base backplane with each FPM module installed in the same chassis as the

FIM-7901E.

l One 40Gbps fabric backplane channel for fabric backplane communication with the other FIM-7901E in the chassis.

FortiGate-7000 Fortinet Technologies Inc.

FortiGate-7030E FIM-7901E interface module

l One 1Gbps base backplane channel for base backplane communication with the other FIM-7901E in the chassis.

l On-board DP2 processors and an integrated switch fabric to provide high-capacity session-aware load balancing.

l One front panel USB port.

l Power button.

l NMIswitch (for troubleshooting as recommended by Fortinet Support).

l Mounting hardware.

l LED status indicators.

FIM-7901E schematic

The FIM-7901E includes an integrated switch fabric (ISF) that connects the front panel interfaces to the DP2 session-aware load balancers and to the chassis backplanes. The ISFalso allows the DP2 processors to distribute sessions amoung all NP6 processors on the FPMmodules in the same chassis.

FIM-7901E schematic

19 FortiGate-7000

Fortinet Technologies Inc.

FIM-7904E interface module FortiGate-7030E

FIM-7904E interface module

The FIM-7904E interface module is a hot swappable module that provides data, management and session sync/heartbeat interfaces, base backplane switching and fabric backplane session-aware load balancing for a FortiGate-7000 series chassis. The FIM-7904E includes an integrated switch fabric and DP2 processors to load balance millions of data sessions over the chassis fabric backplane to FPM processor modules.

The FIM-7904E can be installed in any FortiGate-7000 series chassis in hub/switch slots 1 and 2. The FIM-7904E provides four Quad Small Form-factor Pluggable plus (QSFP+) interfaces for a FortiGate-7000 chassis. Using a 40GBASE-SR10 multimode QSFP+ transceiver, each QSFP+ interface can also be split into four 10GBASE-SR interfaces.

You can also install FIM-7904Es in a second chassis and operate the chassis in HA mode with another set of processor modules to provide chassis failover protection.

FIM-7904E front panel

The FIM-7904E includes the following hardware features:

l Eight front panel 40GigE QSFP+ fabric channel interfaces (B1 to B8). These interfaces are connected to 40Gbps

networks to distribute sessions to the FPM processor modules installed in chassis slots 3 and up. Using 40GBASESR10 multimode QSFP+ transceivers, each QSFP+ interface can also be split into four 10GBASE-SR interfaces. These interfaces also support creating link aggregation groups (LAGs) that can include interfaces from both FIM7904Es.

l Two front panel 10GigE SFP+ interfaces (M1 and M2) that connect to the base backplane channel. These

interfaces are used for heartbeat, session sync, and management communication between FIM-7904Es in different chassis. These interfaces can also be configured to operate as Gigabit Ethernet interfaces using SFP transceivers, but should not normally be changed. If you use switches to connect these interfaces, the switch ports should be able to accept packets with a maximum frame size of at least 1526. The M1 and M2 interfaces need to be on different broadcast domains. If M1 and M2 are connected to the same switch, Q-in-Q must be enabled on the switch.

l Four 10/100/10000BASE-T out of band management Ethernet interfaces (MGMT1 to MGMT4).

l One 80Gbps fabric backplane channel for traffic distribution with each FPM module installed in the same chassis as

the FIM-7904E.

FortiGate-7000 Fortinet Technologies Inc.

FortiGate-7030E FIM-7904E interface module

l One 1Gbps base backplane channel for base backplane with each FPM module installed in the same chassis as the

FIM-7904E.

l One 40Gbps fabric backplane channel for fabric backplane communication with the other FIM-7904E in the chassis.

l One 1Gbps base backplane channel for base backplane communication with the other FIM-7904E in the chassis.

l On-board DP2 processors and an integrated switch fabric to provide high-capacity session-aware load balancing.

l One front panel USB port.

l Power button.

l NMIswitch (for troubleshooting as recommended by Fortinet Support).

l Mounting hardware.

l LED status indicators.

Splitting the FIM-7904E B1 to B8 interfaces

Each 40GE interface (B1 to B8) on the FIM-7904Es in slot 1 and slot 2 of a FortiGate-7000 system can be split into 4x10GBE interfaces. You split these interfaces after the FIM-7904Es are installed in your FortiGate-7000 system and the system us up and running. You can split the interfaces of the FIM-7904Es in slot 1 and slot 2 at the same time by entering a single CLI command. Splitting the interfaces requires a system reboot so Fortinet recommends that you split multiple interfaces at the same time according to your requirements to avoid traffic disruption.

For example, to split the B1 interface of the FIM-7904E in slot 1 (this interface is named 1-B1) and the B1 and B4 interfaces of the FIM-7904E in slot 2 (these interfaces are named 2-B1 and 2-B4) connect to the CLI of your FortiGate-7000 system using the management IP and enter the following command:

config system global

set split-port 1-B1 2-B1 2-B4

end

After you enter the command, the FortiGate-7000 reboots and when it comes up:

l The 1-B1 interface will no longer be available. Instead the 1-B1/1, 1-B1/2, 1-B1/3, and 1-B1/4 interfaces will be

available.

l The 2-B1 interface will no longer be available. Instead the 2-B1/1, 2-B1/2, 2-B1/3, and 2-B1/4 interfaces will be

available.

l The 2-B4 interface will no longer be available. Instead the 2-B4/1, 2-B4/2, 2-B4/3, and 2-B4/4 interfaces will be

available.

You can now connect breakout cables to these interfaces and configure traffic between them just like any other FortiGate interface.

FIM-7904E hardware schematic

The FIM-7904E includes an integrated switch fabric (ISF) that connects the front panel interfaces to the DP2 session-aware load balancers and to the chassis backplanes. The ISFalso allows the DP2 processors to distribute sessions amoung all NP6 processors on the FPMmodules in the same chassis.

21 FortiGate-7000

Fortinet Technologies Inc.

FIM-7904E interface module FIM-7910E interface module

FIM-7904E hardware architecture

FIM-7910E interface module

The FIM-7910E interface module is a hot swappable module that provides data, management and session sync/heartbeat interfaces, base backplane switching and fabric backplane session-aware load balancing for a FortiGate-7000 series chassis. The FIM-7910E includes an integrated switch fabric and DP2 processors to load balance millions of data sessions over the chassis fabric backplane to FPM processor modules.

The FIM-7910E can be installed in any FortiGate-7000 series chassis in hub/switch slots 1 and 2. The FIM-7910E provides four C form-factor pluggable 2 (CFP2) interfaces for a FortiGate-7000 chassis. Using a 100GBASESR10 multimode CFP2 transceiver, each CFP2 interface can also be split into ten 10GBASE-SR interfaces.

FIM-7910E front panel

FortiGate-7000 Fortinet Technologies Inc.

FIM-7910E interface module FIM-7904E interface module

The FIM-7910E includes the following hardware features:

l Four front panel 100GigE CFP2 fabric channel interfaces (C1 to C4). These interfaces are connected to 100Gbps

networks to distribute sessions to the FPM processor modules installed in chassis slots 3 and up. Using 100GBASESR10 multimode CFP2 transceivers, each CFP2 interface can also be split into ten 10GBASE-SR interfaces. These interfaces also support creating link aggregation groups (LAGs) that can include interfaces from both FIM-7910Es.

l Two front panel 10GigE SFP+ interfaces (M1 and M2) that connect to the base backplane channel. These

interfaces are used for heartbeat, session sync, and management communication between FIM-7910Es in different chassis. These interfaces can also be configured to operate as Gigabit Ethernet interfaces using SFP transceivers, but should not normally be changed. If you use switches to connect these interfaces, the switch ports should be able to accept packets with a maximum frame size of at least 1526. The M1 and M2 interfaces need to be on different broadcast domains. If M1 and M2 are connected to the same switch, Q-in-Q must be enabled on the switch.

l Four 10/100/1000BASE-T out of band management Ethernet interfaces (MGMT1 to MGMT4).

l One 80Gbps fabric backplane channel for traffic distribution with each FPM module installed in the same chassis as

the FIM-7910E.

l One 1Gbps base backplane channel for base backplane with each FPM module installed in the same chassis as the

FIM-7910E.

l One 40Gbps fabric backplane channel for fabric backplane communication with the other FIM-7910E in the chassis.

l One 1Gbps base backplane channel for base backplane communication with the other FIM-7910E in the chassis.

l On-board DP2 processors and an integrated switch fabric to provide high-capacity session-aware load balancing.

l One front panel USB port.

l Power button.

l NMIswitch (for troubleshooting as recommended by Fortinet Support).

l Mounting hardware.

l LED status indicators.

Splitting the FIM-7910E C1 to C4 interfaces

Each 100GE interface (C1 to C4) on the FIM-7910Es in slot 1 and slot 2 of a FortiGate-7000 system can be split into 10 x 10GBE interfaces. You split these interfaces after the FIM-7910Es are installed in your FortiGate-7000 system and the system us up and running. You can split the interfaces of the FIM-7910Es in slot 1 and slot 2 at the same time by entering a single CLI command. Splitting the interfaces requires a system reboot so Fortinet recommends that you split multiple interfaces at the same time according to your requirements to avoid traffic disruption.

For example, to split the C1 interface of the FIM-7910E in slot 1 (this interface is named 1-C1) and the C1 and C4 interfaces of the FIM-7910E in slot 2 (these interfaces are named 2-C1 and 2-C4) connect to the CLI of your FortiGate-7000 system using the management IP and enter the following command:

config system global

set split-port 1-C1 2-C1 2-C4

end

After you enter the command, the FortiGate-7000 reboots and when it comes up:

l The 1-C1 interface will no longer be available. Instead the 1-C1/1, 1-C1/2, ..., and 1-C1/10 interfaces will be

available.

l The 2-C1 interface will no longer be available. Instead the 2-C1/1, 2-C1/2, ..., and 2-C1/10 interfaces will be

available.

23 FortiGate-7000

Fortinet Technologies Inc.

FIM-7904E interface module FIM-7920E interface module

l The 2-C4 interface will no longer be available. Instead the 2-C4/1, 2-C4/2, ..., and 2-C4/10 interfaces will be

available.

You can now connect breakout cables to these interfaces and configure traffic between them just like any other FortiGate interface.

FIM-7910E hardware schematic

The FIM-7910E includes an integrated switch fabric (ISF) that connects the front panel interfaces to the DP2 session-aware load balancers and to the chassis backplanes. The ISFalso allows the DP2 processors to distribute sessions amoung all NP6 processors on the FPMmodules in the same chassis.

FIM-7910E hardware schematic

FIM-7920E interface module

The FIM-7920E interface module is a hot swappable module that provides data, management and session sync/heartbeat interfaces, base backplane switching and fabric backplane session-aware load balancing for a FortiGate-7000 series chassis. The FIM-7920E includes an integrated switch fabric and DP2 processors to load balance millions of data sessions over the chassis fabric backplane to FPM processor modules.

The FIM-7920E can be installed in any FortiGate-7000 series chassis in hub/switch slots 1 or 2. The FIM-7920E provides four Quad Small Form-factor Pluggable 28 (QSFP28) 100GigE interfaces for a FortiGate-7000 chassis. Using a 100GBASE-SR4 QSFP28 or 40GBASE-SR4 QSFP+ transceiver, each QSFP28 interface can also be split into four 10GBASE-SR interfaces.

You can also install FIM-7920Es in a second chassis and operate the chassis in HA mode with another set of processor modules to provide chassis failover protection.

FortiGate-7000 Fortinet Technologies Inc.

FIM-7920E interface module FIM-7904E interface module

FIM-7920E front panel

The FIM-7920E includes the following hardware features:

l Four front panel 100GigE QSFP28 fabric channel interfaces (C1 to C4). These interfaces are connected to

100Gbps networks to distribute sessions to the FPM processor modules installed in chassis slots 3 and up. Using a 100GBASE-SR4 QSFP28 or 40GBASE-SR4 QSFP+ transceiver, each QSFP28 interface can also be split into four 10GBASE-SR interfaces. These interfaces also support creating link aggregation groups (LAGs) that can include interfaces from both FIM-7920Es.

l Two front panel 10GigE SFP+ interfaces (M1 and M2) that connect to the base backplane channel. These

interfaces are used for heartbeat, session sync, and management communication between FIM-7920Es in different chassis. These interfaces can also be configured to operate as Gigabit Ethernet interfaces using SFP transceivers, but should not normally be changed. If you use switches to connect these interfaces, the switch ports should be able to accept packets with a maximum frame size of at least 1526. The M1 and M2 interfaces need to be on different broadcast domains. If M1 and M2 are connected to the same switch, Q-in-Q must be enabled on the switch.

l Four 10/100/1000BASE-T out of band management Ethernet interfaces (MGMT1 to MGMT4).

l One 80Gbps fabric backplane channel for traffic distribution with each FPM module installed in the same chassis as

the FIM-7920E.

l One 1Gbps base backplane channel for base backplane with each FPM module installed in the same chassis as the

FIM-7920E.

l One 40Gbps fabric backplane channel for fabric backplane communication with the other FIM-7920E in the chassis.

l One 1Gbps base backplane channel for base backplane communication with the other FIM-7920E in the chassis.

l On-board DP2 processors and an integrated switch fabric to provide high-capacity session-aware load balancing.

l One front panel USB port.

l Power button.

l NMIswitch (for troubleshooting as recommended by Fortinet Support).

l Mounting hardware.

l LED status indicators.

Changing the interface type and splitting the FIM-7920E C1 to C4 interfaces

By default, the FIM-7920E C1 to C4 interfaces are configured as 100GE QSFP28 interfaces. You can use the following command to convert them to 40GE QSFP+ interfaces. Once converted, you can use the other command below to split them into four 10GBASE-SR interfaces.

25 FortiGate-7000

Fortinet Technologies Inc.

FIM-7904E interface module FIM-7920E hardware schematic

Changing the interface type

For example, to change the interface type of the C1 interface of the FIM-7920E in slot 1 to 40GE QSFP+ connect to the CLI of your FortiGate-7000 system using the management IP and enter the following command:

config system global

set qsfp28-40g-port 1-C1

end

The FortiGate-7000 system reboots and when it starts up interface C1 of the FIM-7920E in slot 1 is operating as a 40GE QSFP+ interface .

To change the interface type of the C3 and C4 ports of the FIM-7920E in slot 2 to 40GE QSFP+ enter the following command:

config system global

set qsfp28-40g-port 2-C3 2-C4

end

The FortiGate-7000 system reboots and when it starts up interfaces C3 and C4 of the FIM-7920E in slot 2 are operating as a 40GE QSFP+ interfaces.

Splitting the C1 to C4 interfaces

Each 40GE interface (C1 to C4) on the FIM-7920Es in slot 1 and slot 2 of a FortiGate-7000 system can be split into 4 x 10GBE interfaces. You split these interfaces after the FIM-7920Es are installed in your FortiGate-7000 system and the system us up and running. You can split the interfaces of the FIM-7920Es in slot 1 and slot 2 at the same time by entering a single CLI command. Splitting the interfaces requires a system reboot so Fortinet recommends that you split multiple interfaces at the same time according to your requirements to avoid traffic disruption.

For example, to split the C1 interface of the FIM-7920E in slot 1 (this interface is named 1-C1) and the C1 and C4 interfaces of the FIM-7920E in slot 2 (these interfaces are named 2-C1 and 2-C4) connect to the CLI of your FortiGate-7000 system using the management IP and enter the following command:

config system global

set split-port 1-C1 2-C1 2-C4

end

After you enter the command, the FortiGate-7000 reboots and when it comes up:

l The 1-C1 interface will no longer be available. Instead the 1-C1/1, 1-C1/2, 1-C1/3, and 1-C1/4 interfaces will be

available.

l The 2-C1 interface will no longer be available. Instead the 2-C1/1, 2-C1/2, 2-C1/3, and 2-C1/4 interfaces will be

available.

l The 2-C4 interface will no longer be available. Instead the 2-C4/1, 2-C4/2, 2-C4/3, and 2-C4/4 interfaces will be

available.

You can now connect breakout cables to these interfaces and configure traffic between them just like any other FortiGate interface.

FIM-7920E hardware schematic

The FIM-7920E includes an integrated switch fabric (ISF) that connects the front panel interfaces to the DP2 session-aware load balancers and to the chassis backplanes. The ISFalso allows the DP2 processors to

FortiGate-7000 Fortinet Technologies Inc.

FPM-7620E processing module FIM-7904E interface module

distribute sessions among all NP6 processors on the FPMmodules in the same chassis.

FIM-7920E hardware schematic

FPM-7620E processing module

The FPM-7620E processing module is a high-performance worker module that processes sessions load balanced to it by FortiGate-7000 series interface (FIM) modules over the chassis fabric backplane. The FPM-7620E can be installed in any FortiGate-7000 series chassis in slots 3 and up.

The FPM-7620E includes two 80Gbps connections to the chassis fabric backplane and two 1Gbps connections to the base backplane. The FPM-7620E processes sessions using a dual CPU configuration, accelerates network traffic processing with 4 NP6 processors and accelerates content processing with 8 CP9 processors. The NP6 network processors are connected by the FIM switch fabric so all supported traffic types can be fast path accelerated by the NP6 processors.

The FPM-7620E includes the following hardware features:

l Two 80Gbps fabric backplane channels for load balanced sessions from the FIM modules installed in the chassis.

l Two 1Gbps base backplane channels for management, heartbeat and session sync communication.

l Dual CPUs for high performance operation.

l Four NP6 processors to offload network processing from the CPUs.

l Eight CP9 processors to offload content processing and SSL and IPsec encryption from the CPUs.

27 FortiGate-7000

Fortinet Technologies Inc.

+ 60 hidden pages

Fortinet FortiGate-7000, FortiGate-7040E, FortiGate-7904E, FortiGate-7901E, FortiGate-7030E Handbook

Specifications and Main Features

Frequently Asked Questions

User Manual

Change Log

Introduction

What's new in for FortiGate-7000 v5.4.5

M1 and M2 interfaces can use different VLANs for heartbeat traffic (408386)

GTP load balancing

FSSO user authentication is synchronized

HA Link failure threshold changes (422264 )

FortiGate-7000 overview

Licenses, Device Registration, and Support

FortiGate-7060E

FortiGate-7060E front panel

FortiGate-7060E schematic

FortiGate-7040E

FortiGate-7040E front panel

FortiGate-7040E schematic

FortiGate-7030E

FortiGate-7030E front panel

FortiGate-7030E schematic

FIM-7901E interface module

FIM-7901E schematic

FIM-7904E interface module

Splitting the FIM-7904E B1 to B8 interfaces

FIM-7904E hardware schematic

FIM-7910E interface module

Splitting the FIM-7910E C1 to C4 interfaces

FIM-7910E hardware schematic

FIM-7920E interface module

Changing the interface type and splitting the FIM-7920E C1 to C4 interfaces

Splitting the C1 to C4 interfaces

FIM-7920E hardware schematic

FPM-7620E processing module