Fortinet FortiGate FortiGate-5001A Security System Manual

Page 1

FortiGate-5001A

Security System Guide

A detailed guide to the FortiGate-5001A Security System. This FortiGate-5001A Security System Guide describes FortiGate-5001A hardware features, how to install the FortiGate-5001A board in a FortiGate-5000 series chassis, and how to configure the FortiGate-5001A security system for your network.

The most recent versions of this and all FortiGate-5000 series documents are available from the FortiGate-5000 page of the Fortinet Technical Documentation web site (http://docs.forticare.com).

Visit http://support.fortinet.com to register your FortiGate-5001A system. By registering you can receive product

updates, technical support, and FortiGuard services.

FortiGate-5001A Security System Guide

01-30000-0438-200800801

Page 2

Warnings and cautions

Only trained and qualified personnel should be allowed to install or maintain FortiGate-5000 series equipment. Read and comply with all warnings, cautions and notices in this document.

CAUTION: Risk of Explosion if Battery is replaced by an Incorrect Type. Dispose of Used Batteries According to the Instructions.

Caution: You should be aware of the following cautions and warnings before installing FortiGate-5000 series hardware

• Turning off all power switches may not turn off all power to the FortiGate-5000 series equipment. Except where noted, disconnect the FortiGate-5000 series equipment from all power sources, telecommunications links and networks before installing, or removing FortiGate-5000 series components, or performing other maintenance tasks. Failure to do this can result in personal injury or equipment damage. Some circuitry in the FortiGate-5000 series equipment may continue to operate even though all power switches are off.

• An easily accessible disconnect device, such as a circuit breaker, should be incorporated into the data center wiring that connects power to the FortiGate-5000 series equipment.

• Install FortiGate-5000 series chassis at the lower positions of a rack to avoid making the rack top-heavy and unstable.

• Do not insert metal objects or tools into open chassis slots.

• Electrostatic discharge (ESD) can damage FortiGate-5000 series equipment. Only perform the procedures described in this document from an ESD workstation. If no such station is available, you can provide some ESD protection by wearing an anti-static wrist strap and attaching it to an ESD connector or to a metal part of a FortiGate chassis.

• Some FortiGate-5000 series components may overload your supply circuit and impact your overcurrent protection and supply wiring. Refer to nameplate ratings to address this concern.

• Make sure all FortiGate-5000 series components have reliable grounding. Fortinet recommends direct connections to the branch circuit.

• If you install a FortiGate-5000 series component in a closed or multi-unit rack assembly, the operating ambient temperature of the rack environment may be greater than room ambient. Make sure the operating ambient temperature does not exceed the manufacturer's maximum rated ambient temperature.

• Installing FortiGate-5000 series equipment in a rack should be such that the amount of airflow required for safe operation of the equipment is not compromised. Refer to the ATCA specification for more information about cooling and airflow requirements.

• This equipment is for installation only in a Restricted Access Location (dedicated equipment room, service closet or the like), in accordance with the National Electrical Code.

• Per the National Electrical Code, sizing of a Listed circuit breaker or branch circuit fuse and the supply conductors to the equipment is based on the marked input current rating. A product with a marked input current rating of 25 A is required to be placed on a 40 A branch circuit. The supply conductors will also be sized according to the input current rating and also derated for the maximum rated operating ambient temperature, Tma, of the equipment.

• FortiGate-5000 series equipment shall be installed and connected to an electrical supply source in accordance with the applicable codes and regulations for the location in which it is installed. Particular attention shall be paid to use of correct wire type and size to comply with the applicable codes and regulations for the installation / location. Connection of the supply wiring to the terminal block on the equipment may be accomplished using Listed wire compression lugs, for example, Pressure Terminal Connector made by Ideal Industries Inc. or equivalent which is suitable for AWG 10. Particular attention shall be given to use of the appropriate compression tool specified by the compression lug manufacturer, if one is specified.

FortiGate-5001A Security System Guide

01-30000-0438-200800801

Page 3

Contents

Warnings and cautions ..................................................................................... 2

FortiGate-5001A security system ..................................... 5

Front panel LEDs and connectors ................................................................... 6

LEDs ............................................................................................................. 6

Connectors.................................................................................................... 7

Base backplane gigabit communication ......................................................... 8

Fabric backplane gigabit communication ....................................................... 8

AMC modules..................................................................................................... 8

Hardware installation......................................................... 9

Changing FortiGate-5001A SW11 switch settings........................................ 10

FortiGate-5001A mounting components ....................................................... 12

Inserting a FortiGate-5001A board................................................................. 13

Removing a FortiGate-5001A board............................................................... 16

Resetting a FortiGate-5001A board................................................................ 17

Installing and removing AMC modules ......................................................... 19

Inserting AMC slot fillers ............................................................................. 20

Inserting AMC modules............................................................................... 20

Removing AMC modules ............................................................................ 21

Troubleshooting .............................................................................................. 22

FortiGate-5001A does not start up .............................................................. 22

FortiGate-5001A status LED is flashing during system operation............... 23

FortiGate AMC modules not detected by FortiGate-5001A board .............. 23

Quick Configuration Guide ............................................. 25

Registering your Fortinet product ................................................................. 25

Upgrading to High Encryption........................................................................ 25

Planning the configuration ............................................................................. 26

NAT/Route mode ........................................................................................ 26

Transparent mode....................................................................................... 27

Choosing the configuration tool .................................................................... 28

Web-based manager................................................................................... 28

Command Line Interface (CLI).................................................................... 28

Factory default settings .................................................................................. 28

Configuring NAT/Route mode ........................................................................ 29

Using the web-based manager to configure NAT/Route mode................... 29

Using the CLI to configure NAT/Route mode .............................................. 30

FortiGate-5001A Security System Guide 01-30000-0438-200800801 3

Page 4

Contents

Configuring Transparent mode...................................................................... 31

Using the web-based manager to configure Transparent mode ................. 31

Using the CLI to configure Transparent mode ............................................ 32

Upgrading FortiGate-5001A firmware............................................................ 33

FortiGate-5001A base backplane data communication ............................... 34

Powering off the FortiGate-5001A board....................................................... 36

For more information ...................................................... 37

Fortinet documentation .................................................................................. 37

Fortinet Tools and Documentation CD........................................................ 37

Fortinet Knowledge Center ........................................................................ 37

Comments on Fortinet technical documentation ........................................ 37

Customer service and technical support ...................................................... 37

FortiGate-5001A Security System Guide

4 01-30000-0438-200800801

Page 5

FortiGate-5001A security system

Fabri

RJ-4

FortiGate-5001A security system

The FortiGate-5001A security system is a high-performance Advanced Telecommunications Computing Architecture (ACTA) compliant FortiGate security system that can be installed in any ACTA chassis including the FortiGate-5140, FortiGate-5050, or FortiGate-5020 chassis.

The FortiGate-5001A security system contains two front panel gigabit ethernet interfaces, two base backplane gigabit interfaces, and two fabric backplane gigabit interfaces. Use the front panel interfaces for connections to your networks and the backplane interfaces for communication between FortiGate-5000 series boards over the ACTA chassis backplane. The fabric interfaces are reserved for future 10-gigabit operation but can be used now for board to board 1-gigabit operation. In FortiGate-5140 and FortiGate-5050 chassis you must install a FortiSwitch-5003 board or another backplane switching product to support backplane communication.

The FortiGate-5001A-DW front panel also includes a double-width Advanced Mezzanine Card (AMC) opening. You can install a supported FortiGate ADM module such as the FortiGate-ADM-XB2 or the FortiGate-ADM-FB8 in the AMC opening. The FortiGate-ADM-XB2 adds two accelerated 10-gigabit interfaces to the FortiGate-5001A board and the FortiGate-ADM-FB8 adds 8 accelerated 1 gigabit interfaces.

You can also configure two or more FortiGate-5001A boards to create a high availability (HA) cluster using the base backplane interfaces for HA heartbeat communication through the chassis backplane, leaving front panel interfaces available for network connections.

The FortiGate-5001A board also supports high-end FortiGate features including

802.1Q VLANs, multiple virtual domains, 802.3ad aggregate interfaces, and FortiGate-5000 chassis monitoring.

Figure 1: FortiGate-5001A front panel

c and Base

network activity

LEDs

USB

IPM LED

(board

position)

ACC OOS Power Status LEDs

Retention

Screw

Extraction

Lever

Retention

Screw

Extraction

Lever

Double-width AMC

opening

Console

port1 and port2

10/100/1000

Copper Interfaces

The FortiGate-5001A board includes the following features:

• Two front panel 10/100/1000Base-T copper gigabit ethernet interfaces.

• Two base backplane gigabit interfaces (base CH0 and Base CH1 on the front panel and base1 and base2 in the firmware) for HA heartbeat and data communications across the FortiGate-5000 chassis backplane. The base backplane gigabit interfaces can also be used for data communications across the FortiGate-5000 chassis backplane if combined with a board that supports backplane base switching.

FortiGate-5001A Security System Guide 01-30000-0438-200800801 5

Page 6

Front panel LEDs and connectors FortiGate-5001A security system

• Two fabric backplane gigabit interfaces (Fabric ch0 and Fabric CH1 on the front panel and fabric1 and fabric2 in the firmware) for data communications across the FortiGate-5000 chassis backplane. The fabric backplane gigabit interfaces can also be used for data communications across the FortiGate5000 chassis backplane if combined with a board that supports backplane fabric switching. The fabric backplane is also reserved for future 10 gigabit operation.

• Dual-width AMC opening.

• RJ-45 RS-232 serial console connection.

• 2 USB connectors.

• Mounting hardware.

• LED status indicators.

Front panel LEDs and connectors

From the FortiGate-5001A font panel you can view the status of the front panel LEDs to verify that the board is functioning normally. You also connect the FortiGate-5001A board to your network through the front panel 10/100/1000 ethernet connectors. The front panel also includes the RJ-45 console port for connecting to the FortiOS CLI and two USB ports. The USB ports can be used with any USB key for backing up and restoring configuration files. For information about using the using a USB key with a FortiGate unit, see the FortiGate-5000

Series Firmware and FortiUSB Guide.

LEDs

Tab le 1 lists and describes the FortiGate-5001A LEDs.

Table 1: FortiGate-5001A LEDs

LED State Description

1, 2 (Left LED)

1, 2 (Right LED)

Base CH0 Green Base backplane interface 0 (base1) is connected at 1 Gbps.

Base CH1 Green Base backplane interface 1 (base2) is connected at 1 Gbps.

Fabric CH0 Green Fabric backplane interface 0 (fabric1) is connected at 1

Green The correct cable is connected to the interface and the

Flashing Green

Off No link is established.

Green Connection at 1 Gbps.

Amber Connection at 100 Mbps.

Off Connection at 10 Mbps.

Flashing Green

connected equipment has power.

Network activity at the interface.

Network activity at base backplane interface 0.

Network activity at base backplane interface 1.

Gbps.

Network activity at fabric backplane interface 0.

FortiGate-5001A Security System Guide

6 01-30000-0438-200800801

Page 7

FortiGate-5001A security system Front panel LEDs and connectors

Table 1: FortiGate-5001A LEDs (Continued)

LED State Description

Fabric CH1 Green Fabric backplane interface 1 (fabric2) is connected at 1

Flashing Green

ACC

OOS (Out of Service)

Power

Off or Flashing green

Off Normal operation.

Green A fault condition exists and the FortiGate-5001A blade is out

Green The FortiGate-5001A board is powered on.

Gbps.

Network activity at fabric backplane interface 1.

The ACC LED flashes green when the FortiGate-5001A board accesses the FortiOS flash disk. The FortiOS flash disk stores the current FortiOS firmware build and configuration files. The system accesses the flash disk when starting up, during a firmware upgrade, or when an administrator is using the CLI or GUI to change the FortiOS configuration. Under normal operating conditions this LED flashes occasionally, but is mostly off.

of service (OOS). This LED may also flash very briefly during normal startup.

Connectors

Status

IPM

Green The FortiGate-5001A board is powered on.

Flashing Green

Blue The FortiGate-5001A is ready to be hot-swapped (removed

Flashing Blue

Off Normal operation. The FortiGate-5001A board is in contact

The FortiGate-5001A is starting up. If this LED is flashing at any time other than system startup, a fault condition may exist.

from the chassis). If the IPM light is blue and no other LEDs are lit the FortiGate-5001A board has lost power

The FortiGate-5001A is changing from hot swap to running mode or from running mode to hot swap. This happens when the FortiGate-5001A board is starting up or shutting down.

with the chassis backplane.

Ta bl e 2 lists and describes the FortiGate-5001A connectors.

Table 2: FortiGate-5001A connectors

Connector Type Speed Protocol Description

1, 2 RJ-45 10/100/1000

Base-T

CONSOLE RJ-45 9600 bps RS-232

USB USB FortiUSB key firmware updates and

Ethernet Copper gigabit connection to

serial

10/100/1000Base-T copper networks. Serial connection to the command line

interface.

configuration backup.

FortiGate-5001A Security System Guide 01-30000-0438-200800801 7

Page 8

Base backplane gigabit communication FortiGate-5001A security system

Base backplane gigabit communication

The FortiGate-5001A base backplane gigabit interfaces can be used for HA heartbeat communication between FortiGate-5001A boards installed in the same or in different FortiGate-5000 chassis. You can also configure FortiGate-5001A boards to use the base backplane interfaces for data communication between FortiGate boards. To support base backplane communications your FortiGate-5140 or FortiGate-5050 chassis must include one or more FortiSwitch-5003 boards. FortiSwitch-5003 boards are installed in chassis slots 1 and 2. The FortiGate-5020 chassis supports base backplane communication with no additions or changes to the chassis.

For information about base backplane communication in FortiGate-5140 and FortiGate-5050 chassis, see the FortiGate-5000 Base Backplane Communication

Guide. For information about the FortiSwitch-5003 board, see the FortiSwitch-5003 Guide.

Fabric backplane gigabit communication

AMC modules

The FortiGate-5001A fabric backplane gigabit interfaces can be used for data communication or HA heartbeat communication between FortiGate-5001A boards installed in the same or in different FortiGate-5000 chassis. The fabric backplane is also reserved for future 10 gigabit operation. To support fabric backplane communications your FortiGate-5140 or FortiGate-5050 chassis must include one or more gigabit switch boards installed in chassis slots 1 and 2. The FortiGate-5020 chassis does not support fabric backplane communications.

You can install one FortiGate ADM module in the FortiGate-5001A-DW front panel AMC double-width opening. The following FortiGate ADM modules are available:

• FortiGate-ADM-XB2, provides 2 accelerated XFP 10 gigabit interfaces.

• FortiGate-ADM-FB8, provides 8 accelerated SFP 1 gigabit interfaces.

Figure 2: FortiGate-ADM-XB2

OOS

PWR

ADM-XB2

LINK

ACT

LINK

ACT

FortiGate-5001A Security System Guide

8 01-30000-0438-200800801

Page 9

Hardware installation

Before use, the FortiGate-5001A board must be correctly inserted into an Advanced Telecommunications Computing Architecture (ACTA) chassis such as the FortiGate-5140, FortiGate-5050, or FortiGate-5020 chassis.

Before inserting the board into a chassis you should make sure the SW-11 switch is set correctly.

In the available Advanced Mezzanine Card (AMC) double-width opening on the FortiGate-5001A-DW front panel you can install a supported FortiGate ADM module such as the FortiGate-ADM-XB2 or the FortiGate-ADM-FB8.

Caution: Because the FortiGate-5001A board does not support hot swapping AMC modules, the FortiGate-5001A board must be disconnected from power and the left handle opened before you install a FortiGate AMC module. See “Installing and removing AMC

modules” on page 19.

Caution: Do not operate the FortiGate-5001A board with an open AMC opening. For optimum cooling performance and safety, the AMC opening must contain an AMC slot filler or a FortiGate AMC module.

This section describes:

• Changing FortiGate-5001A SW11 switch settings

• FortiGate-5001A mounting components

• Inserting a FortiGate-5001A board

• Removing a FortiGate-5001A board

• Resetting a FortiGate-5001A board

• Installing and removing AMC modules

• Troubleshooting

FortiGate-5001A Security System Guide 01-30000-0438-200800801 9

Page 10

Changing FortiGate-5001A SW11 switch settings Hardware installation

Changing FortiGate-5001A SW11 switch settings

The SW11 switch on the FortiGate-5001A board is factory set by Fortinet to detect a shelf manager (Figure 3). This is the correct setting if you are installing the FortiGate-5001A in a chassis that contains an operating shelf manager (such as the FortiGate-5140 or FortiGate-5050 chassis).

Figure 3: FortiGate-5140 and 5050 setting for SW11 (factory default shelf manager

mode)

Factory Default (Shelf Manager Required)

SW11

3421

1 Off 2 On 3 Off 4 Off

By default a FortiGate-5001A board will not start up if the board is installed in a chassis, such as a FortiGate-5020, that does not contain a shelf manager or that contains a shelf manager that is not operating. Before installing a FortiGate-5001A in a FortiGate-5020 chassis or a chassis that does not contain an operating shelf manager you must change the SW11 switch setting as shown in Figure 4.

Figure 4: FortiGate-5020 setting for SW11 (standalone mode)

Standalone Mode for FortiGate-5020 (no Shelf Manager)

SW11

3421

1 Off 2 On 3 On 4 Off

In all cases you should confirm that you have the correct FortiGate-5001A SW11 settings before installing the board in a chassis.

Table 3: FortiGate-5001A SW11 settings for different chassis

Chassis Correct SW11

Setting

FortiGate-5140 or 5050 or any ACTA chassis with an operating shelf manager (factory default shelf manager mode).

FortiGate-5020 or any ACTA chassis without an operating shelf manager (standalone mode).

10 01-30000-0438-200800801

1OffShelf manager cannot find

2On

3Off

4Off

1OffFortiGate-5001A board will not start up.

2On

3On

4Off

Result of wrong jumper setting

FortiGate-5001A board. No shelf manager information about the FortiGate-5001A board available.

FortiGate-5001A Security System Guide

Page 11

Hardware installation Changing FortiGate-5001A SW11 switch settings

To change or verify the SW11 switch settings

To complete this procedure, you need:

• A FortiGate-5001A board

• A tool for changing the SW11 switch setting (optional)

• An electrostatic discharge (ESD) preventive wrist strap with connection cord

Caution: FortiGate-5001A boards must be protected from static discharge and physical shock. Only handle or work with FortiGate-5001A boards at a static-free workstation. Always wear a grounded electrostatic discharge (ESD) preventive wrist strap when handling FortiGate-5001A boards.

1 Attach the ESD wrist strap to your wrist and to an ESD socket or to a bare metal

surface on a chassis or frame.

2 If you have installed the FortiGate-5001A board in a chassis, remove it.

For removal instructions, see “Removing a FortiGate-5001A board” on page 16.

3 Use Figure 5 to locate SW11 on the FortiGate-5001A board.

The top of the FortiGate-5001A board is covered with a copper heat sink. The printed circuit board is under the copper heat sink. SW11 is located on the printed circuit board and is accessible from the left side of the FortiGate-5001A board under the copper heat sink.

4 If required, change SW11 to the correct setting.

5 Insert the FortiGate-5001A board into a chassis and verify that the board starts up

and operates correctly.

For inserting instructions, see “Inserting a FortiGate-5001A board” on page 13.

Figure 5: Location of SW11 on the FortiGate-5001A board

Location of SW 11

Factory Default (Shelf Manager Required)

SW11

Standalone Mode for FortiGate-5020 (no Shelf Manager)

SW11

1 Off

2 On 3 Off 4 Off

3421

1 Off

2 On 3 On 4 Off

3421

FortiGate-5001A board (top view)

FortiGate-5001A Front Faceplate

FortiGate-5001A Security System Guide 01-30000-0438-200800801 11

Page 12

FortiGate-5001A mounting components Hardware installation

Closed

Open

Alignment

Retention

Screw

Lock

Handle

Alignment Pin

Retention

Screw

Lock

Handle

Hook

(right handle

only)

Alignment Pin

Retention

Screw

Lock

Hook

(right handle

only)

Alignment

Retention

Screw

Lock

Handle

FortiGate-5001A mounting components

To install a FortiGate-5001A board you slide the board into an open slot in the front of an ATCA chassis and then use the mounting components to lock the board into place in the slot. When locked into place and positioned correctly the board front panel is flush with the chassis front panel. The board is also connected to the chassis backplane.

To position the board correctly you must use the mounting components shown in

Figure 6 for the right side of the front panel and Figure 7 for the left side of the

front panel.

Figure 6: FortiGate-5001A mounting components (right handle)

Note: The right handle includes a hook that secures the handle into place when the board

is mounted in the chassis (Figure 6). The hook is not included on the left handle (Figure 7). Otherwise the left and right mounting components are the same. Operating the left and right handles is also basically the same except that without the hook you do not have to squeeze the left handle lock. Also the left handle does not lock into place in the same way as the right handle.

Figure 7: FortiGate-5001A mounting components (left handle)

12 01-30000-0438-200800801

Alignment

Retention

Screw

Handle

Lock

AMC Slot

Filler

FortiGate-5001A Security System Guide

Page 13

Hardware installation Inserting a FortiGate-5001A board

The FortiGate-5001A handles align the board in the chassis slot and are used to insert and eject the board from the slot. The right handle activates a microswitch that turns on or turns off power to the board. If the FortiGate-5001A board is installed in a FortiGate-5140 chassis this is the lower handle. When the right handle is open the microswitch is off and the board cannot receive power. When the right handle is fully closed the microswitch is on and if the board is fully inserted into a chassis slot the board can receive power. You can use the right handle to cycle the power and reset the board without removing the board from the chassis. See “Resetting a FortiGate-5001A board” on page 17.

Inserting a FortiGate-5001A board

The FortiGate-5001A board must be fully installed in a chassis slot, with the handles closed and locked and retention screws fully tightened for the FortiGate-5001A board to receive power and operate normally. If the FortiGate-5001A board is not receiving power, the IPM LED glows solid blue and all other LEDs remain off. See “Front panel LEDs and connectors” on page 6.

It is important to carefully seat the FortiGate-5001A board all the way into the chassis, to not use too much force on the handles, and to make sure that the handles are properly locked. Only then will the FortiGate-5001A board power-on and start up correctly.

FortiGate-5001A boards are hot swappable. The procedure for inserting a FortiGate-5001A board into a chassis slot is the same whether or not the chassis is powered on.

To insert a FortiGate-5001A board into a chassis slot

Caution: Do not carry the FortiGate-5001A board by holding the handles or retention

screws. When inserting or removing the FortiGate-5001A board from a chassis slot, handle the board by the front panel. The handles are not designed for carrying the board. If the handles become bent or damaged the FortiGate-5001A board may not align correctly in the chassis slot.

To complete this procedure, you need:

• A FortiGate-5001A board with either an AMC double-width slot filler or a FortiGate ADM module installed in the front panel ADM opening

• An ATCA chassis with an empty slot

• An electrostatic discharge (ESD) preventive wrist strap with connection cord

1 Attach the ESD wrist strap to your wrist and to an ESD socket or to a bare metal

surface on the chassis or frame.

2 If required, remove the protective metal frame that the FortiGate-5001A board has

been shipped in.

3 Insert the FortiGate-5001A board into the empty slot in the chassis.

FortiGate-5001A Security System Guide 01-30000-0438-200800801 13

Page 14

Inserting a FortiGate-5001A board Hardware installation

Unlock

Handle

Alignment Pin

Open

Alignment Pin

Lock

Handle

4 Unlock the right handle by squeezing the handle lock.

You do no need to unlock the left handle.

5 Open the left and right handles to their fully open positions.

6 Insert the FortiGate-5001A board into the empty slot in the chassis.

7 Carefully guide the board into the chassis using the rails in the slot.

Insert the board by applying moderate force to the front faceplate (not the handles) to slide the board into the slot. The board should glide smoothly into the chassis slot. If you encounter any resistance while sliding the board in, the board could be aligned incorrectly. Pull the board back out and try inserting it again.

8 Slide the board in until the alignment pins are inserted half way into their sockets

in the chassis.

9 Turn both handles to their fully-closed positions.

The handles should hook into the sides of the chassis slot. Closing the handles draws the FortiGate-5001A board into place in the chassis slot and into full contact with the chassis backplane. The FortiGate-5001A front panel should be in contact with the chassis front panel. When the handles are fully-closed the right handle locks into place.

As the right handle closes the microswitch is turned on, supplying power to the board. If the chassis is powered on the IPM LED starts flashing blue. If the board is aligned correctly, inserted all the way into the slot, and the right handle is properly closed the IPM LED flashes blue for a few seconds. At the same time the STATUS LED turns amber, the interface LEDs flash amber, and the ACC LED starts flashing green. After a few seconds the IPM LED goes out and the FortiGate-5001A firmware starts up. If the board is operating correctly, the front panel LEDs are lit as described in Ta bl e 4 .

FortiGate-5001A Security System Guide

14 01-30000-0438-200800801

Page 15

Hardware installation Inserting a FortiGate-5001A board

Table 4: FortiGate-5001A normal operating LEDs

LED State

ACC

OOS (Out of Service)

Power

Off (Or flashing green when the system accesses the FortiGate-5001A flash disk.)

Off

Green

Status

IPM

Green

Off

If you have installed an AMC module in the FortiGate-5001A board, the AMC LEDs are lit as described in Ta bl e 5 .

Table 5: FortiGate AMC module normal operating LEDs

LED State

HS Off

OOS Off

PWR Amber

OT Off

If the board has not been inserted properly the IPM LED changes to solid blue and all other LEDS turn off. If this occurs, open the handles, slide the board part way out, and repeat the insertion process.

10 Once the board is inserted correctly, fully tighten the left and right retention screws

to lock the FortiGate-5001A board into position in the chassis slot.

FortiGate-5001A Security System Guide 01-30000-0438-200800801 15

Retention

Screw

Tighten

Page 16

Removing a FortiGate-5001A board Hardware installation

Loosen

Retention

Screw

Removing a FortiGate-5001A board

The following procedure describes how to correctly use the FortiGate-5001A mounting components described in “FortiGate-5001A mounting components” on

page 12 to remove a FortiGate-5001A board from an ATCA chassis slot.

FortiGate-5001A boards are hot swappable. The procedure for removing a FortiGate-5001A board from a chassis slot is the same whether or not the chassis is powered on.

To remove a FortiGate-5001A board from a chassis slot

Caution: Do not carry the FortiGate-5001A board by holding the handles or retention

To complete this procedure, you need:

• An ATCA chassis with a FortiGate-5001A board installed

• An electrostatic discharge (ESD) preventive wrist strap with connection cord

1 Attach the ESD wrist strap to your wrist and to an ESD socket or to a bare metal

surface on the chassis or frame.

2 Disconnect all cables from the FortiGate-5001A board, including all network

cables, the console cable, and any USB cables or keys.

3 Fully loosen the retention screws on the left and right sides of the

FortiGate-5001A front panel.

4 Unlock the right handle by squeezing the handle lock.

FortiGate-5001A Security System Guide

16 01-30000-0438-200800801

Page 17

Hardware installation Resetting a FortiGate-5001A board

Handle

Alignment Pin

Open

Alignment Pin

Lock

Handle

Fully Closed

and Locked

Alignment Pin

Handle

Alignment Pin

Handle

5 Open the left and right handles to their fully open positions.

Pivoting the handles turns off the microswitch, turns off all LEDs, and ejects the board from the chassis slot. You need to use moderate pressure to eject the board.

6 Pull the board about half way out.

7 Turn both handles to their fully-closed positions.

When the right handle is fully-closed it locks into place.

8 Carefully slide the board completely out of the slot.

9 Re-attach the protective metal frame if you are going ship the FortiGate-5001A

board or store it outside of a chassis.

Resetting a FortiGate-5001A board

You can use the handle on the right side of the FortiGate-5001A board to cycle the power and reset the board without ejecting the board from its slot. The right handle is the handle closest to the front panel LEDs. If the FortiGate-5001A board is installed in a FortiGate-5140 chassis this is the lower handle.

To reset a FortiGate-5001A without removing the board from the chassis

You do not have to loosen the retention screws or adjust the position of the FortiGate-5001A board to use this procedure.

To complete this procedure, you need:

• An ATCA chassis with a FortiGate-5001A board installed

• An electrostatic discharge (ESD) preventive wrist strap with connection cord

FortiGate-5001A Security System Guide 01-30000-0438-200800801 17

Page 18

Resetting a FortiGate-5001A board Hardware installation

Unlock

Handle

1 Attach the ESD wrist strap to your wrist and to an ESD socket or to a bare metal

surface on the chassis or frame.

2 Unlock the right handle by squeezing the handle lock.

3 Pivot the right handle open.

The handle can only pivot a short distance. Pivoting the right handle turns off the microswitch which powers down the board, turning off all LEDs except the IPM LED which turns on.

4 After 10 seconds snap the right handle back into place.

The board powers up, the LEDs light and in a few minutes the FortiGate-5001A board operates normally.

FortiGate-5001A Security System Guide

18 01-30000-0438-200800801

Page 19

Hardware installation Installing and removing AMC modules

Installing and removing AMC modules

You can install one FortiGate ADM module in the FortiGate-5001A-DW front panel AMC double-width opening. The following FortiGate ADM modules are available:

• FortiGate-ADM-XB2, provides 2 accelerated XFP 10 gigabit interfaces.

• FortiGate-ADM-FB8, provides 8 accelerated SFP 1 gigabit interfaces.

Caution: Do not operate the FortiGate-5001A board with an open AMC opening. For optimum cooling performance and safety, the AMC opening must contain a slot filler or a FortiGate ADM module.

Note: When closed, the FortiGate-5001A left handle blocks the AMC opening. You must eject the FortiGate-5001A board from its chassis slot and completely open the left handle before inserting or removing AMC modules or slot fillers.

Table 6: FortiGate-ADM-XB2 and FortiGate-ADM-FB8 LEDs

LED State Description

HS Off Normal operation.

Blue Ejection latch open.

Flashing Ejection latch opened during system operation.

OOS Off LED currently not in use.

PWR Amber The module is properly inserted in the FortiGate unit.

Off The module is not receiving power from the FortiGate unit.

OT Off LED currently not in use.

LINK Green The correct cable is in use and the connected equipment has

Off No link established.

ACT Flashing

Green

Off No network activity at this interface.

power.

Network activity at this interface.

This section describes:

• Inserting AMC slot fillers

• Inserting AMC modules

• Removing AMC modules

FortiGate-5001A Security System Guide 01-30000-0438-200800801 19

Page 20

Installing and removing AMC modules Hardware installation

Inserting AMC slot fillers

The FortiGate-5001A-DW includes one AMC double-width slot filler that must be installed in the double-width AMC slot if you do not have a FortiGate ADM module. Either a filler or an AMC module must be installed for proper cooling air flow.

To install an AMC slot filler

To complete this procedure, you need:

• FortiGate-5001A board with an empty AMC slot

• An electrostatic discharge (ESD) preventive wrist strap with connection cord

1 Attach the ESD wrist strap to your wrist and to an ESD socket or to a bare metal

surface on the chassis or frame.

2 Eject the FortiGate-5001A board from the chassis slot.

3 Completely open the FortiGate-5001A left handle.

4 Pull the latch on the slot filler front panel to the extended position.

5 Insert the slot filler by applying moderate force to the front faceplate to slide the

slot filler into the opening. The slot filler should glide smoothly into the opening. If you encounter any

resistance while sliding the slot filler in, the slot filler could be aligned incorrectly. Pull the slot filler back out and try inserting it again.

6 Press the latch in the slot filler front panel to lock in the slot filler.

Inserting AMC modules

The following steps describe how to install an AMC module into your FortiGate-5001A board.

Insert the fiber transceivers into the module before inserting the module into the FortiGate unit. For details on installing the transceivers, see the QuickStart Guide for the module.

To insert a module into a FortiGate-5001A board

Note: When closed, the FortiGate-5001A left handle blocks the AMC opening. You must

eject the FortiGate-5001A board from its chassis slot and completely open the left handle before inserting or removing AMC modules or slot fillers.

FortiGate-5001A Security System Guide

20 01-30000-0438-200800801

Page 21

Hardware installation Installing and removing AMC modules

To complete this procedure, you need:

• A FortiGate-5001A board with an open slot

• FortiGate ADM module to install

• An electrostatic discharge (ESD) preventive wrist strap with connection cord

Caution: FortiGate-5001A boards and FortiGate ADM modules must be protected from static discharge and physical shock. Only handle or work with these components at a static-free workstation. Always wear a grounded electrostatic discharge (ESD) preventive wrist strap when handling these components.

1 Attach the ESD wrist strap to your wrist and to an ESD socket or to a bare metal

surface on the chassis or frame.

2 Eject the FortiGate-5001A board from the chassis slot.

3 Completely open the left handle.

4 Remove the AMC slot filler from the FortiGate-5001A front panel by pulling open

the latch on the AMC slot filler front panel and then pulling the slot filler out using the latch.

5 Pull the latch on the FortiGate ADM module front panel to the extended position.

6 Insert the FortiGate ADM module into the empty slot in the FortiGate-5001A front

panel. Make sure the Fortinet logo on the module front panel is right-side up. The Fortinet logo appears on the upper-right corner of the module front panel.

7 Carefully guide the module into the FortiGate-5001A board.

8 Insert the module by applying moderate force to the front faceplate near the upper

edge to slide the module into the opening.

The module should glide smoothly into the opening. If you encounter any resistance while sliding the module in, the module could be aligned incorrectly. Pull the module back out and try inserting it again.

9 Press the latch on the module front panel to lock in the module.

10 Insert the FortiGate-5001A into a chassis slot.

Removing AMC modules

Before removing an AMC module you need to shut down the FortiGate-5001A board using proper shut down procedures.

To remove a module

Note: When closed, the FortiGate-5001A left handle blocks the AMC opening. You must

eject the FortiGate-5001A board from its chassis slot and completely open the left handle before inserting or removing AMC modules or slot fillers.

To complete this procedure, you need:

• A FortiGate-5001A board containing a FortiGate ADM module

• An electrostatic discharge (ESD) preventive wrist strap with connection cord

FortiGate-5001A Security System Guide 01-30000-0438-200800801 21

Page 22

Troubleshooting Hardware installation

Caution: Because the FortiGate-5001A board does not support hot swapping AMC modules, the FortiGate-5001A board must be disconnected from power and the left handle opened before you remove a FortiGate AMC module. See “Installing and removing AMC

modules” on page 19.

1 Attach the ESD wrist strap to your wrist and to an ESD socket or to a bare metal

surface on the chassis or frame.

2 Eject the FortiGate-5001A board from the chassis slot.

3 Completely open the FortiGate-5001A left handle.

4 Pull the latch on the ADM module front panel to the extended position to unlock

the module from the FortiGate-5001A board.

5 Gently pull the latch to remove the module.

6 Install a replacement module or an AMC slot filler into the opening in the

FortiGate-5001A front panel.

Troubleshooting

This section describes the following troubleshooting topics:

• FortiGate-5001A does not start up

• FortiGate-5001A status LED is flashing during system operation

• FortiGate AMC modules not detected by FortiGate-5001A board

FortiGate-5001A does not start up

Positioning of FortiGate-5001A handles and a few other causes may prevent a FortiGate-5001A board for starting up correctly.

All chassis: handles not fully closed

If the handles are damaged or positioned incorrectly the FortiGate-5001A board will not start up. Make sure the handles are correctly aligned, fully inserted and locked.

Chassis with a shelf manager: no communication with shelf manager

If the FortiGate-5001A board is receiving power and the handles are fully closed and the FortiGate-5001A still does not start up, the problem could be that the FortiGate-5001A cannot communicate with the chassis shelf manager. This problem can only occur in an ATCA chassis that contains a shelf manager (such as the FortiGate-5140 and FortiGate-5050).

To correct this problem power down and then restart the chassis. If you are operating a FortiGate-5000 series chassis you can power down and then restart the chassis without removing FortiGate-5000 series components.

FortiGate-5001A Security System Guide

22 01-30000-0438-200800801

Page 23

Hardware installation Troubleshooting

All chassis: Firmware problem

If the FortiGate-5001A board is receiving power and the handles are fully closed, and you have restarted the chassis and the FortiGate-5001A still does not start up, the problem could be with FortiOS. Connect to the FortiGate-5001A console and try cycling the power to the board. If the BIOS starts up, interrupt the BIOS startup and install a new firmware image. For details about installing a new firmware image in this way, see the FortiGate-5000 Series Firmware and

FortiUSB Guide.

If this does not solve the problem, contact Fortinet Technical Support.

FortiGate-5001A status LED is flashing during system operation

Normally, the FortiGate-5001A Status LED is solid green when the FortiGate-5001A board is operating normally. If this LED starts flashing while the board is operating, a fault condition may exist. At the same time the FortiGate-5001A may stop processing traffic.

To resolve the problem you can try removing and reinserting the FortiGate-5001A board in the chassis slot. Reloading the firmware may also help.

If this does not solve the problem there may have been a hardware failure or other problem. Contact Fortinet Technical Support for assistance.

FortiGate AMC modules not detected by FortiGate-5001A board

If the FortiGate-5001A board cannot detect the FortiGate AMC module installed in the FortiGate-5001A front panel AMC opening, the AMC module interfaces will not be visible from the FortiGate-5001A web-based manager or CLI. Also, the AMC module HS LED could be solid blue.

To correct this problem you should remove and reset the AMC module. Because AMC modules are not hot swappable, you must first power down the FortiGate-5001A board.

To remove and reset an AMC module

1 Attach an ESD wrist strap to your wrist and to an ESD socket or to a bare metal

surface on the chassis or frame.

2 Remove the FortiGate-5001A board from the chassis slot.

See “Removing a FortiGate-5001A board” on page 16. You do not have to completely remove the FortiGate-5001A board from the slot; however the board should be disconnected from power.

3 With the FortiGate-5001A left handle fully open, pull the latch on the AMC module

front panel to open the latch and pull the AMC module out of the FortiGate-5001A front panel AMC opening.

4 Re-insert the AMC module into the FortiGate-5001A front panel AMC opening.

Make sure the AMC module is inserted correctly into the opening.

5 Close the latch on the AMC front panel.

FortiGate-5001A Security System Guide 01-30000-0438-200800801 23

Page 24

Troubleshooting Hardware installation

6 Insert the FortiGate-5001A board into the chassis slot.

Both the AMC module and the FortiGate-5001A board should start up. If both the FortiGate-5001A board and the AMC module are functioning normally, the front panel LEDs will appear as described in Table 4 on page 15 and Tab le 5 o n

page 15.

If this does not solve the problem, contact Fortinet Technical Support.

FortiGate-5001A Security System Guide

24 01-30000-0438-200800801

Page 25

Quick Configuration Guide Registering your Fortinet product

Quick Configuration Guide

This section is a quick start guide to connecting and configuring a FortiGate-5001A security system for your network.

Before using this chapter, your FortiGate-5000 series or compatible ATCA chassis should be mounted and connected to your power system. In addition, your FortiGate-5001A boards should be inserted into the chassis and additional hardware components (such as AMC cards and SFP transceivers) should be installed. The FortiGate-5001A boards should also be powered up and the front panel LEDs should indicate that the boards are functioning normally.

This chapter includes the following topics:

• Registering your Fortinet product

• Upgrading to High Encryption

• Planning the configuration

• Choosing the configuration tool

• Factory default settings

• Configuring NAT/Route mode

• Configuring Transparent mode

• Upgrading FortiGate-5001A firmware

• FortiGate-5001A base backplane data communication

• Powering off the FortiGate-5001A board

Registering your Fortinet product

Register your Fortinet product to receive Fortinet customer services such as product updates and technical support. You must also register your product for FortiGuard services such as FortiGuard Antivirus and Intrusion Prevention updates and for FortiGuard Web Filtering and AntiSpam.

To register, enter your contact information and the serial numbers of the Fortinet products that you or your organization have purchased. You can register multiple Fortinet products in a single session without re-entering your contact information.

Upgrading to High Encryption

This FortiGate-5001A board has a factory installed low encryption feature set. You can purchase a high encryption upgrade within 90 days of shipment from Fortinet. Fortinet Technical Support can provide a high encryption license key once you have provided suitable documentation that the necessary export licenses have been granted for your region, and our legal department has authorized the use of high encryption.

When you receive the high encryption license key, in the CLI, enter the command execute crypto-license <high-enc-key>.

Fortinet does not guarantee that the customer will receive a export license upon purchase of the product or license key.

FortiGate-5001A Security System Guide 01-30000-0438-200800801 25

Page 26

Planning the configuration Quick Configuration Guide

Planning the configuration

Before beginning to configure your FortiGate-5001A security system, you need to plan how to integrate the system into your network. Your configuration plan depends on the operating mode that you select: NAT/Route mode (the default) or Transparent mode.

NAT/Route mode

In NAT/Route mode, the FortiGate-5001A security system is visible to the networks that it is connected to. Each interface connected to a network must be configured with an IP address that is valid for that network. In many configurations, in NAT/Route mode all of the FortiGate interfaces are on different networks, and each network is on a separate subnet.

You would typically use NAT/Route mode when the FortiGate-5001A security system is deployed as a gateway between private and public networks. In the default NAT/Route mode configuration, the FortiGate-5001A security system functions as a firewall. Firewall policies control communications through the FortiGate-5001A security system. No traffic can pass through the FortiGate-5001A security system until you add firewall policies.

In NAT/Route mode, firewall policies can operate in NAT mode or in Route mode. In NAT mode, the FortiGate firewall performs network address translation before IP packets are sent to the destination network. In Route mode, no translation takes place.

Figure 8: Example FortiGate-5001A board operating in NAT/Route mode

Internet

NAT mode policies

controlling traffic between

internal and external

networks.

192.168.1.99

port2

204.23.1.2

port1

FortiGate-5001A board in NAT/Route mode

Internal Network

FortiGate-5001A Security System Guide

26 01-30000-0438-200800801

Page 27

Quick Configuration Guide Planning the configuration

192.168.1.99 Management IP

204.23.1.2 Gateway to public network

192.168.1.1

port1

port2

Transparent mode policies

controlling traffic between

internal and external

networks.

FortiGate-5001A board in Transparent mode

Internet

Internal Network

Transparent mode

In Transparent mode, the FortiGate-5001A security system is invisible to the network. All of the FortiGate-5001A interfaces are connected to different segments of the same network. In Transparent mode you only have to configure a management IP address so that you can connect to the FortiGate-5001A security system to make configuration changes and so the FortiGate-5001A security system can connect to external services such as the FortiGuard Distribution Network (FDN).

Figure 9: Example FortiGate-5001A board operating in Transparent mode

FortiGate-5001A Security System Guide 01-30000-0438-200800801 27

You would typically deploy a FortiGate-5001A security system in Transparent mode on a private network behind an existing firewall or behind a router. In the default Transparent mode configuration, the FortiGate-5001A security system functions as a firewall. No traffic can pass through the FortiGate-5001A security system until you add firewall policies.

Page 28

Choosing the configuration tool Quick Configuration Guide

Choosing the configuration tool

You can use either the web-based manager or the Command Line Interface (CLI) to configure the FortiGate board.

Web-based manager

The FortiGate-5001A web-based manager is an easy to use management tool. Use the web-based manager to configure the FortiGate-5001A administrator password, the interface addresses, the default gateway, and the DNS server addresses.

Requirements:

• An Ethernet connection between the FortiGate-5001A board and management computer.

• Internet Explorer 6.0 or higher on the management computer.

Command Line Interface (CLI)

The CLI is a full-featured management tool. Use it to configure the administrator password, the interface addresses, the default gateway, and the DNS server addresses.

Requirements:

• The serial connector that came packaged with your FortiGate-5001A board.

• Terminal emulation application (for example, HyperTerminal for Windows) on the management computer.

Factory default settings

The FortiGate-5001A unit ships with a factory default configuration. The default configuration allows you to connect to and use the FortiGate-5001A web-based manager to configure the FortiGate-5001A board onto the network. To configure the FortiGate-5001A board onto the network you add an administrator password, change the network interface IP addresses, add DNS server IP addresses, and, if required, configure basic routing.

Table 7: FortiGate-5001A factory default settings

Operation Mode NAT/Route

Administrator Account User Name: admin

port1 IP/Netmask 192.168.1.99/24

port2 IP/Netmask 192.168.100.99/24

Default route Gateway: 192.168.100.1

Primary DNS Server: 65.39.139.53

Secondary DNS Server: 65.39.139.53

Note: At any time during the configuration process, if you run into problems, you can reset

the FortiGate-5001A board to the factory defaults and start over. From the web-based manager go to System > Status find System Operation at the bottom of the page and select Reset to Factory Default. From the CLI enter execute factory reset.

Password: (none)

Device: port2

FortiGate-5001A Security System Guide

28 01-30000-0438-200800801

Page 29

Quick Configuration Guide Configuring NAT/Route mode

Configuring NAT/Route mode

Use Tab le 8 to gather the information you need to customize NAT/Route mode settings for the FortiGate-5001A security system. You can use one table for each board to configure.

Table 8: FortiGate-5001A board NAT/Route mode settings

Admin Administrator Password:

port1

port2

Default Route

DNS Servers

IP: _____._____._____._____

Netmask: _____._____._____._____

IP: _____._____._____._____

Netmask: _____._____._____._____

Device (Name of the Interface connected to the external network):

Default Gateway IP address: _____._____._____._____

The default route consists of the name of the interface connected to an external network (usually the Internet) and the default gateway IP address. The default route directs all non-local traffic to this interface and to the external network.

Primary DNS Server: _____._____._____._____

Secondary DNS Server: _____._____._____._____

Using the web-based manager to configure NAT/Route mode

1 Connect port1 of the FortiGate-5001A board to the same hub or switch as the

computer you will use to configure the FortiGate board.

Note: If you cannot connect to port1, see “Using the CLI to configure NAT/Route mode” on

page 30.

2 Configure the management computer to be on the same subnet as the port1

interface of the FortiGate-5001A board. To do this, change the IP address of the management computer to 192.168.1.2 and the netmask to 255.255.255.0.

3 To access the FortiGate web-based manager, start Internet Explorer and browse

to https://192.168.1.99 (remember to include the “s” in https://).

4 Type admin in the Name field and select Login.

To change the admin administrator password

1 Go to System > Admin > Administrators.

2 Select Change Password for the admin administrator and enter a new password.

To configure interfaces

1 Go to System > Network > Interface.

2 Select the edit icon for each interface to configure.

FortiGate-5001A Security System Guide 01-30000-0438-200800801 29

Page 30

Configuring NAT/Route mode Quick Configuration Guide

3 Set the addressing mode for the interface. (See the online help for information.)

• For manual addressing, enter the IP address and netmask for the interface that you added to Table 8 on page 29.

• For DHCP addressing, select DHCP and any required settings.

• For PPPoE addressing, select PPPoE and enter the username and password and any other required settings.

To configure the Primary and Secondary DNS server IP addresses

1 Go to System > Network > Options.

2 Enter the Primary and Secondary DNS IP addresses that you added to Tabl e 8 on

page 29 as required and select Apply.

To configure the Default Gateway

1 Go to Router > Static and select Edit icon for the static route.

2 Select the Device that you recorded above.

3 Set Gateway to the Default Gateway IP address that you added to Tab l e 8 on

page 29.

4 Select OK.

Using the CLI to configure NAT/Route mode

1 Use the serial cable supplied with your FortiGate-5001A board to connect the

FortiGate Console port to the management computer serial port.

2 Start a terminal emulation program (HyperTerminal) on the management

computer. Use these settings:

Baud Rate (bps) 9600, Data bits 8, Parity None, Stop bits 1, and Flow Control None.

3 At the Login: prompt, type admin and press Enter twice (no password required).

4 Change the administrator password.

config system admin

edit admin

set password <password>

end

5 Configure the port1 internal interface to the setting that you added to Table 8 on

page 29.

config system interface

edit port1

set ip <intf_ip>/<netmask_ip>

end

6 Repeat to configure each interface as required, for example, to configure the port2

interface to the setting that you added to Table 8 on page 29.

config system interface

edit port2 ...

FortiGate-5001A Security System Guide

30 01-30000-0438-200800801

Page 31

Quick Configuration Guide Configuring Transparent mode

7 Configure the primary and secondary DNS server IP addresses to the settings

that you added to Table 8 on page 29.

config system dns

set primary <dns-server_ip> set secondary <dns-server_ip> end

8 Configure the default gateway to the setting that you added to Table 8 on

page 29.

config router static

edit 1

set device <interface_name> set gateway <gateway_ip>

end

Configuring Transparent mode

Use Tab le 9 to gather the information you need to customize Transparent mode settings.

Table 9: Transparent mode settings

Admin Administrator Password:

IP: _____._____._____._____

Management IP

Default Route

DNS Servers

Netmask: _____._____._____._____

The management IP address and netmask must be valid for the network where you will manage the FortiGate-5001A unit.

Default Gateway IP address: _____._____._____._____

In Transparent mode the default route requires the default gateway IP address. The default route directs all non-local traffic to the external network.

Primary DNS Server: _____._____._____._____

Secondary DNS Server: _____._____._____._____

Using the web-based manager to configure Transparent mode

1 Connect port1 of the FortiGate-5001A board to the same hub or switch as the

computer you will use to configure the FortiGate board.

Note: If you cannot connect to port1, see “Using the CLI to configure Transparent mode” on

page 32.

2 Configure the management computer to be on the same subnet as the port1

interface of the FortiGate-5001A board. To do this, change the IP address of the management computer to 192.168.1.2 and the netmask to 255.255.255.0.

3 To access the FortiGate web-based manager, start Internet Explorer and browse

to https://192.168.1.99 (remember to include the “s” in https://).

4 Type admin in the Name field and select Login.

FortiGate-5001A Security System Guide 01-30000-0438-200800801 31

Page 32

Configuring Transparent mode Quick Configuration Guide

To switch from NAT/Route mode to transparent mode

1 Go to System > Status and select the Change link beside Operation Mode: NAT.

2 Set Operation Mode to Transparent.

3 Set the Management IP/Netmask to the settings that you added to Ta bl e 9 on

page 31.

4 Set the default Gateway to the setting that you added to Table 9 on page 31.

To change the admin administrator password

1 Go to System > Admin > Administrators.

2 Select Change Password for the admin administrator and enter the password that

you added to Table 9 on page 31.

To change the management interface

1 Go to System > Config > Operation.

2 Enter the Management IP address and netmask hat you added to Table 9 on

page 31 and select Apply.

To configure the Primary and Secondary DNS server IP addresses

1 Go to System > Network > Options.

2 Enter the Primary and Secondary DNS IP addresses that you added to Tabl e 9 on

page 31 as required and select Apply.

Using the CLI to configure Transparent mode

1 Use the serial cable supplied with your FortiGate-5001A board to connect the

FortiGate Console port to the management computer serial port.

2 Start a terminal emulation program (HyperTerminal) on the management

computer. Use these settings:

Baud Rate (bps) 9600, Data bits 8, Parity None, Stop bits 1, and Flow Control None.

3 At the Login: prompt, type admin and press Enter twice (no password required).

4 Change from NAT/Route mode to Transparent mode. Configure the Management

IP address and default gateway to the settings that you added to Tab le 9 o n

page 31.

config system settings

set opmode transparent set manageip <mng_ip>/<netmask> set gateway <gateway_ip> end

5 Configure the primary and secondary DNS server IP addresses to the settings

that you added to Table 9 on page 31.

config system dns

set primary <dns-server_ip> set secondary <dns-server_ip> end

FortiGate-5001A Security System Guide

32 01-30000-0438-200800801

Page 33

Quick Configuration Guide Upgrading FortiGate-5001A firmware

Upgrading FortiGate-5001A firmware

Fortinet periodically updates the FortiGate-5001A FortiOS firmware to include enhancements and address issues. After you have registered your FortiGate-5001A security system (see “Registering your Fortinet product” on

page 25) you can download FortiGate-5001A firmware from the support web site http://support.fortinet.com.

Only FortiGate-5001A administrators (whose access profiles contain system read and write privileges) and the FortiGate-5001A admin user can change the FortiGate-5001A firmware.

For complete details about upgrading and downgrading FortiGate-5001A firmware using the web-based manager or CLI; and using a USB key, see the FortiGate-

5000 Series Firmware and FortiUSB Guide.

To upgrade the firmware using the web-based manager

1 Copy the firmware image file to your management computer.

2 Log into the web-based manager as the admin administrator.

3 Go to System > Status.

4 Under System Information > Firmware Version, select Update.

5 Type the path and filename of the firmware image file, or select Browse and locate

the file.

6 Select OK.

The FortiGate-5001A board uploads the firmware image file, upgrades to the new firmware version, restarts, and displays the FortiGate login. This process takes a few minutes.

7 Log into the web-based manager.

8 Go to System > Status and check the Firmware Version to confirm the firmware

upgrade is successfully installed.

9 Update the FortiGate-5001A antivirus and attack definitions. See the

FortiGate-5001A online help for details.

To upgrade the firmware using the CLI

To use the following procedure, you must have a TFTP server the FortiGate-5001A board can connect to.

1 Make sure the TFTP server is running.

2 Copy the new firmware image file to the root directory of the TFTP server.

3 Log into the CLI.

4 Make sure the FortiGate board can connect to the TFTP server.

You can use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168:

execute ping 192.168.1.168

FortiGate-5001A Security System Guide 01-30000-0438-200800801 33

Page 34

FortiGate-5001A base backplane data communication Quick Configuration Guide

5 Enter the following command to copy the firmware image from the TFTP server to

the FortiGate-5001A board:

execute restore image <name_str> <tftp_ipv4>

Where <name_str> is the name of the firmware image file and <tftp_ipv4> is the IP address of the TFTP server. For example, if the firmware image file name is

image.out and the IP address of the TFTP server is 192.168.1.168, enter:

execute restore image image.out 192.168.1.168

The FortiGate-5001A board responds with the message:

This operation will replace the current firmware version! Do you want to continue? (y/n)

6 Type y.

The FortiGate-5001A board uploads the firmware image file, upgrades to the new firmware version, and restarts. This process takes a few minutes.

7 Reconnect to the CLI.

8 To confirm the firmware image is successfully installed, enter:

get system status

9 Update antivirus and attack definitions. You can use the command

execute update-now

FortiGate-5001A base backplane data communication

You can configure the FortiGate-5001A boards for data communications using the two FortiGate-5140, FortiGate-5050, or FortiGate-5020 chassis base backplane interfaces.

Note: Different FortiGate-5000 series boards may use different names for the base backplane interfaces. For example, on the FortiGate-5001SX and FortiGate-5001FA2 boards the base backplane interfaces are called port9 and port10. On the FortiGate-5005FA2 and FortiGate-5001A boards, the base backplane interfaces are called base1 and base2.

By default the base backplane interfaces are not enabled for data communication. Using the information in this section, you can configure the FortiGate-5001A board to use the base backplane interfaces for data communication. Once the base backplane interfaces are configured for data communication you can operate and configure them in the same way as any FortiGate-5001A interface.

Note: VLAN communication over the backplane is only available for FortiGate-5001A boards installed in a FortiGate-5020 chassis. The FortiSwitch-5003 does not support VLAN-tagged packets so VLAN communication is not available over the FortiGate-5050 and FortiGate-5140 chassis backplanes.

Although not recommended, you can use base backplane interfaces for data communication and HA heartbeat communication at the same time.

FortiGate-5001A Security System Guide

34 01-30000-0438-200800801

Page 35

Quick Configuration Guide FortiGate-5001A base backplane data communication

In a FortiGate-5140 or FortiGate-5050 chassis, FortiGate-5001A base backplane communication requires one or two FortiSwitch-5003 boards. A FortiSwitch-5003 board installed in chassis slot 1 provides communication on the base1 interface. A FortiSwitch-5003 board installed in chassis slot 2 provides communication on the base2 interface. The FortiGate-5020 chassis supports base backplane data communication for both interfaces with no additions or changes to the chassis.

For details and configuration examples of FortiGate-5001A base backplane communication using the FortiSwitch-5003 board, see the

FortiGate-5000 Backplane Guide.

To enable base backplane data communication from the FortiGate-5001A web-based manager

From the FortiGate-5001A web-based manager use the following steps to enable base backplane data communication.

1 Go to System > Network > Interface.

2 Select Show backplane interfaces.

The base1, base2, fabric1, and fabric2 backplane interfaces now appear in the Interface list.

Figure 10: FortiGate-5001A interface list with backplane interfaces enabled

(FortiGate-ADM-XB2 also installed)

To enable base backplane data communication from the FortiGate-5001A CLI

From the FortiGate-5001A board CLI you can use the following steps to enable base backplane data communication.

1 Enter the following command to show the backplane interfaces:

config system global

set show-backplane-intf enable end

The base1, base2, fabric1, and fabric2 backplane interfaces now appear in all Interface lists.

FortiGate-5001A Security System Guide 01-30000-0438-200800801 35

Page 36

Powering off the FortiGate-5001A board Quick Configuration Guide

Powering off the FortiGate-5001A board

To avoid potential hardware problems, always shut down the FortiGate-5001A operating system properly before removing the FortiGate-5001A board from a chassis slot or before powering down the chassis.

To power off a FortiGate-5001A board

1 Shut down the FortiGate-5001A operating system:

• From the web-based manager, go to System > Status and from the Unit Operation widget, select Shutdown and then select OK.

• From the CLI enter execute shutdown

2 Remove the FortiGate-5001A board from the chassis slot.

Note: Once a shutdown operation is completed, the only way to restart the

FortiGate-5001A board is to remove and reinsert it.

FortiGate-5001A Security System Guide

36 01-30000-0438-200800801

Page 37

For more information Fortinet documentation

For more information

Support for your Fortinet product is available as online help from within the web-based manager, from the Tools and Documentation CD included with the product, on the Fortinet Technical Documentation web site, from the Fortinet Knowledge Center web site, as well as from Fortinet Technical Support.

Fortinet documentation

The most up-to-date publications and previous releases of Fortinet product documentation are available from the Fortinet Technical Documentation web site at http://docs.forticare.com. FortiGate-5000 series documentation is located in its own section of the site at http://docs.forticare.com/fgt5k.html.

Fortinet Tools and Documentation CD

All Fortinet documentation is available from the Fortinet Tools and Documentation CD shipped with your Fortinet product. The documents on this CD are current for your product at shipping time. For the latest versions of all Fortinet documentation see the Fortinet Technical Documentation web site at http://docs.forticare.com.

Fortinet Knowledge Center

Additional Fortinet technical documentation is available from the Fortinet Knowledge Center. The knowledge center contains troubleshooting and how-to articles, FAQs, technical notes, and more. Visit the Fortinet Knowledge Center at

http://kc.forticare.com.

Comments on Fortinet technical documentation

Please send information about any errors or omissions in this document, or any Fortinet technical documentation, to techdoc@fortinet.com.

Customer service and technical support

Fortinet Technical Support provides services designed to make sure that your Fortinet systems install quickly, configure easily, and operate reliably in your network.

Please visit the Fortinet Technical Support web site at http://support.fortinet.com to learn about the technical support services that Fortinet provides.

FortiGate-RTM-XB2 System Guide Beta Draft-01-30000-75063-20080626 37

Page 38

© Copyright 2008 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.

Trademarks

Fortinet, FortiGate and FortiGuard are registered trademarks and Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGate Unified Threat Management System, FortiGuardAntispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, and FortiVoIP, are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Regulatory compliance

FCC Class A, Part 15 CE mark

www.fortinet.com

FortiGate-RTM-XB2 System Guide

Beta Draft-01-30000-75063-20080626