FortiGate-5001A
Security System Guide
A detailed guide to the FortiGate-5001A Security System. This FortiGate-5001A Security System Guide describes
FortiGate-5001A hardware features, how to install the FortiGate-5001A board in a FortiGate-5000 series chassis, and
how to configure the FortiGate-5001A security system for your network.
The most recent versions of this and all FortiGate-5000 series documents are available from the FortiGate-5000 page of
the Fortinet Technical Documentation web site (http://docs.forticare.com).
Visit http://support.fortinet.com to register your FortiGate-5001A system. By registering you can receive product
updates, technical support, and FortiGuard services.
FortiGate-5001A Security System Guide
01-30000-0438-200800801
Warnings and cautions
!
!
Only trained and qualified personnel should be allowed to install or maintain FortiGate-5000 series
equipment. Read and comply with all warnings, cautions and notices in this document.
CAUTION: Risk of Explosion if Battery is replaced by an Incorrect Type. Dispose of Used Batteries According
to the Instructions.
Caution: You should be aware of the following cautions and warnings before installing FortiGate-5000 series
hardware
• Turning off all power switches may not turn off all power to the FortiGate-5000 series equipment.
Except where noted, disconnect the FortiGate-5000 series equipment from all power sources,
telecommunications links and networks before installing, or removing FortiGate-5000 series
components, or performing other maintenance tasks. Failure to do this can result in personal injury or
equipment damage. Some circuitry in the FortiGate-5000 series equipment may continue to operate
even though all power switches are off.
• An easily accessible disconnect device, such as a circuit breaker, should be incorporated into the data
center wiring that connects power to the FortiGate-5000 series equipment.
• Install FortiGate-5000 series chassis at the lower positions of a rack to avoid making the rack top-heavy
and unstable.
• Do not insert metal objects or tools into open chassis slots.
• Electrostatic discharge (ESD) can damage FortiGate-5000 series equipment. Only perform the
procedures described in this document from an ESD workstation. If no such station is available, you
can provide some ESD protection by wearing an anti-static wrist strap and attaching it to an ESD
connector or to a metal part of a FortiGate chassis.
• Some FortiGate-5000 series components may overload your supply circuit and impact your overcurrent
protection and supply wiring. Refer to nameplate ratings to address this concern.
• Make sure all FortiGate-5000 series components have reliable grounding. Fortinet recommends direct
connections to the branch circuit.
• If you install a FortiGate-5000 series component in a closed or multi-unit rack assembly, the operating
ambient temperature of the rack environment may be greater than room ambient. Make sure the
operating ambient temperature does not exceed the manufacturer's maximum rated ambient
temperature.
• Installing FortiGate-5000 series equipment in a rack should be such that the amount of airflow required
for safe operation of the equipment is not compromised. Refer to the ATCA specification for more
information about cooling and airflow requirements.
• This equipment is for installation only in a Restricted Access Location (dedicated equipment room,
service closet or the like), in accordance with the National Electrical Code.
• Per the National Electrical Code, sizing of a Listed circuit breaker or branch circuit fuse and the supply
conductors to the equipment is based on the marked input current rating. A product with a marked input
current rating of 25 A is required to be placed on a 40 A branch circuit. The supply conductors will also
be sized according to the input current rating and also derated for the maximum rated operating
ambient temperature, Tma, of the equipment.
• FortiGate-5000 series equipment shall be installed and connected to an electrical supply source in
accordance with the applicable codes and regulations for the location in which it is installed. Particular
attention shall be paid to use of correct wire type and size to comply with the applicable codes and
regulations for the installation / location. Connection of the supply wiring to the terminal block on the
equipment may be accomplished using Listed wire compression lugs, for example, Pressure Terminal
Connector made by Ideal Industries Inc. or equivalent which is suitable for AWG 10. Particular attention
shall be given to use of the appropriate compression tool specified by the compression lug
manufacturer, if one is specified.
FortiGate-5001A Security System Guide
01-30000-0438-200800801
Contents
Contents
Warnings and cautions ..................................................................................... 2
FortiGate-5001A security system ..................................... 5
Front panel LEDs and connectors ................................................................... 6
LEDs ............................................................................................................. 6
Connectors.................................................................................................... 7
Base backplane gigabit communication ......................................................... 8
Fabric backplane gigabit communication ....................................................... 8
AMC modules..................................................................................................... 8
Hardware installation......................................................... 9
Changing FortiGate-5001A SW11 switch settings........................................ 10
FortiGate-5001A mounting components ....................................................... 12
Inserting a FortiGate-5001A board................................................................. 13
Removing a FortiGate-5001A board............................................................... 16
Resetting a FortiGate-5001A board................................................................ 17
Installing and removing AMC modules ......................................................... 19
Inserting AMC slot fillers ............................................................................. 20
Inserting AMC modules............................................................................... 20
Removing AMC modules ............................................................................ 21
Troubleshooting .............................................................................................. 22
FortiGate-5001A does not start up .............................................................. 22
FortiGate-5001A status LED is flashing during system operation............... 23
FortiGate AMC modules not detected by FortiGate-5001A board .............. 23
Quick Configuration Guide ............................................. 25
Registering your Fortinet product ................................................................. 25
Upgrading to High Encryption........................................................................ 25
Planning the configuration ............................................................................. 26
NAT/Route mode ........................................................................................ 26
Transparent mode....................................................................................... 27
Choosing the configuration tool .................................................................... 28
Web-based manager................................................................................... 28
Command Line Interface (CLI).................................................................... 28
Factory default settings .................................................................................. 28
Configuring NAT/Route mode ........................................................................ 29
Using the web-based manager to configure NAT/Route mode................... 29
Using the CLI to configure NAT/Route mode .............................................. 30
FortiGate-5001A Security System Guide
01-30000-0438-200800801 3
Contents
Configuring Transparent mode...................................................................... 31
Using the web-based manager to configure Transparent mode ................. 31
Using the CLI to configure Transparent mode ............................................ 32
Upgrading FortiGate-5001A firmware............................................................ 33
FortiGate-5001A base backplane data communication ............................... 34
Powering off the FortiGate-5001A board....................................................... 36
For more information ...................................................... 37
Fortinet documentation .................................................................................. 37
Fortinet Tools and Documentation CD........................................................ 37
Fortinet Knowledge Center ........................................................................ 37
Comments on Fortinet technical documentation ........................................ 37
Customer service and technical support ...................................................... 37
Register your Fortinet product....................................................................... 37
FortiGate-5001A Security System Guide
4 01-30000-0438-200800801
FortiGate-5001A security system
Fabri
RJ-4
FortiGate-5001A security system
The FortiGate-5001A security system is a high-performance Advanced
Telecommunications Computing Architecture (ACTA) compliant FortiGate
security system that can be installed in any ACTA chassis including the
FortiGate-5140, FortiGate-5050, or FortiGate-5020 chassis.
The FortiGate-5001A security system contains two front panel gigabit ethernet
interfaces, two base backplane gigabit interfaces, and two fabric backplane
gigabit interfaces. Use the front panel interfaces for connections to your networks
and the backplane interfaces for communication between FortiGate-5000 series
boards over the ACTA chassis backplane. The fabric interfaces are reserved for
future 10-gigabit operation but can be used now for board to board 1-gigabit
operation. In FortiGate-5140 and FortiGate-5050 chassis you must install a
FortiSwitch-5003 board or another backplane switching product to support
backplane communication.
The FortiGate-5001A-DW front panel also includes a double-width Advanced
Mezzanine Card (AMC) opening. You can install a supported FortiGate ADM
module such as the FortiGate-ADM-XB2 or the FortiGate-ADM-FB8 in the AMC
opening. The FortiGate-ADM-XB2 adds two accelerated 10-gigabit interfaces to
the FortiGate-5001A board and the FortiGate-ADM-FB8 adds 8 accelerated
1 gigabit interfaces.
You can also configure two or more FortiGate-5001A boards to create a high
availability (HA) cluster using the base backplane interfaces for HA heartbeat
communication through the chassis backplane, leaving front panel interfaces
available for network connections.
The FortiGate-5001A board also supports high-end FortiGate features including
802.1Q VLANs, multiple virtual domains, 802.3ad aggregate interfaces, and
FortiGate-5000 chassis monitoring.
Figure 1: FortiGate-5001A front panel
c and Base
network activity
LEDs
USB
IPM
LED
(board
position)
ACC
OOS
Power
Status
LEDs
Retention
Screw
Extraction
Lever
Retention
Screw
Extraction
Lever
Double-width AMC
opening
Console
port1 and port2
10/100/1000
Copper Interfaces
5
The FortiGate-5001A board includes the following features:
• Two front panel 10/100/1000Base-T copper gigabit ethernet interfaces.
• Two base backplane gigabit interfaces (base CH0 and Base CH1 on the front
panel and base1 and base2 in the firmware) for HA heartbeat and data
communications across the FortiGate-5000 chassis backplane. The base
backplane gigabit interfaces can also be used for data communications across
the FortiGate-5000 chassis backplane if combined with a board that supports
backplane base switching.
FortiGate-5001A Security System Guide
01-30000-0438-200800801 5
Front panel LEDs and connectors FortiGate-5001A security system
• Two fabric backplane gigabit interfaces (Fabric ch0 and Fabric CH1 on the
front panel and fabric1 and fabric2 in the firmware) for data communications
across the FortiGate-5000 chassis backplane. The fabric backplane gigabit
interfaces can also be used for data communications across the FortiGate5000 chassis backplane if combined with a board that supports backplane
fabric switching. The fabric backplane is also reserved for future 10 gigabit
operation.
• Dual-width AMC opening.
• RJ-45 RS-232 serial console connection.
• 2 USB connectors.
• Mounting hardware.
• LED status indicators.
Front panel LEDs and connectors
From the FortiGate-5001A font panel you can view the status of the front panel
LEDs to verify that the board is functioning normally. You also connect the
FortiGate-5001A board to your network through the front panel 10/100/1000
ethernet connectors. The front panel also includes the RJ-45 console port for
connecting to the FortiOS CLI and two USB ports. The USB ports can be used
with any USB key for backing up and restoring configuration files. For information
about using the using a USB key with a FortiGate unit, see the FortiGate-5000
Series Firmware and FortiUSB Guide.
LEDs
Tab le 1 lists and describes the FortiGate-5001A LEDs.
Table 1: FortiGate-5001A LEDs
LED State Description
1, 2
(Left LED)
1, 2
(Right LED)
Base CH0 Green Base backplane interface 0 (base1) is connected at 1 Gbps.
Base CH1 Green Base backplane interface 1 (base2) is connected at 1 Gbps.
Fabric CH0 Green Fabric backplane interface 0 (fabric1) is connected at 1
Green The correct cable is connected to the interface and the
Flashing
Green
Off No link is established.
Green Connection at 1 Gbps.
Amber Connection at 100 Mbps.
Off Connection at 10 Mbps.
Flashing
Green
Flashing
Green
Flashing
Green
connected equipment has power.
Network activity at the interface.
Network activity at base backplane interface 0.
Network activity at base backplane interface 1.
Gbps.
Network activity at fabric backplane interface 0.
FortiGate-5001A Security System Guide
6 01-30000-0438-200800801
FortiGate-5001A security system Front panel LEDs and connectors
Table 1: FortiGate-5001A LEDs (Continued)
LED State Description
Fabric CH1 Green Fabric backplane interface 1 (fabric2) is connected at 1
Flashing
Green
ACC
OOS
(Out of
Service)
Power
Off or
Flashing
green
Off Normal operation.
Green A fault condition exists and the FortiGate-5001A blade is out
Green The FortiGate-5001A board is powered on.
Gbps.
Network activity at fabric backplane interface 1.
The ACC LED flashes green when the FortiGate-5001A
board accesses the FortiOS flash disk. The FortiOS flash
disk stores the current FortiOS firmware build and
configuration files. The system accesses the flash disk when
starting up, during a firmware upgrade, or when an
administrator is using the CLI or GUI to change the FortiOS
configuration. Under normal operating conditions this LED
flashes occasionally, but is mostly off.
of service (OOS). This LED may also flash very briefly during
normal startup.
Connectors
Status
IPM
Green The FortiGate-5001A board is powered on.
Flashing
Green
Blue The FortiGate-5001A is ready to be hot-swapped (removed
Flashing
Blue
Off Normal operation. The FortiGate-5001A board is in contact
The FortiGate-5001A is starting up. If this LED is flashing at
any time other than system startup, a fault condition may
exist.
from the chassis). If the IPM light is blue and no other LEDs
are lit the FortiGate-5001A board has lost power
The FortiGate-5001A is changing from hot swap to running
mode or from running mode to hot swap. This happens when
the FortiGate-5001A board is starting up or shutting down.
with the chassis backplane.
Ta bl e 2 lists and describes the FortiGate-5001A connectors.
Table 2: FortiGate-5001A connectors
Connector Type Speed Protocol Description
1, 2 RJ-45 10/100/1000
Base-T
CONSOLE RJ-45 9600 bps RS-232
USB USB FortiUSB key firmware updates and
Ethernet Copper gigabit connection to
serial
10/100/1000Base-T copper networks.
Serial connection to the command line
interface.
configuration backup.
FortiGate-5001A Security System Guide
01-30000-0438-200800801 7
Base backplane gigabit communication FortiGate-5001A security system
Base backplane gigabit communication
The FortiGate-5001A base backplane gigabit interfaces can be used for HA
heartbeat communication between FortiGate-5001A boards installed in the same
or in different FortiGate-5000 chassis. You can also configure FortiGate-5001A
boards to use the base backplane interfaces for data communication between
FortiGate boards. To support base backplane communications your
FortiGate-5140 or FortiGate-5050 chassis must include one or more
FortiSwitch-5003 boards. FortiSwitch-5003 boards are installed in chassis slots 1
and 2. The FortiGate-5020 chassis supports base backplane communication with
no additions or changes to the chassis.
For information about base backplane communication in FortiGate-5140 and
FortiGate-5050 chassis, see the FortiGate-5000 Base Backplane Communication
Guide. For information about the FortiSwitch-5003 board, see the
FortiSwitch-5003 Guide.
Fabric backplane gigabit communication
AMC modules
The FortiGate-5001A fabric backplane gigabit interfaces can be used for data
communication or HA heartbeat communication between FortiGate-5001A boards
installed in the same or in different FortiGate-5000 chassis. The fabric backplane
is also reserved for future 10 gigabit operation. To support fabric backplane
communications your FortiGate-5140 or FortiGate-5050 chassis must include one
or more gigabit switch boards installed in chassis slots 1 and 2. The
FortiGate-5020 chassis does not support fabric backplane communications.
You can install one FortiGate ADM module in the FortiGate-5001A-DW front panel
AMC double-width opening. The following FortiGate ADM modules are available:
• FortiGate-ADM-XB2, provides 2 accelerated XFP 10 gigabit interfaces.
• FortiGate-ADM-FB8, provides 8 accelerated SFP 1 gigabit interfaces.
Figure 2: FortiGate-ADM-XB2
HS
OOS
PWR
OT
ADM-XB2
LINK
ACT
1
2
LINK
ACT
FortiGate-5001A Security System Guide
8 01-30000-0438-200800801
Hardware installation
!
!
Hardware installation
Before use, the FortiGate-5001A board must be correctly inserted into an
Advanced Telecommunications Computing Architecture (ACTA) chassis such as
the FortiGate-5140, FortiGate-5050, or FortiGate-5020 chassis.
Before inserting the board into a chassis you should make sure the SW-11 switch
is set correctly.
In the available Advanced Mezzanine Card (AMC) double-width opening on the
FortiGate-5001A-DW front panel you can install a supported FortiGate ADM
module such as the FortiGate-ADM-XB2 or the FortiGate-ADM-FB8.
Caution: Because the FortiGate-5001A board does not support hot swapping AMC
modules, the FortiGate-5001A board must be disconnected from power and the left handle
opened before you install a FortiGate AMC module. See “Installing and removing AMC
modules” on page 19.
Caution: Do not operate the FortiGate-5001A board with an open AMC opening. For
optimum cooling performance and safety, the AMC opening must contain an AMC slot filler
or a FortiGate AMC module.
This section describes:
• Changing FortiGate-5001A SW11 switch settings
• FortiGate-5001A mounting components
• Inserting a FortiGate-5001A board
• Removing a FortiGate-5001A board
• Resetting a FortiGate-5001A board
• Installing and removing AMC modules
• Troubleshooting
FortiGate-5001A Security System Guide
01-30000-0438-200800801 9
Changing FortiGate-5001A SW11 switch settings Hardware installation
Changing FortiGate-5001A SW11 switch settings
The SW11 switch on the FortiGate-5001A board is factory set by Fortinet to detect
a shelf manager (Figure 3). This is the correct setting if you are installing the
FortiGate-5001A in a chassis that contains an operating shelf manager (such as
the FortiGate-5140 or FortiGate-5050 chassis).
Figure 3: FortiGate-5140 and 5050 setting for SW11 (factory default shelf manager
mode)
Factory Default (Shelf Manager Required)
ON
SW11
3421
1 Off
2 On
3 Off
4 Off
By default a FortiGate-5001A board will not start up if the board is installed in a
chassis, such as a FortiGate-5020, that does not contain a shelf manager or that
contains a shelf manager that is not operating. Before installing a
FortiGate-5001A in a FortiGate-5020 chassis or a chassis that does not contain
an operating shelf manager you must change the SW11 switch setting as shown
in Figure 4.
Figure 4: FortiGate-5020 setting for SW11 (standalone mode)
Standalone Mode for FortiGate-5020
(no Shelf Manager)
ON
SW11
3421
1 Off
2 On
3 On
4 Off
In all cases you should confirm that you have the correct FortiGate-5001A SW11
settings before installing the board in a chassis.
Table 3: FortiGate-5001A SW11 settings for different chassis
Chassis Correct SW11
Setting
FortiGate-5140 or 5050 or any
ACTA chassis with an
operating shelf manager
(factory default shelf manager
mode).
FortiGate-5020 or any ACTA
chassis without an operating
shelf manager (standalone
mode).
10 01-30000-0438-200800801
1OffShelf manager cannot find
2On
3Off
4Off
1OffFortiGate-5001A board will not start up.
2On
3On
4Off
Result of wrong jumper setting
FortiGate-5001A board. No shelf
manager information about the
FortiGate-5001A board available.
FortiGate-5001A Security System Guide
Hardware installation Changing FortiGate-5001A SW11 switch settings
!
To change or verify the SW11 switch settings
To complete this procedure, you need:
• A FortiGate-5001A board
• A tool for changing the SW11 switch setting (optional)
• An electrostatic discharge (ESD) preventive wrist strap with connection cord
Caution: FortiGate-5001A boards must be protected from static discharge and physical
shock. Only handle or work with FortiGate-5001A boards at a static-free workstation.
Always wear a grounded electrostatic discharge (ESD) preventive wrist strap when
handling FortiGate-5001A boards.
1 Attach the ESD wrist strap to your wrist and to an ESD socket or to a bare metal
surface on a chassis or frame.
2 If you have installed the FortiGate-5001A board in a chassis, remove it.
For removal instructions, see “Removing a FortiGate-5001A board” on page 16.
3 Use Figure 5 to locate SW11 on the FortiGate-5001A board.
The top of the FortiGate-5001A board is covered with a copper heat sink. The
printed circuit board is under the copper heat sink. SW11 is located on the printed
circuit board and is accessible from the left side of the FortiGate-5001A board
under the copper heat sink.
4 If required, change SW11 to the correct setting.
5 Insert the FortiGate-5001A board into a chassis and verify that the board starts up
and operates correctly.
For inserting instructions, see “Inserting a FortiGate-5001A board” on page 13.
Figure 5: Location of SW11 on the FortiGate-5001A board
Location of SW 11
Factory Default (Shelf Manager Required)
SW11
Standalone Mode for FortiGate-5020
(no Shelf Manager)
SW11
1 Off
ON
2 On
3 Off
4 Off
3421
1 Off
ON
2 On
3 On
4 Off
3421
FortiGate-5001A
board (top view)
FortiGate-5001A
Front Faceplate
FortiGate-5001A Security System Guide
01-30000-0438-200800801 11
FortiGate-5001A mounting components Hardware installation
Closed
Open
Alignment
Pin
Retention
Screw
Lock
Handle
Alignment Pin
Retention
Screw
Lock
Handle
Handle
Hook
(right handle
only)
Alignment Pin
Retention
Screw
Lock
Hook
(right handle
only)
Alignment
Pin
Retention
Screw
Lock
Handle
FortiGate-5001A mounting components
To install a FortiGate-5001A board you slide the board into an open slot in the
front of an ATCA chassis and then use the mounting components to lock the
board into place in the slot. When locked into place and positioned correctly the
board front panel is flush with the chassis front panel. The board is also connected
to the chassis backplane.
To position the board correctly you must use the mounting components shown in
Figure 6 for the right side of the front panel and Figure 7 for the left side of the
front panel.
Figure 6: FortiGate-5001A mounting components (right handle)
Note: The right handle includes a hook that secures the handle into place when the board
is mounted in the chassis (Figure 6). The hook is not included on the left handle (Figure 7).
Otherwise the left and right mounting components are the same. Operating the left and
right handles is also basically the same except that without the hook you do not have to
squeeze the left handle lock. Also the left handle does not lock into place in the same way
as the right handle.
Figure 7: FortiGate-5001A mounting components (left handle)
12 01-30000-0438-200800801
Alignment
Pin
Retention
Screw
Handle
Lock
AMC Slot
Filler
FortiGate-5001A Security System Guide
Loading...