Fortinet FortiGate FortiGate-5001SX Security System Manual

Security System Guide

FortiGate-5001SX

CONSOLE

ACC

PWR

A detailed guide to the features and capabilities FortiGate-5001SX Security System. This FortiGate-5001SX Security System Guide describes FortiGate-5001SX hardware fea tu res , ho w to ins tall the FortiGate-5001SX module in a

FortiGate-5000 series chassis, how to configure the FortiGate-5001SX security system for your network, and contains troubleshooting information to help you diagnose and fix problems.

The most recent versions of this and all FortiGate-5000 series documents are available from the FortiGate-5000 page of the Fortinet Technical Documentation web site (http://docs.forticare.com).

Visit http://support.fortinet.com to register your FortiGate-5001SX system. By registering you can receive product

USB

updates, technical support, and FortiGuard services.

1 2 3 4 5 6 7 8

STA IPM

FortiGate-5001SX Security System Guide

01-30000-0380-20070201

www.fortinet.com

Warnings and cautions

Only trained and qualified personnel should be allowed to install or maintain FortiGate-5000 series equipment. Read and comply with all warnings, cautions and notices in this document.

CAUTION: Risk of Explosion if Battery is replaced by an Incorrect Type. Dispose of Used Batteries According

to the Instructions.

Caution: You should be aware of the following cautions and warnings before installing FortiGate-5000 series

hardware

• Turning off all power switches may not turn off all power to the FortiGate-5000 series equipment. Except where noted, disconnect the FortiGate-5000 series equipment from all power sources, telecommunications links and networks before installing, or removing FortiGate-5000 series components, or performing other maintenance tasks. Failure to do this can result in personal injury or equipment damage. Some circuitry in the Fort iGa te-5000 series equipment may continue to operate even though all power switches are off.

• An easily accessible disconnect device, such as a circuit breaker, should be incorporated into the data center wiring that connects power to the FortiGate-5000 series equipment.

• Install FortiGate-5000 series chassis at the lower positions of a rack to avoid making the rack top-heavy and unstable.

• Do not insert metal objects or tools into open chassis slots.

• Electrostatic discharge (ESD) can damage FortiGate-5000 series equipment. Only perform the procedures described in this document from an ESD workstation. If no such station is available, you can provide some ESD protection by wearing an anti-static wrist or ankle strap and attaching it to an ESD connector or to a metal part of a FortiGate chassis.

• Some FortiGate-5000 series components may overlo ad your supply circuit and imp act your over current protection and supply wiring. Refer to nameplate ratings to address this concern.

• Make sure all FortiGate-5000 series components have reliable grounding. Fortinet recommends direct connections to the branch circuit.

• If you install a FortiGate-5000 series component in a closed or multi-unit rack assembly, the operating ambient temperature of the rack environment may be greater than room ambient. Make sure the operating ambient temperature does not exceed the manufacturer's maximum rated ambient temperature.

• Installing FortiGate-5000 series equipment in a rack should be such that the amount of airflow required for safe operation of the equipment is not compromised.

• This equipment is for installation only in a Restricted Access Location (dedicated equipment room, service closet or the like), in accordance with the National Electrical Code.

• Per the National Electrical Code, sizing of a Listed circuit breaker or branch circuit fuse and the supply conductors to the equipment is based on the marked inpu t current rating. A p roduct with a marked input current rating of 25 A is required to be placed on a 40 A branch circuit. The supply conductors will also be sized according to the input current rating and also derated for the maximum rated operating ambient temperature, Tma, of the equipment.

• FortiGate-5000 series equipment shall be installed and connected to an electrical supply source in accordance with the applicable codes and re gu la tio ns for the location in which it is installed. Particular attention shall be paid to use of correct wire type and size to comply with the applicable codes and regulations for the installation / location. Connection of the supply wiring to the terminal block on the equipment may be accomplished using Listed wire compression lugs, for example, Pressure Terminal Connector made by Ideal Industries Inc. or equivalent which is suitable for A WG 10. Par ticular attenti on shall be given to use of the appropriate compre ss ion too l spe cifie d by the compression lug manufacturer, if one is specified.

FortiGate-5001SX Security System Guide

01-30000-0380-20070201

Contents

Warnings and cautions..................................................................................... 2

FortiGate-5001SX security system................................... 5

Front panel LEDs and connectors................................................................... 6

LEDs ............................................................................................................. 6

Connectors.................................................................................................... 7

Base backplane gigabit interfaces................................................................... 7

Hardware installation......................................................... 9

RAM DIMMs........................................................................................................ 9

Installing SFP transceivers............................................................................. 11

Changing FortiGate-5001SX jumper settings ............................................... 12

Inserting a FortiGate-5001SX module into a chassis................................... 14

Before inserting the FortiGate-5001SX module in a chassis ...................... 15

Insertion procedure ..................................................................................... 15

Removing a FortiGate-5001SX module from a chassis ............................... 17

Troubleshooting .............................................................................................. 19

FortiGate-5001SX does not startup ............................................................ 19

FortiGate-5001SX cannot display chassis information ............................... 21

Quick Configuration Guide ............................................. 23

Registering your Fortinet product ................................................................. 23

Planning the configuration ............................................................................. 23

NAT/Route mode ........................................................................................ 24

Transparent mode....................................................................................... 24

Choosing the configuration tool.................................................................... 25

Web-based manager................................................................................... 25

Command Line Interface (CLI).................................................................... 26

Factory default settings.................................................................................. 26

Configuring NAT/Route mode........................................................................ 27

Using the web-based manager to configure NAT/Route mode................... 27

Using the CLI to configure NAT/Route mode.............................................. 28

Configuring Transparent mode...................................................................... 29

Using the web-based manager to configure Transparent mode................ . 29

Using the CLI to configure Transparent mode ............................................ 30

Upgrading FortiGate-5001SX firmware.......................................................... 31

FortiGate-5001SX base backplane data communication............................. 32

Powering off the FortiGate-5001SX module .................................................. 33

FortiGate-5001SX Security System Guide 01-30000-0380-20070201 3

Contents

For more information ...................................................... 35

Fortinet documentation .................................................................................. 35

Fortinet Tools and Documentation CD........................................................ 35

Fortinet Knowledge Center ........................................................................ 35

Comments on Fortinet technical documentation ........................................ 35

Customer service and technical support...................................................... 35

FortiGate-5001SX Security System Guide

4 01-30000-0380-20070201

FortiGate-5001SX security system

The FortiGate-5001SX security system is a high-performance FortiGate security system with a total of 8 front panel Gigabit ethernet interfaces and two base backplane interfaces. Use the front panel interfaces for connections to your networks and the backplane interfaces for communication between FortiGate-5000 series modules over the FortiGate-5000 chassis backplane.

You can also configure two or more FortiGate-5001SX modules to create a high availability (HA) cluster using the base backplane interfaces for HA heartbeat communication through chassis backplane, leaving all eight front panel gigabit interfaces available for network connections.

The FortiGate-5001SX module also supports high-end FortiGate features including 802.1Q VLANs, multiple virtual domains, 802.3ad aggregate interfaces, and FortiGate-5000 chassis monitoring.

Figure 1: FortiGate-5001SX front panel

Module PositionLink/Traffic

Status

STA IPM

Extraction

Lever

Mounting

Knot

Mounting

Knot

Locking

Screw

Flash Disk

Access

Power

PWR

Extraction

Lever

ACC

CONSOLE

RS-232

Serial

USB

1 2 3 4 5 6 7 8

1 2 3 4

SFP Gigabit fiber

or copper

5 6 7 8

Gigabit Copper

The FortiGate-5001SX module includes the following features:

• A total of eight front panel gigabit interfaces

• Four gigabit interfaces that can accept Small Formfactor Pluggable (SFP) fiber or copper transceivers (interfaces 1, 2, 3, and 4)

• Four 10/100/1000Base-T gigabit copper network interfaces (i nterfaces 5, 6, 7, and 8)

• Two base backpla ne gigabit interfaces (port9 and port10) for HA heartbeat and data communications across the FortiGate-5000 chassis backplane.

• DB-9 RS-232 serial console connection

• One USB connector

• Mounting hardware

• LED status indicators

The FortiGate-5001SX module comes supplied with four fiber or four copp er SFP transceivers. Before you can connect FortiGate-5001SX interfaces 1 to 4, you must insert the SFP transceivers into the FortiGate-5001SX front panel cage slots numbered 1 to 4.

FortiGate-5001SX Security System Guide 01-30000-0380-20070201 5

Front panel LEDs and connectors FortiGate-5001SX security system

The FortiGate-5001SX module ships with two RAM DIMMs installed on the FortiGate-5001SX circuit board. You should confirm that the RAM DIMMs are installed correctly before inserting the FortiGate-5001SX module into a chassis.

Front panel LEDs and connectors

From the FortiGate-5001SX font panel you can view the status of the front panel LEDs to verify that the module is functioning normally. You also connect the FortiGate-5001SX module to your network through the front panel ethernet connections. The front panel also includes the RS-232 console port for connecting to the FortiOS CLI and a USB port. The USB port can be used with a Fortinet USB key. For information about using the FortiUSB key, see the FortiGa te -5000 Ser ies

Firmware and FortiUSB Guide.

LEDs

Table 1 lists and describes the FortiGate-5001SX module LEDs.

Table 1: FortiGate-5001SX LEDs

LED State Description PWR Green The FortiGate-5001SX module is powered on. ACC Off or

Flashing red

STA Green Normal operation.

Red The FortiGate-5001SX is starting or a fault condition

IPM Blue The FortiGate-5001SX is ready to be hot-swapped

Flashing Blue

Off Normal operation. The FortiGate-5001SX module is in

1, 2, 3, 4 Green The correct cable is connected to the gigabit SFP

Flashing Network activity at the gigabit SFP interface.

The ACC LED flashes red when the FortiGate-5001SX module accesses the FortiOS flash disk. The FortiOS flash disk stores the current FortiOS firmware build and configuration files. The system accesses the flash disk when starting up, during a firmware upgrade, or when an administrator is using the CLI or GUI to change the FortiOS configuration. Under normal operating conditions this LED flashes occasionally, but is mostly off.

exists.

(removed from the chassis). If the IPM light is blue and no other LEDs are lit the FortiGate-5001SX module has lost power, possibly because of a loose or incorrectly aligned left extraction lever. See “Inserting a

FortiGate-5001SX module into a chassis” on page 14

for more information. The FortiGate-5001SX is changing from hot swap to

running mode or from running mode to hot swap.

contact with the chassis backplane.

interface.

FortiGate-5001SX Security System Guide

6 01-30000-0380-20070201

FortiGate-5001SX security system Base backplane gigabit interfaces

Table 1: FortiGate-5001SX LEDs (Continued)

LED State Description 5, 6,

7, 8

Link LED

Speed LED

Green The correct cable is inserted into this interface and the

connected equipment has power. Flashing Network activity at this interface. Green The interface is connected at 1000 Mbps. Amber The interface is connected at 100 Mbps. Unlit The interface is connected at 10 Mbps.

Connectors

Table 2 lists and describes the FortiGate-5001SX connectors.

Table 2: FortiGate-5001SX connectors

Connector T ype Speed Protocol Description 1, 2, 3, 4 LC

SFP

5, 6, 7, 8 RJ-45 10/100/1000 CONSOLE DB-9 9600 bps RS-232 serial Serial connection to the command line USB USB FortiUSB key firmware updates and

1000Base-SX Ethernet Four gigabit SFP interfaces that can

Ethernet Copper gigabit connection to

Base-T

accept fiber or copper gigabit transceivers. These interfaces only operate at 1000Mbps.

10/100/1000Base-T copper networks. interface. configuration backup (FortiOS v3.0).

Base backplane gigabit interfaces

The FortiGate-5001SX port9 and port10 base backplane gigabit interfaces can be used for HA heartbeat communication between FortiGate-5001SX modules installed in the same or in different FortiGate-5000 chassis. You can also configure FortiGate-5001SX modules to use the base backplane interfaces for data communication between FortiGate modules. To support base backplane communications your FortiGate-5140 or 5050 chassis must include one or more FortiSwitch-5003 modules. FortiSwitch-5003 modules are installed in chassis slots 1 and 2. The FortiGate-5020 chassis supports base backplane communication with no additions or changes to the chassis.

For information about base backplane communication in FortiGate-5140 and FortiGate-5050 chassis, see the FortiGate-5000 Base Backplane Communication

Guide. For information about the FortiSwitch-5003 module, see the FortiSwitch-5003 Guide.

FortiGate-5001SX Security System Guide 01-30000-0380-20070201 7

Base backplane gigabit interfaces FortiGate-5001SX security system

FortiGate-5001SX Security System Guide

8 01-30000-0380-20070201

Hardware installation RAM DIMMs

Hardware installation

Before use, the FortiGate-5001SX module must be correctly inserted into a FortiGate-5140, FortiGate-50 50 , or FortiG ate-5020 chassis.

Before inserting the module into a chassis you should make sure RAM DIMMS are installed and FortiGate-5001SX jumpers are set. SFP transceivers must also be installed for interfaces 1 to 4 before these interfaces can be connected to network devices.

This section describes:

• RAM DIMMs

• Installing SFP transceivers

• Changing FortiGate-5001SX jumper settings

• Inserting a FortiGate-5001SX module into a chassis

• Removing a FortiGate-5001SX module from a chassis

• Troubleshooting

RAM DIMMs

To install FortiGate-5001SX RAM DIMMs

To complete this procedure, you need:

• A FortiGate-5001SX module

• Two RAM DIMMs to be installed into the FortiGate-5001SX module RAM DIMM slots

• An electrostatic discharge (ESD) preventive wrist or ankle strap with connection cord

Caution: FortiGate-5001SX modules must be protected from static discharge and physical shock. Only handle or work with FortiGate-5001SX modules at a static-free workstation.

Always wear a grounded electrostatic discharge (ESD) preventive wrist or ankle strap when handling FortiGate-5001SX modules.

1 Attach the ESD wrist or ankle strap to your wrist or ankle and to an ESD socket or

to a bare metal surface on a chassis or frame.

Caution: Handle DIMMs by the edges only. DIMMs are ESD-sensitive components that

can be damaged by mishandling.

2 Remove RAM DIMMs from their antistatic packaging.

FortiGate-5001SX Security System Guide 01-30000-0380-20070201 9

RAM DIMMs Hardware installation

Figure 2: Location of FortiGate-5001SX RAM DIMM slots

RAM DIMM

slots

JP2

JP1

JP3

Front Faceplate

3 Insert each RAM DIMM perpendicular to the RAM DIMM slots. Push the DIMM

firmly into place using the minimum amount of force required. When the DIMM is properly seated, the socket guide posts click into place.

Do not use excessive force when installing a DIMM. The RAM slots allow only one alignment of each RAM DIM. If you cannot lock the

locking levers the DIM is not aligned correctly or is in upside-down.

FortiGate-5001SX Security System Guide

10 01-30000-0380-20070201

Hardware installation Installing SFP transceivers

Installing SFP transceivers

The FortiGate-5001SX module ships with four SFP transceivers that you must install for normal operation of the FortiGate-5001SX module. The SFP transceivers are inserted into cage sockets numbered 1 to 4 on the FortiGate-5001SX front panel. You can install the SFP transceivers be fore or af ter inserting the FortiGate-5001SX module into a FortiGate chassis.

You can install 1000Base-LX (single-mode fiber) or 1000Base-T (copper cable) SFP transceivers. The 1000Base-LX transceivers use fiber connectors while the 1000Base-T transceivers use RJ-45 connectors.

You can install the following types of SFP transceivers for connectors 1, 2, 3, and 4:

• SFP fiber transceivers

• SFP 1000Base-LX, SM module

• SFP 1000Base-SX, MM module (multimode)

• SFP copper transceivers

• SFP 1000Base-T, SERDES version only (SGMII version not supported)

To install SFP transceivers

To complete this procedure, you need:

• A FortiGate-5001SX module

• Four SFP transceivers

• An electrostatic discharge (ESD) preventive wrist or ankle strap with connection cord

Caution: FortiGate-5001SX modules must be protected from static discharge and physical shock. Only handle or work with FortiGate-5001SX modules at a static-free workstation.

Always wear a grounded electrostatic discharge (ESD) preventive wrist or ankle strap when handling FortiGate-5001SX modules.

1 Attach the ESD wrist or ankle strap to your wrist or ankle and to an ESD socket or

to a bare metal surface on the chassis or frame.

2 Remove the caps from SFP cage sockets on the FortiGate-5001SX front panel.

Caution: Handling the SFP transceivers by holding the release Latch can damage the

connector. Do not force the SFP transceivers into the cage slots. If the transceiver does not

easily slide in and click into place, it may not be aligned correctly. If this happens, remove the SFP transceiver, realign it and slide it in again.

3 Hold the sides of the SFP transceiver and slide SFP transceiver into the cage

socket until it clicks into place.

FortiGate-5001SX Security System Guide 01-30000-0380-20070201 11

+ 25 hidden pages

Fortinet FortiGate FortiGate-5001SX Security System Manual

Specifications and Main Features

Frequently Asked Questions

User Manual