Fortinet FortiGate FortiGate-5005FA2 Security System Manual

Security System Guide
FortiGate-5005FA2
A detailed guide to the features and capabilities of the FortiGate-5005FA2 Security System. This FortiGate-5005FA2 Security System Guide describes FortiGate-5005FA2 hardware features, how to install the FortiGate-5005FA2 module in a FortiGate-5000 series chassis, how to configure the FortiGate-5005FA2 security system for your network, and contains troubleshooting information to help you diagnose and fix problems.
The most recent versions of this and all FortiGate-5000 series documents are available from the FortiGate-5000 page of the Fortinet Technical Documentation web site (http://docs.forticare.com).
Visit http://support.fortinet.com to register your FortiGate-5005FA2 system. By registering you can receive product updates, technical support, and FortiGuard services.
FortiGate-5005FA2 Security System Guide
01-30000-0377-20070201
www.fortinet.com
Warnings and cautions
Only trained and qualified personnel should be allowed to install or maintain FortiGate-5000 series equipment. Read and comply with all warnings, cautions and notices in this document.
CAUTION: Risk of Explosion if Battery is replaced by an Incorrect Type. Dispose of Used Batteries According to the Instructions.
Caution: You should be aware of the following cautions and warnings before installing FortiGate-5000 series hardware:
Turning off all power switches may not turn off all power to the FortiGate-5000 series equipment. Except where noted, disconnect the FortiGate-5000 series equipment from all power sources, telecommunications links and networks before installing, or removing FortiGate-5000 series components, or performing other maintenance tasks. Failure to do this can result in personal injury or equipment damage. Some circuitry in the FortiGate-5000 series equipment may continue to operate even though all power switches are off.
An easily accessible disconnect device, such as a circuit breaker, should be incorporated into the data center wiring that connects power to the FortiGate-5000 series equipment.
Install FortiGate-5000 series chassis at the lower positions of a rack to avoid making the rack top-heavy and unstable.
Do not insert metal objects or tools into open chassis slots.
Electrostatic discharge (ESD) can damage FortiGate-5000 series equipment. Only perform the procedures described in this document from an ESD workstation. If no such station is available, you can provide some ESD protection by wearing an anti-static wrist or ankle strap and attaching it to an ESD connector or to a metal part of a FortiGate chassis.
Some FortiGate-5000 series components may overload your supply circuit and impact your overcurrent protection and supply wiring. Refer to nameplate ratings to address this concern.
Make sure all FortiGate-5000 series components have reliable grounding. Fortinet recommends direct connections to the branch circuit.
If you install a FortiGate-5000 series component in a closed or multi-unit rack assembly, the operating ambient temperature of the rack environment may be greater than room ambient. Make sure the operating ambient temperature does not exceed the manufacturer's maximum rated ambient temperature.
Installing FortiGate-5000 series equipment in a rack should be such that the amount of airflow required for safe operation of the equipment is not compromised.
This equipment is for installation only in a Restricted Access Location (dedicated equipment room, service closet or the like), in accordance with the National Electrical Code.
Per the National Electrical Code, sizing of a Listed circuit breaker or branch circuit fuse and the supply conductors to the equipment is based on the marked input current rating. A product with a marked input current rating of 25 A is required to be placed on a 40 A branch circuit. The supply conductors will also be sized according to the input current rating and also derated for the maximum rated operating ambient temperature, Tma, of the equipment.
FortiGate-5000 series equipment shall be installed and connected to an electrical supply source in accordance with the applicable codes and regulations for the location in which it is installed. Particular attention shall be paid to use of correct wire type and size to comply with the applicable codes and regulations for the installation / location. Connection of the supply wiring to the terminal block on the equipment may be accomplished using Listed wire compression lugs, for example, Pressure Terminal Connector made by Ideal Industries Inc. or equivalent which is suitable for AWG 10. Particular attention shall be given to use of the appropriate compression tool specified by the compression lug manufacturer, if one is specified.
Contents
Warnings and cautions    2
FortiGate-5005FA2 security system    5
  Front panel LEDs and connectors    6
    LEDs    6
    Connectors    7
  Accelerated packet forwarding and policy enforcement    7
    FA2 interfaces and active-active HA performance    8
  Base backplane gigabit communication    8
  FortiGate-5005-DIST security system    8
Hardware installation    9
  Installing SFP transceivers    9
  Installing FortiGate-5005FA2 modules    10
    Insertion procedure    11
  Removing a FortiGate-5005FA2 module    13
  Troubleshooting    15
    FortiGate-5005FA2 does not start up    15
Quick Configuration Guide    17
  Registering your Fortinet product    17
  Planning the configuration    17
    NAT/Route mode    18
    Transparent mode    18
  Choosing the configuration tool    19
    Web-based manager    19
    Command Line Interface (CLI)    20
  Factory default settings    20
  Configuring NAT/Route mode    21
    Using the web-based manager to configure NAT/Route mode    21
    Using the CLI to configure NAT/Route mode    22
  Configuring Transparent mode    23
    Using the web-based manager to configure Transparent mode    23
    Using the CLI to configure Transparent mode    24
  Upgrading FortiGate-5005FA2 firmware    25
  FortiGate-5005FA2 base backplane data communication    26
  Powering off the FortiGate-5005FA2 module    28
For more information    29
  Fortinet documentation    29
    Fortinet Tools and Documentation CD    29
    Fortinet Knowledge Center    29
    Comments on Fortinet technical documentation    29
  Customer service and technical support    29
  Register your Fortinet product    29
FortiGate-5005FA2 security system
The FortiGate-5005FA2 security system is a high-performance FortiGate security system with a total of 8 front panel Gigabit ethernet interfaces, two base backplane interfaces, and two fabric backplane interfaces. Use the front panel interfaces for connections to your networks and the backplane interfaces for communication between FortiGate-5000 series modules over the FortiGate-5000 chassis backplane.
You can also configure two or more FortiGate-5005FA2 modules to create a high availability (HA) cluster using the base backplane interfaces for HA heartbeat communication through the chassis backplane, leaving all eight front panel gigabit interfaces available for network connections.
FortiGate-5005FA2 front panel interfaces 7 and 8 also include accelerated packet forwarding and policy enforcement for faster small packet performance. Using backplane base and fabric interfaces, the FortiGate-5005FA2 also functions as the worker module in a FortiGate-5005-DIST security system.
The FortiGate-5005FA2 module also supports high-end FortiGate features including 802.1Q VLANs, multiple virtual domains, 802.3ad aggregate interfaces, and FortiGate-5000 chassis monitoring.
Figure 1: FortiGate-5005FA2 front panel
[Front panel figure. Callouts, left to right: Fabric and Base network activity LEDs (ACT and LINK for each); mounting knot and extraction lever; FABRIC and BASE LEDs; CONSOLE (RJ-45 serial); two USB connectors; OOS (Out of Service), ACC (Flash Disk Access) and STATUS LEDs; SFP gigabit fiber or copper interfaces 1 to 6 with Link/Traffic LEDs; accelerated SFP gigabit fiber or copper interfaces 7 and 8; IPM (Module Position) LED; extraction lever and mounting knot.]
The FortiGate-5005FA2 module includes the following features:
A total of eight front panel gigabit interfaces that can accept Small Formfactor Pluggable (SFP) fiber or copper gigabit transceivers.
  Six standard gigabit interfaces (interfaces 1 to 6).
  Two accelerated packet forwarding and policy enforcement gigabit interfaces (interfaces 7 and 8).
Two fabric backplane gigabit interfaces (fabric1 and fabric2) for FortiGate-5005-DIST security system management communications. The fabric backplane gigabit interfaces can also be used for data communications across the FortiGate-5000 chassis backplane if combined with a module that supports backplane fabric switching.
Two base backplane gigabit interfaces (base1 and base2) for HA heartbeat and data communications across the FortiGate-5000 chassis backplane and for FortiGate-5005-DIST security system data communication.
RJ-45 RS-232 serial console connection.
2 USB connectors.
Mounting hardware.
LED status indicators.
The FortiGate-5005FA2 module comes supplied with fiber and copper SFP transceivers. You can order the SFP transceivers in any combination. Before you can connect any FortiGate-5005FA2 front panel interfaces, you must insert the SFP transceivers into the FortiGate-5005FA2 front panel cage slots.
Front panel LEDs and connectors
From the FortiGate-5005FA2 front panel you can view the status of the front panel LEDs to verify that the module is functioning normally. You also connect the FortiGate-5005FA2 module to your network through the front panel ethernet connectors. The front panel also includes the RJ-45 console port for connecting to the FortiOS CLI and two USB ports. The USB ports can be used with a Fortinet USB key. For information about using the FortiUSB key, see the FortiGate-5000 Series Firmware and FortiUSB Guide.
LEDs
Table 1 lists and describes the FortiGate-5005FA2 module LEDs.
Table 1: FortiGate-5005FA2 module LEDs
LED (State): Description
Fabric ACT 2 (Amber): Network activity at backplane fabric interface 2.
Fabric LINK 2 (Green): Backplane fabric interface 2 is connected at 1000 Mbps.
Fabric ACT 1 (Amber): Network activity at backplane fabric interface 1.
Fabric LINK 1 (Green): Backplane fabric interface 1 is connected at 1000 Mbps.
Base ACT 2 (Amber): Network activity at backplane base interface 2 (backplane2).
Base LINK 2 (Green): Backplane base interface 2 (backplane2) is connected at 1000 Mbps.
Base ACT 1 (Amber): Network activity at backplane base interface 1 (backplane1).
Base LINK 1 (Green): Backplane base interface 1 (backplane1) is connected at 1000 Mbps.
OOS (Out of Service) (Off): Normal operation.
OOS (Out of Service) (Red): A fault condition exists and the FortiGate-5005FA2 blade is out of service (OOS). This LED may also flash very briefly during normal startup.
ACC (Off or Flashing green): The ACC LED flashes green when the FortiGate-5005FA2 module accesses the FortiOS flash disk. The FortiOS flash disk stores the current FortiOS firmware build and configuration files. The system accesses the flash disk when starting up, during a firmware upgrade, or when an administrator is using the CLI or GUI to change the FortiOS configuration. Under normal operating conditions this LED flashes occasionally, but is mostly off.
STATUS (Amber): The FortiGate-5005FA2 module is powered on.
IPM (Blue): The FortiGate-5005FA2 is ready to be hot-swapped (removed from the chassis). If the IPM light is blue and no other LEDs are lit the FortiGate-5005FA2 module has lost power. See “Installing FortiGate-5005FA2 modules” on page 10 for more information.
IPM (Flashing Blue): The FortiGate-5005FA2 is changing from hot swap to running mode or from running mode to hot swap.
IPM (Off): Normal operation. The FortiGate-5005FA2 module is in contact with the chassis backplane.
1, 2, 3, 4, 5, 6, 7, 8 (Green): The correct cable is connected to the gigabit SFP interface.
1, 2, 3, 4, 5, 6, 7, 8 (Flashing): Network activity at the gigabit SFP interface.
Connectors
Table 2 lists and describes the FortiGate-5005FA2 connectors.
Table 2: FortiGate-5005FA2 connectors
Connector / Type / Speed / Protocol: Description
1, 2, 3, 4, 5, 6 / LC SFP / 1000Base-SX / Ethernet: Six gigabit SFP interfaces that can accept fiber or copper gigabit transceivers. These interfaces only operate at 1000Mbps. See “Installing SFP transceivers” on page 9 for more information.
7, 8 / LC SFP / 1000Base-SX / Ethernet: Two accelerated gigabit SFP interfaces that can accept fiber or copper gigabit transceivers. These interfaces only operate at 1000Mbps. The accelerated interface connectors are inverted compared to connectors 1 to 6. See “Installing SFP transceivers” on page 9 for more information.
CONSOLE / RJ-45 / 9600 bps / RS-232 serial: Serial connection to the command line interface.
USB / USB: FortiUSB key firmware updates and configuration backup.
Accelerated packet forwarding and policy enforcement
FortiGate-5005FA2 Accelerated packet forwarding and policy enforcement results in accelerated small packet performance required for voice, video, and other multimedia streaming applications. The following traffic scenarios are recommended for the accelerated interfaces:
Small packet applications, such as voice over IP (VoIP). The FortiGate-5005FA2 accelerated interfaces provide wire speed performance for small packet applications.
Latency sensitive applications, such as multimedia. The FortiGate-5005FA2 accelerated interfaces add much less latency than normal (non-accelerated) interfaces.
Session oriented traffic with long session lifetime, such as FTP sessions. Packet size does not affect performance for traffic with long session lifetime. For long sessions, processing that would otherwise be handled by the FortiGate-5005FA2 CPUs is off-loaded to the acceleration module.
Firewall and intrusion protection (IPS), when there is a reasonable percentage of P2P packets.
Firewall, intrusion protection (IPS), and antivirus, when there is a reasonable percentage of P2P packets.
Firewall and IPSec VPN applications.
The following traffic scenarios should be handled by the normal (or non-accelerated) FortiGate-5005FA2 interfaces:
Session oriented traffic when the session lifetime is very short.
Firewall and antivirus only applications. Traffic will not be off-loaded to the FortiGate-5005FA2 accelerator module. The result will be high CPU usage because of the high CPU requirement for antivirus scanning.
FA2 interfaces and active-active HA performance
FortiOS v3.0 MR4 firmware can also use FA2 acceleration to improve active-active HA load balancing performance. See the FortiGate HA Overview or the FortiGate HA Guide for more information.
Base backplane gigabit communication
The FortiGate-5005FA2 base1 and base2 backplane gigabit interfaces can be used for HA heartbeat communication between FortiGate-5005FA2 modules installed in the same or in different FortiGate-5000 chassis. You can also configure FortiGate-5005FA2 modules to use the base backplane interfaces for data communication between FortiGate modules. To support base backplane communications your FortiGate-5140 or FortiGate-5050 chassis must include one or more FortiSwitch-5003 modules. FortiSwitch-5003 modules are installed in chassis slots 1 and 2. The FortiGate-5020 chassis supports base backplane communication with no additions or changes to the chassis.
For information about base backplane communication in FortiGate-5140 and FortiGate-5050 chassis, see the FortiGate-5000 Base Backplane Communication Guide. For information about the FortiSwitch-5003 module, see the FortiSwitch-5003 Guide.
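As an added illustration, not taken from this guide or from Fortinet's own configuration examples, the following FortiOS CLI fragment shows how the base backplane interfaces described above are selected as the HA heartbeat interfaces, so that all eight front panel interfaces remain free for network connections. The config system ha keywords are FortiOS 3.0 CLI syntax as the editor knows it; the interface names base1 and base2 come from this guide, while the cluster group name, the password value and the choice of active-active mode are placeholders for illustration only.

```fortios
config system ha
    set mode a-a
    set group-name "FG5005FA2-cluster"
    set password "PLACEHOLDER-replace-with-a-strong-password"
    set hbdev "base1" 50 "base2" 50
end
```

Both base interfaces are listed with the same priority so the heartbeat survives the loss of one backplane path. Apply this on every module that will join the cluster, and confirm on the front panel that the Base LINK 1 and LINK 2 LEDs are green before relying on the heartbeat: in a FortiGate-5140 or FortiGate-5050 chassis those links only come up when a FortiSwitch-5003 is installed in slot 1 or 2, and a module whose base links are down will not see its cluster peers.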
FortiGate-5005-DIST security system
You can install FortiGate-5005FA2 modules as worker modules in a FortiGate-5005-DIST security system. Worker modules apply FortiGate security system functionality such as applying firewall policies, virus scanning, IPS and routing to distributed traffic.
For complete information about the FortiGate-5005-DIST security system and the role of worker modules, see the FortiGate-5005-DIST Security System Administration Guide.
Hardware installation
Before use, the FortiGate-5005FA2 module must be correctly inserted into a FortiGate-5140, FortiGate-5050, or FortiGate-5020 chassis.
SFP transceivers must also be installed before the FortiGate-5005FA2 module can be connected to network devices.
This section describes:
Installing SFP transceivers
Installing FortiGate-5005FA2 modules
Removing a FortiGate-5005FA2 module
Troubleshooting
Installing SFP transceivers
The FortiGate-5005FA2 module ships with eight SFP transceivers that you must install for normal operation of the FortiGate-5005FA2 module. The SFP transceivers are inserted into cage sockets numbered 1 to 8 on the FortiGate-5005FA2 front panel. You can install the SFP transceivers before or after inserting the FortiGate-5005FA2 module into a FortiGate chassis.
Note: Cage slots 7 and 8 are rotated 180 degrees. Install the SFP transceivers in slots 7 and 8 inverted compared to the orientation of the transceivers in slots 1 to 6.
You can install the following types of SFP transceivers for connectors 1 to 8:
SFP fiber transceivers
  SFP 1000Base-LX, SM module
  SFP 1000Base-SX, MM module (multimode)
SFP copper transceivers
  SFP 1000Base-T, SERDES version only (SGMII version not supported)
To install SFP transceivers
To complete this procedure, you need:
A FortiGate-5005FA2 module
Eight SFP transceivers
An electrostatic discharge (ESD) preventive wrist or ankle strap with connection cord
Caution: FortiGate-5005FA2 modules must be protected from static discharge and physical shock. Only handle or work with FortiGate-5005FA2 modules at a static-free workstation. Always wear a grounded electrostatic discharge (ESD) preventive wrist or ankle strap when handling FortiGate-5005FA2 modules.
1 Attach the ESD wrist or ankle strap to your wrist or ankle and to an ESD socket or to a bare metal surface on the chassis or frame.
2 Remove the caps from SFP cage sockets on the FortiGate-5005FA2 front panel.