
Fortinet FortiGate-5000 User's Manual


Contents

1. FortiGate 5020 chassis 31; FortiGate 5020 front panel 31; FortiGate 5020 back panel 32; Physical description of the FortiGate 5020 chassis 32; FortiGate 5001A security system 33; Front panel LEDs and connectors 34; LEDs 35; Connectors 36; Base backplane communication 36; Fabric backplane communication 36; FortiGate RTM XB 37; AMC modules 37; FortiGate RTM XB2 system 39; Front panel LEDs 40; Fabric backplane 10 gigabit communication 40; FortiGate 5005FA2 security system
2. FortiGate 5000 Series Introduction 01 30000 83466 20090108. The FortiGate 5005 DIST security system: FortiGate 5005FA2 worker boards. The FortiGate 5005FA2 security system serves as the worker board for the FortiGate 5005 DIST security system. Worker boards are identically configured and administered as a single unit from the primary I/O board. Workers are typically installed in slots 3 and above, though FortiGate 5005FA2 security systems with only one I/O board can also have a worker installed in slot 2. The worker boards apply all of the FortiGate security system functionality to traffic passing through the FortiGate 5005 DIST security system. Traffic is distributed to the worker boards by the I/O boards. The worker boards perform FortiGate functions such as applying firewall policies, virus scanning, IPS, and routing to distributed traffic. Figure 31: FortiGate 5005FA2 front panel. FortiGate 5005 DIST security system chassis: The FortiGate 5005 DIST secu
3. FortiGate 5000 Series Introduction. The most recent versions of this and all FortiGate 5000 series documents are available from the FortiGate 5000 page of the Fortinet Technical Documentation web site (http://docs.forticare.com). Visit http://support.fortinet.com to register your FortiGate 5000 Series product. By registering you can receive product updates, technical support, and FortiGuard services. FortiGate 5000 Series Introduction, 8 January 2009, 01 30000 83466 20090108. Copyright 2009 Fortinet, Inc. All rights reserved. No part of this publication, including text, examples, diagrams or illustrations, may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc. Trademarks: Fortinet, FortiGate and FortiGuard are registered trademarks, and Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGate Unified Threat Management System, FortiGuard Antispam, FortiGuard Antivirus, FortiGuard Intrusion, FortiGuard Web, FortiLog, FortiAnalyzer, FortiManager, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield and FortiVoIP are trademarks
4. on page 27. FortiGate 5020 chassis: You can install one or two FortiGate 5000 series boards in the two slots of the FortiGate 5020 ATCA chassis. The FortiGate 5020 is a 4U chassis that contains two redundant AC to DC power supplies that connect to AC power. The FortiGate 5020 chassis also includes an internal cooling fan tray. For details about the FortiGate 5020 chassis, see "FortiGate 5020 chassis" on page 31. About the FortiGate 5000 series boards: Each FortiGate 5000 series board is a standalone FortiGate security system that can also function as part of a FortiGate HA cluster. All FortiGate 5000 series boards are also hot swappable. All FortiGate 5000 series units are high capacity security systems with multiple gigabit interfaces, multiple virtual domain capacity, and other high end FortiGate features. FortiGate 5001A security system: The FortiGate 5001A board is an independent high performance FortiGate security system with two front panel gigabit ethernet interfaces, two base backplane gigabit interfaces, and two fabric backplane gigabit interfaces. Use the front panel interfaces for connections to your networks and the backplane interfaces for communication between FortiGate 5000 series boards over the ATCA chassis backplane. The fabric interfaces are reserved for future 10 gigabit oper
5. [Figure callouts: FortiGate 5140 Shelf Manager; 3 hot swappable cooling fan trays, numbered 0, 1 and 2, behind panel.] Also visible on the front of the FortiGate 5140: • Electrostatic discharge (ESD) socket, used for connecting an ESD wrist or ankle band when working with the chassis • Front cable tray, used for managing and securing ethernet and other cables • Three hot swappable FortiGate 5140 cooling fan trays. Caution: Do not operate the FortiGate 5140 chassis with open slots on the front panel. For optimum cooling performance and safety, the slots must contain a FortiGate 5000 series board or an air baffle slot filler. As well, the removable terminal block cover must be installed over the power connectors on the back of the chassis. FortiGate 5140 chassis back panel: Figure 4 shows the back panel of the FortiGate 5140 chassis. The back panel includes two hot swappable redundant 48V 60 VDC power entry modules (PEMs) labelled PEM A and PEM B. Fortinet ships the FortiGate 5140 chassis with PEM A and PEM B installed. The PEMs provide redundant DC power connections for the FortiGate 5140 chassis and distribute DC power to the fan trays and to the FortiGate 5000 series boards installed in the FortiGate 5140 chassis. FortiGate 5000 Series Introduction 20 01 30000 83466 20090108 http://docs.fortinet.com Feedback FortiGa
6. Power input: 2x redundant 110 to 250 VAC. FortiGate 5001A security system: The FortiGate 5001A security system is a high performance Advanced Telecommunications Computing Architecture (ATCA) compliant FortiGate security system that can be installed in any ATCA chassis, including the FortiGate 5140, FortiGate 5050, or FortiGate 5020 chassis. Two FortiGate 5001A models are available: • The FortiGate 5001A DW (double width) board includes a double width Advanced Mezzanine Card (AMC) opening. You can install a supported FortiGate AMC Double width Module (ADM), such as the FortiGate ADM XB2 or the FortiGate ADM FB8, in the AMC opening. The FortiGate ADM XB2 adds two accelerated 10 gigabit interfaces to the FortiGate 5001A board and the FortiGate ADM FB8 adds 8 accelerated 1 gigabit interfaces. • The FortiGate 5001A SW (single width) includes a single width AMC opening. You can install a supported FortiGate AMC Single width Module (ASM), such as the FortiGate ASM FB4 or the FortiGate ASM S08, in the AMC opening. The FortiGate ASM FB4 adds four accelerated 1 gigabit interfaces to the FortiGate 5001A board and the FortiGate ADM S08 adds a removable hard disk that you can use to store log files and content archives. Other than the double width and single width AMC openings, the FortiGate 5001A DW and SW models have t
7. FortiGate 5020 back panel: Figure 10 shows the back of a FortiGate 5020 chassis. The chassis back panel includes two redundant AC power connectors and provides access to the hot swappable cooling fan tray. Each AC power connector includes a 25 Amp circuit breaker that also functions as the on/off switch for the AC power connector. You can use the power wire fixtures to secure AC power wires to prevent the power wires from being accidentally disconnected. Figure 10: FortiGate 5020 chassis back panel (callouts: circuit breakers, AC power connectors, hot swappable cooling fan tray, power wire fixtures). Physical description of the FortiGate 5020 chassis: The FortiGate 5020 chassis is a 4U chassis that can be installed in a standard 19 inch rack. Table 6 describes the physical characteristics of the FortiGate 5020 chassis. Table 6: FortiGate 5020 physical description. Dimensions: 5.25 x 17 x 15.5 in, 13.3 x 43.2 x 39.4 cm (H x W x D). Weight: 35.5 lb, 16.1 kg. Operating environment: temperature 13 to 158 F, 25 to 70 C; relative humidity 5 to 95%, non-condensing. Storage environment: temperature 20 to 80 C; relative humidity 5 to 95%, non-condensing. Power dissipation: maximum 800 watts
8. communication in a single chassis or between multiple chassis. Install FortiSwitch 5003 boards in chassis slots 1 and 2. A FortiSwitch 5003 board in slot 1 provides communications on base backplane interface 1. A FortiSwitch 5003 board in slot 2 provides communications on base backplane interface 2. If your configuration includes only one FortiSwitch 5003 board, you can install it in slot 1 or slot 2 and configure the FortiGate 5000 boards installed in the chassis to use the correct base backplane interface. The FortiSwitch 5003 board includes the following features: • A total of 16 10/100/1000Base-T gigabit ethernet interfaces: • 13 backplane 10/100/1000Base-T gigabit interfaces for base backplane switching between FortiGate 5000 series boards installed in the same chassis as the FortiSwitch 5003 • Three front panel 10/100/1000Base-T gigabit interfaces (ZRE0, ZRE1, ZRE2) for base backplane switching between two or more FortiGate 5000 series chassis • One 100Base-TX out of band management ethernet interface (ETH0) • RJ-45 RS-232 serial console connection (CONSOLE) • Mounting hardware • LED status indicators. Front panel LEDs and connectors: From the FortiSwitch 5003 front panel you can view the status of the board LEDs to verify that the board is functioning normally. You can also connect the FortiSwitch 5003 board in one chassis to a FortiSwitch 5003 board in another chassis through the front panel ethernet connections. The front panel
9. provides a telco alarm interface and also provides serial connections to the shelf managers. The factory installed shelf managers provide power distribution, cooling, alarms, and shelf status for the FortiGate 5140 chassis. Caution: Do not operate the FortiGate 5140 chassis with open slots on the front panel. For optimum cooling performance and safety, the slots must contain a FortiGate 5000 series board or an air baffle slot filler. As well, the removable terminal block cover must be installed over the power connectors on the back of the chassis. Also visible on the front of the FortiGate 5140 chassis: • Electrostatic discharge (ESD) socket, used for connecting an ESD wrist or ankle band when working with the chassis • Front cable tray, used for managing and securing ethernet and other cables • Front accessible air filter • Three hot swappable FortiGate 5140 cooling fan trays. FortiGate 5140 chassis back panel: Figure 2 on page 17 shows the back panel of the FortiGate 5140 chassis. The back panel includes two hot swappable redundant 48V 60 VDC power entry modules (PEMs) labelled A and B. Fortinet ships the FortiGate 5140 chassis with PEM A and B installed. The PEMs provide redundant DC power connections for the FortiGate 5140 chassis and distribute DC power to the
10. 10 Gbps, Ethernet: SFP 10 gigabit connection to the base backplane channel. FABRIC 10G (14 F8, F7, F6, F5, F4, F3, F2, F1): SFP, 10 Gbps, Ethernet: SFP 10 gigabit connection to the fabric backplane channel. FortiSwitch 5003A configurations: You can operate the FortiSwitch 5003A board as a fabric and base channel layer 2 switch for any FortiGate 5000 board. The FortiSwitch 5003A board is compatible with all FortiGate 5000 boards. Base and fabric gigabit switching within a chassis: Figure 24 shows a FortiGate 5050 chassis with a FortiSwitch 5003A board in slot 1 and two FortiGate 5001A boards in slots 3 and 4. In this configuration the FortiGate 5001A boards are using base channel 1 for HA heartbeat communication. The FortiGate 5001A boards use base as the HA heartbeat interface. Figure 24: FortiSwitch 5003A base channel 1 HA heartbeat communication. Fabric 10 gigabit switching within a chassis: One FortiGate RTM XB2 provides 10 gigabit connections to both FortiGate 5001A fabric channels. The FortiGate RTM XB2 also provides NP2 packet acceleration for each fabric channel. To effectively use NP2 acceleration, packets must be received by the FortiGate 5001A board on one fabric channel and e
11. 5001FA2 boards, the FortiGate 5140 chassis provides a total of 112 1 Gigabit ethernet FortiGate interfaces. If all 14 slots contain FortiGate 5001A boards, the FortiGate 5140 chassis supports 28 1 Gigabit ethernet FortiGate interfaces. If you add FortiGate ADM XB2 modules to the FortiGate 5001A boards, the FortiGate 5140 chassis supports another 28 10 Gigabit interfaces. You can also install a FortiSwitch 5003A or FortiSwitch 5003 board in the FortiGate 5140 chassis to provide base backplane communications. Base backplane communications can be used for HA heartbeat communications and for data communications. You can add a second FortiSwitch 5003A or FortiSwitch 5003 board for redundancy. FortiSwitch 5003A boards can also provide fabric backplane communication using the FortiGate 5140 fabric backplane channels. You can mix and match any combination of FortiGate 5000 series boards in the FortiGate 5140 chassis. For example, you could install four FortiGate 5005FA2 boards, four FortiGate 5001SX boards, and four FortiGate 5001FA2 boards. You can also install FortiController 5208 and FortiGate 5005FA2 boards in a FortiGate 5140 chassis to create a FortiGate 5005 DIST security system. Some of the boards installed in a FortiGate 5140 chassis can be operating in a FortiGate HA cluster and some can be operating as standalone FortiGate units. You can also operate multiple HA clusters and standalone FortiGate units in a single FortiGate 5140 chassis. You can also
12. 5050 chassis is a 5U chassis that can be installed in a standard 19 inch rack. Table 5 describes the physical characteristics of the FortiGate 5050 chassis. Table 5: FortiGate 5050 chassis physical description. Dimensions: 8.75 x 17 x 15.5 in, 13.3 x 43.2 x 39.4 cm (H x W x D). Weight: 26.75 lb, 12.1 kg. Operating environment: temperature 32 to 104 F, 0 to 45 C; relative humidity 5 to 85%, non-condensing. Storage environment: temperature 13 to 158 F, 25 to 70 C; relative humidity 5 to 95%, non-condensing. Power consumption: maximum 1,135 W. Power input: 2x redundant 48VDC to 58VDC. FortiGate 5020 chassis: You can install one or two FortiGate 5000 series boards in the two slots of the FortiGate 5020 ATCA chassis. The FortiGate 5020 is a 4U chassis that contains two redundant AC to DC power supplies that connect to AC power. The FortiGate 5020 chassis also includes an internal cooling fan tray. If both slots contain FortiGate 5000 boards, the FortiGate 5020 chassis provides up to 16 FortiGate gigabit ethernet interfaces. If you install the same FortiGate
13. Connectors 75; Backplane gigabit interfaces 76. Introduction: This FortiGate 5000 Series Introduction is a high level guide to all three FortiGate 5000 series chassis and the boards that you can install in them. This chapter includes the following topics: • Revision history • About the FortiGate 5000 series chassis • About the FortiGate 5000 series boards • Warnings and cautions • Fortinet documentation • Customer service and technical support • Register your Fortinet product. Revision history. Table 1: Revision History (Version: Description of changes). 01 30003 0378 20061207: New version. 01 30004 0378 20070201: Corrected "FortiGate 5020 chassis" on page 31 and "FortiGate 5005FA2 security system" on page 41 to document that FortiGate 5005FA2 boards can be installed in a FortiGate 5020 chassis. Added "Register your Fortinet product" on page 14. Added "FA2 interfaces and active active HA performance" on page 44 and "FA2 interfaces and active active HA performance" on page 48. More minor changes and fixes througho
14. LEDs: Table 25 lists and describes the FortiController 5208 board LEDs. Table 25: FortiController 5208 board LEDs (LED, State: Description). X1, X2, Green: The correct cable is connected to the 10 gigabit XFP interface. STATUS, Off: The STATUS LED is always off, even when the FortiController 5208 board is starting or operating normally. PAYLOAD OPERATION, Green. DATA 1-16, Green: The data LEDs display base backplane connections of the FortiController 5208 board and the 5005 boards over which the load balanced traffic is sent. LED 1 corresponds to the FortiController 5208 board's connection. LEDs 3 through 14 are for connections to the corresponding slots in a 5050 or 5140 chassis. LEDs 15 and 16 are for the HA ports (D15, D16) on the front panel. Due to the organization of the backplane, LED 2 will always be off, even if an operating FortiController 5208 is in slot 2. CONTROL 1-16, Green: The control LEDs display the fabric backplane connecti
15. Mounting hardware • LED status indicators. Front panel LEDs and connectors: From the FortiGate 5001A front panel you can view the status of the front panel LEDs to verify that the board is functioning normally. You also connect the FortiGate 5001A board to your network through the front panel 10/100/1000 ethernet connectors. The front panel also includes the RJ-45 console port for connecting to the FortiOS CLI and two USB ports. The USB ports can be used with any USB key for backing up and restoring configuration files. For information about using a USB key with a FortiGate unit, see the FortiGate 5000 Series Firmware and FortiUSB Guide. LEDs: Table 7 lists and describes the FortiGate 5001A LEDs. Table 7: FortiGate 5001A LEDs (LED, State: Description). 1, 2 (Left LED): Green: The correct cable is connected to the interface and the connected equipment has power. Flashing Green: Network activity at the interface. Off: No link is established. 1, 2 (Right LED): Green: Connection at 1 Gbps. Amber: Connection at 100 Mbps. Off: Connection at 10 Mbps. Base CH0: Green: Base backplane interface 0 (base1) is connected at 1 Gbps. Flashing Green: Network activity at base backplane interface 0. Base CH1: Green: Base backplane inte
16. You can configure settings for FortiSwitch 5003A fabric interfaces from the FortiSwitch 5003A CLI. The CLI columns show the names of the interfaces as they appear on the FortiSwitch 5003A CLI. The fabric network activity LEDs show links and network activity for the interfaces and connections listed in Table 19. Figure 23: FortiSwitch 5003A fabric network activity LEDs. Table 19: Fabric network activity LEDs (Fabric network activity LED: Interface or connection). 2 1: Fabric channel connection between fabric channel 1 and fabric channel 2. This LED is lit if there are two FortiSwitch 5003A boards installed in the chassis, to indicate fabric backplane communication between them. 3 to 13: Fabric backplane connection to FortiGate 5000 boards in chassis slots 3 to 13. Front panel connectors: Table 20 lists and describes the FortiSwitch 5003A front panel connectors. Table 20: FortiSwitch 5003A connectors (Connector: Type, Speed, Protocol: Description). MGMT: RJ-45, 10/100/1000Base-T, Ethernet: Copper gigabit connection to out of band management interface. COM: RJ-45, 9600 bps 8/N/1, RS-232 serial: Serial connection to the command line interface. B1, B2: RJ-45, 10/100/1000Base-T, Ethernet: Copper gigabit connection to the base backplane channel. BASE 10G: SFP
17. band management interface ETH1 connects to the shelf managers. Neither of the out of band management interfaces are used. CONSOLE: RJ-45, 9600 bps, RS-232 serial: Serial connection to the command line interface. ZRE0, ZRE1, ZRE2: RJ-45, 10/100/1000Base-T, Ethernet: Redundant connections to another FortiSwitch 5003 board in a different FortiGate 5140 or FortiGate 5050 chassis. Use these interfaces for base backplane interface connections between FortiGate 5000 series chassis. Base backplane communications: This section provides a brief introduction to using FortiSwitch 5003 boards for base backplane communication. FortiSwitch 5003 boards installed in a FortiGate 5140 or FortiGate 5050 chassis in slot 1 or slot 2 provide base backplane switching for all of the FortiGate 5000 series boards installed in chassis slots 3 and above. Base backplane switching can be used for HA heartbeat communication and for data communication between FortiGate 5000 series boards. The FortiGate 5000 series boards can all be installed in the same chassis, or you can use the FortiSwitch 5003 front panel ZRE interfaces for base backplane communication among multiple FortiGate 5140 and FortiGate 5050 chassis. The communication can be among a collection of the same chassis (for example, multiple FortiGate 5050 chassis) or among a mixture of FortiGate 5140 and FortiGate 5050 chassis. In most cases you would connect the same base backp
18. base backplane interfaces for data communication between FortiGate boards. To support base backplane communications, your FortiGate 5140 or 5050 chassis must include one or more FortiSwitch 5003 boards. FortiSwitch 5003 boards are installed in chassis slots 1 and 2. The FortiGate 5020 chassis supports base backplane communication with no additions or changes to the chassis. For information about base backplane communication in FortiGate 5140 and FortiGate 5050 chassis, see the FortiGate 5000 Base Backplane Communication Guide. For information about the FortiSwitch 5003 board, see the FortiSwitch 5003 Guide. FortiSwitch 5003A system: The FortiSwitch 5003A board provides 10/1 gigabit fabric backplane channel layer 2 switching and 1 gigabit base backplane channel layer 2 switching in a dual star architecture for the FortiGate 5140 and FortiGate 5050 chassis. The FortiSwitch 5003A board provides a total capacity of 200 Gigabits per second (Gbps) throughput. The FortiGate 5140 chassis is a 14 slot ATCA chassis and the FortiGate 5050 chassis is a 5 slot ATCA chassis. In both chassis the FortiSwitch 5003A board is installed in the first and second hub switch fabric slots. For most versions
19. board supports high end features including 802.1Q VLANs and multiple virtual domains. For details about the FortiGate 5001SX security system, see "FortiGate 5001SX security system" on page 49. FortiSwitch 5003A system: The FortiSwitch 5003A system provides 10/1 gigabit fabric backplane channel layer 2 switching and 1 gigabit base backplane channel layer 2 switching in a dual star architecture for the FortiGate 5140 and FortiGate 5050 chassis. The FortiGate board provides a total capacity of 200 Gigabits per second (Gbps) throughput. For details about the FortiSwitch 5003A system, see "FortiGate 5001SX security system" on page 49. FortiSwitch 5003 system: The FortiSwitch 5003 system provides base backplane communication between FortiGate security boards installed in FortiGate 5140 or FortiGate 5050 chassis. Base backplane communication can be used for HA heartbeat communication and for data communication. The FortiSwitch 5003 board can also provide HA heartbeat and data communication between chassis. The FortiSwitch 5003 board is only used in FortiGate 5140 and FortiGate 5050 chassis. For details about the FortiSwitch 5003 board, see "FortiSwitch 5003 system" on page 61. FortiGate 5005 DIST security system: The FortiGate 5005 DIST
20. can accept Small Formfactor Pluggable (SFP) fiber or copper transceivers (interfaces 1, 2, 3, and 4) • Four 10/100/1000Base-T gigabit copper network interfaces (interfaces 5, 6, 7, and 8) • Two base backplane gigabit interfaces (port9 and port10) for HA heartbeat and data communications across the FortiGate 5000 chassis backplane • DB-9 RS-232 serial console connection • One USB connector • Mounting hardware • LED status indicators. The FortiGate 5001SX board comes supplied with four fiber or four copper SFP transceivers. Before you can connect FortiGate 5001SX interfaces 1 to 4, you must insert the SFP transceivers into the FortiGate 5001SX front panel cage slots numbered 1 to 4. The FortiGate 5001SX board ships with two RAM DIMMs installed on the FortiGate 5001SX circuit board. You should confirm that the RAM DIMMs are installed correctly before inserting the FortiGate 5001SX board into a chassis. Front panel LEDs and connectors: From the FortiGate 5001SX front panel you can view the status of the front panel LEDs to verify that the board is functioning normally. You also connect the FortiGate 5001SX board to your network through the front panel ethernet connections. The front panel also includes the RS-232 console port for connecting to the FortiOS CLI and a USB port. The USB port can be
21. chassis slots and to the fan trays. Figure 2: FortiGate 5140 chassis back panel (callouts: RTM slot filler panels, back cable tray, ESD socket, chassis ground connector, Power Entry Module B, Power Entry Module A with terminal block cover removed). If you require redundant power, you should connect both PEMs to DC power. If redundant power is not required, you should connect PEM A to DC power. Each PEM has four 48V 60 VDC connectors and 4 RTN connections. All eight of these connectors should be connected to DC power. Figure 2 on page 17 shows the terminal block cover removed from PEM A and the wiring required to connect PEM A to DC power. While operating the FortiGate 5140, both terminal block covers should be installed. Physical description of the FortiGate 5140 chassis: The power entry modules are hot swappable, which means you can remove and replace a defective PEM while the FortiGate 5140 is operating, assuming that the FortiGate 5140 system has both PEMs connected to DC power for redundancy. The back panel also includes the back cable tray, an ESD socket, and the chassis ground connector. The ground connector must be connected to Data Center ground. Use the back cable tray for securing and manag
22. • Two RJ-45 RS-232 serial console management connections • An RJ-45 Ethernet management connection • Mounting hardware • LED status indicators. Before you can connect any FortiController 5208 front panel interfaces, you must insert the XFP or SFP transceivers into the FortiController 5208 front panel cage slots. This chapter includes the following information about the FortiController 5208 board: • Front panel LEDs and connectors • Backplane gigabit interfaces • Installing XFP and SFP transceivers • Inserting a FortiController 5208 module into a chassis • Removing a FortiController 5208 module from a chassis • Troubleshooting. Front panel LEDs and connectors: From the FortiController 5208 front panel you can view the status of the board LEDs to verify that the board is functioning normally. LEDs also indicate connections and traffic for the front panel and backplane interfaces. You also connect the FortiController 5208 board to your network through the front panel XFP and SFP connections. The front panel also includes two RJ-45 serial console ports for connecting to the FortiController 5208 CLI and an Ethernet RJ-45 port for connecting to the CLI and GUI management interfaces over a network. Figure 34: FortiController 5208 front panel.
23. front panel ethernet connectors. The front panel also includes the RJ-45 console port for connecting to the FortiOS CLI and two USB ports. The USB ports can be used with a Fortinet USB key. For information about using the FortiUSB key, see the FortiGate 5000 Series Firmware and FortiUSB Guide. Table 10 lists and describes the FortiGate 5005FA2 board LEDs. Table 10: FortiGate 5005FA2 board LEDs (LED, State: Description). Fabric: ACT 2, Amber: Network activity at backplane fabric interface 2. LINK 2, Green: Backplane fabric interface 2 is connected at 1000 Mbps. ACT 1, Amber: Network activity at backplane fabric interface 1. LINK 1, Green: Backplane fabric interface 1 is connected at 1000 Mbps. Base: ACT 2, Amber: Network activity at backplane base interface 2 (backplane2). LINK 2, Green: Backplane base interface 2 (backplane2) is connected at 1000 Mbps. ACT 1, Amber: Network activity at backplane base interface 1 (backplane). LINK 1, Green: Backplane base interface 1 (backplane) is connected at 1000 Mbps. OOS (Out of Service): Off: Normal operation. Red: A fault condition exists and the FortiGate 5005FA2 blade is out of service (OOS). This LED may also flash very briefly during normal startup. ACC, Off or Flashing green: The ACC LED flashes green when the FortiGate 5005FA2 board accesses the FortiOS flash disk. The FortiOS flash disk stores the current FortiOS firmware build and configuration files. The syste
24. to a 10 gigabit network

Fabric channel interfaces

Table 18 lists and describes the FortiSwitch 5003A fabric channel interfaces. You can configure fabric interface settings, group fabric interfaces into trunks, and configure MSTP spanning tree settings for fabric interfaces from the FortiSwitch 5003A CLI.

Table 18: Fabric channel interfaces
Interface name (front panel) | Interface name (CLI) | Description
2 1 | slot 2 1 | Interface between fabric channel 1 and fabric channel 2. If there are two FortiSwitch 5003A boards installed in a chassis, this interface can be used to communicate between them. In some configurations you may have to disable this communication.
3 to 13 | slot 3 to slot 13 | Fabric backplane slots 3 to 13. The 3 to 13 fabric network activity LEDs are lit if there are FortiGate boards in chassis slots 3 to 13.
14 F8 | slot 14 f8 | Front panel interface 14 F8. Fabric backplane slot 14 and front panel interface 14 F8 share the same FortiSwitch 5003A switch port. By default the front panel interface 14 F8 is enabled and fabric backplane slot 14 is disabled. You can change this setting using a switch on the FortiSwitch 5003A board.
F1 to F7 | f1 to f7 | Front panel 10 gigabit fabric interfaces F1 to F7. Use these interfaces to connect your network to the fabric channel, to connect fabric channel 1 to fabric channel 2, or to connect a fabric channel on one chassis to a fabric channel on another chassis.
25. to distribute traffic to multiple FortiGate 5001A or 5005FA2 boards. Figure 26 shows a basic link aggregation configuration using a single FortiSwitch 5003A board. In this configuration the external switch is connected to FortiSwitch 5003A front panel f5 interface. The switch adds VLAN tags to traffic from the internal and external networks.

Figure 26: Basic link aggregation configuration
[Figure labels: Internal network; External network; External switch; Internal and external 10 gigabit networks connected to FortiSwitch 5003A front panel interface F7 and to fabric channel 1; VLAN tagged traffic; Six FortiGate RTM XB2 modules installed in RTM slots 6, 8, 9, 10, 11 and 13 to provide 10 gigabit fabric interfaces and NP2 acceleration for each FortiGate 5001A board; Distributed 10 gigabit data communication on fabric channel 1]

FortiSwitch 5003 system

The FortiSwitch 5003 board provides base backplane interface switching for the FortiGate 5140 chassis and the FortiGate 5050 chassis. You can use this switching for data communication or HA heartbeat communication between the base backplane interfaces of FortiGate 5000 series boards installed in slots 3 and up in these chassis. FortiSwitch 5003 boards can be used for base backplane
26. total of 112 FortiGate gigabit ethernet interfaces. If all 14 slots contain FortiGate 5001A boards, the FortiGate 5140 chassis supports 28 1-gigabit ethernet FortiGate interfaces. If you add FortiGate ADM XB2 modules to the FortiGate 5001A boards, the FortiGate 5140 chassis supports another 28 10-gigabit interfaces.

You can also install a FortiSwitch 5003A or FortiSwitch 5003 board in the FortiGate 5140 chassis to provide base backplane communications. Base backplane communications can be used for HA heartbeat communications and for data communications. You can add a second FortiSwitch 5003A or FortiSwitch 5003 board for redundancy. FortiSwitch 5003A boards can also provide fabric backplane communication using the FortiGate 5140 fabric backplane channels.

You can mix and match any combination of FortiGate 5000 series boards in the FortiGate 5140 chassis. For example, you could install four FortiGate 5005FA2 boards, four FortiGate 5001SX boards, and four FortiGate 5001FA2 boards. You can also install FortiController 5208 and FortiGate 5005FA2 boards in a FortiGate 5140 chassis to create a FortiGate 5005 DIST security system.

Some of the boards installed in a FortiGate 5140 chassis can be operating in a FortiGate HA cluster and some can be operating as standalone FortiGate units. You can also operate multiple HA clusters and standalone FortiGate units in a single FortiGate 5140 chassis. You can also use FortiSwitch 5003A or FortiSwitch 5003 boards to oper
27. use
COM1, COM2 | RJ-45 | 9600 bps | RS-232 serial | Serial connection to the command line interface.
MANAGEMENT | RJ-45 | 1000 Mbps | Ethernet | Ethernet management connection to the FortiController 5208 web-based manager and command line interface.

Backplane gigabit interfaces

The FortiController 5208 board uses the chassis backplane gigabit interfaces for all communication with boards installed in the chassis. This communication includes:
• Management communication between the primary FortiController 5208, the optional secondary FortiController 5208, and the FortiGate 5005FA2 boards
• Delivery of traffic data to the FortiGate 5005FA2 boards for processing
• Receiving processed traffic from the FortiGate 5005FA2 boards
• If installed, the secondary FortiController 5208 board also delivers data traffic to the FortiGate 5005FA2 boards and receives the processed traffic from them

No front panel cables are required for connections between the installed boards. Once the FortiController 5208 board is configured as the primary and the FortiGate 5005FA2 boards are configured to use the LDB firmware, all communication between the installed boards is automatic and requires no configuration.
28. 0 series boards installed in multiple FortiGate 5000 chassis. You can also use FortiSwitch 5003A boards for fabric data communication between chassis.

The FortiGate 5050 chassis requires 48VDC Data Center DC power. If DC power is not available, you can install a FortiGate 5053 power converter tray (purchased separately) with FortiGate 5020 5050 power supplies.

FortiGate 5050 front panel

Figure 5 shows the front of a FortiGate 5050 chassis. Two FortiSwitch 5003 boards are installed in slots 1 and 2. Three FortiGate 5001SX boards are installed in slots 3, 4, and 5. The FortiGate 5050 primary and secondary Shelf Managers and the Shelf Alarm Panel (SAP) are also visible. The factory installed shelf alarm panel displays alarms, provides a telco alarm interface, and also provides serial connections to the shelf managers. The factory installed shelf managers provide power distribution, cooling, alarms, and shelf status for the FortiGate 5050 chassis.

Figure 5: FortiGate 5050 front panel with FortiGate 5001SX and FortiSwitch 5003 boards installed
[Figure labels: FortiGate 5001SX boards, slots 3, 4 and 5; Hot swappable cooling fan tray; FortiSwitch 5003 boards, slots 1 and 2; Power LED; ESD socket; Secondary Shelf Manager (SMC 2); Shelf Alarm Panel (SAP); Primary Shelf Manager (SMC 1)]
29. 050 or FortiGate 5140 chassis with one or two Input/Output or I/O boards (FortiController 5208 boards) and one or more worker boards (FortiGate 5005FA2 boards running in DIST mode). The I/O boards provide 10 gigabit and 1 gigabit network connections and distribute traffic to the worker boards. The worker boards provide FortiGate security system functions including firewall, VPN, IPS, antivirus, antispam, and so on.

The following topics are included in this section:
• Basic FortiGate security system configuration
• FortiController 5208 I/O boards
• FortiGate 5005FA2 worker boards
• FortiGate 5005 DIST security system chassis
• FortiGate 5005 DIST interface names

Basic FortiGate security system configuration

A basic FortiGate security system consists of a single FortiController 5208 board and four FortiGate 5005 boards installed in a FortiGate 5050 or FortiGate 5140 chassis (see Figure 29 on page 68). This system can be installed in NAT/Route mode between the Internet and a private network. In this configuration the FortiGate 5005 DIST security system can provide FortiGate services to 10 gigabit traffic passing between the private network and the Internet.

Figure 29: Example basic FortiGate 5005 DIST security system
[Figure labels: FortiGate 5005 DIST security system in NAT/Route mode]
30. Table 12: FortiGate 5001FA2 LENC board LEDs (Continued)
LED | State | Description
5, 6, 7, 8 Link LED | Green | The correct cable is inserted into this interface and the connected equipment has power.
5, 6, 7, 8 Link LED | Flashing | Network activity at this interface.
5, 6, 7, 8 Speed LED | Green | The interface is connected at 1000 Mbps.
5, 6, 7, 8 Speed LED | Amber | The interface is connected at 100 Mbps.
5, 6, 7, 8 Speed LED | Unlit | The interface is connected at 10 Mbps.

Connectors

Table 13 lists and describes the FortiGate 5001FA2 LENC connectors.

Table 13: FortiGate 5001FA2 LENC connectors
Connector | Type | Speed | Protocol | Description
1 and 2 | LC SFP | 1000Base-SX | Ethernet | Two accelerated gigabit SFP interfaces that can accept optical or copper gigabit transceivers. These interfaces only operate at 1000 Mbps. The accelerated interface connectors are inverted compared to connectors 3 and 4.
3 and 4 | LC SFP | 1000Base-SX | Ethernet | Two gigabit SFP interfaces that can accept optical or copper gigabit transceivers. These interfaces only operate at 1000 Mbps.
5, 6, 7, 8 | RJ-45 | 10/100/1000Base-T | Ethernet | Copper gigabit connection to 10/100/1000Base-T copper networks.
CONSOLE | DB-9 | 9600 bps 8/N/1 | RS-232 serial | Serial connection to the command line interface.
USB | USB | | | FortiUSB key firmware updates and configuration backup.

Accelerated p
31. FortiGate 5005 DIST security system
FortiController 5208 system
Warnings and cautions
About Data Center DC Power
Fortinet documentation
Fortinet Tools and Documentation CD
Fortinet Knowledge Center
Comments on Fortinet technical documentation
Customer service and technical support
Register your Fortinet product
FortiGate 5140 R chassis
FortiGate 5140 chassis front panel
FortiGate 5140 chassis back panel
Physica
32. 5000 series board in both slots you can configure the boards to operate as an HA cluster. HA heartbeat communications between the boards uses the FortiGate 5020 base backplane communication channel. No extra switching or other connections are required.

You can also use the base backplane channels for data communication between the FortiGate 5000 series boards installed in the FortiGate 5020 chassis. You can configure base backplane communication between two identical FortiGate 5000 series boards (for example, between two FortiGate 5001SX boards) or between different FortiGate 5000 series boards (for example, between a FortiGate 5001SX and a FortiGate 5005FA2 board), as long as both boards use the same base backplane channel.

The FortiGate 5020 chassis can only be connected to AC power. Two redundant FortiGate 5020 5050 power supplies are factory installed in the FortiGate 5020 chassis.

FortiGate 5020 front panel

Figure 9 shows the front of a FortiGate 5020 chassis. A FortiGate 5001SX board and a FortiGate 5005FA2 board are installed. The FortiGate 5020 5050 power supplies are factory installed behind the panel at the top of the chassis. The power LEDs for the power supplies are visible on the front panel as well.

Figure 9: FortiGate 5020 front panel with two FortiGate series boards
[Figure labels: Hot swappable FortiGate 5020 5050 power supplies (behind panel); PSU B; Power LEDs; FortiGate 5001SX; FortiGate 5005FA2; Hot swappable cooling fan tray]
33. • Firewall and intrusion protection (IPS) when there is a reasonable percentage of P2P packets
• Firewall, intrusion protection (IPS), and antivirus when there is a reasonable percentage of P2P packets
• Firewall and IPSec VPN applications

The following traffic scenarios should be handled by the normal or non-accelerated FortiGate 5005FA2 interfaces:
• Session oriented traffic when the session lifetime is very short
• Firewall and antivirus only applications. Traffic will not be off-loaded to the FortiGate 5005FA2 accelerator module. The result will be high CPU usage because of the high CPU requirement for antivirus scanning.

FA2 interfaces and active-active HA performance

FortiOS v3.0 MR4 firmware can also use FA2 acceleration to improve active-active HA load balancing performance. See the FortiGate HA Overview or the FortiGate HA Guide for more information.

Base backplane gigabit communication

The FortiGate 5005FA2 base1 and base2 backplane gigabit interfaces can be used for HA heartbeat communication between FortiGate 5005FA2 boards installed in the same or in different FortiGate 5000 chassis. You can also configure FortiGate 5005FA2 boards to use the base backplane interfaces for data communication between FortiGate boards. To support base backplane communications, your FortiGate 5140 or FortiGate 5050 chassis must include one or more FortiS
34. Table 24: FortiGate 5005 DIST interface naming
FortiController 5208 location | FortiController 5208 front panel interface names | Web-based manager and CLI interface names
Primary FortiController 5208 board installed in chassis slot 1 | X1 | port1_X1
 | X2 | port1_X2
 | 1 | port1_1
 | 2 | port1_2
 | 3 | port1_3
 | 4 | port1_4
 | Management | mng
Secondary FortiController 5208 board installed in chassis slot 2 | X1 | port2_X1
 | X2 | port2_X2
 | 1 | port2_1
 | 2 | port2_2
 | 3 | port2_3
 | 4 | port2_4
 | Management | Not used

FortiController 5208 system

You can create a FortiGate 5005 DIST high throughput multi-threat network security system using one or two FortiController 5208 boards and multiple FortiGate 5005 boards in a FortiGate 5050 or FortiGate 5140 chassis. A FortiGate 5020 chassis cannot be used to create a FortiGate 5005 DIST system.

Functionally, one or two FortiController 5208 boards using the processing power of multiple FortiGate 5005 boards function much like a single FortiGate unit, but with far greater capacity. In a FortiGate 5005 DIST configuration, the FortiGate 5005FA2 boards are used only for their processing power. The FortiController 5208 assigns tasks to each FortiGate 5005FA2 board and provides all external connections to the network. Given t
35. FA2 LENC interfaces:
• Session oriented traffic when the session lifetime is very short
• Firewall and antivirus only applications. Traffic will not be off-loaded to the FortiGate 5001FA2 LENC accelerator module. The result will be high CPU usage because of the high CPU requirement for antivirus scanning.

FA2 interfaces and active-active HA performance

FortiOS v3.0 MR4 firmware can also use FA2 acceleration to improve active-active HA load balancing performance. See the FortiGate HA Overview or the FortiGate HA Guide for more information.

Base backplane gigabit communication

The FortiGate 5001FA2 LENC port9 and port10 base backplane gigabit interfaces can be used for HA heartbeat communication between FortiGate 5001FA2 LENC boards installed in the same or in different FortiGate 5000 chassis. You can also configure FortiGate 5001FA2 LENC boards to use the base backplane interfaces for data communication between FortiGate boards.

To support base backplane communications, your FortiGate 5140 or 5050 chassis must include one or more FortiSwitch 5003 boards. FortiSwitch 5003 boards are installed in chassis slots 1 and 2. The FortiGate 5020 chassis supports base backplane communication with no additions or changes to the chassis.

For information about base backplane communication in FortiGate 5140 and FortiGate 5050 chassis, see the FortiGate 5000 Base Backplane Communication Guide. For information about the FortiSwitch 5003 board, see the Forti
36. Gate RTM XB2 interface or that enters one FortiGate RTM XB2 interface and exits the other. For more information about Fortinet NP2 processor acceleration, see the Fortinet Hardware Acceleration Technical Note.

Figure 16: FortiGate RTM XB2 front panel
[Figure labels: RTM XB2; Retention screws; Power; Handle]

The FortiGate RTM XB2 module includes the following features:
• Two fabric backplane 10 gigabit interfaces for 10 gigabit data communications across a FortiGate 5000 chassis backplane
• Two NP2 processors connected by an Enhanced Extension Interface (EEI) that provide hardware accelerated network processing
• Mounting hardware
• Power LED

Note: On some versions of the FortiGate 5001A firmware, when a FortiGate 5001A board starts up with a FortiGate RTM XB2 module installed, the fabric1 and fabric2 interfaces are replaced with interfaces that are named RTM 1 and RTM 2 to indicate the presence of the FortiGate RTM XB2 module. Configuration settings that include the fabric1 and fabric2 interface names will have to be changed to use the RTM 1 and RTM 2 interface names.

Front panel LED

The FortiGate RTM XB2 front panel includes a power LED.

Table 9: FortiGate RTM XB2 power LED
LED | State | Description
 | Green | The FortiGate RTM XB2 module is powered on and p
37. Indicates a hardware or software problem with the FortiSwitch 5003 board.
Hot Swap | Blue | Indicates the FortiSwitch 5003 board is ready to be hot swapped. During a hot swap the LED is on. The LED turns off when the FortiSwitch 5003 board is correctly installed.
Reset | | Press and hold Reset for three seconds to restart the FortiSwitch 5003 switch board.

About the ZRE network activity LEDs

The ZRE network activity LEDs show links and network activity for the interfaces and connections listed in Table 22.

Figure 28: FortiSwitch 5003 ZRE network activity LEDs

Table 22: ZRE network activity LEDs, FortiSwitch 5003 interfaces and connections
ZRE network activity LED | Interface or connection
0 | ZRE0 front panel interface.
1 | ZRE1 front panel interface.
2 | ZRE2 front panel interface.
3 to 14 | Base backplane connection to FortiGate 5000 series boards in chassis slots 3 to 14.
15 | Base backplane link. Indicates that the FortiSwitch 5003 board can connect to the base backplane interface.

Connectors

Table 23 lists and describes the FortiSwitch 5003 front panel connectors.

Table 23: FortiSwitch 5003 connectors
Connector | Type | Speed | Protocol | Description
ETH0 | RJ-45 | 100Base-T | Ethernet | Front panel out of band management interface. A second out of
38. LEDs
About the ZRE network activity LEDs
Connectors
Base backplane communications
The FortiGate 5005 DIST security system
Basic FortiGate security system configuration
FortiController 5208 I/O boards
FortiGate 5005FA2 worker boards
FortiGate 5005 DIST security system chassis
FortiGate 5140 chassis
FortiGate 5050 chassis
FortiGate 5005 DIST interface names
FortiController 5208 system
Front panel LEDs and connectors
LEDs
39. P | 1000Base-SX | Ethernet | Two accelerated gigabit SFP interfaces that can accept fiber or copper gigabit transceivers. These interfaces only operate at 1000 Mbps. The accelerated interface connectors are inverted compared to connectors 1 to 6.
CONSOLE | RJ-45 | 9600 bps 8/N/1 | RS-232 serial | Serial connection to the command line interface.
USB | USB | | | FortiUSB key firmware updates and configuration backup.

Accelerated packet forwarding and policy enforcement

FortiGate 5005FA2 accelerated packet forwarding and policy enforcement results in accelerated small packet performance required for voice, video, and other multimedia streaming applications. The following traffic scenarios are recommended for the accelerated interfaces:
• Small packet applications, such as voice over IP (VoIP). The FortiGate 5005FA2 accelerated interfaces provide wire speed performance for small packet applications.
• Latency sensitive applications, such as multimedia. The FortiGate 5005FA2 accelerated interfaces add much less latency than normal (non-accelerated) interfaces.
• Session oriented traffic with long session lifetime, such as FTP sessions. Packet size does not affect performance for traffic with long session lifetime. For long sessions, processing that would otherwise be handled by the FortiGate 5005FA2 CPUs is off-loaded to the acceleration module.
40. SFP interface
5, 6, 7, 8 Link LED | Green | The correct cable is inserted into this interface and the connected equipment has power.
5, 6, 7, 8 Link LED | Flashing | Network activity at this interface.
5, 6, 7, 8 Speed LED | Green | The interface is connected at 1000 Mbps.
5, 6, 7, 8 Speed LED | Amber | The interface is connected at 100 Mbps.
5, 6, 7, 8 Speed LED | Unlit | The interface is connected at 10 Mbps.

Connectors

Table 15 lists and describes the FortiGate 5001SX connectors.

Table 15: FortiGate 5001SX connectors
Connector | Type | Speed | Protocol | Description
1, 2, 3, 4 | LC SFP | 1000Base-SX | Ethernet | Four gigabit SFP interfaces that can accept fiber or copper gigabit transceivers. These interfaces only operate at 1000 Mbps.
5, 6, 7, 8 | RJ-45 | 10/100/1000Base-T | Ethernet | Copper gigabit connection to 10/100/1000Base-T copper networks.
CONSOLE | DB-9 | 9600 bps 8/N/1 | RS-232 serial | Serial connection to the command line interface.
USB | USB | | | FortiUSB key firmware updates and configuration backup (FortiOS v3.0).

Base backplane gigabit interfaces

The FortiGate 5001SX port9 and port10 base backplane gigabit interfaces can be used for HA heartbeat communication between FortiGate 5001SX boards installed in the same or in different FortiGate 5000 chassis. You can also configure FortiGate 5001SX boards to use the
41. Switch 5003 Guide

FortiGate 5001SX security system

The FortiGate 5001SX security system is a high performance FortiGate security system with a total of 8 front panel gigabit ethernet interfaces and two base backplane interfaces. Use the front panel interfaces for connections to your networks and the backplane interfaces for communication between FortiGate 5000 series boards over the FortiGate 5000 chassis backplane.

You can also configure two or more FortiGate 5001SX boards to create a high availability (HA) cluster using the base backplane interfaces for HA heartbeat communication through the chassis backplane, leaving all eight front panel gigabit interfaces available for network connections.

The FortiGate 5001SX board also supports high-end FortiGate features including 802.1Q VLANs, multiple virtual domains, 802.3ad aggregate interfaces, and FortiGate 5000 chassis monitoring.

Figure 20: FortiGate 5001SX front panel
[Figure labels: Flash Disk Access; Module Position; Link/Traffic; USB; Mounting knots; Extraction levers; Locking screw; RS-232 Serial; 1, 2, 3, 4 SFP Gigabit fiber or copper; 5, 6, 7, 8 Gigabit Copper]

The FortiGate 5001SX board includes the following features:
• A total of eight front panel gigabit interfaces
• Four gigabit interfaces that
42. [Figure labels: X2 (port1_X2); 204.23.1.5; NAT mode policies controlling 10G traffic between internal and external networks; Management interface (mng); X1 (port1_X1); 192.168.1.99; Internal network]

FortiController 5208 I/O boards

Data flows into and out of the FortiGate 5005 DIST system through the I/O boards. The I/O boards are FortiController 5208 boards installed in chassis slots 1 and 2 in a FortiGate 5050 or FortiGate 5140 chassis. The I/O board installed in slot 1 is configured as the primary I/O board. The optional I/O board installed in slot 2 becomes the secondary I/O board. A FortiGate 5005 DIST system can include one or two I/O boards.

As the I/O board, the FortiController 5208 provides all FortiGate 5005 DIST network connections. The FortiController 5208 board provides two 10 gigabit interfaces and four 1 gigabit interfaces for network traffic. The FortiController 5208 front panel also contains four 1 gigabit interfaces. Two of these interfaces support inter-chassis HA and two are for future use. Adding a second FortiController 5208 board doubles the number of FortiGate 5005 DIST network interfaces.

Figure 30: FortiController 5208 front panel
[Figure labels: SFP Gigabit Fiber or Copper; X1, X2 XFP 10 Gigabit Fiber or Copper; Management; RJ-45 Serial; Mounting knots; Status; Link/Traffic]
43. acceleration, see the Fortinet Hardware Acceleration Technical Note. Follow the instructions in the FortiGate RTM XB2 System Guide to install the FortiGate RTM XB2 module.

AMC modules

You can install one FortiGate AMC Double width Module (ADM) in the FortiGate 5001A DW front panel AMC double width opening. For example:
• The FortiGate ADM XB2 provides 2 NP2 accelerated XFP 10 gigabit interfaces.
• The FortiGate ADM FB8 provides 8 NP2 accelerated SFP 1 gigabit interfaces.

Figure 14: FortiGate ADM XB2

You can install one FortiGate AMC Single width Module (ASM) in the FortiGate 5001A SW front panel AMC single width opening. For example:
• The FortiGate ASM FB4 provides 4 NP2 accelerated SFP 1 gigabit interfaces.
• The FortiGate ASM S08 adds a removable hard disk that you can use to store log files and content archives.

Figure 15: FortiGate ASM FB4

Note: You can operate a FortiGate 5001A board with both a FortiGate RTM XB2 module and a supported FortiGate AMC module installed at the same time.

FortiGate RTM XB2 system

The FortiGate RTM XB2 system provides two 10 gigabit fabric ba
44. acket forwarding and policy enforcement

FortiGate 5001FA2 LENC accelerated packet forwarding and policy enforcement results in accelerated small packet performance required for voice, video, and other multimedia streaming applications. The following traffic scenarios are recommended for the accelerated interfaces:
• Small packet applications, such as voice over IP (VoIP). The FortiGate 5001FA2 LENC accelerated interfaces provide wire speed performance for small packet applications.
• Latency sensitive applications, such as multimedia. The FortiGate 5001FA2 LENC accelerated interfaces add much less latency than normal (non-accelerated) interfaces.
• Session oriented traffic with long session lifetime, such as FTP sessions. Packet size does not affect performance for traffic with long session lifetime. For long sessions, processing that would otherwise be handled by the FortiGate 5001FA2 LENC CPUs is off-loaded to the acceleration module.
• Firewall and intrusion protection (IPS) when there is a reasonable percentage of P2P packets
• Firewall, intrusion protection (IPS), and antivirus when there is a reasonable percentage of P2P packets
• Firewall and IPSec VPN applications

The following traffic scenarios should be handled by the normal or non-accelerated FortiGate 5001
45. also includes an out of band management ethernet interface and the RJ-45 console port for connecting to the FortiSwitch 5003 CLI.

Figure 27: FortiSwitch 5003 front panel
[Figure labels: Power LED; Management 100Base-TX Ethernet; CONSOLE RJ-45 Serial; ZRE Network Activity LEDs (ZRE 0 to 15); LED Mode Switch; Reset Switch; Extraction levers; ZRE0, ZRE1, ZRE2 base backplane interfaces, 10/100/1000Base-T Ethernet; Hot Swap LED; Out of Service LED; Mounting knots]

LEDs

Table 21 lists and describes the FortiSwitch 5003 board front panel LEDs.

Table 21: FortiSwitch 5003 board front panel LEDs and switches
LED | State | Description
 | Off | Normal operation.
 | Red | Out of service. The LED turns on if the FortiSwitch 5003 board fails. The LED may also flash briefly when the board is powering on.
 | Green | The FortiSwitch 5003 board is powered on and operating normally.
 | Yellow | Caution status. Caution status is indicated by the fault condition of the CLOCK, OK, or INT FLT LEDs.
 | Off | The board is not connected to power.
System | Off | Normal operation.
E0, E1 | Yellow or Green | Link status of out of band management interfaces (not used).
ZRE 0-15 | Green | Link/Activity mode: Blinking to indicate network traffic on this ZRE int
46. and describes the FortiGate 5001FA2 LENC board LEDs.

Table 12: FortiGate 5001FA2 LENC board LEDs
LED | State | Description
PWR | Green | The FortiGate 5001FA2 board is powered on.
ACC | Off or flashing red | The ACC LED flashes red when the FortiGate 5001FA2 LENC board accesses the FortiOS flash disk. The FortiOS flash disk stores the current FortiOS firmware build and configuration files. The system accesses the flash disk when starting up, during a firmware upgrade, or when an administrator is using the CLI or GUI to change the FortiOS configuration. Under normal operating conditions this LED flashes occasionally, but is mostly off.
STA | Green | Normal operation.
STA | Red | The FortiGate 5001FA2 LENC is booting or a fault condition exists.
IPM | Blue | The FortiGate 5001FA2 LENC is ready to be hot swapped (removed from the chassis). If the IPM light is blue and no other LEDs are lit, the FortiGate 5001FA2 LENC board has lost power, possibly because of a loose or incorrectly aligned left handle.
IPM | Flashing blue | The FortiGate 5001FA2 LENC is changing from hot swap to running mode or from running mode to hot swap.
IPM | Off | Normal operation. The FortiGate 5001FA2 LENC board is in contact with the chassis backplane.
1, 2, 3, 4 | Green | The correct cable is connected to the gigabit SFP interface.
1, 2, 3, 4 | Flashing | Network activity at the gigabit SFP interface.
47. [Figure labels: Double width AMC opening; Console; network activity LEDs; CONSOLE; Retention screws; Extraction levers; port1 and port2 10/100/1000 Copper Interfaces; ACC, OOS, Power and Status LEDs; board position]

Figure 12: FortiGate 5001A SW front panel
[Figure labels: RJ-45 Console; Fabric and Base network activity LEDs; Single width AMC opening; CONSOLE; Retention screws; Extraction levers; port1 and port2 10/100/1000 Copper Interfaces; ACC, OOS, Power and Status LEDs; board position]

The FortiGate 5001A board includes the following features:
• Two front panel 10/100/1000Base-T copper 1 gigabit ethernet interfaces
• Two base backplane 1 gigabit interfaces (Base CH0 and Base CH1 on the front panel and base1 and base2 in the firmware) for HA heartbeat and data communications across the FortiGate 5000 chassis backplane
• Two fabric backplane interfaces (Fabric CH0 and Fabric CH1 on the front panel and fabric1 and fabric2 in the firmware) for HA heartbeat and data communications across the FortiGate 5000 chassis backplane. The fabric backplane interfaces operate at 1 Gbps. If you install a FortiGate RTM XB2 module, the fabric backplane interfaces operate at 10 Gbps.
• One double width AMC opening (FortiGate 5001A DW board)
• One single width AMC opening (FortiGate 5001A SW board)
• RJ-45 RS-232 serial console connection
• 2 USB connectors
48. ate HA clusters consisting of FortiGate 5000 series boards installed in multiple FortiGate 5000 chassis. You can also use FortiSwitch 5003A boards for fabric data communication between chassis.

    The FortiGate 5140 chassis requires 48VDC Data Center DC power. If DC power is not available, you can install a FortiGate 5053 power converter tray (purchased separately) with FortiGate 5140 power supplies.

    FortiGate 5140 chassis front panel

    Figure 1 shows the front panel of a FortiGate 5140 chassis. Two FortiSwitch 5003A boards are installed in slots 1 and 2. Twelve FortiGate 5001A DW boards are installed in slots 3 to 14.

    [Figure 1: FortiGate 5140 chassis front panel with FortiGate 5001A DW and FortiSwitch 5003A boards installed. Callouts: FortiGate 5001A DW boards (slots 3, 5, 7, 9, 11 and 13); FortiGate 5001A DW boards (slots 4, 6, 8, 10, 12 and 14); FortiSwitch 5003A boards (slots 1 and 2); ESD socket; shelf alarm panel (SAP); slot numbers; primary shelf manager; secondary shelf manager; air filter; front cable tray; cooling fan trays 0, 1, 2.]

    The FortiGate 5140 shelf alarm panel (SAP) and primary and secondary FortiGate 5140 Shelf Managers are also visible. The factory installed shelf alarm panel displays alarms
49. ation but can be used now for board to board 1 gigabit operation. In FortiGate 5140 and FortiGate 5050 chassis you must install a FortiSwitch 5003 board or another backplane switching product to support backplane communication. For details about the FortiGate 5001A security system, see "FortiGate 5001A security system" on page 33.

    The FortiGate 5001A DW front panel includes a double width Advanced Mezzanine Card (AMC) opening. You can install a supported FortiGate AMC Double width Module (ADM), such as the FortiGate ADM XB2 or the FortiGate ADM FB8, in the AMC opening. The FortiGate ADM XB2 adds two accelerated 10 gigabit interfaces to the FortiGate board and the FortiGate ADM FB8 adds 8 accelerated 1 gigabit interfaces.

    The FortiGate 5001A SW (single width) includes a single width AMC opening. You can install a supported FortiGate AMC Single width Module (ASM), such as the FortiGate ASM FB4 or the FortiGate ASM S08, in the AMC opening. The FortiGate ASM FB4 adds four accelerated 1 gigabit interfaces to the FortiGate board and the FortiGate ASM S08 adds a removable hard disk that you can use to store log files and content archives.

    FortiGate RTM XB2 module

    The FortiGate RTM XB2 system is a rear transition module (RTM) that provides two 10 gigabit fabric backplane interfaces and NP2 processor acce
50. boards are installed in slots 3, 4 and 5. The FortiGate 5050 primary Shelf Manager is also visible. The factory installed shelf managers provide power distribution, cooling, alarms, shelf status, and a telco alarm interface for the FortiGate 5050 chassis.

    [Figure 7: FortiGate 5050 front panel with FortiGate 5001SX and FortiSwitch 5003 boards installed. Callouts: hot swappable cooling fan tray; FortiSwitch 5003 boards (slots 1 and 2); Power LED; ESD socket; FortiGate 5050 Shelf Manager.]

    Also visible on the front of the FortiGate 5050:

    - Electrostatic discharge (ESD) socket, used for connecting an ESD wrist or ankle band when working with the chassis.
    - The location of the hot swappable FortiGate 5050 cooling fan tray (behind panel).
    - Power LED.

    Caution: Do not operate the FortiGate 5050 chassis with open slots on the front panel. For optimum cooling performance and safety, the slots must contain a FortiGate 5000 series board or an air baffle slot filler. As well, the removable power supply panel must be installed over the power connectors on the back of the chassis.

    FortiGate 5050 back panel

    Figure 8 shows the back panel of a FortiGate 5050 chassis. The back panel includes two redundant 48V to 58V DC power input connectors labelled Input A and Input B. The power input connectors provide redundant DC power connections for the FortiGate 5050 chassis and distribute DC power to the fan tray and the FortiGate 5000 series boa
51. bric backplane channels.

    You can mix and match any combination of FortiGate 5000 series boards in the FortiGate 5050 chassis. For example, you could install two FortiGate 5005FA2 boards, two FortiGate 5001SX boards, and one FortiGate 5001FA2 board. You can also install FortiController 5208 and FortiGate 5005FA2 boards in a FortiGate 5050 chassis to create a FortiGate 5005 DIST security system.

    Some of the boards installed in a FortiGate 5050 chassis can be operating in a FortiGate HA cluster and some can be operating as standalone FortiGate units. You can also operate multiple HA clusters and standalone FortiGate units in a single FortiGate 5050 chassis.

    You can also use FortiSwitch 5003A or FortiSwitch 5003 boards to operate HA clusters consisting of FortiGate 5000 series boards installed in multiple FortiGate 5000 chassis. You can also use FortiSwitch 5003A boards for fabric data communication between chassis.

    The FortiGate 5050 chassis requires 48VDC Data Center DC power. If DC power is not available, you can install a FortiGate 5053 power converter tray (purchased separately) with FortiGate 5020/5050 power supplies.

    FortiGate 5050 front panel

    Figure 7 shows the front of a FortiGate 5050 chassis. Two FortiSwitch 5003 boards are installed in slots 1 and 2. Three FortiGate 5001SX
52. ckplane interfaces and NP2 processor acceleration for FortiGate 5001A boards installed in FortiGate 5140 and FortiGate 5050 chassis.

    The FortiGate RTM XB2 is an ATCA rear transition module (RTM) that installs into an RTM slot at the back of a FortiGate 5140 and FortiGate 5050 chassis. You must install one FortiGate RTM XB2 module for each FortiGate 5001A board. Each chassis front panel slot has a corresponding RTM slot. The FortiGate RTM XB2 module must be installed in the RTM slot that corresponds to the front panel slot in which you will install a FortiGate 5001A board. For example, if the FortiGate 5001A board will be installed in front panel slot 3, install the FortiGate RTM XB2 module for this board in RTM slot 3.

    Caution: To avoid damaging components, you should install the FortiGate RTM XB2 module first, before you install the corresponding FortiGate 5001A board. If you have already installed the FortiGate 5001A board, you should remove it before installing the FortiGate RTM XB2 module. Except for this limitation, FortiGate RTM XB2 modules are hot swappable.

    The FortiGate RTM XB2 NP2 processors provide hardware accelerated network processing for eligible traffic passing through the FortiGate RTM XB2 interfaces. Each FortiGate RTM XB2 interface is connected to an NP2 processor and the NP2 processors are connected by an Enhanced Extension Interface (EEI). The FortiGate RTM XB2 can accelerate eligible traffic that enters and exits the same Forti
53. condary FortiController 5208 board will be synchronized to the control LEDs of the primary, because all the installed boards use the same fabric backplane network to communicate. Each FortiController 5208 board has its own base backplane network with which to exchange data traffic with the worker boards, so the data LEDs of each FortiController 5208 board will indicate only its own communication.

    Connectors

    Table 26 lists and describes the FortiController 5208 board connectors.

    Table 26: FortiController 5208 connectors

    | Connector | Type | Speed | Protocol | Description |
    |---|---|---|---|---|
    | X1, X2 | XFP | 10 Gbps | Ethernet | Two 10 gigabit XFP interfaces that can accept fiber or copper transceivers. These interfaces operate only at 10 Gbps. See "Installing XFP and SFP transceivers" on page 9 for more information. |
    | 1, 2, 3, 4 | LC SFP | 1000 Mbps | Ethernet | Four 1 gigabit SFP interfaces that can accept fiber or copper transceivers. These interfaces operate only at 1000 Mbps. See "Installing XFP and SFP transceivers" on page 9 for more information. |
    | D15, D16 | LC SFP | 1000 Mbps | Ethernet | Two 1 gigabit SFP interfaces used for inter-chassis high availability (HA) connections. |

    C15, C16: LC SFP. For future
54. e FortiGate 5140 chassis

    Physical description of the FortiGate 5140 chassis

    The FortiGate 5140 chassis is a 12U chassis that can be installed in a standard 19-inch rack. Table 3 describes the physical characteristics of the FortiGate 5140 chassis.

    Table 3: FortiGate 5140 chassis physical description

    - Dimensions: 21 x 19 x 16.8 in. (53.3 x 48.3 x 42.7 cm) (H x W x D)
    - Shipping weight: 110 lb (50 kg), completely assembled with packaging
    - Operating environment: temperature 32 to 104°F (0 to 40°C); relative humidity 5 to 95%, non-condensing
    - Storage environment: temperature -13 to 158°F (-25 to 70°C); relative humidity 5 to 95%, non-condensing
    - Power consumption: maximum 2,980W DC
    - Power input: 2x redundant 48VDC to 58VDC

    FortiGate 5050 R chassis

    You can install up to five FortiGate 5000 series boards in the five slots of the FortiGate 5050 ATCA chassis. The FortiGate 5050 is a 5U 19-inch rackmount ATCA chassis that contains two redundant DC power connections that connect to 48 VDC Data Center DC power. The FortiGate 5050 chassis also includes a hot swappable cooling fan tray.

    If all five slots contain FortiGate 5005FA2, FortiGate 5001SX, or FortiGate 5001FA2 boards, the FortiGate 5050 chassis provides a total of 40 FortiGate gigabit ethernet
55. e at the location at which the FortiGate 5140 or FortiGate 5050 chassis is being installed.

    Fortinet documentation

    The most up-to-date publications and previous releases of Fortinet product documentation are available from the Fortinet Technical Documentation web site at http://docs.forticare.com.

    Fortinet Tools and Documentation CD

    All Fortinet documentation is available from the Fortinet Tools and Documentation CD shipped with your Fortinet product. The documents on this CD are current at shipping time. For up-to-date versions of Fortinet documentation, see the Fortinet Technical Documentation web site at http://docs.forticare.com.

    Fortinet Knowledge Center

    Additional Fortinet technical documentation is available from the Fortinet Knowledge Center. The knowledge center contains troubleshooting and how-to articles, FAQs, technical notes, and more. Visit the Fortinet Knowledge Center at http://kc.forticare.com.

    Comments on Fortinet technical documentation

    Please send information about any errors or omissions in this document, or any Fortinet technical documentation, to techdoc@fortinet.com.

    Customer service and technical support

    Fortinet Technical Support provides services designed to make sure that your Fortinet systems install quickly, configure easily, and operate reliably in your network. Please visit the Fortinet Technical Support web site at http://support.fortinet.com to learn about the technical support services that Fortin
56. erface. Table 22 on page 63 lists the ZRE LEDs and the network interface that each represents. Link Speed mode: 100 Mbps connection.

    Table 21: FortiSwitch 5003 board front panel LEDs and switches

    | LED | State | Description |
    |---|---|---|
    | ZRE network activity LEDs (LED Mode switch changes mode) | Yellow | Link Activity mode: The interface is disabled and cannot forward packets (not used). Link Speed mode: 1000 Mbps connection. |
    | ZRE network activity LEDs (LED Mode switch changes mode) | Off | Link Activity mode: No link. Link Speed mode: 10 Mbps connection. |
    | LED Mode | | Change the ZRE network activity LED display mode. Normally the ZRE switch network activity LEDs operate in Link Activity mode. In this mode the LEDs flash green to indicate a link and to indicate network traffic. Press this button to switch the ZRE LEDs to Link Speed mode. In Link Speed mode the ZRE LEDs use a solid color to indicate a link. The color of the LED indicates the speed of the link. |
    | CLK | Flashing green | Initialization completed successfully. |
    | OK | Green | Initialization completed successfully. |
    | EXT FLT | Off | Normal operation. |
    | EXT FLT | Yellow | Cannot establish a link to a configured interface, or another connection problem external to the FortiSwitch 5003 board. This LED may indicate issues that do not affect normal operation. |
    | INT FLT | Off | Normal operation. |
    | INT FLT | Yellow | Failure of internal tests |
57. es for communication between FortiGate 5000 series boards over the FortiGate 5000 chassis backplane.

    You can also configure two or more FortiGate 5005FA2 boards to create a high availability (HA) cluster using the base backplane interfaces for HA heartbeat communication through the chassis backplane, leaving all eight front panel gigabit interfaces available for network connections. FortiGate 5005FA2 front panel interfaces 7 and 8 also include accelerated packet forwarding and policy enforcement for faster small packet performance.

    Using backplane base and fabric interfaces, the FortiGate 5005FA2 also functions as the worker board in a FortiGate 5005 DIST security system.

    The FortiGate 5005FA2 board also supports high end FortiGate features including 802.1Q VLANs, multiple virtual domains, 802.3ad aggregate interfaces, and FortiGate 5000 chassis monitoring.

    [Figure 18: FortiGate 5005FA2 front panel. Callouts: fabric and base network activity LEDs; interfaces 7 and 8 (SFP gigabit, fiber or copper, accelerated); interfaces 1 to 6 (SFP gigabit, fiber or copper); link/traffic LEDs; USB; mounting knot; module position; extraction lever; RJ-45 serial; flash disk access.]

    The FortiGate 5005FA2 board includes the following features:

    A total of eight front panel gigabit interfaces that can accept Small Formfactor Pluggable (SFP) fiber or copper gigabit transceivers:

    - Six standard gigabit interfaces (interfaces 1 to 6)
    - Tw
58. et provides.

    Register your Fortinet product

    Register your Fortinet product to receive Fortinet customer services such as product updates and technical support. You must also register your product for FortiGuard services such as FortiGuard Antivirus and Intrusion Prevention updates and for FortiGuard Web Filtering and AntiSpam.

    Register your product by visiting http://support.fortinet.com and selecting Product Registration.

    To register, enter your contact information and the serial numbers of the Fortinet products that you or your organization have purchased. You can register multiple Fortinet products in a single session without re-entering your contact information.

    FortiGate 5140 R chassis

    You can install up to 14 FortiGate 5000 series boards in the 14 front panel slots of the FortiGate 5140 ATCA chassis. The FortiGate 5140 is a 12U chassis that contains two redundant hot swappable DC power entry modules that connect to 48 VDC Data Center DC power. The FortiGate 5140 chassis also includes three hot swappable cooling fan trays and a front accessible air filter.

    If all 14 front panel slots contain FortiGate 5005FA2, FortiGate 5001SX, or FortiGate 5001FA2 boards, the FortiGate 5140 chassis provides a
59. he same functionality and performance.

    The FortiGate 5001A security system contains two front panel 1 gigabit ethernet interfaces, two base backplane 1 gigabit interfaces, and two fabric backplane 1 gigabit interfaces. Use the front panel interfaces for connections to your networks and the backplane interfaces for communication across the ATCA chassis backplane.

    If you install a FortiGate RTM XB2 module for each FortiGate 5001A board, the FortiGate 5001A fabric interfaces can operate at 10 Gbps. The FortiGate RTM XB2 also provides NP2 accelerated network processing for eligible traffic passing through the FortiGate RTM XB2 interfaces.

    You can also configure two or more FortiGate 5001A boards to create a high availability (HA) cluster using the base or fabric backplane interfaces for HA heartbeat communication through the chassis backplane, leaving front panel interfaces available for network connections.

    Note: In most cases the base backplane interfaces are used for HA heartbeat communication and the fabric backplane interfaces are used for data communication.

    The FortiGate 5001A board also supports high end FortiGate features including 802.1Q VLANs, multiple virtual domains, 802.3ad aggregate interfaces, and FortiOS Carrier.

    Front panel LEDs and connectors

    [Figure 11: FortiGate 5001A DW front panel.]
60. his division of labor, the FortiController 5208 board is also called the I/O board and the FortiGate 5005FA2 boards are also called the worker boards.

    The FortiController 5208 board provides two 10 gigabit interfaces and four 1 gigabit interfaces for network traffic. The FortiController 5208 front panel also contains an additional four 1 gigabit interfaces for inter-chassis HA and future use. Optionally, you can double the number of available network interfaces by adding a second FortiController 5208.

    Once initial set up is complete, all subsequent administration and configuration of the FortiController 5208 boards and FortiGate 5005 boards is done through the primary FortiController 5208 board. The FortiGate 5005 boards are administered as a single unit and are therefore configured identically. All traffic is distributed to the FortiGate boards using the backplane interfaces, so no front panel connections are required for the FortiGate boards.

    The FortiController 5208 board includes the following features:

    - Two 10 gigabit interfaces that can accept fiber or copper 10 gigabit Small Form-factor Pluggable (XFP) transceivers.
    - Eight 1 gigabit front panel network interfaces that can accept Small Form-factor Pluggable (SFP) fiber or copper transceivers. Four of these interfaces are for data, two for inter-chassis high availability (HA) connections, and two for future use.
    - One fabric and two base backplane gigabit interfaces
61. igabit base backplane switching boards installed in the chassis in base slots 1 and 2. The FortiGate 5020 chassis supports base backplane communication with no additions or changes to the chassis.

    For information about base backplane communication in FortiGate 5140 and FortiGate 5050 chassis, see the FortiGate 5000 Backplane Communication Guide. For information about the FortiSwitch 5003 board, see the FortiSwitch 5003 System Guide. For information about the FortiSwitch 5003A board, see the FortiSwitch 5003A System Guide.

    Fabric backplane communication

    The FortiGate 5001A fabric backplane interfaces can be used for data communication or HA heartbeat communication between FortiGate 5001A boards installed in the same or in different FortiGate 5000 chassis. To support 1 gigabit fabric backplane communications, your FortiGate 5140 or FortiGate 5050 chassis must include one or more FortiSwitch 5003A boards or other 1 gigabit fabric backplane switching boards installed in the chassis in fabric slots 1 and 2. The FortiGate 5020 chassis does not support fabric backplane communications.

    For information about fabric backplane communication in FortiGate 5140 and FortiGate 5050 chassis, see the FortiGate 5000 Backplane Communication Guide. For information about the FortiSwitch 5003A board, see the FortiSwitch 5003A System Guide.
62. ing DC power, RTN, and ground wires.

    Physical description of the FortiGate 5140 chassis

    The FortiGate 5140 chassis is a 12U chassis that can be installed in a standard 19-inch rack. Table 2 describes the physical characteristics of the FortiGate 5140 chassis.

    Table 2: FortiGate 5140 chassis physical description

    - Dimensions: 21 x 19 x 20.6 in. (53.3 x 48.3 x 52.4 cm) (Height x Width x Depth)
    - Shipping weight: 110 lb (50 kg), completely assembled with packaging
    - Operating environment: temperature 32 to 104°F (5 to 45°C); relative humidity 5 to 85%, non-condensing
    - Storage environment: temperature -13 to 158°F (-25 to 70°C); relative humidity 5 to 85%, non-condensing
    - Power consumption: maximum 2,980W DC
    - Power input: 2x redundant 37VDC to 72VDC, 30A per power feed, total 4 4 power feeds

    FortiGate 5140 chassis

    You can install up to 14 FortiGate 5000 series boards in the 14 front panel slots of the FortiGate 5140 ATCA chassis. The FortiGate 5140 is a 12U chassis that contains two redundant hot swappable DC power entry modules that connect to 48 VDC Data Center DC power. The FortiGate 5140 chassis also includes three hot swappable cooling fan trays.

    If all 14 front panel slots contain FortiGate 5005FA2, FortiGate 5001SX, or FortiGate
63. interfaces. If all 5 slots contain FortiGate 5001A boards, the FortiGate 5050 chassis supports ten 1 gigabit ethernet FortiGate interfaces. If you add FortiGate ADM XB2 modules to the FortiGate 5001A boards, the FortiGate 5050 chassis supports another ten 10 gigabit interfaces.

    You can also install a FortiSwitch 5003A or FortiSwitch 5003 board in the FortiGate 5050 chassis to provide base backplane communications. Base backplane communications can be used for HA heartbeat communications and for data communications. You can add a second FortiSwitch 5003A or FortiSwitch 5003 board for redundancy. FortiSwitch 5003A boards can also provide fabric backplane communication using the FortiGate 5050 fabric backplane channels.

    You can mix and match any combination of FortiGate 5000 series boards in the FortiGate 5050 chassis. For example, you could install two FortiGate 5005FA2 boards, two FortiGate 5001SX boards, and one FortiGate 5001FA2 board. You can also install FortiController 5208 and FortiGate 5005FA2 boards in a FortiGate 5050 chassis to create a FortiGate 5005 DIST security system.

    Some of the boards installed in a FortiGate 5050 chassis can be operating in a FortiGate HA cluster and some can be operating as standalone FortiGate units. You can also operate multiple HA clusters and standalone FortiGate units in a single FortiGate 5050 chassis.

    You can also use FortiSwitch 5003A or FortiSwitch 5003 boards to operate HA clusters consisting of FortiGate 500
64. is functioning normally. The front panel includes a reset switch for restarting the FortiSwitch 5003A board. The front panel also contains connectors to the fabric and base channels, an out of band management ethernet interface, and an RJ-45 RS-232 console port for connecting to the FortiSwitch 5003A CLI.

    LEDs

    Table 16 lists and describes the FortiSwitch 5003A front panel LEDs.

    Table 16: FortiSwitch 5003A front panel LEDs and switches

    | LED | State | Description |
    |---|---|---|
    | OOS (Out of Service) | Off | Normal operation. |
    | OOS (Out of Service) | Red | Out of service. The LED turns on if the FortiSwitch 5003A board fails. The LED may also flash briefly when the board is powering on. |
    | ACT (Active) | Green | The FortiSwitch 5003A board is powered on and operating normally. |
    | ACT (Active) | Yellow | Caution status. Caution status is indicated by the fault condition of the HTY and FLT LEDs. |
    | ACT (Active) | Off | The board is not connected to power. |
    | HTY (Healthy) | Green | The FortiSwitch 5003A board is powered on and operating normally. |
    | HTY (Healthy) | Off | The board health system has detected a fault. |
    | FLT (Fault) | Off | Normal operation. |
    | FLT (Fault) | Yellow | Cannot establish a link to a configured interface, or another connection problem external to the FortiSwitch 5003A board. This LED may indicate issues that do not affect normal operation. |
    | RST (Reset switch) | | Press and hold Reset for three seconds t |
65. l description of the FortiGate 5140 chassis

    FortiGate 5140 chassis
    - FortiGate 5140 chassis front panel
    - FortiGate 5140 chassis back panel
    - Physical description of the FortiGate 5140 chassis

    FortiGate 5050 R chassis
    - FortiGate 5050 front panel
    - FortiGate 5050 back panel
    - Physical description of the FortiGate 5050 chassis

    FortiGate 5050 chassis
    - FortiGate 5050 front panel
    - FortiGate 5050 back panel
    - Physical description of the FortiGate 5050 chassis
66. lane interfaces together, but you can also use the FortiSwitch 5003 front panel ZRE interfaces for connections between base backplane interface 1 and base backplane interface 2. Again, these connections can be within the same chassis or among multiple chassis.

    A FortiSwitch 5003 board in slot 1 provides communications on base backplane interface 1. The FortiGate 5001SX and the FortiGate 5001FA2 boards communicate with base backplane interface 1 using the interface named port9. The FortiGate 5005FA2 board communicates with base backplane interface 1 using the interface named base.

    A FortiSwitch 5003 board in slot 2 provides communications on base backplane interface 2. The FortiGate 5001SX and the FortiGate 5001FA2 boards communicate with base backplane interface 2 using the interface named port10. The FortiGate 5005FA2 board communicates with base backplane interface 2 using the interface named base2.

    In a single chassis, more than one cluster can use the same base backplane interface for HA heartbeat communication. To separate heartbeat communication for multiple clusters on the same base backplane interface, configure a different HA group name and password for each cluster.

    In a single chassis, you can also use the same base backplane interface for data and HA heartbeat communication. If you are o
67. leration for FortiGate 5001A boards installed in FortiGate 5140 and FortiGate 5050 chassis. For details about the FortiGate RTM XB2 system, see "FortiGate RTM XB2 system" on page 39.

    FortiGate 5005FA2 security system

    The FortiGate 5005FA2 board is an independent high performance FortiGate security system with eight gigabit ethernet interfaces. The FortiGate 5005FA2 board supports high end features including 802.1Q VLANs and multiple virtual domains. Two of the FortiGate 5005FA2 interfaces (port7 and port8) include Fortinet technology to accelerate small packet performance. FortiGate 5005FA2 boards also function as worker boards in a FortiGate 5005 DIST security system. For details about the FortiGate 5005FA2 board, see "FortiGate 5005FA2 security system" on page 41.

    FortiGate 5001FA2 security system

    The FortiGate 5001FA2 security system is an independent high performance FortiGate security system with eight gigabit ethernet interfaces. The FortiGate 5001FA2 board is similar to the FortiGate 5001SX board, except that two of the FortiGate 5001FA2 interfaces include Fortinet technology to accelerate small packet performance. For details about the FortiGate 5001FA2 board, see "FortiGate 5001FA2 LENC security system" on page 45.

    FortiGate 5001SX security system

    The FortiGate 5001SX security system is an independent high performance FortiGate security system with eight gigabit ethernet interfaces. The FortiGate 5001SX
68. lso visible on the front of the FortiGate 5050:

    - The location of the hot swappable FortiGate 5050 cooling fan tray (behind panel).
    - Power LED.
    - ESD socket, used for connecting an ESD wrist or ankle band when working with the chassis.

    Caution: Do not operate the FortiGate 5050 chassis with open slots on the front panel. For optimum cooling performance and safety, the slots must contain a FortiGate 5000 series board or an air baffle slot filler. As well, the removable power supply panel must be installed over the power connectors on the back of the chassis.

    FortiGate 5050 back panel

    Figure 6 shows the back of a FortiGate 5050 chassis. The FortiGate 5050 chassis back panel includes two redundant 48V to 58V DC power input connectors labelled Input A and Input B. The power input connectors provide redundant DC power connections for the FortiGate 5050 chassis and distribute DC power to the fan tray and the FortiGate 5000 series boards installed in the FortiGate 5050 chassis.

    Each power input connector includes a 24 Amp circuit breaker that also functions as an on/off switch for the power input connector. If you require redundant power, you should connect both power input connectors to DC power. If redundant power is not required, you should connect power input connector A to DC powe
69. m accesses the flash disk when starting up, during a firmware upgrade, or when an administrator is using the CLI or GUI to change the FortiOS configuration. Under normal operating conditions this LED flashes occasionally but is mostly off.

    Table 10: FortiGate 5005FA2 board LEDs (continued)

    | LED | State | Description |
    |---|---|---|
    | STATUS | Amber | The FortiGate 5005FA2 board is powered on. |
    | IPM | Blue | The FortiGate 5005FA2 is ready to be hot swapped (removed from the chassis). If the IPM light is blue and no other LEDs are lit, the FortiGate 5005FA2 board has lost power. |
    | IPM | Flashing blue | The FortiGate 5005FA2 is changing from hot swap to running mode or from running mode to hot swap. |
    | IPM | Off | Normal operation. The FortiGate 5005FA2 board is in contact with the chassis backplane. |
    | 1, 2, 3, 4, 5, 6, 7, 8 | Green | The correct cable is connected to the gigabit SFP interface. |
    | 1, 2, 3, 4, 5, 6, 7, 8 | Flashing | Network activity at the gigabit SFP interface. |

    Connectors

    Table 11 lists and describes the FortiGate 5005FA2 connectors.

    Table 11: FortiGate 5005FA2 connectors

    | Connector | Type | Speed | Protocol | Description |
    |---|---|---|---|---|
    | 1, 2, 3, 4, 5, 6 | LC SFP | 1000Base-SX | Ethernet | Six gigabit SFP interfaces that can accept fiber or copper gigabit transceivers. These interfaces only operate at 1000Mbps. |

    7, 8: LC SF
70. nks and networks before installing or removing FortiGate 5000 series components or performing other maintenance tasks. Failure to follow the instructions in this document can result in personal injury or equipment damage.

    - Install FortiGate 5000 series chassis at the lower positions of a rack to avoid making the rack top heavy and unstable.
    - Do not insert metal objects or tools into open chassis slots.
    - Electrostatic discharge (ESD) can damage FortiGate 5000 series equipment. Only perform the procedures described in this document from an ESD workstation. If no such station is available, you can provide some ESD protection by wearing an anti-static wrist strap and attaching it to an available ESD connector, such as the ESD sockets provided on FortiGate 5000 series chassis.
    - Make sure all FortiGate 5000 series components have reliable grounding. Fortinet recommends direct connections to the building ground.
    - If you install a FortiGate 5000 series component in a closed or multi-unit rack assembly, the operating ambient temperature of the rack environment may be greater than room ambient. Make sure the operating ambient temperature does not exceed Fortinet's maximum rated ambient temperature.
    - Installing FortiGate 5000 series equipment in a rack should be such that the amount of airflow required for safe operation of the equipment is not compromised.
    - FortiGate 5000 series chassis should be installed by a qualified electrician.
    - FortiGate 5000 se
71. o accelerated packet forwarding and policy enforcement gigabit interfaces (interfaces 7 and 8)
- Two fabric backplane gigabit interfaces (fabric1 and fabric2) for FortiGate 5005 DIST security system management communications. The fabric backplane gigabit interfaces can also be used for data communications across the FortiGate 5000 chassis backplane if combined with a board that supports backplane fabric switching
- Two base backplane gigabit interfaces (base1 and base2) for HA heartbeat and data communications across the FortiGate 5000 chassis backplane and for FortiGate 5005 DIST security system data communication
- RJ-45 RS-232 serial console connection
- 2 USB connectors
- Mounting hardware
- LED status indicators
The FortiGate 5005FA2 board comes supplied with fiber and copper SFP transceivers. You can order the SFP transceivers in any combination. Before you can connect any FortiGate 5005FA2 front panel interfaces, you must insert the SFP transceivers into the FortiGate 5005FA2 front panel cage slots.
Front panel LEDs and connectors
From the FortiGate 5005FA2 front panel you can view the status of the front panel LEDs to verify that the board is functioning normally. You also connect the FortiGate 5005FA2 board to your network through the
72. o restart the FortiSwitch 5003A board.
Base Network Activity LEDs (Solid Green): Indicates this interface is connected to the 1 gigabit base channel interface of a FortiGate 5000 board. Table 17 on page 56 lists the base network activity LEDs and the interface that each represents.
Base Network Activity LEDs (Blinking Green): Indicates 1 gigabit network traffic on this interface.
Base Network Activity LEDs (Off): No link.
Fabric Network Activity LEDs (Solid Green): Indicates this interface is connected to the 10/1 gigabit fabric channel interface of a FortiGate 5000 board. Table 19 on page 58 lists the fabric network activity LEDs and the interface that each represents.
Fabric Network Activity LEDs (Blinking Green): Indicates 10/1 gigabit network traffic on this interface. Table 19 on page 58 lists the fabric network activity LEDs and the interface that each represents.
Fabric Network Activity LEDs (Off): No link.
MGMT, B1, B2 (management and base 1 gigabit LEDs), Link/Act (left LED), Solid Green: Indicates this interface is connected with the correct cable and the attached network device has power.
Link/Act, Blinking Green: Indicates network traffic on this interface.
Link/Act, Off: No link.
Speed, Green: Connection at 1 Gbps.
Speed, Amber: Connection at 100 Mbps.
Speed, Off: Connection at 10 Mbps.
Table 16: FortiSwitch 5003A front panel LEDs and switches (Continued). Columns: LED, State, De
73. of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Contents
Introduction
Revision history
About the FortiGate 5000 series chassis
FortiGate 5140 chassis
FortiGate 5050 chassis
FortiGate 5020 chassis
About the FortiGate 5000 series boards
FortiGate 5001A security system
FortiGate RTM XB2 module
FortiGate 5005FA2 security system
FortiGate 5001FA2 security system
FortiGate 5001SX security system
FortiSwitch 5003A system
FortiSwitch 5003 system
74. of the FortiGate 5140 and 5050 chassis, the hub switch fabric slots are slots 1 and 2. For more information about these chassis, see the FortiGate 5140 Chassis Guide and the FortiGate 5140 Chassis Guide. You can use the FortiSwitch 5003A board for fabric and base backplane layer 2 switching for FortiGate 5000 boards installed in slots 3 and up in FortiGate 5140 and FortiGate 5050 chassis. Usually you would use the base channel for management traffic (for example, HA heartbeat traffic) and the fabric channel for data traffic. FortiSwitch 5003A boards can be used for fabric and base backplane layer 2 switching within a single chassis and between multiple chassis. The FortiSwitch 5003A system also supports 802.3ad static mode layer 2 link aggregation, 802.1q VLANs, and 802.1s Multi Spanning Tree Protocol (MSTP) for the fabric channels. You can use these features to configure link aggregation and support redundant FortiSwitch 5003A switch configurations to distribute traffic to multiple FortiGate 5000 boards. The FortiGate 5000 boards must operate in Transparent mode, all are managed separately, and all must have the same configuration. A FortiSwitch 5003A board in hub switch fabric slot 1 provides communications on fabric channel 1 and base channel 1. A FortiSwitch 5003A board in hub switch fabric slot 2 provides communications on fabric channel 2 and base channel 2. If your chassis includes one FortiSwitch 5003A board you can install it in hub switch fab
75. ons of the FortiController 5208 board, an optional secondary FortiController 5208 board, and all the 5005 boards over which management communication is sent. LED 1 is for the FortiController 5208 board's connection. LEDs 2 through 14 are for connections to the corresponding slots in a 5050 or 5140. LEDs 15 and 16 are for future use.
Flashing: Management communication activity on the fabric backplane connection.
1, 2, 3, 4 (Green): The correct cable is connected to the gigabit SFP interface.
1, 2, 3, 4 (Flashing): Network activity at the gigabit SFP interface.
IPM (Blue): The FortiController 5208 is ready to be hot swapped (removed from the chassis). If the IPM light is blue and no other LEDs are lit, the FortiController 5208 board has lost power. See "Inserting a FortiController 5208 module into a chassis" on page 10 for more information.
IPM (Flashing Blue): The FortiController 5208 is changing from hot swap to running mode or from running mode to hot swap.
IPM (Off): Normal operation. The FortiController 5208 board is in contact with the chassis backplane.
MANAGEMENT, Link LED (Amber): The correct cable is inserted into this interface and the connected equipment has power.
MANAGEMENT, Link LED (Flashing): Network activity at this interface.
MANAGEMENT, Speed LED (Green): The interface is connected at 1000 Mbps.
MANAGEMENT, Speed LED (Amber): The interface is connected at 100 Mbps.
MANAGEMENT, Speed LED (Unlit): The interface is connected at 10 Mbps.
The control LEDs of a se
76. perating multiple clusters and multiple data paths on the same base backplane interface, you may experience some bandwidth limitations. To increase the amount of bandwidth available, you can add a second FortiSwitch 5003 board and use both backplane interfaces for HA heartbeat and data communication. If you have two FortiSwitch 5003 boards and two backplane interfaces available, you can balance the traffic between the base backplane interfaces by how you configure your FortiGate 5000 board data interfaces and HA heartbeat interfaces. For example, if you have two busy FortiGate 5001SX clusters, you might configure one cluster to use port9 for HA heartbeat traffic and the other to use port10. If you have a number of data paths that use the same base backplane interfaces, you can change the configuration to distribute traffic between both base backplane interfaces.
The FortiGate 5005 DIST security system
The FortiGate 5005 DIST security system is very similar to a single FortiGate unit but with much higher capacity and with support for failover protection and scalability. The FortiGate 5005 DIST security system consists of a FortiGate 5
77. Front panel figure labels: Fabric 10G Optical or Copper SFP, Retention Screws, OOS LED, Healthy LED, Fault LED, Hot Swap LED, Extraction Levers, MGMT 1G Copper Interface, Active LED, Reset Switch, BASE 10G Optical or Copper SFP.
- One front panel base backplane 10 gigabit optical or copper SFP interface (BASE 10G) that connects to the base backplane channel
- Eight front panel fabric backplane 10 gigabit optical or copper SFP interfaces (14 F8, F7, F6, F5, F4, F3, F2, and F1)
- One gigabit out-of-band management ethernet interface (MGMT)
- One RJ-45 RS-232 serial console connection (COM)
- Mounting hardware
- LED status indicators
- IEEE 802.1q VLANs
- IEEE 802.3ad static mode layer 2 link aggregation
- Link aggregation using a hash algorithm based on source and destination IP addresses
- Multi Spanning Tree Protocol (MSTP, IEEE 802.1s) to support redundant FortiSwitch 5003A boards and external MSTP-compatible switches
- Heartbeat between FortiGate 5001A and FortiGate 5005FA2 boards and the FortiSwitch 5003A over the fabric channel to support MSTP (configurable from the FortiGate 5001A and FortiGate 5005FA2 systems)
- Standard FortiOS command line interface (CLI) for configuring fabric switch settings (VLANs, MSTP, trunks, and so on)
Front panel LEDs and connectors
From the FortiSwitch 5003A front panel you can view the status of the board LEDs to verify that the board
78. r When operating, the power input connectors are covered with clear protection plates.
Figure 6: FortiGate 5050 chassis back panel. Figure labels: Ground connector (green), Positive DC in (red), RTN (black), Power wire fixture, DC Power Input A, DC Power Input B, ESD socket.
The back panel includes the FortiGate 5050 chassis ground connector, which must be connected to Data Center ground. Use the power wire fixtures for securing and managing DC power wires. The FortiGate 5050 chassis also includes an ESD socket on the back panel.
Physical description of the FortiGate 5050 chassis
The FortiGate 5050 chassis is a 5U chassis that can be installed in a standard 19-inch rack. Table 4 describes the physical characteristics of the FortiGate 5050 chassis.
Table 4: FortiGate 5050 chassis physical description
Dimensions (H x W x D): 8.75 x 17 x 15.5 in. (13.3 x 43.2 x 39.4 cm)
Shipping weight (completely assembled with packaging): 26.75 lb (12.1 kg)
Operating environment: Temperature 32 to 104 F (0 to 45 C). Relative humidity 5 to 85% (non-condensing).
Storage environment: Temperature -13 to 158 F (-25 to 70 C). Relative humidity 5 to 95% (non-condensing).
Power consumption: Maximum 1 135 W
Power input: 2
79. rds installed in the FortiGate 5050 chassis. Each power input connector includes a 24 Amp circuit breaker that also functions as an on/off switch for the power input connector. If you require redundant power, you should connect both power input connectors to DC power. If redundant power is not required, you should connect power input connector A to DC power. When operating, the power input connectors are covered with clear protection plates.
Figure 8: FortiGate 5050 chassis back panel. Figure labels: RTM slot filler panels, Ground connector (green), Power wire, Positive (red), RTN (black).
The back panel includes the FortiGate 5050 chassis ground connector, which must be connected to Data Center ground. Use the power wire fixtures for securing and managing DC power wires. The FortiGate 5050 chassis also includes an ESD socket on the back panel. The back panel also contains 5 RTM slots numbered to correspond to the front panel slots. The RTM slots are available for FortiGate 5000 RTM modules such as the FortiGate RTM XB2 module. When the FortiGate 5050 chassis is shipped, these slots are covered by RTM slot filler panels.
Physical description of the FortiGate 5050 chassis
The FortiGate
80. re FortiGate 5001FA2 LENC boards to create a high availability (HA) cluster using the base backplane interfaces for HA heartbeat communication through the chassis backplane, leaving all eight front panel gigabit interfaces available for network connections. FortiGate 5001FA2 LENC front panel interfaces 1 and 2 also include accelerated packet forwarding and policy enforcement for faster small packet performance. The FortiGate 5001FA2 LENC board also supports high-end FortiGate features including 802.1Q VLANs, multiple virtual domains, 802.3ad aggregate interfaces, and FortiGate 5000 chassis monitoring.
Figure 19: FortiGate 5001FA2 LENC front panel. Figure labels: Flash Disk Access, Link/Traffic, Module Position, Status, CONSOLE, Handles, Retention Screws, 3 4 Optical or Copper SFP Gigabit, RS-232 Serial, 1 2 Optical or Copper SFP Gigabit Accelerated, 5 6 7 8 Gigabit Copper.
The FortiGate 5001FA2 LENC board includes the following features:
- A total of eight front panel gigabit interfaces
- Two accelerated packet forwarding and policy enforcement gigabit interfaces that can accept optical Small Formfactor Pluggable (SFP) or copper SFP gigabit transceivers (interfaces 1 and 2)
- Two gigabit interfaces that can accept optical or copper SFP gigabit transceivers (interfaces 3 and 4)
- Four 10/100/1000Base-T gigabit copper network interfaces (interfaces 5, 6, 7, 8)
- Two base backplane gigabi
81. re lit, the FortiGate 5001A board has lost power.
IPM (Flashing Blue): The FortiGate 5001A is changing from hot swap to running mode or from running mode to hot swap. This happens when the FortiGate 5001A board is starting up or shutting down.
IPM (Off): Normal operation. The FortiGate 5001A board is in contact with the chassis backplane.
Connectors
Table 8 lists and describes the FortiGate 5001A connectors.
Table 8: FortiGate 5001A connectors. Columns: Connector, Type, Speed, Protocol, Description.
1, 2: RJ-45, 10/100/1000 Base-T, Ethernet. Copper 1 gigabit connection to 10/100/1000Base-T copper networks.
CONSOLE: RJ-45, 9600 bps 8/N/1, RS-232 serial. Serial connection to the command line interface.
USB: USB. FortiUSB key firmware updates and configuration backup.
Base backplane communication
The FortiGate 5001A base backplane 1 gigabit interfaces can be used for HA heartbeat communication between FortiGate 5001A boards installed in the same or in different FortiGate 5000 chassis. You can also configure FortiGate 5001A boards to use the base backplane interfaces for data communication between FortiGate boards. To support base backplane communications, your FortiGate 5140 or FortiGate 5050 chassis must include one or more FortiSwitch 5003 boards, FortiSwitch 5003A boards, or other 1 g
82. rface 1 (base2) is connected at 1 Gbps.
Flashing Green: Network activity at base backplane interface 1.
Fabric CH0 (Off): Fabric backplane interface 0 (fabric1) is connected at 10 Gbps.
Fabric CH0 (Flashing Green): Network activity at fabric backplane interface 0.
Fabric CH1 (Off): Fabric backplane interface 1 (fabric2) is connected at 10 Gbps.
Fabric CH1 (Flashing Green): Network activity at fabric backplane interface 1.
ACC (Off or Flashing green): The ACC LED flashes green when the FortiGate 5001A board accesses the FortiOS flash disk. The FortiOS flash disk stores the current FortiOS firmware build and configuration files. The system accesses the flash disk when starting up, during a firmware upgrade, or when an administrator is using the CLI or GUI to change the FortiOS configuration. Under normal operating conditions this LED flashes occasionally but is mostly off.
OOS, Out of Service (Off): Normal operation.
OOS, Out of Service (Green): A fault condition exists and the FortiGate 5001A blade is out of service (OOS). This LED may also flash very briefly during normal startup.
Power (Green): The FortiGate 5001A board is powered on.
Status (Off): The FortiGate 5001A board is powered on.
Status (Flashing Green): The FortiGate 5001A is starting up. If this LED is flashing at any time other than system startup, a fault condition may exist.
IPM (Blue): The FortiGate 5001A is ready to be hot swapped (removed from the chassis). If the IPM light is blue and no other LEDs a
83. ric slot 1 or 2 and configure the FortiGate 5000 boards installed in the chassis to use the correct fabric and base backplane interfaces. For a complete 10 gigabit fabric backplane solution, you must install FortiGate 5000 hardware that supports 10 gigabit connections. For example, a FortiGate 5001A board combined with a FortiGate RTM XB2 module provides two 10 gigabit fabric interfaces. You can install the FortiGate 5001A boards in chassis slots 3 and up and FortiGate RTM XB2 modules in the corresponding RTM slots on the back of the chassis.
The FortiSwitch 5003A board includes the following features:
- One 1 gigabit base backplane channel for layer 2 base backplane switching between FortiGate 5000 boards installed in the same chassis as the FortiSwitch 5003A
- One 10/1 gigabit fabric backplane channel for layer 2 fabric backplane switching between FortiGate 5000 boards installed in the same chassis as the FortiSwitch 5003A
- Two front panel base backplane one gigabit copper interfaces (B1 and B2) that connect to the base backplane channel
Figure 21: FortiSwitch 5003A front panel. Figure labels: Base Network Activity LEDs, Fabric Network Activity LEDs, B1 and B2 Base 1G, RJ-45 COM, 14 F8 F7 F6 F5 F4 F3 F2 F1 Port Co
84. ries equipment shall be installed and connected to an electrical supply source in accordance with the applicable codes and regulations for the location in which it is installed. Particular attention shall be paid to use of correct wire type and size to comply with the applicable codes and regulations for the installation location. Connection of the supply wiring to the terminal block on the equipment may be accomplished using Listed wire compression lugs (for example, Pressure Terminal Connector made by Ideal Industries Inc. or equivalent) which is suitable for AWG 10. Particular attention shall be given to use of the appropriate compression tool specified by the compression lug manufacturer, if one is specified.
About Data Center DC power
The FortiGate 5140 and FortiGate 5050 chassis are designed to be installed in a Data Center or similar location that has available 48VDC power. Fortinet expects that most FortiGate 5140 or FortiGate 5050 customers will be installing their FortiGate equipment in a data center or similar location that is already equipped with a 48VDC power system that provides power to existing networking or telecom equipment. The FortiGate 5140 and FortiGate 5050 chassis are designed to be connected directly to this DC power system. In this document, Data Center DC power refers to a 48VDC power system that is already availabl
85. rity system
FortiGate 5005 DIST security system chassis
FortiGate 5005 DIST security systems can be installed in FortiGate 5050 or FortiGate 5140 chassis.
FortiGate 5140 chassis
You can install one or two I/O boards in slots 1 and 2 of the FortiGate 5140 ATCA chassis. You can also install up to 12 worker boards in slots 3 to 14 if two I/O boards are used, or up to 13 worker boards in slots 2 to 14 if one I/O board is used. The FortiGate 5140 is a 12U chassis that contains two redundant hot swappable DC power entry boards that connect to 48 VDC Data Center DC power. The FortiGate 5140 chassis also includes three hot swappable cooling fan trays. For details about the FortiGate 5140 chassis, see the FortiGate 5140 Chassis Guide.
Figure 32: FortiGate 5005 DIST components installed in a FortiGate 5140 chassis
FortiGate 5050 chassis
You can install one or two I/O boards in slots 1 and 2 of the FortiGate 5050 ATCA chassis. You can also install up to three worker boards in slots 3 to 5 if two I/O boards are being used, or four worker boards in slots 2 to 5 if one I/O board is used. The FortiGate 5050 is a 5U chassis that contains two redundant DC power connections that connect to 48 VDC Data Cen
86. roperly connected to a FortiGate 5001A board.
Fabric backplane 10 gigabit communication
The FortiGate RTM XB2 module is used for fabric backplane 10 gigabit data communication. To support fabric backplane communications, your FortiGate 5140 or FortiGate 5050 chassis must include one or more 10 gigabit switch modules, such as the FortiSwitch 5003A, installed in chassis slots 1 and 2. The FortiGate 5020 chassis does not support fabric backplane communications.
Figure 17: Example FortiGate RTM XB2 configuration. Figure labels: FortiGate RTM XB2 module installed in RTM slot 3 provides two 10 gigabit fabric channels and NP2 acceleration for the FortiGate 5001A board; FortiGate 5001A Board Installed in FortiGate 5050 front panel slot 3; Internal Network; Internal 10 gigabit Network Connected to Fabric Channel 2; Fabric Channel 2 10 gigabit Data Communication; Fabric Channel 1 10 Gigabit Data Communication; External 10 gigabit Network Connected to Fabric Channel 1; External Network.
FortiGate 5005FA2 security system
The FortiGate 5005FA2 security system is a high performance FortiGate security system with a total of 8 front panel gigabit ethernet interfaces, two base backplane interfaces, and two fabric backplane interfaces. Use the front panel interfaces for connections to your networks and the backplane interfac
87. s
FortiGate RTM XB2
The FortiGate RTM XB2 module provides two 10 gigabit fabric backplane interfaces and NP2 processor acceleration for FortiGate 5001A fabric interfaces. For 10 gigabit fabric backplane communications, each FortiGate 5001A board requires one FortiGate RTM XB2 module. The FortiGate RTM XB2 module is an ATCA rear transition module (RTM) that installs into an RTM slot at the back of a FortiGate 5140 and FortiGate 5050 chassis. To support 10 gigabit fabric backplane communications, your FortiGate 5140 or FortiGate 5050 chassis must also include one or more FortiSwitch 5003A boards or other 10 gigabit fabric backplane switching boards installed in the chassis in fabric slots 1 and 2.
Note: On some versions of the FortiGate 5001A firmware, when a FortiGate 5001A board starts up with a FortiGate RTM XB2 module installed, the fabric1 and fabric2 interfaces are replaced with interfaces that are named RTM 1 and RTM 2 to indicate the presence of the FortiGate RTM XB2 module. Configuration settings that include the fabric1 and fabric2 interface names will have to be changed to use the RTM 1 and RTM 2 interface names.
Figure 13: FortiGate RTM XB2 front panel. Figure labels: RTM XB2, Retention Screws, Power LED, Handles.
The FortiGate RTM XB2 NP2 processors provide hardware accelerated network processing for eligible traffic passing through the FortiGate RTM XB2 interfaces. For information about Fortinet NP2 processor
88. scription
BASE 10G 14 F8 F7 F6 F5 F4 F3 F2 F1, Base and Fabric 10 gigabit LEDs (Solid Green): Indicates this interface is connected to a 10 gigabit network device with the correct cable and the attached network device has power.
Base and Fabric 10 gigabit LEDs (Blinking Green): Indicates 10 gigabit network traffic on this interface.
Base and Fabric 10 gigabit LEDs (Off): No link.
HS, Hot Swap (Blue): The FortiSwitch 5003A is ready to be hot swapped (removed from the chassis). If the HS light is blue and no other LEDs are lit, the FortiSwitch 5003A board has lost power.
HS, Hot Swap (Flashing Blue): The FortiSwitch 5003A is changing from hot swap to running mode or from running mode to hot swap. This happens when the FortiSwitch 5003A board is starting up or shutting down.
HS, Hot Swap (Off): Normal operation. The FortiSwitch 5003A board is in contact with the chassis backplane.
Base channel interfaces
Table 17 lists and describes the FortiSwitch 5003A base backplane channel interfaces. The base backplane interfaces are not configurable or visible from the FortiSwitch 5003A CLI.
Figure 22: FortiSwitch 5003A base network activity LEDs. Figure labels: 3, 2 1, SH2, SH1.
Table 17: Base channel interfaces and network activity LEDs. Columns: Interface Name, Description.
SH1: If the FortiSwitch 5003A board is in the first hub switch fabric slot, this LED indicates a backplane connection to shelf manager 1. If the FortiSwitch 5003A board is in second hub switch fabric slot, this LED indicates a backplane connection
89. security system is very similar to a single FortiGate unit but with much higher capacity and with support for failover protection and scalability. The FortiGate 5005 DIST security system consists of a FortiGate 5050 or FortiGate 5140 chassis with one or two Input/Output or I/O boards (FortiController 5208 boards) and one or more worker boards (FortiGate 5005FA2 boards running in DIST mode). The I/O boards provide 10 gigabit and 1 gigabit network connections and distribute traffic to the worker boards. The worker boards provide FortiGate security system functions including firewall, VPN, IPS, antivirus, antispam, and so on. For details about the FortiGate 5005 DIST security system, see "The FortiGate 5005 DIST security system" on page 67.
FortiController 5208 system
An integral part of a FortiGate 5005 DIST Security System, the FortiController 5208 board provides all FortiGate 5005 DIST 10 gigabit and 1 gigabit network interfaces. The FortiController 5208 board also provides the management interface to the FortiGate 5005 DIST system and controls backplane communication between all FortiGate 5005 DIST components. You can create a FortiGate 5005 DIST high throughput multi-threat network security system using one or two FortiGate boards and multiple FortiGate 5005 boards in a FortiGate 5050 or FortiGate 5140 chassis. A FortiGate 5020 chassis cannot be used to create a FortiGate 5005 DIST system. Functionally one or t
90. Front panel LEDs and connectors
LEDs
Connectors
Base backplane gigabit interfaces
FortiSwitch 5003A system
Front panel LEDs and connectors
LEDs
Base channel interfaces
Fabric channel interfaces
Front panel connectors
FortiSwitch 5003A configurations
Base and fabric gigabit switching within a chassis
Fabric 10 gigabit switching within a chassis
Layer 2 link aggregation and redundancy configurations
FortiSwitch 5003 system
Front panel LEDs and connectors
91. Front panel LEDs and connectors
LEDs
Connectors
Accelerated packet forwarding and policy enforcement
FA2 interfaces and active-active HA performance
Base backplane gigabit communication
FortiGate 5005 DIST security system
FortiGate 5001FA2 LENC security system
Front panel LEDs and connectors
LEDs
Connectors
Accelerated packet forwarding and policy enforcement
FA2 interfaces and active-active HA performance
Base backplane gigabit communication
FortiGate 5001SX security system
92. t interfaces (port9 and port10) for HA heartbeat and data communications across the FortiGate 5000 chassis backplane
- DB-9 RS-232 serial console connection
- One USB connector
- Mounting hardware
- LED status indicators
The FortiGate 5001FA2 LENC board comes supplied with four optical or four copper SFP transceivers. Before you can connect FortiGate 5001FA2 LENC interfaces 1 to 4, you must insert the SFP transceivers into the FortiGate 5001FA2 LENC front panel cage slots numbered 1 to 4. The FortiGate 5001FA2 LENC board ships with two RAM DIMMs installed on the FortiGate 5001FA2 LENC circuit board. You should confirm that the RAM DIMMs are installed correctly before inserting the FortiGate 5001FA2 LENC board into a chassis.
Front panel LEDs and connectors
From the FortiGate 5001FA2 LENC front panel you can view the status of the front panel LEDs to verify that the board is functioning normally. You also connect the FortiGate 5001FA2 LENC board to your network through the front panel ethernet connectors. The front panel also includes the RS-232 console port for connecting to the FortiOS CLI and a USB port. The USB port can be used with a Fortinet USB key. For information about using the FortiUSB key, see the FortiGate 5000 Series Firmware and FortiUSB Guide.
LEDs
Table 12 lists
93. te 5140 chassis
FortiGate 5140 chassis back panel
Figure 4: FortiGate 5140 chassis back panel. Figure labels: RTM slot filler panels; 48V 60 VDC nom; RTN; black; red; Chassis ground connector; Power Entry Module B (terminal block cover removed).
If you require redundant power, you should connect both PEMs to DC power. If redundant power is not required, you should connect PEM A to DC power. Each PEM has four 48V 60 VDC connectors and 4 RTN connections. All eight of these connectors should be connected to DC power. Figure 4 on page 21 shows the terminal block cover removed from PEM A and the wiring required to connect PEM A to DC power. While operating the FortiGate 5140, both terminal block covers should be installed. The power entry modules are hot swappable, which means you can remove and replace a defective PEM while the FortiGate 5140 is operating, assuming that the FortiGate 5140 system has both PEMs connected to DC power for redundancy. The back panel also includes the back cable tray, an ESD socket, and the chassis ground connector. The ground connector must be connected to Data Center ground. Use the back cable tray for securing and managing DC power, RTN, and ground wires.
Physical description of th
94. ter DC power. The FortiGate 5050 chassis also includes a hot swappable cooling fan tray. For details about the FortiGate 5050 chassis, see the FortiGate 5050 Chassis Guide. [Figure 33: FortiGate 5005 DIST components installed in a FortiGate 5050 chassis.] FortiGate 5005 DIST interface names: The FortiGate 5005 DIST worker web-based manager and CLI use an internal naming convention to name FortiGate 5005 DIST interfaces. The interface names indicate the I/O board containing the interface and also include the I/O board front panel interface name. The naming convention is port<I/O_board_number> <I/O_board_interface_name>, where <I/O_board_number> is 1 for the interfaces of the primary I/O board installed in chassis slot 1 and 2 for the interfaces of the secondary I/O board installed in chassis slot 2. The interfaces for the secondary I/O board only appear in the web-based manager and CLI when a secondary I/O board is installed. <I/O_board_interface_name> is the name of the interface as shown on the FortiController 5208 front panel. Table 24 on page 72 shows the relationship between the names of the primary and secondary board front panel interfaces and the interface names that appear on the FortiGate 5005 DIST worker web-based manager and CLI. FortiGate 5005
95. to shelf manager 2. This LED may not be lit even if a shelf manager is present if the shelf manager is configured to use its front panel interface. 15 and SH2: Not used. 2 1: Base channel connection between base channels 1 and 2. The 2 1 LED is lit if there is any board capable of connecting to the base channel in the other slot. For example, if the FortiSwitch 5003A board is installed in the first hub switch fabric slot, this LED will be lit if any board is installed in the second hub switch fabric slot, including a FortiSwitch 5003A board or any FortiGate 5000 board. 3 to 14: Base channel connection to FortiGate 5000 boards in chassis slots 3 to 14. Table 17: Base channel interfaces and network activity LEDs (Interface Name: Description). B1 and B2: Front panel gigabit base channel interfaces B1 and B2. Use these interfaces to connect your network to the base channel, to connect base channel 1 to base channel 2, or to connect a base channel on one chassis to a base channel on another chassis. BASE 10G: Front panel 10 gigabit base channel interface. Use this interface to connect a 10 gigabit network to the base channel. 10 gigabit communication is not supported across the base channels, but this interface is still available if you need to connect the base channel
96. use FortiSwitch 5003A or FortiSwitch 5003 boards to operate HA clusters consisting of FortiGate 5000 series boards installed in multiple FortiGate 5000 chassis. You can also use FortiSwitch 5003A boards for fabric data communication between chassis. The FortiGate 5140 chassis requires 48VDC Data Center DC power. If DC power is not available, you can install a FortiGate 5053 power converter tray (purchased separately) with FortiGate 5140 power supplies. FortiGate 5140 chassis front panel: Figure 3 shows the front panel of a FortiGate 5140 chassis. Two FortiSwitch 5003 boards are installed in slots 1 and 2. Six FortiGate 5001SX boards are installed in slots 3, 5, 7, 9, 11, and 13, and six FortiGate 5001FA2 boards are installed in slots 4, 6, 8, 10, 12, and 14. The primary and secondary FortiGate 5140 Shelf Managers are also visible. The factory installed shelf managers provide power distribution, cooling, alarms, shelf status, and a telco alarm interface for the FortiGate 5140 chassis. [Figure 3: FortiGate 5140 chassis front panel with FortiGate 5001SX, FortiGate 5001FA2, and FortiSwitch 5003 boards installed. Labels: FortiGate 5001SX boards (slots 3, 5, 7, 9, 11 and 13); FortiGate 5001FA2 boards (slots 4, 6, 8, 10, 12 and 14); FortiSwitch 5003 boards (slots 1 and 2).] numbers
97. used with a Fortinet USB key. For information about using the FortiUSB key, see the FortiGate 5000 Series Firmware and FortiUSB Guide. LEDs: Table 14 lists and describes the FortiGate 5001SX board LEDs. Table 14: FortiGate 5001SX LEDs (LED, State: Description). PWR, Green: The FortiGate 5001SX board is powered on. ACC, Off or Flashing red: The ACC LED flashes red when the FortiGate 5001SX board accesses the FortiOS flash disk. The FortiOS flash disk stores the current FortiOS firmware build and configuration files. The system accesses the flash disk when starting up, during a firmware upgrade, or when an administrator is using the CLI or GUI to change the FortiOS configuration. Under normal operating conditions this LED flashes occasionally but is mostly off. STA, Green: Normal operation. STA, Red: The FortiGate 5001SX is starting or a fault condition exists. IPM, Blue: The FortiGate 5001SX is ready to be hot swapped (removed from the chassis). If the IPM light is blue and no other LEDs are lit, the FortiGate 5001SX board has lost power, possibly because of a loose or incorrectly aligned left extraction lever. IPM, Flashing Blue: The FortiGate 5001SX is changing from hot swap to running mode or from running mode to hot swap. IPM, Off: Normal operation. The FortiGate 5001SX board is in contact with the chassis backplane. 1, 2, 3, 4, Green: The correct cable is connected to the gigabit SFP interface. 1, 2, 3, 4, Flashing: Network activity at the gigabit
98. ut the document. 01 30000 0378 20070615: Added the following sections: FortiGate 5005 DIST security system on page 11; FortiController 5208 system on page 11; The FortiGate 5005 DIST security system on page 67; FortiController 5208 system on page 73. 01 30000 378 20080603: [...] security system on page 33. Terminology change: module changed to board for all FortiGate 5000 series boards. 01 30000 83466 20081023: Updated FortiGate 5001A security system on page 33 to include the FortiGate 5001A SW board. Added the following sections: FortiGate RTM XB2 system on page 39; FortiSwitch 5003A system on page 53. Table 1: Revision History (Version: Description of changes). 01 30000 83466 20081023: Added information about both FortiGate 5140 and both FortiGate 5050 chassis versions: FortiGate 5140 R chassis on page 15; FortiGate 5140 chassis on page 19; FortiGate 5050 R chassis on page 23; FortiGate 5050 chassis on page 27. About the FortiGate 5000 series chassis: The FortiGate 5000 series Security Systems are chassis-based systems that MSSPs and large enterprises can use to provide subscriber security services such as firewall, VPN, antivirus protection, spam filtering
99. web filtering, and intrusion prevention (IPS). The wide variety of system configurations available with FortiGate 5000 series provides flexibility to meet the changing needs of growing high performance networks. The FortiGate 5000 series chassis support multiple hot swappable FortiGate 5000 series boards and power supplies. This modular approach provides a scalable, high performance, and failure proof solution. FortiGate 5140 chassis: You can install up to 14 FortiGate 5000 series boards in the 14 slots of the FortiGate 5140 ATCA chassis. The FortiGate 5140 is a 12U chassis that contains two redundant hot swappable DC power entry modules that connect to 48 VDC Data Center DC power. The FortiGate 5140 chassis also includes three hot swappable cooling fan trays. Fortinet supplies two FortiGate 5140 chassis with very similar features. For details see: FortiGate 5140 R chassis on page 15; FortiGate 5140 chassis on page 19. FortiGate 5050 chassis: You can install up to five FortiGate 5000 series boards in the five slots of the FortiGate 5050 ATCA chassis. The FortiGate 5050 is a 5U chassis that contains two redundant DC power connections that connect to 48 VDC Data Center DC power. The FortiGate 5050 chassis also includes a hot swappable cooling fan tray. Fortinet supplies two FortiGate 5050 chassis with very similar features. For details see: FortiGate 5050 R chassis on page 23; FortiGate 5050 chassis
100. witch 5003 boards. FortiSwitch 5003 boards are installed in chassis slots 1 and 2. The FortiGate 5020 chassis supports base backplane communication with no additions or changes to the chassis. For information about base backplane communication in FortiGate 5140 and FortiGate 5050 chassis, see the FortiGate 5000 Base Backplane Communication Guide. For information about the FortiSwitch 5003 board, see the FortiSwitch 5003 Guide. FortiGate 5005 DIST security system: You can install FortiGate 5005FA2 boards as worker boards in a FortiGate 5005 DIST security system. Worker boards apply FortiGate security system functionality, such as applying firewall policies, virus scanning, IPS, and routing, to distributed traffic. For complete information about the FortiGate 5005 DIST security system and the role of worker boards, see the FortiGate 5005 DIST Security System Administration Guide. FortiGate 5001FA2 LENC security system: The FortiGate 5001FA2 LENC security system is a high performance FortiGate security system with a total of 8 front panel gigabit ethernet interfaces and two base backplane interfaces. Use the front panel interfaces for connections to your networks and the backplane interfaces for communication between FortiGate 5000 series boards over the FortiGate 5000 chassis backplane. You can also configure two or mo
101. wo FortiGate boards using the processing power of multiple FortiGate 5005 boards function much like a single FortiGate unit, but with far greater capacity. For details about the FortiController 5208 board, see FortiController 5208 system on page 73. Warnings and cautions: Only trained and qualified personnel should be allowed to install or maintain FortiGate 5000 series equipment. Read and comply with all warnings, cautions, and notices in this document. CAUTION: Risk of Explosion if Battery is replaced by an Incorrect Type. Dispose of Used Batteries According to the Instructions. Caution: You should be aware of the following cautions and warnings before installing FortiGate 5000 series hardware. Turning off all power switches may not turn off all power to the FortiGate 5000 series equipment. Some circuitry in the FortiGate 5000 series equipment may continue to operate even though all power switches are off. Many FortiGate 5000 components are hot swappable and can be installed or removed while the power is on. But some of the procedures in this document may require power to be turned off and completely disconnected. Follow all instructions in the procedures in this document that describe disconnecting FortiGate 5000 series equipment from power sources, telecommunications li
102. x redundant 48VDC to 58VDC. FortiGate 5050 chassis: You can install up to five FortiGate 5000 series boards in the five slots of the FortiGate 5050 ATCA chassis. The FortiGate 5050 is a 5U 19-inch rackmount ATCA chassis that contains two redundant DC power connections that connect to 48 VDC Data Center DC power. The FortiGate 5050 chassis also includes a hot swappable cooling fan tray. If all five slots contain FortiGate 5005FA2, FortiGate 5001SX, or FortiGate 5001FA2 boards, the FortiGate 5050 chassis provides a total of 40 1-gigabit ethernet FortiGate interfaces. If all 5 slots contain FortiGate 5001A boards, the FortiGate 5050 chassis supports 10 1-gigabit ethernet FortiGate interfaces. If you add FortiGate ADM XB2 modules to the FortiGate 5001A boards, the FortiGate 5050 chassis supports up to ten 10-gigabit interfaces. You can also install FortiSwitch 5003A or FortiSwitch 5003 boards in the FortiGate 5050 chassis slots 1 and 2 to provide base backplane communications. Base backplane communications can be used for HA heartbeat communications and data communications using FortiGate 5050 base backplane channels. You can add a second FortiSwitch 5003A or FortiSwitch 5003 board for redundancy. FortiSwitch 5003A boards can also provide fabric backplane communication using the FortiGate 5050 fa
103. xit from the FortiGate 5001A board on the same fabric channel or on the other fabric channel. See the FortiGate RTM XB2 System Guide for more information. Figure 25 shows a FortiGate 5050 chassis containing two FortiSwitch 5003A boards and one FortiGate 5001A board. Using these components, this chassis supplies 10 gigabit connectivity between the external and internal network. [Figure 25: Example 10 gigabit connection between internal and external networks. Labels: FortiGate RTM XB2 module installed in RTM slot 3 provides two 10 gigabit fabric channels and NP2 acceleration for the FortiGate 5001A board; Internal Network; Internal 10 gigabit Network Connected to Fabric Channel 2; FortiGate 5001A Board Installed in FortiGate 5050 front panel slot 3; Fabric Channel 2 10 gigabit Data Communication; Fabric Channel 1 10 Gigabit Data Communication; External 10 gigabit Network Connected to Fabric Channel 1; External Network.] Layer 2 link aggregation and redundancy configurations: The FortiSwitch 5003A board supports 802.3ad static mode layer 2 link aggregation, 802.1q VLANs, and 802.1s Multi Spanning Tree Protocol (MSTP) for the fabric channels. You can use these features to configure link aggregation and support redundant FortiSwitch 5003A configurations
