FortiGate-5001FA2-LENC Security System Guide

01-30000-76602-20080606

FortiGate-5001FA2-LENC security system

• Session oriented traffic with long session lifetime, such as FTP sessions.

Packet size does not affect performance for traffic with long session lifetime.
For long sessions, processing that would otherwise be handled by the
FortiGate-5001FA2-LENC CPUs is off-loaded to the acceleration module.

• Firewall and intrusion protection (IPS), when there is a reasonable percentage of P2P packets.

• Firewall, intrusion protection (IPS), and antivirus, when there is a reasonable percentage of P2P packets.

• Firewall and IPSec VPN applications.

The following traffic scenarios should be handled by the normal (or
non-accelerated) FortiGate-5001FA2-LENC interfaces:

• Session oriented traffic when the session lifetime is very short.
• Firewall and antivirus only applications.

Traffic will not be off-loaded to the FortiGate-5001FA2-LENC accelerator
module. The result will be high CPU usage because of the high CPU
requirement for antivirus scanning.

FA2 interfaces and active-active HA performance

FortiOS v3.0 MR4 firmware can also use FA2 acceleration to improve
active-active HA load balancing performance. See the FortiGate HA Overview or
the FortiGate HA Guide for more information.

Base backplane gigabit communication

The FortiGate-5001FA2-LENC port9 and port10 base backplane gigabit interfaces 
can be used for HA heartbeat communication between FortiGate-5001FA2-LENC 
boards installed in the same or in different FortiGate-5000 chassis. You can also 
configure FortiGate-5001FA2-LENC boards to use the base backplane interfaces 
for data communication between FortiGate boards. To support base backplane 
communications, your FortiGate-5140 or 5050 chassis must include one or more 
FortiSwitch-5003 boards. FortiSwitch-5003 boards are installed in chassis slots 1 
and 2. The FortiGate-5020 chassis supports base backplane communication with 
no additions or changes to the chassis.

For information about base backplane communication in FortiGate-5140 and
FortiGate-5050 chassis, see the FortiGate-5000 Base Backplane Communication
Guide. For information about the FortiSwitch-5003 board, see the
FortiSwitch-5003 Guide.
