
FortiGate-7121F System Guide

FortiGate-7000F Series

Summary of Contents for FortiGate-7000F Series

Page 1: ...FortiGate 7121F System Guide FortiGate 7000F Series ...

Page 2: ...upport.fortinet.com FORTINET TRAINING & CERTIFICATION PROGRAM: https://www.fortinet.com/support-and-training/training.html NSE INSTITUTE: https://training.fortinet.com FORTIGUARD CENTER: https://fortiguard.com END USER LICENSE AGREEMENT: https://www.fortinet.com/doc/legal/EULA.pdf FEEDBACK: Email: techdoc@fortinet.com April 8, 2021 FortiGate 7121F System Guide 01-626-669640-20210408 ...

Page 3: ...chassis to ground 19 Turning on FortiGate 7000F chassis power 20 FortiGate 7000F hardware assembly and rack mounting 21 Installing optional accessories 21 Front mounting brackets 21 Cable bracket kit 22 Front air filter kit 24 Power cord clamps 25 Mounting the FortiGate 7000F chassis in a four post rack 26 Mounting the FortiGate 7000F chassis in a two post rack 27 Inserting FIMs and FPMs 28 Gettin...

Page 4: ...g to the FortiOS CLI of the FIM in slot 1 49 Connecting to the FortiOS CLI of the FIM in slot 2 49 Connecting to the SMC SDI CLI of the FPM in slot 3 50 Changing the SMM admin account password 50 FortiGate 7000F chassis slots IPMB addresses 50 Rebooting an FIM or FPM from the SMC SDI CLI 51 Comlog 52 System event log SEL 53 Sensor data record SDR 53 Common SMM CLI operations 53 Cautions and warnin...

Page 5: ... Fortinet Technologies Inc. Change log (Date: Change description)
April 8, 2021: Removed information about the FPM 7620F console port, which is not supported.
March 30, 2021: Initial release.
FortiGate 7121F System Guide 5 ...

Page 6: ...M controls chassis cooling and power management and provides an interface for managing the FIMs and FPMs in the chassis Do not operate the FortiGate 7000F chassis with open slots on the front or back panel For optimum cooling performance and safety each chassis front panel slot must contain an FIM or FPM or an FIM or FPM blank panel also called a dummy card In addition all cooling fan trays power ...

Page 7: ...[Figure: FortiGate 7121F chassis diagram. Labels: ESD socket; FIM 7921F (FIM slots 1 and 2); SMM 2; SMM 1; ground connector; PSUs 1 to 8; FPM 7620F (FPM slots 3, 5, 7, 9, 11); FPM 7620F (FPM slots 4, 6, 8, 10, 12)] FortiGate 7121F System Guide 7 ...

Page 8: ... 20 Interfaces 1 to 18 can be connected to 100Gbps data networks Interfaces 19 and 20 can be connected to 400Gbps data networks You can also change the interface type of interfaces 19 and 20 and change the speeds of all of the data interfaces The FIM 7921F also includes two 100 GigE QSFP28 base channel management interfaces M1 and M2 and two 25 GigE SPF28 base channel management interfaces M3 and ...

Page 9: ...ed back to the FPMs The FPM 7620F processes sessions using a dual CPU configuration accelerates network traffic processing with two NP7 processors and accelerates content processing with eight CP9 processors The NP7 network processors are connected by the FIM switch fabric so all supported traffic types can be fast path accelerated by the NP7 processors FPM 7620F front panel Power Slider Module Le...

Page 10: ...ed according to the chassis serial number. You need to register your chassis to receive Fortinet customer services such as product updates and customer support. You must also register your product for FortiGuard services. Register your product by visiting https://support.fortinet.com. To register, enter your contact information and the serial numbers of the Fortinet products that you or your organization...

Page 11: ...[Figure: FortiGate 7000F chassis schematic showing the FIMs and FPMs with their NP7 and CP9 processors, SMC SDI controllers, IPMB addresses and FIM data interfaces]...

Page 12: ...M3 to FPM12 IPMB addresses 0x86 to 0x98 are the FPM processor modules in slots 3 to 12 These worker modules process sessions distributed to them over the fabric backplane by the NP7 processors in the FIMs FPMs include NP7 processors to offload sessions from the FPM CPU and CP9 processors that accelerate content processing FPMs also include data interfaces that increase the number of data interface...

Page 13: ... chassis including 2x SMM 6x fan trays and 8x ACPSUs l Additional FIMs and FPMs l FIM and FPM blank panels to be installed in empty chassis slots l Transceivers l Cable bracket kit for data cable management l Front air filter kit l Additional AC PSUs l Additional FAN trays Physical description of the FortiGate 7000F chassis The FortiGate 7000F chassis is a 16U chassis that can be installed in a st...

Page 14: ...ut the chassis may experience high temperature warnings Maintaining a lower ambient temperature can reduce the chance of overheating Fan trays are hot swappable You can replace a failed fan tray while the chassis is operating To replace a fan tray unscrew the four retention screws and use the handles to pull the fan tray out of the chassis Install a replacement fan tray by sliding it into place in...

Page 15: ...alling the chassis make sure there is enough clearance for effective cooling air flow The following diagram shows the cooling air flow through the chassis and the locations of fan trays Make sure the cooling air intake and warm air exhaust openings are not blocked by cables or rack construction because this could result in cooling performance reduction and possible overheating and component damage...

Page 16: ...r optimal cooling allow 100 mm of clearance at the front and back of the chassis Optional air filter You can purchase an optional NEBS compliant air filter kit that includes a front filter that fits over the front of the chassis This filter is not required for normal operation but can be added if you require air filtration The air filters should be inspected regularly If dirty or damaged the filte...

Page 17: ...e redundancy you can connect each PSU to a separate power source Use a C15 Power cable supplied with the chassis to connect power to each PSU C16 power connector C15 C16 power connectors are used for high temperature environments and are rated up to 120 C AC PSU showing C16 power connector Latch PSU LED C16 Power Connector The PSU LED indicates whether the PSU is operating correctly and connected ...

Page 18: ...es | Total max power (W)
FIM 7921F | 597 | 2 | 1194
FPM 7620F | 716 | 10 | 7160
Chassis (fans, SMMs, etc.) | 1400 | N/A | 1400
Totals | 9754
To completely power a FortiGate 7000F with two FIMs and ten FPMs, you would need six PSUs. You can add one or two more PSUs to provide 6+1 or 6+2 redundancy. Power distribution unit (PDU) requirements: Due to the power consumption of the FortiGate 7000F, Fortinet recommends the following PDU requireme...

Page 19: ...ting the FortiGate 7000F chassis to ground The FortiGate 7000F chassis includes a ground terminal on the rear the bottom of the FortiGate 7000F back panel The ground terminal provides two connectors to be used with a double holed lug such as Thomas Betts PN 54850BE This connector must be connected to a local ground connection You need the following equipment to connect the FortiGate 7000F chassis ...

Page 20: ...e chassis is operating correctly the LEDs on the PSUs and fans should be lit As well the LEDs on the SMMs should be lit When the chassis first starts up you should also hear the cooling fans operating In addition if any modules have been installed in the chassis they should power on and their front panel LEDs should indicate that they are starting up and operating normally FortiGate 7121F System G...

Page 21: ...top heavy and potentially falling over If you are going to mount the chassis higher make sure the rack is well anchored Since the chassis is over 400 lbs use a lift to raise the chassis into position before mounting it Install accessories before mounting the chassis in a rack Install the FIMs and FPMs after the chassis is rack mounted Installing optional accessories The following accessories are o...

Page 22: ...s horizontal cable mount levers that must be installed after the cable kit brackets are attached to the left and right mounting brackets Once the mount levers are installed you can attach network cables to them Installing the cable bracket kit Attach the left cable bracket to the top and bottom of the left side mounting bracket using four M4x8 large pan head screws Power cord clamps Attach the rig...

Page 23: ...able tie Attach cable ties to the mount levers Rubber retainer Installing horizontal cable mount levers Insert the other end of the mount lever into the top hole in the bracket on the other side of the chassis From the inside insert the mount lever through the top hole in the side bracket and extend it a short distance past the side bracket Press the mount lever down until held in place by the rub...

Page 24: ...holes sealing foam not shown in the diagram 3 Slide the cover in and then down into place 4 Re install the top cover this holds the channel outlet sealing cover in place Installing an FPM in slot 11 if the front filter kit has been installed 1 Remove the top cover 2 Remove the slot 11 mount lever by pushing it upward and backward 3 Slide the FPM into slot 11 not shown 4 Re install the slot 11 moun...

Page 25: ... the mount lever through the top hole in the side bracket and extend it a short distance past the side bracket Press the mount lever down until held in place by the rubber retainer in each bracket 1 2 3 1 2 3 Cable management Tie cables to the mount lever using the second round of the cable tie Attach cable ties to the mount levers Maintain a greater than 1 inch 2 5 cm network cable bend radius Po...

Page 26: ...h enough space above it for the chassis The length of the tray sides adjusts to match your rack Once the 4 post rack mount tray has been installed slide the chassis onto the tray and secure it to the rack mount tray and the rack posts as shown in the diagram Mounting the chassis in a four post rack 3 Secure the chassis to the rack mount ray 2 Place the chassis on the rack mount tray 4 Secure the c...

Page 27: ...nough space above the trays for the chassis Then place the chassis on the mid mount tray Then use rack mount screws to attach the mid mount brackets to the rack posts securing the chassis in the rack Mounting the chassis in a 2 post rack 2 Attach the mid mount tray to the rack posts 3 Place the chassis on the mid mount tray 4 Secure the chassis by attaching the mid mounting brackets to the rack po...

Page 28: ...nt To insert FIM and FPM modules see the guide supplied with the module FIM and FPM backplane connectors are shipped with a backplane connector protection label and plastic cover Before inserting the FIM or FPM module into the chassis slot remove the label and plastic cover and check the backplane connectors to make sure they are clean and undamaged To install an FIM or FPM into a chassis carefull...

Page 29: ...og in to the CLI by connecting the MGMT1 interface of the FIM in slot 1 to your network. Then use an SSH client to connect to 192.168.1.99 and use the same admin account to log in.
• Log in to the primary FIM CLI by connecting to the RJ-45 RS-232 Console 1 serial port on the System Management Module (SMM) with settings: BPS: 9600, data bits: 8, parity: none, stop bits: 1, flow control: none.
• Log in to the prim...

Page 30: ...gmt-intf 1-mgmt1 end
To manage individual FIMs or FPMs using special management ports, the SLBC interface must be connected to a network. The slbc-mgmt-intf option is blank by default and must be set to be able to manage individual FIMs and FPMs using the SLBC management interface IP address and special port numbers. If you decide to use a different management interface, you must also change the slbc ...

Page 31: ...s and FPMs are synchronized, each output line should include in_sync=1. If a line ends with in_sync=0, that FIM or FPM is not synchronized. The following example just shows a few output lines:
diagnose sys confsync status | grep in_sy
FIM21FTB21000063, Slave, uptime=79898.73, priority=2, slot_id=1:2, idx=0, flag=0x0, in_sync=1
FIM21FTB21000068, Master, uptime=79887.77, priority=1, slot_id=1:1, idx=1, flag=0x0, in_sync...

Page 32: ...depending on your Multi VDOM license. Changing data interface network settings: To change the IP address of any FortiGate 7000F data interface:
• From the GUI, access the Global GUI and go to Network > Interfaces. Edit any interface to change its IP address and other settings.
• From the CLI:
config system interface
edit <interface-name>
set ip <ip-address> <netmask>
end
Resetting to factory defaults: At any time...

Page 33: ...ss enabled. To block access to the special management port numbers, disconnect the mgmt interface from a network, configure the SLBC management interface with an invalid IP address, or disable management or administrative access for the SLBC management interface. You can connect to the GUI or CLI of individual FIMs or FPMs using the SLBC management interface IP address followed by a special port number...

Page 34: ...UI header banner and the CLI prompt shows its hostname The System Information dashboard widget also shows the host name and serial number The CLI prompt also shows the slot address in the format hostname slot address Logging in to different FIMs or FPMs allows you to use dashboard widgets FortiView or Monitor GUI pages to view the activity of that FIM or FPM Even though you can log in to different...

Page 35: ...lot 4 | FPM04 | 8024 | 44324 | 2324 | 2224 | 16124
Ch2 slot 6 | FPM06 | 8026 | 44326 | 2326 | 2226 | 16126
Ch2 slot 8 | FPM08 | 8028 | 44328 | 2328 | 2228 | 16128
Ch2 slot 10 | FPM10 | 8030 | 44330 | 2330 | 2230 | 16130
Ch2 slot 12 | FPM12 | 8032 | 44332 | 2332 | 2232 | 16132
Managing individual FIMs and FPMs from the CLI: From any CLI, you can use the execute load-balance slot manage <slot> command to log into the CLI of different FIMs and FPMs. You can use th...

Page 36: ...e id is the ID of the other FortiGate 7000F in the cluster From the primary FortiGate 7000F use an ID of 0 to log into the secondary FortiGate 7000F From the secondary FortiGate 7000F use an ID of 1 to log into the primary FortiGate 7000F You can enter the to see the list of IDs that you can connect to After you have logged in you can manage the secondary FortiGate 7000F from the primary FIM or yo...

Page 37: ...rades may take longer depending on factors such as the size of the configuration Before beginning a firmware upgrade Fortinet recommends that you perform the following tasks l Review the latest release notes for the firmware version that you are upgrading to l Verify the recommended upgrade path as documented in the release notes l Back up your FortiGate 7000F configuration Fortinet recommends tha...

Page 38: ...stalling a replacement FIM or FPM that is running a different firmware version.
• Installing firmware on or formatting an FIM or FPM from the BIOS.
To verify the firmware versions on each FIM or FPM, you can check individual FIM and FPM GUIs or enter the get system status command from each FIM or FPM CLI. You can also use the diagnose sys confsync status | grep in_sy command to see if the FIMs and FPMs ...

Page 39: ...tart it using the execute reboot command. If this does not solve the problem, contact Fortinet Support at https://support.fortinet.com. The example output also shows that the uptime of the FIM in slot 2 is lower than the uptime of the other modules, indicating that the FIM in slot 2 has recently restarted. If you enter the diagnose sys confsync status | grep in_sy command before the FIM has completely rest...

Page 40: ...to install the firmware During this procedure the FIM will not be able to process traffic However the other FIM and the FPMs should continue to operate normally 1 Set up a TFTP server and copy the firmware file to the TFTP server default folder 2 Set up your network to allow traffic between the TFTP server and one of the FIM MGMT interfaces 3 Using the console cable supplied with your FortiGate 70...

Page 41: ...art it using the execute reboot command. If this does not solve the problem, contact Fortinet Support at https://support.fortinet.com. If you enter the diagnose sys confsync status | grep in_sy command before the FIM has restarted, it will not appear in the command output. As well, the Configuration Sync Monitor will temporarily show that it is not synchronized. Installing FPM firmware from the BIOS after a ...

Page 42: ... use to connect to the TFTP server This address must not be the same as the FortiGate 7000F management IP address and cannot conflict with other addresses on your network S Set local Subnet Mask Set as required for your network G Set local gateway Set as required for your network V Local VLAN ID Should be set to none use 1 to set the Local VLAN ID to none T Set remote TFTP server IP address The IP...

Page 43: ...e, uptime=327578.35, priority=17, slot_id=1:4, idx=2, flag=0x64, in_sync=1
FPM20FTB21900168, Slave, uptime=327527.53, priority=24, slot_id=1:11, idx=3, flag=0x64, in_sync=0
FPM20FTB21900170, Slave, uptime=327520.91, priority=18, slot_id=1:5, idx=4, flag=0x64, in_sync=1
FPM20FTB21900179, Slave, uptime=327556.85, priority=19, slot_id=1:6, idx=5, flag=0x64, in_sync=1
FPM20FTB21900182, Slave, uptime=327579.41, priority=25, slot_id ...

Page 44: ...rface setting and the session support flag FortiGate 7000F SMM front panel Status Alarm Temp Power LEDs Fan and PSU LEDs MGMT Ethernet Interface Console 1 Connection LEDs Console 2 Connection LEDs Retention Screw Retention Screw Console 1 RJ 45 RS 232 Serial Interface Console 1 Connection Change Button Console 2 Connection Change Button Console 2 RJ 45 RS 232 Serial Interface The active SMM commun...

Page 45: ... Module failure If the SMM fails you should RMA the chassis The chassis and the modules in it will continue to operate with no functioning SMM until you can replace the chassis If there is no functioning SMM the chassis fans operate at maximum speed and the FIM and FPM modules in the chassis switch to standalone mode and manage their own power System Management Module LEDs The following table desc...

Page 46: ... is indicating an anomaly Temp Solid green All temperature sensors indicated acceptable operating temperatures Blinking green At least one temperature sensor is detecting a high temperature outside of the normal operating range In this case an upper non critical UNC temperature The SMM increases fan speed to increase cooling and reduce the temperature Blinking red At least one temperature sensor i...

Page 47: ... fan tachometer sensor in this fan tray has registered an alert because a critical or non recoverable NR threshold has been crossed PSU LEDs for each of eight PSUs Off The PSU is not installed in the chassis Green The PSU is present and operating normally Blinking red The PSU module is installed but no power is being delivered not plugged in Red The PSU s sensors have detected an alert condition T...

Page 48: ...odule using an IPMI tool and are disabled by default. You can enable serial access to individual SMC SDI consoles from the SMM SMC SDI CLI using the command serial set sdi enable <slot>. During normal operation you may want to access the SMM SMC SDI CLI; you shouldn't normally require access to individual FIM and FPM SMC SDI consoles. By default, when the chassis first starts up, Console 1 is connected to...

Page 49: ...9600, Data bits: 8, Parity: None, Stop bits: 1, and Flow Control: None.
3. Press Ctrl-T to enter console switch mode.
4. Repeat pressing Ctrl-T until you have connected to slot 1. Example prompt: Switching to Console FIM01 9600
5. Log in with an administrator name and password. The default is admin with no password. For security reasons, it is strongly recommended that you change the password.
6. When your session is ...

Page 50: ...d that you change the password.
7. You can begin entering commands at the admin FPM03 MC prompt.
8. When your session is complete, enter the exit command to log out.
Changing the SMM admin account password: Use the following procedure to change the SMM admin account password.
1. Enter the following command to show all users and their user IDs:
user list
The output should show that the admin user has a user ...

Page 51: ...s to display sensor readings for the FIM in slot 2:
sensor 0x84
sensor 2
When command syntax descriptions in this chapter include the <slot> variable, you can replace it with a slot number (1 to 12) or an IPMB address number (0x82 to 0x98). Rebooting an FIM or FPM from the SMC SDI CLI: A common use of the SMC SDI CLI is being able to remotely reboot a FIM or FPM. From any SMC SDI CLI, use the following comman...

Page 52: ...ion SMC CLI Commands IPMI commands Display comlog information Available on the passive module comlog getinfo Status Disabled COM Speed 9600 Storage Size 0x00400000 Log Start 0x00000000 Log End 0x00000C37 Log Size 3127 Bytes Display a module s comlog Available on the passive module comlog getinfo slot comlog print slot fortinetoem comlog getinfo fortinetoem comlog print Clear a module s comlog Eith...

Page 53: ...sensors in all parts of the chassis including the FIMs and FPMs Information includes the Sensor ID string sensor type sensor event reading type entity ID entity instance sensor unit reading linearization parameters sensor thresholds and so on The following commands display information stored in the SDR Operation SMC CLI Commands IPMI Commands Display current local sensor values and sensor SDRs or ...

Page 54: ...ay SMC device ID Build Date Number SMC firmware information address info entity map for the device in the slot Available on the passive module info slot N A Switching active SMM The active SMM becomes passive and the passive becomes active Available on the passive module smm_switch N A Display status power budget and hot swap state for all modules Available on the passive module status N A List th...

Page 55: ...e on the passive module user list user list channel number Disable a user account Available on the passive module user disable user id user disable user id Enable a user account Available on the passive module user enable user id user enable user id Set a user account user name Available on the passive module user set name user id name user set name user id name Set a user account password Availab...

Page 56: ...te when the console is disabled Available on the passive module serial set sdi default_sniff_baud speed N A Enable a console connection from the SMM to another module serial set sdi enable slot N A Disable the console connection between the SMM and another module Available on the passive module serial set sdi disable slot N A Cold or warm reset a module mc reset slot cold mc reset slot warm mc res...

Page 57: ...macaddr mac lan set channel kgkey value lan set channel krkey value lan set help use this command to display online help for LAN settings Enable or disable all LAN interfaces lan disable channel lan enable channel fortinetoem param set 0 1 fortinetoem param set 0 0 Set fan levels Change or switch the active fan set fan_min_level level fan_max_level level level range is 0 20 N A Change LED settings...

Page 58: ...chanical loading. French notice, Mechanical Loading: The equipment must be mounted in the rack in such a way that a hazardous condition does not arise from uneven mechanical loading. Circuit Overloading: Consideration should be given to the connection of the equipment to the supply circuit and the effect that overloading of the circuits might have on overcurrent protection and supply wiring. Appropriate consideratio...

Page 59: ...ther with over current protection suitable for local code (rated 200-240V, 10A recommended) shall be installed with this equipment. French notice, Warning: A UL-listed external disconnect device (for example a circuit breaker or other) with appropriate overcurrent protection (rated 200-240V, 10A) is recommended when installing this equipment. Battery: Risk of explosion if the battery is replaced by an i...

Page 60: ... Grounding: To avoid damaging your equipment, make sure that connections entering from outside the building pass through a lightning arrester or surge protector and are properly grounded. Use an electrostatic discharge (ESD) workstation and/or wear an anti-static wrist strap while you work. This product has a ground terminal that is ...

Page 61: ...nt in a residential area is likely to cause harmful interference in which case the user will be required to correct the interference at his own expense WARNING Any changes or modifications to this product not expressly approved by the party responsible for compliance could void the user s authority to operate the equipment Industry Canada Equipment Standard for Digital Equipment ICES Canada CAN IC...

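Page 62: ...in accordance with the provisions, use the enclosed power cord only as the dedicated power cord for this product and do not use it with other products. Bureau of Standards, Metrology and Inspection (BSMI), Taiwan: The presence conditions of the restricted substance (BSMI RoHS table) are available at the link below. Restricted substances content table (RoHS Table): please download it from the following address: https://www.fortinet.com/bsmi. This is Class A information technology equipment. When used in a residential environment, it may cause radio-frequency interference, in which case the user will be required to take certain appropriate countermeasures. 英屬蓋曼群島商防特網股份有限公司台灣分公司. Address: 2F, No. 176, Xing'ai Rd., Neihu Dist., Taipei City. Telephone: 02 27961666. China: 此为A级...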

Page 63: ...tinet enters a binding written contract signed by Fortinet s General Counsel with a purchaser that expressly warrants that the identified product will perform according to certain expressly identified performance metrics and in such event only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet For absolute clarity any such warranty w...
