Operating a FortiGate-7000

This chapter describes some general FortiGate-7000 operating procedures.

Failover in a standalone FortiGate-7000

A FortiGate-7000 will continue to operate even if one of the FIM or FPM modules fails or is removed. If an FPM module fails, sessions being processed by that module fail. All sessions are then load balanced to the remaining FPM modules. Sessions that were being processed by the failed module are restarted and load balanced to the remaining FPM modules.

If an FIM module fails, the other FIM module will continue to operate and will become the config-sync master. However, traffic received by the failed FIM module will be lost.

You can use LACP or redundant interfaces to connect interfaces of both FIMs to the same network. In this way, if one of the FIMs fails, traffic continues to be received by the other FIM module.

Replacing a failed FPM or FIM module

This section describes how to remove a failed FPM or FIM module and replace it with a new one. The procedure is slightly different depending on whether you are operating in HA mode with two chassis or operating a standalone chassis.

Replacing a failed module in a standalone FortiGate-7000 chassis

  1. Power down the failed module by pressing the front panel power button.
  2. Remove the module from the chassis.
  3. Insert the replacement module. It should power up when inserted into the chassis if the chassis has power.
  4. The module’s configuration is synchronized and its firmware is upgraded to match the firmware version on the primary module. The new module reboots.
  5. Confirm that the new module is running the correct firmware version either from the GUI or by using the config system status

Manually update the module to the correct version if required. You can do this by logging into the module and performing a firmware upgrade.

  6. Verify that the configuration has been synchronized.

The following command output shows the sync status of the FIM modules in a FortiGate-7000 chassis. The field in_sync=1 indicates that the configurations of the modules are synchronized.

diagnose sys confsync status | grep in_sy

FIM04E3E16000080, Slave, uptime=177426.45, priority=2, slot_id=1:2, idx=0, flag=0x0, in_sync=1

FIM10E3E16000063, Master, uptime=177415.38, priority=1, slot_id=1:1, idx=1, flag=0x0, in_sync=1

If in_sync is not equal to 1 or if a module is missing in the command output you can try restarting the modules in the chassis by entering execute reboot from any module CLI. If this does not solve the problem, contact Fortinet support.

Replacing a failed module in a FortiGate-7000 chassis in an HA cluster

  1. Power down the failed module by pressing the front panel power button.
  2. Remove the module from the chassis.
  3. Insert the replacement module. It should power up when inserted into the chassis if the chassis has power.
  4. The module’s configuration is synchronized and its firmware is upgraded to match the configuration and firmware version on the primary module. The new module reboots.
  5. Confirm that the module is running the correct firmware version.

Manually update the module to the correct version if required. You can do this by logging into the module and performing a firmware upgrade.

  6. Configure the new module for HA operation. For example:

config system ha
  set mode a-p
  set chassis-id 1
  set hbdev m1 m2
  set hbdev-vlan-id 999
  set hbdev-second-vlan-id 990
end

  7. Optionally configure the hostname:

config system global
  set hostname <name>
end

The HA configuration and the hostname must be set manually because HA settings and the hostname are not synchronized.

  8. Verify that the configuration has been synchronized.

The following command output shows the sync status of the FIM modules in a FortiGate-7000 chassis. The field in_sync=1 indicates that the configurations of the modules are synchronized.

diagnose sys confsync status | grep in_sy

FIM04E3E16000080, Slave, uptime=177426.45, priority=2, slot_id=1:2, idx=0, flag=0x0, in_sync=1

FIM10E3E16000063, Master, uptime=177415.38, priority=1, slot_id=1:1, idx=1, flag=0x0, in_sync=1

If in_sync is not equal to 1 or if a module is missing in the command output you can try restarting the modules in the chassis by entering execute reboot from any module CLI. If this does not solve the problem, contact Fortinet support.

Installing firmware on an FIM or FPM module from the BIOS using a TFTP server

Use the procedures in this section to install firmware on an FIM or FPM module from a TFTP server after interrupting the boot-up sequence from the BIOS.

You might want to use this procedure if you need to reset the configuration of a module to factory defaults by installing firmware from a reboot. You can also use this procedure if you have formatted one or more FIM or FPM modules from the BIOS by interrupting the boot process.

This procedure involves creating a connection between a TFTP server and one of the MGMT interfaces of one of the FIM modules, using a chassis console port to connect to the CLI of the module that you are upgrading the firmware for, rebooting this module, interrupting the boot from the console session, and installing the firmware.

This section includes two procedures, one for upgrading FIM modules and one for upgrading FPM modules. The two procedures are very similar, but a few details, most notably the local VLAN ID setting, are different. If you need to update both FIM and FPM modules, update the FIM modules first, because the FPM modules can only communicate with the TFTP server through FIM module interfaces.

Uploading firmware from a TFTP server to an FIM module

Use the following steps to upload firmware from a TFTP server to an FIM module. This procedure requires Ethernet connectivity between the TFTP server and one of the FIM module’s MGMT interfaces.

During this procedure, the FIM module will not be able to process traffic so, if possible, perform this procedure when the network is not processing any traffic.

If you are operating an HA configuration, you should remove the chassis from the HA configuration before performing this procedure.

  1. Set up a TFTP server and copy the firmware file to be installed into the TFTP server default folder.
  2. Set up your network to allow traffic between the TFTP server and one of the MGMT interfaces of the FIM module to be updated.

If the MGMT interface you are using is one of the MGMT interfaces connected as a LAG to a switch, you must shut down or disconnect all of the other connections in the LAG from the switch. This includes the MGMT interfaces in the other FIM module.

  3. Connect the console cable supplied with your chassis to the Console 1 port on your chassis front panel and to your management computer’s RS-232 console port.
  4. Start a terminal emulation program on the management computer. Use these settings: Baud Rate (bps) 9600, Data bits 8, Parity None, Stop bits 1, and Flow Control None.
  5. Press Ctrl-T to enter console switch mode.
  6. Repeat pressing Ctrl-T until you have connected to the module to be updated. Example prompt:

<Switching to Console: FIM02 (9600)>

  7. Optionally log into the FIM module’s CLI.
  8. Reboot the FIM module to be updated.

You can do this using the execute reboot command from the CLI or by pressing the power switch on the module front panel.

  9. When the FIM module starts up, follow the boot process in the terminal session and press any key when prompted to interrupt the boot process.
  10. Press C to set up the TFTP configuration.
  11. Use the BIOS menu to set the following. Only change settings if required.

[P]: Set image download port: MGMT1 (change if required)

[D]: Set DHCP mode: Disabled

[I]: Set local IP address: A temporary IP address to be used to connect to the TFTP server. This address must not be the same as the chassis management IP address and cannot conflict with other addresses on your network.

[S]: Set local Subnet Mask: Set as required for your network.

[G]: Set local gateway: Set as required for your network.

[V]: Local VLAN ID: Use -1 to clear the Local VLAN ID.

[T]: Set remote TFTP server IP address: The IP address of the TFTP server.

[F]: Set firmware image file name: The name of the firmware file to be installed.

  12. Press Q to quit this menu.
  13. Press R to review the configuration.

If you need to make any corrections, press C and make the changes as required. When the configuration is correct proceed to the next step.

  14. Press T to start the TFTP transfer.

The firmware image is uploaded from the TFTP server and installed on the FIM module which then reboots. When it starts up the module’s configuration is reset to factory defaults. The module’s configuration is synchronized to match the configuration of the primary module. The new module reboots again and can start processing traffic.

  15. Verify that the configuration has been synchronized.

The following command output shows the sync status of the FIM modules in a FortiGate-7000 chassis. The field in_sync=1 indicates that the configurations of the modules are synchronized.

diagnose sys confsync status | grep in_sy

FIM04E3E16000080, Slave, uptime=177426.45, priority=2, slot_id=1:2, idx=0, flag=0x0, in_sync=1

FIM10E3E16000063, Master, uptime=177415.38, priority=1, slot_id=1:1, idx=1, flag=0x0, in_sync=1

If in_sync is not equal to 1 or if a module is missing in the command output you can try restarting the modules in the chassis by entering execute reboot from any module CLI. If this does not solve the problem, contact Fortinet support.

Uploading firmware from a TFTP server to an FPM module

Use the following steps to upload firmware from a TFTP server to an FPM module. This procedure requires Ethernet connectivity between the TFTP server and one of the MGMT interfaces of one of the FIM modules in the same chassis as the FPM module.

During this procedure, the FPM module will not be able to process traffic so, if possible, perform this procedure when the network is not processing any traffic. However, the other FPM modules and the FIM modules in the chassis should continue to operate normally and the chassis can continue processing traffic.

If you are operating an HA configuration, you should remove the chassis from the HA configuration before performing this procedure.

  1. Set up a TFTP server and copy the firmware file to be installed into the TFTP server default folder.
  2. Set up your network to allow traffic between the TFTP server and an MGMT interface of one of the FIM modules in the chassis that also includes the FPM module.

You can use any MGMT interface of either of the FIM modules. If the MGMT interface you are using is one of the MGMT interfaces connected as a LAG to a switch, you must shut down or disconnect all of the other connections in the LAG from the switch. This includes the MGMT interfaces in the other FIM module.

  3. Connect the console cable supplied with your chassis to the Console 1 port on your chassis front panel and to your management computer’s RS-232 console port.
  4. Start a terminal emulation program on the management computer. Use these settings: Baud Rate (bps) 9600, Data bits 8, Parity None, Stop bits 1, and Flow Control None.
  5. Press Ctrl-T to enter console switch mode.
  6. Repeat pressing Ctrl-T until you have connected to the module to be updated. Example prompt:

<Switching to Console: FPM03 (9600)>

  7. Optionally log into the FPM module’s CLI.
  8. Reboot the FPM module to be updated.

You can do this using the execute reboot command from the CLI or by pressing the power switch on the module front panel.

  9. When the FPM module starts up, follow the boot process in the terminal session and press any key when prompted to interrupt the boot process.
  10. Press C to set up the TFTP configuration.
  11. Use the BIOS menu to set the following. Only change settings if required.

[P]: Set image download port: The name of the FIM module that can connect to the TFTP server (FIM01 is the FIM module in slot 1 and FIM02 is the FIM module in slot 2).

[D]: Set DHCP mode: Disabled.

[I]: Set local IP address: A temporary IP address to be used to connect to the TFTP server. This address must not be the same as the chassis management IP address and cannot conflict with other addresses on your network.

[S]: Set local Subnet Mask: Set as required for your network.

[G]: Set local gateway: Set as required for your network.

[V]: Local VLAN ID: The VLAN ID of the FIM interface that can connect to the TFTP server:

FIM01 local VLAN IDs

Interface        MGMT1   MGMT2   MGMT3   MGMT4
Local VLAN ID    11      12      13      14

FIM02 local VLAN IDs

Interface        MGMT1   MGMT2   MGMT3   MGMT4
Local VLAN ID    21      22      23      24

[T]: Set remote TFTP server IP address: The IP address of the TFTP server.

[F]: Set firmware image file name: The name of the firmware file to be installed.

  12. Press Q to quit this menu.
  13. Press R to review the configuration.

If you need to make any corrections, press C and make the changes as required. When the configuration is correct proceed to the next step.

  14. Press T to start the TFTP transfer.

The firmware image is uploaded from the TFTP server and installed on the FPM module which then reboots.

When it starts up the module’s configuration is reset to factory defaults. The module’s configuration is synchronized to match the configuration of the primary module. The new module reboots again and can start processing traffic.

  15. Verify that the configuration has been synchronized.

The following command output shows the sync status of the FIM modules in a FortiGate-7000 chassis. The field in_sync=1 indicates that the configurations of the modules are synchronized.

diagnose sys confsync status | grep in_sy

FIM04E3E16000080, Slave, uptime=177426.45, priority=2, slot_id=1:2, idx=0, flag=0x0, in_sync=1

FIM10E3E16000063, Master, uptime=177415.38, priority=1, slot_id=1:1, idx=1, flag=0x0, in_sync=1

If in_sync is not equal to 1 or if a module is missing in the command output you can try restarting the modules in the chassis by entering execute reboot from any module CLI. If this does not solve the problem, contact Fortinet support.
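Every procedure in this chapter ends with the same manual check of the diagnose sys confsync status output: one Master, every expected module listed, and in_sync=1 on each line. The following script is an added example (not part of the Fortinet guide or FortiOS) that parses a captured copy of that output and reports the three failure conditions the text describes; the sample output is constructed from the lines shown above, and the expected module count is an assumption you supply for your chassis.

```python
import re

# Constructed sample of `diagnose sys confsync status | grep in_sy`, modelled on
# the lines printed in this guide; it is not captured from a live chassis.
SAMPLE_OUTPUT = """\
FIM04E3E16000080, Slave, uptime=177426.45, priority=2, slot_id=1:2, idx=0, flag=0x0, in_sync=1
FIM10E3E16000063, Master, uptime=177415.38, priority=1, slot_id=1:1, idx=1, flag=0x0, in_sync=1
"""

# "<serial>, <Master|Slave>, key=value, key=value, ..."
LINE_RE = re.compile(r"^(?P<serial>[^,\s]+),\s*(?P<role>Master|Slave),\s*(?P<fields>.*)$")


def parse_confsync(output):
    """Return one dict per module line with serial, role and each key=value field."""
    modules = []
    for raw in output.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip banners or unrelated lines
        fields = {}
        for kv in re.split(r",\s*", m.group("fields")):
            if "=" in kv:
                key, value = kv.split("=", 1)
                fields[key] = value  # slot_id stays "1:2", in_sync stays "1"
        modules.append({"serial": m.group("serial"), "role": m.group("role"), **fields})
    return modules


def check_sync(output, expected_modules):
    """List the problems the guide tells you to look for; empty list means healthy.

    expected_modules is the number of modules that should report (an assumption
    about your chassis); a missing module is as serious as an out-of-sync one.
    """
    modules = parse_confsync(output)
    problems = []
    if len(modules) < expected_modules:
        problems.append(f"only {len(modules)} of {expected_modules} modules reported")
    if sum(1 for mod in modules if mod["role"] == "Master") != 1:
        problems.append("expected exactly one Master")
    for mod in modules:
        if mod.get("in_sync") != "1":
            problems.append(f"{mod['serial']} (slot {mod.get('slot_id')}) in_sync={mod.get('in_sync')}")
    return problems


if __name__ == "__main__":
    for issue in check_sync(SAMPLE_OUTPUT, expected_modules=2) or ["all modules in sync"]:
        print(issue)
```

Paste the real command output into SAMPLE_OUTPUT (or read it from a file) after a module replacement or firmware install; a non-empty result is the cue to reboot the modules or contact Fortinet support as the guide describes.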


About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
