FIM-7904E interface module

The FIM-7904E interface module is a hot swappable module that provides data, management and session sync/heartbeat interfaces, base backplane switching and fabric backplane session-aware load balancing for a FortiGate-7000 series chassis. The FIM-7904E includes an integrated switch fabric and DP2 processors to load balance millions of data sessions over the chassis fabric backplane to FPM processor modules.

The FIM-7904E can be installed in any FortiGate-7000 series chassis in hub/switch slots 1 and 2. The FIM-7904E provides four Quad Small Form-factor Pluggable plus (QSFP+) interfaces for a FortiGate-7000 chassis. Using a 40GBASE-SR10 multimode QSFP+ transceiver, each QSFP+ interface can also be split into four 10GBASE-SR interfaces.

You can also install FIM-7904Es in a second chassis and operate the chassis in HA mode with another set of processor modules to provide chassis failover protection.

FIM-7904E front panel

The FIM-7904E includes the following hardware features:

  • Eight front panel 40GigE QSFP+ fabric channel interfaces (B1 to B8). These interfaces are connected to 40Gbps networks to distribute sessions to the FPM processor modules installed in chassis slots 3 and up. Using 40GBASE-SR10 multimode QSFP+ transceivers, each QSFP+ interface can also be split into four 10GBASE-SR interfaces. These interfaces also support creating link aggregation groups (LAGs) that can include interfaces from both FIM-7904Es.
  • Two front panel 10GigE SFP+ interfaces (M1 and M2) that connect to the base backplane channel. These interfaces are used for heartbeat, session sync, and management communication between FIM-7904Es in different chassis. These interfaces can also be configured to operate as Gigabit Ethernet interfaces using SFP transceivers, but should not normally be changed. If you use switches to connect these interfaces, the switch ports should be able to accept packets with a maximum frame size of at least 1526. The M1 and M2 interfaces need to be on different broadcast domains. If M1 and M2 are connected to the same switch, Q-in-Q must be enabled on the switch.
  • Four 10/100/1000BASE-T out of band management Ethernet interfaces (MGMT1 to MGMT4).
  • One 80Gbps fabric backplane channel for traffic distribution with each FPM module installed in the same chassis as the FIM-7904E.
  • One 1Gbps base backplane channel for base backplane with each FPM module installed in the same chassis as the FIM-7904E.
  • One 40Gbps fabric backplane channel for fabric backplane communication with the other FIM-7904E in the chassis.
  • One 1Gbps base backplane channel for base backplane communication with the other FIM-7904E in the chassis.
  • On-board DP2 processors and an integrated switch fabric to provide high-capacity session-aware load balancing.
  • One front panel USB port.
  • Power button.
  • NMI switch (for troubleshooting as recommended by Fortinet Support).
  • Mounting hardware.
  • LED status indicators.

Splitting the FIM-7904E B1 to B8 interfaces

Each 40GE interface (B1 to B8) on the FIM-7904Es in slot 1 and slot 2 of a FortiGate-7000 system can be split into 4 x 10GBE interfaces. You split these interfaces after the FIM-7904Es are installed in your FortiGate-7000 system and the system is up and running. You can split the interfaces of the FIM-7904Es in slot 1 and slot 2 at the same time by entering a single CLI command. Splitting the interfaces requires a system reboot, so Fortinet recommends that you split multiple interfaces at the same time, according to your requirements, to avoid repeated traffic disruption.

For example, to split the B1 interface of the FIM-7904E in slot 1 (this interface is named 1-B1) and the B1 and B4 interfaces of the FIM-7904E in slot 2 (these interfaces are named 2-B1 and 2-B4), connect to the CLI of your FortiGate-7000 system using the management IP and enter the following command:

config system global
    set split-port 1-B1 2-B1 2-B4
end

After you enter the command, the FortiGate-7000 reboots and when it comes up:

  • The 1-B1 interface will no longer be available. Instead the 1-B1/1, 1-B1/2, 1-B1/3, and 1-B1/4 interfaces will be available.
  • The 2-B1 interface will no longer be available. Instead the 2-B1/1, 2-B1/2, 2-B1/3, and 2-B1/4 interfaces will be available.
  • The 2-B4 interface will no longer be available. Instead the 2-B4/1, 2-B4/2, 2-B4/3, and 2-B4/4 interfaces will be available.

You can now connect breakout cables to these interfaces and configure traffic between them just like any other FortiGate interface.

FIM-7904E hardware schematic

The FIM-7904E includes an integrated switch fabric (ISF) that connects the front panel interfaces to the DP2 session-aware load balancers and to the chassis backplanes. The ISF also allows the DP2 processors to distribute sessions among all NP6 processors on the FPM modules in the same chassis.

FIM-7904E hardware architecture

FIM-7910E interface module

The FIM-7910E interface module is a hot swappable module that provides data, management and session sync/heartbeat interfaces, base backplane switching and fabric backplane session-aware load balancing for a FortiGate-7000 series chassis. The FIM-7910E includes an integrated switch fabric and DP2 processors to load balance millions of data sessions over the chassis fabric backplane to FPM processor modules.

The FIM-7910E can be installed in any FortiGate-7000 series chassis in hub/switch slots 1 and 2. The FIM-7910E provides four C form-factor pluggable 2 (CFP2) interfaces for a FortiGate-7000 chassis. Using a 100GBASE-SR10 multimode CFP2 transceiver, each CFP2 interface can also be split into ten 10GBASE-SR interfaces.

FIM-7910E front panel

The FIM-7910E includes the following hardware features:

  • Four front panel 100GigE CFP2 fabric channel interfaces (C1 to C4). These interfaces are connected to 100Gbps networks to distribute sessions to the FPM processor modules installed in chassis slots 3 and up. Using 100GBASE-SR10 multimode CFP2 transceivers, each CFP2 interface can also be split into ten 10GBASE-SR interfaces. These interfaces also support creating link aggregation groups (LAGs) that can include interfaces from both FIM-7910Es.
  • Two front panel 10GigE SFP+ interfaces (M1 and M2) that connect to the base backplane channel. These interfaces are used for heartbeat, session sync, and management communication between FIM-7910Es in different chassis. These interfaces can also be configured to operate as Gigabit Ethernet interfaces using SFP transceivers, but should not normally be changed. If you use switches to connect these interfaces, the switch ports should be able to accept packets with a maximum frame size of at least 1526. The M1 and M2 interfaces need to be on different broadcast domains. If M1 and M2 are connected to the same switch, Q-in-Q must be enabled on the switch.
  • Four 10/100/1000BASE-T out of band management Ethernet interfaces (MGMT1 to MGMT4).
  • One 80Gbps fabric backplane channel for traffic distribution with each FPM module installed in the same chassis as the FIM-7910E.
  • One 1Gbps base backplane channel for base backplane with each FPM module installed in the same chassis as the FIM-7910E.
  • One 40Gbps fabric backplane channel for fabric backplane communication with the other FIM-7910E in the chassis.
  • One 1Gbps base backplane channel for base backplane communication with the other FIM-7910E in the chassis.
  • On-board DP2 processors and an integrated switch fabric to provide high-capacity session-aware load balancing.
  • One front panel USB port.
  • Power button.
  • NMI switch (for troubleshooting as recommended by Fortinet Support).
  • Mounting hardware.
  • LED status indicators.

Splitting the FIM-7910E C1 to C4 interfaces

Each 100GE interface (C1 to C4) on the FIM-7910Es in slot 1 and slot 2 of a FortiGate-7000 system can be split into 10 x 10GBE interfaces. You split these interfaces after the FIM-7910Es are installed in your FortiGate-7000 system and the system is up and running. You can split the interfaces of the FIM-7910Es in slot 1 and slot 2 at the same time by entering a single CLI command. Splitting the interfaces requires a system reboot, so Fortinet recommends that you split multiple interfaces at the same time, according to your requirements, to avoid repeated traffic disruption.

For example, to split the C1 interface of the FIM-7910E in slot 1 (this interface is named 1-C1) and the C1 and C4 interfaces of the FIM-7910E in slot 2 (these interfaces are named 2-C1 and 2-C4), connect to the CLI of your FortiGate-7000 system using the management IP and enter the following command:

config system global
    set split-port 1-C1 2-C1 2-C4
end

After you enter the command, the FortiGate-7000 reboots and when it comes up:

  • The 1-C1 interface will no longer be available. Instead the 1-C1/1, 1-C1/2, …, and 1-C1/10 interfaces will be available.
  • The 2-C1 interface will no longer be available. Instead the 2-C1/1, 2-C1/2, …, and 2-C1/10 interfaces will be available.
  • The 2-C4 interface will no longer be available. Instead the 2-C4/1, 2-C4/2, …, and 2-C4/10 interfaces will be available.

You can now connect breakout cables to these interfaces and configure traffic between them just like any other FortiGate interface.

FIM-7910E hardware schematic

The FIM-7910E includes an integrated switch fabric (ISF) that connects the front panel interfaces to the DP2 session-aware load balancers and to the chassis backplanes. The ISF also allows the DP2 processors to distribute sessions among all NP6 processors on the FPM modules in the same chassis.

FIM-7910E hardware schematic

FIM-7920E interface module

The FIM-7920E interface module is a hot swappable module that provides data, management and session sync/heartbeat interfaces, base backplane switching and fabric backplane session-aware load balancing for a FortiGate-7000 series chassis. The FIM-7920E includes an integrated switch fabric and DP2 processors to load balance millions of data sessions over the chassis fabric backplane to FPM processor modules.

The FIM-7920E can be installed in any FortiGate-7000 series chassis in hub/switch slots 1 or 2. The FIM-7920E provides four Quad Small Form-factor Pluggable 28 (QSFP28) 100GigE interfaces for a FortiGate-7000 chassis. Using a 100GBASE-SR4 QSFP28 or 40GBASE-SR4 QSFP+ transceiver, each QSFP28 interface can also be split into four 10GBASE-SR interfaces.

You can also install FIM-7920Es in a second chassis and operate the chassis in HA mode with another set of processor modules to provide chassis failover protection.

FIM-7920E front panel

The FIM-7920E includes the following hardware features:

  • Four front panel 100GigE QSFP28 fabric channel interfaces (C1 to C4). These interfaces are connected to 100Gbps networks to distribute sessions to the FPM processor modules installed in chassis slots 3 and up. Using a 100GBASE-SR4 QSFP28 or 40GBASE-SR4 QSFP+ transceiver, each QSFP28 interface can also be split into four 10GBASE-SR interfaces. These interfaces also support creating link aggregation groups (LAGs) that can include interfaces from both FIM-7920Es.

  • Two front panel 10GigE SFP+ interfaces (M1 and M2) that connect to the base backplane channel. These interfaces are used for heartbeat, session sync, and management communication between FIM-7920Es in different chassis. These interfaces can also be configured to operate as Gigabit Ethernet interfaces using SFP transceivers, but should not normally be changed. If you use switches to connect these interfaces, the switch ports should be able to accept packets with a maximum frame size of at least 1526. The M1 and M2 interfaces need to be on different broadcast domains. If M1 and M2 are connected to the same switch, Q-in-Q must be enabled on the switch.
  • Four 10/100/1000BASE-T out of band management Ethernet interfaces (MGMT1 to MGMT4).
  • One 80Gbps fabric backplane channel for traffic distribution with each FPM module installed in the same chassis as the FIM-7920E.
  • One 1Gbps base backplane channel for base backplane with each FPM module installed in the same chassis as the FIM-7920E.
  • One 40Gbps fabric backplane channel for fabric backplane communication with the other FIM-7920E in the chassis.
  • One 1Gbps base backplane channel for base backplane communication with the other FIM-7920E in the chassis.
  • On-board DP2 processors and an integrated switch fabric to provide high-capacity session-aware load balancing.
  • One front panel USB port.
  • Power button.
  • NMI switch (for troubleshooting as recommended by Fortinet Support).
  • Mounting hardware.
  • LED status indicators.

Changing the interface type and splitting the FIM-7920E C1 to C4 interfaces

By default, the FIM-7920E C1 to C4 interfaces are configured as 100GE QSFP28 interfaces. You can use the following command to convert them to 40GE QSFP+ interfaces. Once converted, you can use the other command below to split them into four 10GBASE-SR interfaces.

Changing the interface type

For example, to change the interface type of the C1 interface of the FIM-7920E in slot 1 to 40GE QSFP+, connect to the CLI of your FortiGate-7000 system using the management IP and enter the following command:

config system global
    set qsfp28-40g-port 1-C1
end

The FortiGate-7000 system reboots, and when it starts up, interface C1 of the FIM-7920E in slot 1 is operating as a 40GE QSFP+ interface.

To change the interface type of the C3 and C4 ports of the FIM-7920E in slot 2 to 40GE QSFP+, enter the following command:

config system global
    set qsfp28-40g-port 2-C3 2-C4
end

The FortiGate-7000 system reboots, and when it starts up, interfaces C3 and C4 of the FIM-7920E in slot 2 are operating as 40GE QSFP+ interfaces.

Splitting the C1 to C4 interfaces

Each 40GE interface (C1 to C4) on the FIM-7920Es in slot 1 and slot 2 of a FortiGate-7000 system can be split into 4 x 10GBE interfaces. You split these interfaces after the FIM-7920Es are installed in your FortiGate-7000 system and the system is up and running. You can split the interfaces of the FIM-7920Es in slot 1 and slot 2 at the same time by entering a single CLI command. Splitting the interfaces requires a system reboot, so Fortinet recommends that you split multiple interfaces at the same time, according to your requirements, to avoid repeated traffic disruption.

For example, to split the C1 interface of the FIM-7920E in slot 1 (this interface is named 1-C1) and the C1 and C4 interfaces of the FIM-7920E in slot 2 (these interfaces are named 2-C1 and 2-C4), connect to the CLI of your FortiGate-7000 system using the management IP and enter the following command:

config system global
    set split-port 1-C1 2-C1 2-C4
end

After you enter the command, the FortiGate-7000 reboots and when it comes up:

  • The 1-C1 interface will no longer be available. Instead the 1-C1/1, 1-C1/2, 1-C1/3, and 1-C1/4 interfaces will be available.
  • The 2-C1 interface will no longer be available. Instead the 2-C1/1, 2-C1/2, 2-C1/3, and 2-C1/4 interfaces will be available.
  • The 2-C4 interface will no longer be available. Instead the 2-C4/1, 2-C4/2, 2-C4/3, and 2-C4/4 interfaces will be available.

You can now connect breakout cables to these interfaces and configure traffic between them just like any other FortiGate interface.
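The three port-splitting procedures above (FIM-7904E B1 to B8, FIM-7910E C1 to C4, and the FIM-7920E interface type change followed by a split) follow one pattern, and every mistaken port list costs a chassis reboot. The following Python planner is an added example, not Fortinet code: it assumes the split rules exactly as stated in those sections, validates the requested port names against the module model in each hub/switch slot, emits the CLI blocks in the order the page requires (qsfp28-40g-port before split-port on a FIM-7920E), and lists the interface names that will disappear so that policy or zone references can be reviewed before the reboot.

```python
"""Planner for FortiGate-7000 FIM front-panel port splits.

Added example (not Fortinet code). It encodes the breakout rules stated
for the FIM-7904E, FIM-7910E and FIM-7920E: which ports can be split, how
many 10GBASE-SR sub-interfaces each produces, and that FIM-7920E ports must
be converted to 40GE with qsfp28-40g-port before split-port applies.
"""
import re
from dataclasses import dataclass

# Breakout rules taken from the module descriptions above.
MODELS = {
    "FIM-7904E": {"prefix": "B", "ports": 8, "lanes": 4, "needs_40g": False},
    "FIM-7910E": {"prefix": "C", "ports": 4, "lanes": 10, "needs_40g": False},
    "FIM-7920E": {"prefix": "C", "ports": 4, "lanes": 4, "needs_40g": True},
}

# Front-panel names look like 1-B1 or 2-C4: hub/switch slot, port letter, number.
# A breakout name such as 1-B1/1 deliberately does not match (it cannot be split).
PORT_RE = re.compile(r"^([12])-([A-Z])(\d+)$")


@dataclass
class SplitPlan:
    commands: list   # CLI blocks to enter, in order; each one reboots the system
    removed: list    # interface names that no longer exist after the reboot
    added: list      # breakout interface names that exist after the reboot

    @property
    def reboots(self):
        return len(self.commands)


def _cli(setting, ports):
    # FortiOS CLI block for one 'config system global' setting.
    return "config system global\n    set %s %s\nend" % (setting, " ".join(ports))


def parse_port(name, slot_models):
    """Validate a front-panel port name against the module in that slot.

    Returns (slot, model, port_number) or raises ValueError.
    """
    m = PORT_RE.match(name)
    if not m:
        raise ValueError("bad interface name: %r" % name)
    slot, letter, number = int(m.group(1)), m.group(2), int(m.group(3))
    model = slot_models.get(slot)
    if model not in MODELS:
        raise ValueError("slot %d holds unknown module %r" % (slot, model))
    rule = MODELS[model]
    if letter != rule["prefix"] or not 1 <= number <= rule["ports"]:
        raise ValueError("%s has no splittable port %s" % (model, name))
    return slot, model, number


def plan_split(slot_models, split_ports, converted_to_40g=()):
    """Build the CLI and resulting interface names for a set of port splits.

    slot_models:      {1: "FIM-7904E", 2: "FIM-7904E"} (what is in slots 1 and 2)
    split_ports:      names such as "1-B1", "2-C4"; duplicates are dropped
    converted_to_40g: FIM-7920E ports already running as 40GE QSFP+
    """
    ports = list(dict.fromkeys(split_ports))  # de-duplicate, keep order
    to_convert, added = [], []
    for name in ports:
        _, model, _ = parse_port(name, slot_models)
        rule = MODELS[model]
        if rule["needs_40g"] and name not in converted_to_40g:
            to_convert.append(name)
        added.extend("%s/%d" % (name, i) for i in range(1, rule["lanes"] + 1))
    commands = []
    if to_convert:
        # FIM-7920E: change the interface type first (its own reboot), then split.
        commands.append(_cli("qsfp28-40g-port", to_convert))
    if ports:
        commands.append(_cli("split-port", ports))
    return SplitPlan(commands=commands, removed=ports, added=added)


def stale_references(interface_names, plan):
    """Names (e.g. from firewall policies or zones) that the split will remove."""
    gone = set(plan.removed)
    return [n for n in interface_names if n in gone]


if __name__ == "__main__":
    # Constructed input: two FIM-7920Es, with 1-C1 already converted to 40GE.
    p = plan_split({1: "FIM-7920E", 2: "FIM-7920E"}, ["1-C1", "2-C3", "2-C4"],
                   converted_to_40g=["1-C1"])
    for block in p.commands:
        print(block, end="\n\n")
    print("reboots:", p.reboots)
    print("stale:", stale_references(["port1", "2-C4", "2-C4/1"], p))
```

Run it before the change window with the interface names your policies reference to see which ones the reboot will invalidate.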

FIM-7920E hardware schematic

The FIM-7920E includes an integrated switch fabric (ISF) that connects the front panel interfaces to the DP2 session-aware load balancers and to the chassis backplanes. The ISF also allows the DP2 processors to distribute sessions among all NP6 processors on the FPM modules in the same chassis.

FIM-7920E hardware schematic

FPM-7620E processing module

The FPM-7620E processing module is a high-performance worker module that processes sessions load balanced to it by FortiGate-7000 series interface (FIM) modules over the chassis fabric backplane. The FPM-7620E can be installed in any FortiGate-7000 series chassis in slots 3 and up.

The FPM-7620E includes two 80Gbps connections to the chassis fabric backplane and two 1Gbps connections to the base backplane. The FPM-7620E processes sessions using a dual CPU configuration, accelerates network traffic processing with 4 NP6 processors and accelerates content processing with 8 CP9 processors. The NP6 network processors are connected by the FIM switch fabric so all supported traffic types can be fast path accelerated by the NP6 processors.

The FPM-7620E includes the following hardware features:

  • Two 80Gbps fabric backplane channels for load balanced sessions from the FIM modules installed in the chassis.
  • Two 1Gbps base backplane channels for management, heartbeat and session sync communication.
  • Dual CPUs for high performance operation.
  • Four NP6 processors to offload network processing from the CPUs.
  • Eight CP9 processors to offload content processing and SSL and IPsec encryption from the CPUs.
  • Power button.
  • NMI switch (for troubleshooting as recommended by Fortinet Support).
  • Mounting hardware.
  • LED status indicators.

FPM-7620E front panel

NP6 network processors – offloading load balancing and network traffic

The four FPM-7620E NP6 network processors combined with the FIM module integrated switch fabric (ISF) provide hardware acceleration by offloading load balancing from the FPM-7620E CPUs. The result is enhanced network performance provided by the NP6 processors plus the network processing load is removed from the CPU. The NP6 processor can also handle some CPU intensive tasks, like IPsec VPN encryption/decryption. Because of the integrated switch fabric, all sessions are fast-pathed and accelerated.

FPM-7620E hardware architecture

Accelerated IPS, SSL VPN, and IPsec VPN (CP9 content processors)

The FPM-7620E includes eight CP9 processors that provide the following performance enhancements:

  • Flow-based inspection (IPS, application control etc.) pattern matching acceleration with over 10Gbps throughput
      • IPS pre-scan
      • IPS signature correlation
      • Full match processors
  • High performance VPN bulk data engine
      • IPsec and SSL/TLS protocol processor
      • DES/3DES/AES128/192/256 in accordance with FIPS46-3/FIPS81/FIPS197
      • MD5/SHA-1/SHA256/384/512-96/128/192/256 with RFC1321 and FIPS180
      • HMAC in accordance with RFC2104/2403/2404 and FIPS198
      • ESN mode
  • GCM support for NSA “Suite B” (RFC6379/RFC6460) including GCM-128/256; GMAC-128/256
  • Key Exchange Processor that supports high performance IKE and RSA computation
      • Public key exponentiation engine with hardware CRT support
      • Primality checking for RSA key generation
      • Handshake accelerator with automatic key material generation
      • True Random Number generator
      • Elliptic Curve support for NSA “Suite B”
      • Sub public key engine (PKCE) to support up to 4096 bit operation directly (4k for DH and 8k for RSA with CRT)
  • DLP fingerprint support
      • TTTD (Two-Thresholds-Two-Divisors) content chunking
      • Two thresholds and two divisors are configurable

FIM-7901E interface module

The FIM-7901E interface module is a hot swappable module that provides data, management and session sync/heartbeat interfaces, base backplane switching and fabric backplane session-aware load balancing for a FortiGate-7000 chassis. The FIM-7901E includes an integrated switch fabric and DP2 processors to load balance millions of data sessions over the chassis fabric backplane to FPM processor modules.

The FIM-7901E can be installed in any FortiGate-7000 series chassis in hub/switch slots 1 and 2. The FIM-7901E provides thirty-two 10GigE small form-factor pluggable plus (SFP+) interfaces for a FortiGate-7000 chassis.

You can also install FIM-7901Es in a second chassis and operate the chassis in HA mode with another set of processor modules to provide chassis failover protection.

FIM-7901E front panel

The FIM-7901E includes the following hardware features:

  • Thirty-two front panel 10GigE SFP+ fabric channel interfaces (A1 to A32). These interfaces are connected to 10Gbps networks to distribute sessions to the FPM processor modules installed in chassis slots 3 and up. These interfaces can also be configured to operate as Gigabit Ethernet interfaces using SFP transceivers. These interfaces also support creating link aggregation groups (LAGs) that can include interfaces from both FIM-7901Es.
  • Two front panel 10GigE SFP+ interfaces (M1 and M2) that connect to the base backplane channel. These interfaces are used for heartbeat, session sync, and management communication between FIM-7901Es in different chassis. These interfaces can also be configured to operate as Gigabit Ethernet interfaces using SFP transceivers, but should not normally be changed. If you use switches to connect these interfaces, the switch ports should be able to accept packets with a maximum frame size of at least 1526. The M1 and M2 interfaces need to be on different broadcast domains. If M1 and M2 are connected to the same switch, Q-in-Q must be enabled on the switch.
  • Four 10/100/1000BASE-T out of band management Ethernet interfaces (MGMT1 to MGMT4).
  • One 80Gbps fabric backplane channel for traffic distribution with each FPM module installed in the same chassis as the FIM-7901E.
  • One 1Gbps base backplane channel for base backplane with each FPM module installed in the same chassis as the FIM-7901E.
  • One 40Gbps fabric backplane channel for fabric backplane communication with the other FIM-7901E in the chassis.
  • One 1Gbps base backplane channel for base backplane communication with the other FIM-7901E in the chassis.
  • On-board DP2 processors and an integrated switch fabric to provide high-capacity session-aware load balancing.
  • One front panel USB port.
  • Power button.
  • NMI switch (for troubleshooting as recommended by Fortinet Support).
  • Mounting hardware.
  • LED status indicators.

FIM-7901E schematic

The FIM-7901E includes an integrated switch fabric (ISF) that connects the front panel interfaces to the DP2 session-aware load balancers and to the chassis backplanes. The ISF also allows the DP2 processors to distribute sessions among all NP6 processors on the FPM modules in the same chassis.

FIM-7901E schematic

FortiGate-7060E

The FortiGate-7060E is an 8U 19-inch rackmount 6-slot chassis with an 80Gbps fabric and 1Gbps base backplane designed by Fortinet. The fabric backplane provides network data communication and the base backplane provides management and sync communication among the chassis slots.

FortiGate-7060E front panel

The chassis is managed by two redundant management modules. Each module includes an Ethernet connection as well as two switchable console ports that provide console connections to the modules in the chassis slots. The active management module controls chassis cooling and power management and provides an interface for managing the modules installed in the chassis.

FortiGate-7060E front panel (example module configuration)

Power is provided to the chassis using four hot swappable 3+1 redundant 100-240 VAC, 50-60 Hz power supply units (PSUs). You can also optionally add up to six PSUs to provide 3+3 redundancy. The FortiGate-7060E can also be equipped with DC PSUs, allowing you to connect the chassis to -48V DC power.

The standard configuration of the FortiGate-7060E includes two FIM (interface) modules in chassis slots 1 and 2 and up to four FPM (processing) modules in chassis slots 3 to 6.

FortiGate-7060E schematic

The FortiGate-7060E chassis schematic below shows the communication channels between chassis components including the management modules (MGMT), the FIM modules (called FIM1 and FIM2) and the FPM modules (FPM3, FPM4, FPM5, and FPM6).

By default MGMT2 is the active management module and MGMT1 is inactive. The active management module always has the IPMB address 0x20 and the inactive management module always has the IPMB address 0x22.

The active management module communicates with all modules in the chassis over the base backplane. Each module, including the management modules, has a Shelf Management Controller (SMC). These SMCs support Intelligent Platform Management Bus (IPMB) communication between the active management module and the FIM and FPM modules for storing and sharing sensor data that the management module uses to control chassis cooling and power distribution. The base backplane also supports serial communications to allow console access from the management module to all modules, and 1Gbps Ethernet communication for management and heartbeat communication between modules.

FIM1 and FIM2 (IPMB addresses 0x82 and 0x84) are the FIM modules in slots 1 and 2. The interfaces of these modules connect the chassis to data networks and can be used for Ethernet management access to chassis components. The FIM modules include DP2 processors that distribute sessions over the Integrated Switch Fabric (ISF) to the NP6 processors in the FPM modules. Data sessions are communicated to the FPM modules over the 80Gbps chassis fabric backplane.

FPM3, FPM4, FPM5, and FPM6 (IPMB addresses 0x86, 0x88, 0x8A, and 0x8C) are the FPM processor modules in slots 3 to 6. These worker modules process sessions distributed to them by the FIM modules. FPM modules include NP6 processors to offload sessions from the FPM CPU and CP9 processors that accelerate content processing.

FortiGate-7040E

The FortiGate-7040E is a 6U 19-inch rackmount 4-slot chassis with an 80Gbps fabric and 1Gbps base backplane designed by Fortinet. The fabric backplane provides network data communication and the base backplane provides management and sync communication among the chassis slots.

FortiGate-7040E front panel

The FortiGate-7040E chassis is managed by a single management module that includes an Ethernet connection as well as two switchable console ports that provide console connections to the modules in the chassis slots. The management module controls chassis cooling and power management and provides an interface for managing the modules installed in the chassis. The standard configuration of the FortiGate-7040E includes two FIM (interface) modules in chassis slots 1 and 2 and two FPM (processing) modules in chassis slots 3 and 4.

FortiGate-7040E front panel

FortiGate-7040E schematic

The FortiGate-7040E chassis schematic below shows the communication channels between chassis components including the management module (MGMT), the FIM modules (called FIM1 and FIM2) and the FPM modules (FPM3 and FPM4).

The management module (MGMT, with IPMB address 0x20) communicates with all modules in the chassis over the base backplane. Each module, including the management module, includes a Shelf Management Controller (SMC). These SMCs support Intelligent Platform Management Bus (IPMB) communication between the management module and the FIM and FPM modules for storing and sharing sensor data that the management module uses to control chassis cooling and power distribution. The base backplane also supports serial communications to allow console access from the management module to all modules, and 1Gbps Ethernet communication for management and heartbeat communication between modules.

FIM1 and FIM2 (IPMB addresses 0x82 and 0x84) are the FIM modules in slots 1 and 2. The interfaces of these modules connect the chassis to data networks and can be used for Ethernet management access to chassis components. The FIM modules include DP2 processors that distribute sessions over the Integrated Switch Fabric (ISF) to the NP6 processors in the FPM modules. Data sessions are communicated to the FPM modules over the 80Gbps chassis fabric backplane.

FPM3 and FPM4 (IPMB addresses 0x86 and 0x88) are the FPM processor modules in slots 3 and 4. These worker modules process sessions distributed to them by the FIM modules. FPM modules include NP6 processors to offload sessions from the FPM CPU and CP9 processors that accelerate content processing.

FortiGate-7030E

The FortiGate-7030E is a 6U 19-inch rackmount 3-slot chassis with an 80Gbps fabric and 1Gbps base backplane designed by Fortinet. The fabric backplane provides network data communication and the base backplane provides management and sync communication among the chassis slots.

FortiGate-7030E front panel

The FortiGate-7030E chassis is managed by a single management module that includes an Ethernet connection as well as two switchable console ports that provide console connections to the modules in the chassis slots. The management module controls chassis cooling and power management and provides an interface for managing the modules installed in the chassis. The standard configuration of the FortiGate-7030E includes one FIM (interface) module in chassis slot 1 and two FPM (processing) modules in chassis slots 3 and 4. The front panel also includes a sealed blank panel. Breaking the seal or removing the panel voids your FortiGate-7030E warranty.

FortiGate-7030E front panel (example module configuration)

FortiGate-7030E schematic

The FortiGate-7030E chassis schematic below shows the communication channels between chassis components including the management module (MGMT), the FIM module (called FIM1) and the FPM modules (FPM3 and FPM4).

The management module (MGMT, with IPMB address 0x20) communicates with all modules in the chassis over the base backplane. Each module, including the management module, includes a Shelf Management Controller (SMC). These SMCs support Intelligent Platform Management Bus (IPMB) communication between the management module and the FIM and FPM modules for storing and sharing sensor data that the management module uses to control chassis cooling and power distribution. The base backplane also supports serial communications to allow console access from the management module to all modules, and 1Gbps Ethernet communication for management and heartbeat communication between modules.

FIM1 (IPMB address 0x82) is the FIM module in slot 1. The interfaces of this module connect the chassis to data networks and can be used for Ethernet management access to chassis components. The FIM module includes DP2 processors that distribute sessions over the Integrated Switch Fabric (ISF) to the NP6 processors in the FPM modules. Data sessions are communicated to the FPM modules over the 80Gbps chassis fabric backplane.

FPM3 and FPM4 (IPMB addresses 0x86 and 0x88) are the FPM processor modules in slots 3 and 4. These worker modules process sessions distributed to them by the FIM module. FPM modules include NP6 processors to offload sessions from the FPM CPU and CP9 processors that accelerate content processing.

FortiGate-7000 overview

A FortiGate-7000 product consists of a FortiGate-7000 series chassis (for example, the FortiGate-7040E) with FortiGate-7000 modules installed in the chassis slots. A FortiGate-7040E chassis comes with two interface modules (FIM) to be installed in slots 1 and 2 to provide network connections and session-aware load balancing to two processor modules (FPM) to be installed in slots 3 and 4.

FortiGate-7000 products are sold and licensed as packages that include the chassis as well as the modules to be included in the chassis. When you receive your FortiGate-7000 series product the chassis has to be installed in a rack and the modules installed in the chassis. Interface modules always go in slots 1 and 2 and processor modules in slots 3 and up.

If your FortiGate-7000 product includes two different interface modules, for optimal configuration you should install the module with the lower model number in slot 1 and the module with the higher model number in slot 2. For example, if your chassis includes a FIM-7901E and a FIM-7904E, install the FIM-7901E in chassis slot 1 and the FIM-7904E in chassis slot 2. This applies to any combination of two different interface modules.

As an administrator, when you browse to the FortiGate-7000 management IP address you log into the interface module in slot 1 (the primary or master interface module or FIM) to view the status of the FortiGate-7000 and make configuration changes. The FortiOS firmware running on each module has the same configuration and when you make configuration changes to the primary interface module, the configuration changes are synchronized to all modules.

The same FortiOS firmware build runs on each module in the chassis. You can upgrade FortiGate-7000 firmware by logging into the primary interface module and performing a firmware upgrade as you would for any FortiGate. During the upgrade process the firmware of all of the modules in the chassis upgrades in one step. Firmware upgrades should be done during a quiet time because traffic will briefly be interrupted during the upgrade process.

Licenses, Device Registration, and Support

A FortiGate-7000 product is made up of a FortiGate-7000 series chassis, one or two FIM interface modules and two to four FPM processor modules. The entire package is licensed and configured as a single product under the FortiGate-7000 chassis serial number. When you receive a new FortiGate-7000 product you register it on https://support.fortinet.com using the chassis serial number. Use the chassis serial number when requesting support from Fortinet for the product.

All Fortinet licensing, including FortiCare Support, IPS, AntiVirus, Web Filtering, Mobile Malware, FortiClient, FortiCloud, and additional virtual domains (VDOM) is for the entire FortiGate-7000 product and not for individual components.

If an individual component, such as a single interface module or processor module, fails, you can RMA and replace just that component.

FortiGate 7000 FortiOS 5.4.5 Admin Guide

Introduction

This document describes what you need to know to get started using a FortiGate-7000 product. Also included are details about CLI commands that are specific to FortiGate-7000 products.

This FortiOS Handbook chapter contains the following sections:

FortiGate-7000 overview provides a quick overview of FortiGate-7000 components.

Getting started with FortiGate-7000 describes how to get started with managing and configuring your FortiGate-7000 product.

FortiGate-7000 Load balancing commands describes FortiGate-7000 load balancing CLI commands.

What’s new in FortiGate-7000 v5.4.5

The following new features have been added to FortiGate-7000 v5.4.5.

M1 and M2 interfaces can use different VLANs for heartbeat traffic (408386)

The M1 and M2 interfaces can be configured to use different VLANs for HA heartbeat traffic.

The following command now configures the VLAN used by the M1 interface (default 999):

config system ha
    set hbdev-vlan-id 999
end

The following new command configures the VLAN used by the M2 interface (default 1999):

config system ha
    set hbdev-second-vlan-id 1999
end

GTP load balancing

GTP load balancing is supported for FortiGate-7000 configurations licensed for FortiOS Carrier. You can use the following command to enable GTP load balancing. This command is only available after you have licensed the FortiGate-7000 for FortiOS Carrier.

config load-balance setting
    set gtp-load-balance enable
end

FSSO user authentication is synchronized

FSSO user authentication is synchronized to all FIM and FPM modules. FSSO users are no longer required to reauthenticate when sessions are processed by a different FIM or FPM module.


HA link failure threshold changes (422264)

The link failure threshold is now determined based on all FIM modules in a chassis. This means that the chassis with the fewest active links will become the backup chassis.

FortiGate-7000s running FortiOS v5.4.5 can be configured as dialup IPsec VPN servers

The following shows how to set up a dialup IPsec VPN configuration where the FortiGate-7000 running v5.4.5 acts as a dialup IPsec VPN server.

Configure the phase 1, setting type to dynamic:

config vpn ipsec phase1-interface
    edit dialup-server
        set type dynamic
        set interface "v0020"
        set peertype any
        set psksecret <password>
end

Configure the phase 2; to support dialup IPsec VPN, set the destination subnet to 0.0.0.0 0.0.0.0:

config vpn ipsec phase2-interface
    edit dialup-server
        set phase1name dialup-server
        set src-subnet 4.2.0.0 255.255.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
end

To configure the remote FortiGate as a dialup IPsec VPN client

The dialup IPsec VPN client should advertise its local subnet(s) using the phase 2 src-subnet option.

If there are multiple local subnets, create a phase 2 for each one. Each phase 2 only advertises one local subnet to the dialup IPsec VPN server. If more than one local subnet is added to a phase 2, only the first one is advertised to the server.

Dialup client configuration:

config vpn ipsec phase1-interface
    edit "to-fgt7k"
        set interface "v0020"
        set peertype any
        set remote-gw 1.2.0.1
        set psksecret <password>
end

config vpn ipsec phase2-interface
    edit "to-fgt7k"
        set phase1name "to-fgt7k"
        set src-subnet 4.2.6.0 255.255.255.0
        set dst-subnet 4.2.0.0 255.255.0.0
    next
    edit "to-fgt7k-2"
        set phase1name "to-fgt7k"
        set src-subnet 4.2.7.0 255.255.255.0
        set dst-subnet 4.2.0.0 255.255.0.0
end


7000 Series Chassis FortiOS 5.4.5 Release Notes

Introduction

This document provides the following information for FortiGate-7000 v5.4.5 build 6481:

  • Supported Models
  • What’s New in FortiGate-7000 v5.4.5 build 6481
  • Special Notices
  • Upgrade Information
  • Product Integration and Support
  • Resolved Issues
  • Known Issues

Supported Models

FortiGate-7000 v5.4.5 build 6481 supports all FortiGate-7030E, 7040E, and 7060E models and configurations.

What’s New in FortiGate-7000 v5.4.5 build 6481

The following new features have been added to FortiGate-7000 v5.4.5 build 6481 firmware:

M1 and M2 interfaces can use different VLANs for heartbeat traffic (408386)

The M1 and M2 interfaces can be configured to use different VLANs for HA heartbeat traffic.

The following command now configures the VLAN used by the M1 interface (default 999):

config system ha
    set hbdev-vlan-id 999
end

The following new command configures the VLAN used by the M2 interface (default 1999):

config system ha
    set hbdev-second-vlan-id 1999
end

GTP load balancing

GTP load balancing is supported for FortiGate-7000 configurations licensed for FortiOS Carrier. You can use the following command to enable GTP load balancing. This command is only available after you have licensed the FortiGate-7000 for FortiOS Carrier.

config load-balance setting
    set gtp-load-balance enable
end


FSSO user authentication is synchronized

FSSO user authentication is synchronized to all FIM and FPM modules. FSSO users are no longer required to reauthenticate when sessions are processed by a different FIM or FPM module.

HA link failure threshold changes (422264)

The link failure threshold is now determined based on all FIM modules in a chassis. This means that the chassis with the fewest active links will become the backup chassis.

FortiGate-7000s running FortiOS v5.4.5 can be configured as dialup IPsec VPN servers

The following shows how to set up a dialup IPsec VPN configuration where the FortiGate-7000 running v5.4.5 acts as a dialup IPsec VPN server.

Configure the phase 1, setting type to dynamic:

config vpn ipsec phase1-interface
    edit dialup-server
        set type dynamic
        set interface "v0020"
        set peertype any
        set psksecret <password>
end

Configure the phase 2; to support dialup IPsec VPN, set the destination subnet to 0.0.0.0 0.0.0.0:

config vpn ipsec phase2-interface
    edit dialup-server
        set phase1name dialup-server
        set src-subnet 4.2.0.0 255.255.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
end

To configure the remote FortiGate as a dialup IPsec VPN client

The dialup IPsec VPN client should advertise its local subnet(s) using the phase 2 src-subnet option.


config vpn ipsec phase1-interface
    edit "to-fgt7k"
        set interface "v0020"
        set peertype any
        set remote-gw 1.2.0.1
        set psksecret <password>
end

config vpn ipsec phase2-interface
    edit "to-fgt7k"
        set phase1name "to-fgt7k"
        set src-subnet 4.2.6.0 255.255.255.0
        set dst-subnet 4.2.0.0 255.255.0.0
    next
    edit "to-fgt7k-2"
        set phase1name "to-fgt7k"
        set src-subnet 4.2.7.0 255.255.255.0
        set dst-subnet 4.2.0.0 255.255.0.0
end

Special Notices

This section highlights some of the operational changes that administrators should be aware of for FortiGate-7000 5.4.5 build 6481.

Recommended configuration for traffic that cannot be load balanced

The following flow rules are recommended to handle common forms of traffic that cannot be load balanced. These flow rules send GPRS (port 2123), SSL VPN, IPv4 and IPv6 IPsec VPN, ICMP and ICMPv6 traffic to the primary (or master) FPM.

The CLI syntax below just shows the configuration changes. All other options are set to their defaults. For example, the flow rule option that controls the FPM slot that sessions are sent to is forward-slot and in all cases below forward-slot is set to its default setting of master. This setting sends matching sessions to the primary (or master) FPM.

config load-balance flow-rule
    edit 20
        set status enable
        set ether-type ipv4
        set protocol udp
        set dst-l4port 2123-2123
    next
    edit 21
        set status enable
        set ether-type ip
        set protocol tcp
        set dst-l4port 10443-10443
        set comment "ssl vpn to the primary FPM"
    next
    edit 22
        set status enable
        set ether-type ipv4
        set protocol udp
        set src-l4port 500-500
        set dst-l4port 500-500
        set comment "ipv4 ike"
    next
    edit 23
        set status enable
        set ether-type ipv4
        set protocol udp
        set src-l4port 4500-4500
        set comment "ipv4 ike-natt src"
    next
    edit 24
        set status enable
        set ether-type ipv4
        set protocol udp
        set dst-l4port 4500-4500
        set comment "ipv4 ike-natt dst"
    next
    edit 25
        set status enable
        set ether-type ipv4
        set protocol esp
        set comment "ipv4 esp"
    next
    edit 26
        set status enable
        set ether-type ipv6
        set protocol udp
        set src-l4port 500-500
        set dst-l4port 500-500
        set comment "ipv6 ike"
    next
    edit 27
        set status enable
        set ether-type ipv6
        set protocol udp
        set src-l4port 4500-4500
        set comment "ipv6 ike-natt src"
    next
    edit 28
        set status enable
        set ether-type ipv6
        set protocol udp
        set dst-l4port 4500-4500
        set comment "ipv6 ike-natt dst"
    next
    edit 29
        set status enable
        set ether-type ipv6
        set protocol esp
        set comment "ipv6 esp"
    next
    edit 30
        set ether-type ipv4
        set protocol icmp
        set comment "icmp"
    next
    edit 31
        set status enable
        set ether-type ipv6
        set protocol icmpv6
        set comment "icmpv6"
    next
    edit 32
        set ether-type ipv6
        set protocol 41
end

Upgrade Information

FortiGate-7000 v5.4.5 build 6481 supports upgrading from FortiGate-7000 v5.4.3 build 6382.

All of the modules in your FortiGate-7000 chassis run the same firmware image. You can upgrade the firmware by using the management IP address to log into the primary interface module GUI or CLI and perform a firmware upgrade just as you would for any FortiGate product. During the upgrade process, the firmware of all of the modules in the chassis upgrades in one step. Firmware upgrades should be done during a quiet time because traffic is briefly interrupted during the upgrade process.

Upgrading an HA configuration

Even if uninterruptable-upgrade is enabled, upgrading a FortiGate-7000 HA configuration will cause a minor traffic disruption. You should upgrade HA cluster firmware when traffic is low or during a maintenance period.

IPsec VPN issues when upgrading from v5.4.3 to v5.4.5

If your FortiGate-7000 configuration includes IPsec VPNs you should enhance your IPsec VPN Phase 2 configurations as described in this section. If your FortiGate-7000 does not include IPsec VPNs you can proceed with a normal firmware upgrade.

Because the FortiGate-7000 only allows 16-bit to 32-bit routes for remote subnets, you must add one or more destination subnets to your IPsec VPN phase 2 configuration for FortiGate-7000 v5.4.5 using the following command:

config vpn ipsec phase2-interface
    edit "to_fgt2"
        set phase1name <name>
        set src-subnet <IP> <netmask>
        set dst-subnet <IP> <netmask>
end

Where:

src-subnet is the subnet protected by the FortiGate that you are configuring and from which users connect to the destination subnet. Configuring the source subnet is optional but recommended.

dst-subnet is the destination subnet behind the remote IPsec VPN endpoint. Configuring the destination subnet is required.

You can add the source and destination subnets either before or after upgrading to v5.4.5 as these settings are compatible with both v5.4.3 and v5.4.5. However, if you make these changes after upgrading, your IPsec VPNs may not work correctly until these configuration changes are made.


Adding source and destination subnets to IPsec VPN phase 2 configurations

In a simple configuration such as the one below with an IPsec VPN between two remote subnets you can just add the subnets to the phase 2 configuration.

Enter the following command to add the source and destination subnets to the FortiGate-7000 IPsec VPN Phase 2 configuration.

config vpn ipsec phase2-interface
    edit "to_fgt2"
        set phase1name "to_fgt2"
        set src-subnet 172.16.1.0 255.255.255.0
        set dst-subnet 172.16.2.0 255.255.255.0
end

In a more complex configuration, such as the one below with a total of five subnets, you still need to add all of the subnets to the phase 2 configuration. In this case you can create a firewall address for each subnet, add the addresses to address groups, and add the address groups to the phase 2 configuration.

Enter the following commands to create firewall addresses for each subnet.

config firewall address
    edit "local_subnet_1"
        set subnet 4.2.1.0 255.255.255.0
    next
    edit "local_subnet_2"
        set subnet 4.2.2.0 255.255.255.0
    next
    edit "remote_subnet_3"
        set subnet 4.2.3.0 255.255.255.0
    next
    edit "remote_subnet_4"
        set subnet 4.2.4.0 255.255.255.0
    next
    edit "remote_subnet_5"
        set subnet 4.2.5.0 255.255.255.0
end

And then put the five firewall addresses into two firewall address groups.

config firewall addrgrp
    edit "local_group"
        set member "local_subnet_1" "local_subnet_2"
    next
    edit "remote_group"
        set member "remote_subnet_3" "remote_subnet_4" "remote_subnet_5"
end

Now, use the firewall address groups in the Phase 2 configuration:

config vpn ipsec phase2-interface
    edit "to-fgt2"
        set phase1name "to-fgt2"
        set src-addr-type name
        set dst-addr-type name
        set src-name "local_group"
        set dst-name "remote_group"
end
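As an added example that is not Fortinet's code, the following Python script applies the pre-upgrade check from this section to a saved FortiOS configuration: it parses the flat CLI tables, resolves dst-name address groups through the firewall address objects, and reports each phase 2 whose destination subnet is missing or wider than the /16 to /32 range the notes allow. The sample configuration is constructed, and the parser is a minimal one for flat tables (no nested config blocks).

```python
import ipaddress
import shlex

def parse_fortios(text):
    # Minimal parser for flat FortiOS CLI tables: {table: {entry: {option: [values]}}}
    tables, stack, entry = {}, [], None
    for line in text.splitlines():
        words = shlex.split(line)  # shlex strips the quotes around names and members
        if not words:
            continue
        if words[0] == "config":
            stack.append(" ".join(words[1:]))
            tables.setdefault(stack[-1], {})
        elif words[0] == "edit":
            entry = tables[stack[-1]].setdefault(words[1], {})
        elif words[0] == "set" and entry is not None:
            entry[words[1]] = words[2:]
        elif words[0] in ("next", "end"):
            entry = None
            if words[0] == "end":
                stack.pop()
    return tables

def check_phase2(cfg):
    # Verdict per phase 2 entry: ("missing" | "too-wide" | "ok", detail string)
    addrs = cfg.get("firewall address", {})
    groups = cfg.get("firewall addrgrp", {})
    verdicts = {}
    for name, p2 in cfg.get("vpn ipsec phase2-interface", {}).items():
        subnets = [p2["dst-subnet"]] if "dst-subnet" in p2 else []
        for obj in p2.get("dst-name", []):  # an address group or a single address
            for member in groups.get(obj, {}).get("member", [obj]):
                subnets.append(addrs[member]["subnet"])
        if not subnets:
            verdicts[name] = ("missing", "dst-subnet or dst-name is required")
            continue
        nets = [ipaddress.ip_network("{}/{}".format(*s), strict=False) for s in subnets]
        wide = [str(n) for n in nets if n.prefixlen < 16]
        if wide:
            verdicts[name] = ("too-wide", "only /16 to /32 remote routes: " + " ".join(wide))
        else:
            verdicts[name] = ("ok", " ".join(str(n) for n in nets))
    return verdicts

# Constructed sample configuration, not taken from a real device
SAMPLE_CONFIG = """\
config firewall address
    edit "remote_subnet_3"
        set subnet 4.2.3.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "remote_group"
        set member "remote_subnet_3"
    next
end
config vpn ipsec phase2-interface
    edit "to_fgt2"
        set phase1name "to_fgt2"
        set dst-subnet 10.0.0.0 255.0.0.0
    next
    edit "to_fgt3"
        set phase1name "to_fgt3"
    next
    edit "to-fgt2"
        set phase1name "to-fgt2"
        set dst-name "remote_group"
    next
end
"""

if __name__ == "__main__":
    for name, (verdict, detail) in check_phase2(parse_fortios(SAMPLE_CONFIG)).items():
        print(f"{name:10} {verdict:9} {detail}")
```

A dialup-server phase 2 with dst-subnet 0.0.0.0 0.0.0.0, as in the What's new section, is reported as too-wide by this check, so confirm the phase 1 type before acting on that finding.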

Product Integration and Support

See the Product Integration and Support section of the FortiOS 5.4.5 release notes for product integration and support information for FortiGate-7000 v5.4.5 build 6481.

Also please note the following exceptions for FortiGate-7000 v5.4.5 build 6481:

Minimum recommended FortiManager firmware version: 5.6.1

Minimum recommended FortiAnalyzer firmware version: 5.4.4

FortiGate-7000 v5.4.5 special features and limitations

FortiGate-7000 v5.4.5 has specific behaviors which may differ from FortiOS features. For more information, see the “Special features and limitations for FortiGate-7000 v5.4.5” section of the most recent version of the FortiGate-7000 Handbook chapter available at http://docs.fortinet.com/d/fortigate-7000.

Resolved Issues

The following issues have been fixed in FortiGate-7000 v5.4.5 build 6481. For inquiries about a particular bug, please contact Customer Service & Support.

Bug ID   Description
464156   HA heartbeat VLAN tags not correctly applied to HA heartbeat traffic.
464735   Decode VDOM license key failed error messages no longer appear when FortiGate-7000 components start up.
462228   NAT sessions are no longer dropped because of DP timer problems after a system restart.
455825   FortiGuard auto-update no longer keeps contacting FortiGuard to request updates after a successful update.
460289   Authenticated users are synchronized to all FPMs. Users no longer have to re-authenticate if some of their traffic is processed by a different FPM.
454070   In an HA configuration, IPv4 routes are now correctly synchronized to all FPMs.
456140   In an HA configuration, only the primary FIM module communicates with FortiManager.
456116   History output of the diagnose sys ha status command now includes timestamps to show when failover occurred.
422602   In an HA configuration, failovers no longer occur after an antivirus update.
452415   The output of the diagnose sys link-monitor status command is now synchronized.
454411   Local certificates are now synchronized to all FIM modules.
453285   VLAN traffic continues to flow through Link Aggregation (LAG) interfaces between two FIMs if one of the FIMs is shut down.
448131   Incorrect link local IPv6 addresses that caused IPv6 traffic slowdowns have been corrected.
410647   TCP, HTTP, and UDP-based link monitoring for SD-WAN link load balancing is now supported.
423946   The cmdbsvr process no longer crashes when 500 VDOMs and 10k policies have been configured.
439398   The diagnose vpn ssl list command now correctly displays information for all FIM and FPM modules.
442607   Changes to replacement messages made from a VDOM can now be successfully saved.
415234   You can set the Interface to any when creating a firewall VIP.
410741   AntiVirus, Web Filtering, and other security profile log messages generated by FPM modules now appear on the GUI of all FIM or FPM modules (including the GUI of the primary FIM module).
417584   HA chassis failover from management links only occurs if no management links are available on the chassis. As long as at least one management link is available, a failover will not occur.
424015   Fixed a bug that caused extra chassis failovers during firmware updates with uninterruptable-upgrade enabled.
408535   The hostname is now synchronized to all modules.
392288   A configuration that includes 500 VDOMs can now be restored from the GUI.

Known Issues

The following issues have been identified in FortiGate-7000 v5.4.5 build 6481. For inquiries about a particular bug, please contact Customer Service & Support.

Bug ID   Description
449276   FortiGuard IPS signature updates may cause an HA failover.
455632   FIM modules may incorrectly leave and rejoin an HA cluster.
444107   Remote disk share mounting fails when using NFS v2/v3 over UDP. To work around this issue, use NFS over TCP.
440550   Some FortiView pages may display Failed to get FortiView data error messages.
460148   The application field in system event log crash messages is unreadable.
459413   HA remote IP monitoring using the pingserver-monitor-interface, pingserver-failover-threshold, and pingserver-flip-timeout options does not work.
459424   The GUI VDOM list page does not show correct CPS, CPU, and memory usage for each VDOM.
456872   Routes to LACP LAGs are not synchronized to all modules.
442168   Traffic counters that display interface traffic for a physical interface do not display traffic sent and received by VLANs added to the physical interface.
422404   FPMs cannot communicate with the configured FortiAnalyzer if source-ip is set to the IP address of a management interface.
449298   FortiGate-7000 resource utilization is not reported correctly by FortiAnalyzer.

FortiView Guide

Purpose

FortiView is a comprehensive monitoring system for your network that integrates real-time and historical data into a single view on your FortiGate. It can log and monitor threats to networks, filter data on multiple levels, keep track of administrative activity, and more.

FortiView allows you to use multiple filters within the consoles, enabling you to narrow your view to a specific time (up to 24 hours in the past), by user ID or local IP address, by application, and many more. For more on FortiView’s filtering options, see Filtering options on page 37.

FortiView can be used to investigate traffic activity, such as user uploads/downloads or videos watched on YouTube, on a network-wide, user group, and individual-user level, with information relayed in both text and visual format. FortiView makes it easy to get an actionable picture of your network’s internet activity.

The degree to which information can be logged will depend on which FortiGate unit you have. For more information, see Enabling FortiView on page 9.