FortiGate-7000 overview

A FortiGate-7000 product consists of a FortiGate-7000 series chassis (for example, the FortiGate-7040E) with FortiGate-7000 modules installed in the chassis slots. A FortiGate-7040E chassis comes with two interface modules (FIM) to be installed in slots 1 and 2 to provide network connections and session-aware load balancing to two processor modules (FPM) to be installed in slots 3 and 4.

FortiGate-7000 products are sold and licensed as packages that include the chassis as well as the modules to be included in the chassis. When you receive your FortiGate-7000 series product the chassis has to be installed in a rack and the modules installed in the chassis. Interface modules always go in slots 1 and 2 and processor modules in slots 3 and up.

If your FortiGate-7000 product includes two different interface modules, for optimal configuration you should install the module with the lower model number in slot 1 and the module with the higher model number in slot 2. For example, if your chassis includes a FIM-7901E and a FIM-7904E, install the FIM-7901E in chassis slot 1 and the FIM-7904E in chassis slot 2. This applies to any combination of two different interface modules.

As an administrator, when you browse to the FortiGate-7000 management IP address you log into the interface module in slot 1 (the primary or master interface module or FIM) to view the status of the FortiGate-7000 and make configuration changes. The FortiOS firmware running on each module has the same configuration and when you make configuration changes to the primary interface module, the configuration changes are synchronized to all modules.

The same FortiOS firmware build runs on each module in the chassis. You can upgrade FortiGate-7000 firmware by logging into the primary interface module and performing a firmware upgrade as you would for any FortiGate. During the upgrade process the firmware of all of the modules in the chassis upgrades in one step. Firmware upgrades should be done during a quiet time because traffic will briefly be interrupted during the upgrade process.

Licenses, Device Registration, and Support

A FortiGate-7000 product is made up of a FortiGate-7000 series chassis, one or two FIM interface modules and two to four FPM processor modules. The entire package is licensed and configured as a single product under the FortiGate-7000 chassis serial number. When you receive a new FortiGate-7000 product you register it on https://support.fortinet.com using the chassis serial number. Use the chassis serial number when requesting support from Fortinet for the product.

All Fortinet licensing, including FortiCare Support, IPS, AntiVirus, Web Filtering, Mobile Malware, FortiClient, FortiCloud, and additional virtual domains (VDOM) is for the entire FortiGate-7000 product and not for individual components.

If an individual component, such as a single interface or processor module, fails, you can RMA and replace just that component.

FortiGate-7060E Management Modules

The FortiGate-7060E chassis includes two hot swappable management modules (shelf managers), located at the top of the chassis front panel. The management modules operate in an active-passive redundant configuration. By default, when the system starts up the management module in slot MGT2 is active and the management module in slot MGT1 is passive. The active management module always has IPMB address 0x20 and the passive management module always has IPMB address 0x22.

The management modules are hot swappable. If you remove the passive management module, or if the passive management module fails, the chassis just keeps operating with the active management module. If you remove the active management module, or if the active management module fails, the passive management module becomes active. If you insert a new management module it quietly starts up and becomes passive. The active management module synchronizes the following data to the passive management module:

  • Chassis state and chassis policy.
  • LAN parameters for each LAN channel, including the IP address, gateway IP address, channel enable status, local interface/non-local interface setting, and the session support flag.
  • The console connect feature status (enable or disable).

FortiGate-7060E management module front panel

The active management module communicates with module SMCs in the chassis, each of which is responsible for local management of one or more Field Replaceable Units (FRUs), including FIM and FPM modules, fan trays, and power supplies. Management communication within a chassis occurs over the Intelligent Platform Management Bus (IPMB).

The active management module includes LED indicators that report on the status of many of the chassis components, including fan trays and power supplies. You can also use the management module console ports to connect to the management module CLI and to the CLI of the modules in chassis slots 1 to 6.

The active management module controls chassis power allocation, monitors chassis operating parameters, monitors and controls chassis cooling, and generates alarms if the chassis encounters problems. All FIM and FPM modules installed in the chassis communicate with the management module through the module’s IPMC.

Management modules are hot swappable. You can replace a management module by loosening its retention screws, then pulling it out of the chassis. When a management module is removed, the other management module continues providing management functions. If both management modules are removed, chassis fans speed up to maximum speed.

When an FIM or FPM module detects the absence of a management module for more than 30 seconds, the module will go to Standalone Mode. In standalone mode the modules autonomously control their own power. When a management module becomes the active management module, it assumes control of chassis fans, and the FIM and FPM modules switch back to normal mode.

In normal mode, FIM and FPM module power on/off requires authorization from the active management module and the management module controls the power supplied by the chassis power systems to the modules.

Each module in the chassis includes its own module Shelf Manager Controller (SMC) Serial Debug Interface (SDI) or SMC SDI console that communicates with the management module SMC SDI. You can connect a serial cable to the active management module console ports to connect to the management module SMC SDI and to connect to each module’s SMC SDI console. You can also interact with the SMC SDI consoles using an Intelligent Platform Management Interface (IPMI) tool.

Management Module LEDs

The following table describes the management Module LED indicators:

FortiGate-7060E Management Module LEDs

| LED | State | Description |
|---|---|---|
| Status | Off | The management module is powered off or not initialized. |
| Status | Solid Red | The management module is not operating normally either because it is starting up or because it has failed. |
| Status | Blinking Red | The active management module cannot communicate with the passive management module. |
| Status | Solid Green | The management module has started up and is operating normally. |
| Status | Blinking Green | The management module is passive. |
| Alarm | Off | No alarms. |
| Alarm | Red | One or more analog sensors in the chassis or on a module in the chassis (other than PSUs) have surpassed a critical or non-recoverable (NR) threshold causing an alarm. When a critical threshold has been reached, it means that a condition has been detected that has surpassed an operating tolerance. For example, a temperature has increased above the allowed operating temperature range. |
| Alarm | Amber | One or more analog sensors in the chassis or on a module in the chassis (excluding PSUs) have surpassed a major or critical (CR) threshold. Any sensor, including sensors on PSUs, has generated an alert. Sensor alert criteria are defined per sensor. For analog sensors, alerts usually mean passing an upper critical (UC) or lower critical (LC) threshold. For other sensors, an alert could mean a flag bit is indicating an anomaly. |
| Temp | Solid Green | All temperature sensors indicate acceptable operating temperatures. |
| Temp | Blinking Green | At least one temperature sensor is detecting a high temperature outside of the normal operating range. In this case an upper non-critical (UNC) temperature. The management module increases fan speed to increase cooling and reduce the temperature. |
| Temp | Blinking Red | At least one temperature sensor is detecting a temperature outside of the acceptable operating range. In this case an upper critical (UC) temperature. The management module increases fan speed to the maximum level. This also indicates possible problems with the cooling system and could mean that the ambient temperature is too high. Also causes a major or critical (CR) alarm. |
| Temp | Solid Red | At least one temperature sensor is detecting a temperature outside of the allowed operating range. In this case an upper non-recoverable (UNR) temperature. The management module increases fan speed to the maximum level. The temperature is high enough to potentially cause physical damage. Also causes a critical or non-recoverable (NR) alarm. |
| Power | Solid Green | Normal operation. |
| Power | Blinking Green | Chassis 12V disabled. This means that the administrator has entered commands into the management module CLI to power off the PSU main 12V outputs. All fans, FIM and FPM modules are completely powered off but the management module is still running. |
| Power | Red | Chassis 12V enabled but not OK. This means the management module has enabled the main 12V outputs for all chassis components, but the power OK (PWOK) signal of at least one PSU has not been sent. When a PSU is powering up, it would be normal for this LED to be red for a second (before PSU outputs are stabilized), but if the LED remains red, it indicates a problem (such as a failed PSU). Management module or FIM or FPM module voltage sensors would most likely also trigger alarms if this happens since the PSUs may not be delivering enough power. |
| FAN (LEDs for each of three fan trays) | Off | Fan tachometer sensors disabled. This could happen if the administrator disabled them from the management module CLI. |
| FAN (LEDs for each of three fan trays) | Green | The fan tray is operating normally. |
| FAN (LEDs for each of three fan trays) | Blinking Red | The fan tray is not working. Chassis cooling may be sufficient but redundancy is lost and the fan tray that is not working should be replaced. |
| FAN (LEDs for each of three fan trays) | Red | A fan tachometer sensor in this fan tray has registered an alert because a critical or non-recoverable (NR) threshold has been crossed. |
| PSU (LEDs for each of four PSUs) | Off | The PSU is not installed in the chassis. |
| PSU (LEDs for each of four PSUs) | Green | The PSU is present and operating normally. |
| PSU (LEDs for each of four PSUs) | Blinking Red | The PSU module is installed but no power is being delivered (not plugged in). |
| PSU (LEDs for each of four PSUs) | Red | The PSU’s sensors have detected an alert condition. The PSU’s analog sensors crossed critical or non-recoverable (NR) thresholds, or the PSU Status Failure bit has been set. |
| Console 1 and 2 | Off | This console port is not connected or is connected to the management module SMM CLI. |
| Console 1 and 2 | Green | This console port is connected to this module host console in this chassis slot. |
| Console 1 and 2 | Amber | This console port is connected to this module’s SMC console. |

About management module alarm levels

Minor, major and critical alarms are defined based on IPMI, ATCA, and Telco standards for naming alarms.

  • A minor alarm (also called an IPMI non-critical (NC) alarm) indicates that a temperature or a power level was detected by a sensor that is outside of the normal operating range but is not considered a problem. In the case of a minor temperature alarm the system could respond by increasing fan speed. A non-critical threshold can be an upper non-critical (UNC) threshold (for example, a high temperature or a high power level) or a lower non-critical (LNC) threshold (for example, a low power level).
  • A major alarm (also called an IPMI critical or critical recoverable (CR) alarm) indicates a temperature or power level was detected by a sensor that is far enough outside of the normal operating range to require attention from the operator. It could also mean that the system itself cannot correct the alarm. For example, the cooling system cannot provide enough cooling to reduce the temperature. It could also mean that conditions are close to being outside of the allowed operating range. For example, the temperature is close to exceeding the allowed operating temperature. A critical threshold can also be an upper critical (UC) threshold (for example, a high temperature or a high power level) or a lower critical (LC) threshold (for example, a low power level).
  • A critical alarm (also called an IPMI non-recoverable (NR) alarm) indicates a temperature or power level was detected by a sensor that is outside of the allowed operating range and could potentially cause physical damage.

You can use the management module CLI to get details about alarm sensors, thresholds, and the events that trigger alarms.

Using the console ports

The active management module includes two console ports named Console 1 and Console 2 that can be used to connect to any serial console in the chassis. This includes the management module CLI, the FortiOS CLIs (also called host CLIs) of the FIM and FPM modules in chassis slots 1 to 6 and all of the SMC SDI consoles in the chassis.

Each module, including the management modules, includes an SMC SDI console. These consoles are used for low level programming of the module using an IPMI tool and are disabled by default. You can enable serial access to individual module SMC SDI consoles from the management module SMC SDI CLI using the command serial set sdi enable <slot>. During normal operation you may want to access the management module SMC SDI CLI, but you shouldn’t normally require access to individual module SMC SDI consoles.

By default when the chassis first starts up Console 1 is connected to the FortiOS CLI of the FIM module in slot 1 and Console 2 is disconnected.

The default settings for connecting to each console port are: Baud Rate (bps) 9600, Data bits 8, Parity None, Stop bits 1, and Flow Control None.

The FIM and FPM modules use the standard FortiOS CLI. The SMC SDI CLIs are described in this chapter. You can use the console connection change buttons to select the CLI that each console port is connected to.

  • Press the button to cycle through the FIM and FPM module FortiOS CLIs and disconnect this console.
  • Press and hold the button to connect to the management module SMC SDI CLI. You can also cycle through each module’s SMC SDI CLI if they are enabled.

The console’s LEDs indicate what it is connected to. If no LED is lit the console is either connected to the management module SMC SDI console or disconnected. Both console ports cannot be connected to the same CLI at the same time. If a console button press would cause a conflict that module is skipped. If one of the console ports is disconnected then the other console port can connect to any CLI.

If you connect a PC to one of the management module console ports with a serial cable and open a terminal session you begin by pressing Ctrl-T to enable console switching mode, then you can do the following:

  • Press Ctrl-T to cycle through the FIM and FPM module FortiOS CLIs (the new destination is displayed in the terminal window). If you press Ctrl-T after connecting to the FPM module in slot 6 the console is disconnected. Press Ctrl-T again to start over again at slot 1.
  • Press Ctrl-R to connect to the management module SMC SDI CLI. You can also cycle through each module’s SMC SDI CLI if they are enabled (the new destination is displayed in the terminal window). After cycling through all of the enabled SMC SDI CLIs the next press of Ctrl-R disconnects the console port.

Once the console port is connected to the CLI that you want to use, press Ctrl-G to enable the CLI. When your session is complete you can press Ctrl-G to disable the CLI.

Connecting to the FortiOS CLI of the FIM module in slot 1

Use the following steps to connect to the FortiOS CLI of the FIM module in slot 1:

  1. Connect the console cable supplied with your chassis to Console 1 and to your PC or other device RS-232 console port.
  2. Start a terminal emulation program on the management computer. Use these settings: Baud Rate (bps) 9600, Data bits 8, Parity None, Stop bits 1, and Flow Control None.
  3. Press Ctrl-T to enter console switch mode.
  4. Repeat pressing Ctrl-T until you have connected to slot 1.
  5. Log in with an administrator name and password. The default is admin with no password. For security reasons, it is strongly recommended that you change the password.
  6. When your session is complete, enter the exit command to log out.

Connecting to the FortiOS CLI of the FIM module in slot 2

Use the following steps to connect to the FortiOS CLI of the FIM module in slot 2:

  1. Connect the console cable supplied with your chassis to Console 1 and to your PC or other device RS-232 console port.
  2. Start a terminal emulation program on the management computer. Use these settings: Baud Rate (bps) 9600, Data bits 8, Parity None, Stop bits 1, and Flow Control None.
  3. Press Ctrl-T to enter console switch mode.
  4. Repeat pressing Ctrl-T until you have connected to slot 2.
  5. Log in with an administrator name and password. The default is admin with no password. For security reasons, it is strongly recommended that you change the password.
  6. When your session is complete, enter the exit command to log out.

Connecting to the management module SMC SDI CLI

Use the following steps to connect to the management module SMC SDI CLI:

  1. Connect the console cable supplied with your chassis to Console 1 and to your PC or other device RS-232 console port.
  2. Start a terminal emulation program on the management computer. Use these settings: Baud Rate (bps) 9600, Data bits 8, Parity None, Stop bits 1, and Flow Control None.
  3. Use the console change button or Ctrl-R to switch to the management module SMC SDI CLI.
  4. Press Ctrl-G to connect to the CLI.
  5. Log in with an administrator name and password. The default administrator name and password are admin/admin. For security reasons, it is strongly recommended that you change the password.
  6. You can begin entering commands at the # prompt.
  7. When your session is complete, enter the exit command to log out.
  8. Optionally press Ctrl-G to disable the CLI.

Changing the management module admin account password

Use the following procedure to change the management module admin account password.

  1. Enter the following command to show all users and their user IDs:

     user list

     The output should show that the admin user has a user ID of 2.
  2. Use the command user set password <user-id> [<password>] to add a password for the admin account. For example:

     user set password 2 <password>

  3. Enter and confirm a new password for the admin account.

The password should be between 5 and 20 characters long and should include a combination of upper and lower case letters and numbers.

You can change the admin account password at any time.

Connecting to the management module using an IPMI tool

You can install a remote IPMI tool on a management computer and then use this IPMI tool to start an IPMI session with the management module. You can use one of the console ports or the MGMT port to connect with the IPMI tool.

The IPMI commands are the same as the CLI commands described in this chapter but they have to be prefixed as shown in the following example that changes the MGMT interface IP address to 172.20.120.30 over a serial connection:

sudo ipmitool -I serial-terminal -D /dev/ttyS1:9600 -U <username> -P <password> lan set 4 ipaddr 172.20.120.30

Here is the same command over an Ethernet connection:

sudo ipmitool -I lanplus -H 10.160.19.30 -k gkey -U <username> -P <password> lan set 4 ipaddr 172.20.120.30

Use the following IPMI commands to change the management module password:

First from a console port connection:

sudo ipmitool -I serial-terminal -D /dev/ttyS1:9600 -U <username> -P <password> user set password 2 <password>

And from an Ethernet connection:

sudo ipmitool -I lanplus -H 10.160.19.30 -k gkey -U <username> -P <password> user set password 2 <password>

To perform an operation on a module according to its chassis slot include the -t <slot> parameter in the IPMI command. For example, to list the sensors on the FIM module in chassis slot 2 (0x82), use the following IPMI command:

sudo ipmitool -I lanplus -H 10.160.19.30 -k gkey -U <username> -P <password> -t 0x82 sensor

FortiGate-7060E chassis slots IPMB addresses

The following table lists the IPMB addresses of the FortiGate-7060E chassis slots.

| Chassis slot number | Name | IPMB Address (FRUID) |
|---|---|---|
| Management module 1 | MGMT1 | if active 0x20, if passive (the default) 0x22 |
| Management module 2 | MGMT2 | if active (the default) 0x20, if passive 0x22 |
| 1 | FIM1 | 0x82 |
| 2 | FIM2 | 0x84 |
| 3 | FPM3 | 0x86 |
| 4 | FPM4 | 0x88 |
| 5 | FPM5 | 0x8A |
| 6 | FPM6 | 0x8C |

You can use the IPMB address or chassis slot number to reference a chassis slot when entering commands in the shelf manager CLI. For example, enter either of the following commands to display sensor readings for the FIM module in slot 2:

sensor 0x84

sensor 2

When command syntax descriptions in this chapter include the <slot> variable you can replace it with a slot number (1 to 6) or an IPMB address number (0x82 to 0x8C).

Rebooting a chassis module from the SMC SDI CLI

A common use of the SMC SDI CLI is being able to remotely reboot a FIM or FPM module.

From any SMC SDI CLI use the following command to reboot the module in slot 3:

mc reset 3 warm

Use the following command to power off the module in slot 4:

fru deactivate 4

Use the following command to power on the FIM module in slot 2 (IPMI address 0x84):

fru activate 0x84

Use the following IPMI command to reset the module SMC to reboot the module in slot 3:

sudo ipmitool -I lanplus -H 10.160.19.30 -k gkey -U admin -P admin -t 0x86 mc reset warm

Use the following IPMI command to power off the module in slot 4:

sudo ipmitool -I lanplus -H 10.160.19.30 -k gkey -U admin -P admin -t 0x88 picmg deactivate 0

Use the following IPMI command to power on the FIM module in slot 2 (IPMI address 0x84):

sudo ipmitool -I lanplus -H 10.160.19.30 -k gkey -U admin -P admin -t 0x84 picmg activate 0
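The ipmitool commands on this page pass the account password with -P and the Kg key with -k, which leaves both in shell history and in the process list while the command runs. The following Python code is an added example, not part of the Fortinet guide: it builds the same commands using ipmitool's -E and -K options, which read the password from IPMI_PASSWORD and the Kg key from IPMI_KGKEY, and it validates the -t target against the FortiGate-7060E slot table above. The function names are hypothetical; the host and user are the values used on this page.

```python
import os
import subprocess

# Slot-to-IPMB-address pairs copied from the FortiGate-7060E table on this page.
SLOT_IPMB = {1: 0x82, 2: 0x84, 3: 0x86, 4: 0x88, 5: 0x8A, 6: 0x8C}


def resolve_slot(slot):
    """Accept a slot number (1-6) or an IPMB address (0x82-0x8C); return the address."""
    try:
        value = int(str(slot), 0)  # handles 2, "2" and "0x84"
    except ValueError:
        raise ValueError(f"not a slot or IPMB address: {slot!r}") from None
    if value in SLOT_IPMB:
        return SLOT_IPMB[value]
    if value in SLOT_IPMB.values():
        return value
    raise ValueError(f"not a slot or IPMB address: {slot!r}")


def build_argv(host, user, subcommand, slot=None):
    """Build the ipmitool argument list without any secret in it.

    -E makes ipmitool read the password from IPMI_PASSWORD and -K makes it
    read the Kg key from IPMI_KGKEY, replacing -P <password> and -k <key>.
    """
    argv = ["ipmitool", "-I", "lanplus", "-H", host, "-U", user, "-E", "-K"]
    if slot is not None:
        argv += ["-t", f"0x{resolve_slot(slot):02X}"]
    return argv + list(subcommand)


def run(argv, password, kg_key):
    """Run ipmitool with the secrets passed through the child's environment only."""
    env = dict(os.environ, IPMI_PASSWORD=password, IPMI_KGKEY=kg_key)
    done = subprocess.run(argv, env=env, check=True, capture_output=True, text=True)
    return done.stdout


if __name__ == "__main__":
    # Dry run: print the argument lists for the reboot and sensor commands
    # shown on this page. Nothing is executed and no secret is needed.
    print(build_argv("10.160.19.30", "admin", ["mc", "reset", "warm"], slot=3))
    print(build_argv("10.160.19.30", "admin", ["sensor"], slot="0x84"))
```

In use, read the password and Kg key from a prompt or a secrets store and hand them to run(); they then never appear in the argument list.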

Comlog

All module SMCs include a comlog system for writing and saving console log messages. When enabled, the comlog saves log messages in a local comlog file. Log messages include all local host console messages including BIOS boot up messages. In the comlog these messages include the following headers:

| Header | Cause |
|---|---|
| \n— COMLOG SYSTEM BOOT: YYYY/MM/DD hh:mm:ss —\n | The module is starting up after being powered on or reset. |
| \n— COMLOG DISABLED: YYYY/MM/DD hh:mm:ss —\n | Logging is disabled. |
| \n— COMLOG ENABLED: YYYY/MM/DD hh:mm:ss —\n | Logging is enabled. |
| \n— COMLOG TIME: YYYY/MM/DD hh:mm:ss —\n | This message is written every hour when the module is powered on and logging is enabled. |
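These headers give a log reviewer fixed points for checking the continuity of a saved comlog. The following Python code is an added example, not part of the Fortinet guide: it scans comlog text for the four headers and reports boots, windows in which logging was disabled, stretches where the hourly TIME marker is missing while logging was enabled, and timestamps that go backwards. The sample log is constructed, the function names are hypothetical, and accepting plain hyphens as well as the long dash shown in the table is an assumption about how the header is written in the file.

```python
import re
from datetime import datetime, timedelta

# Header shape taken from the table above. The page renders the rule around
# the text as a long dash; accepting plain hyphens too is an assumption.
_DASH = "[-\u2013\u2014]+"
HEADER_RE = re.compile(
    rf"^{_DASH}\s*COMLOG (SYSTEM BOOT|DISABLED|ENABLED|TIME): "
    rf"(\d{{4}}/\d\d/\d\d \d\d:\d\d:\d\d)\s*{_DASH}$"
)

# Constructed sample: a boot, a disabled window, a four hour hole and a reboot.
SAMPLE_COMLOG = """\
--- COMLOG SYSTEM BOOT: 2024/03/01 08:00:00 ---
BIOS boot messages (constructed line)
--- COMLOG TIME: 2024/03/01 09:00:00 ---
--- COMLOG TIME: 2024/03/01 10:00:00 ---
--- COMLOG DISABLED: 2024/03/01 10:12:30 ---
--- COMLOG ENABLED: 2024/03/01 13:40:00 ---
login: admin
--- COMLOG TIME: 2024/03/01 14:40:00 ---
--- COMLOG TIME: 2024/03/01 18:40:00 ---
\u2014 COMLOG SYSTEM BOOT: 2024/03/01 18:55:10 \u2014
"""


def parse_headers(text):
    """Return (kind, timestamp, line_number) for every comlog header line."""
    events = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = HEADER_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(2), "%Y/%m/%d %H:%M:%S")
            events.append((m.group(1), ts, line_no))
    return events


def review_comlog(text, max_gap=timedelta(hours=1, minutes=5)):
    """Return findings as (kind, start, end) tuples, in log order.

    A TIME header is expected every hour while the module is powered on and
    logging is enabled, so a longer silence that does not end in a boot and
    does not fall inside a DISABLED..ENABLED window is reported.
    """
    findings = []
    prev_ts = None
    disabled_since = None
    for kind, ts, _line in parse_headers(text):
        if prev_ts is not None and ts < prev_ts:
            # Clock was set back, or entries were spliced out of order.
            findings.append(("time_regression", prev_ts, ts))
        elif (prev_ts is not None and disabled_since is None
              and kind != "SYSTEM BOOT" and ts - prev_ts > max_gap):
            findings.append(("missing_time_markers", prev_ts, ts))
        if kind == "SYSTEM BOOT":
            findings.append(("boot", ts, ts))
        elif kind == "DISABLED" and disabled_since is None:
            disabled_since = ts
        elif kind == "ENABLED" and disabled_since is not None:
            findings.append(("logging_disabled", disabled_since, ts))
            disabled_since = None
        prev_ts = ts
    if disabled_since is not None:
        # Logging was switched off and never re-enabled before the log ends.
        findings.append(("logging_disabled", disabled_since, None))
    return findings


if __name__ == "__main__":
    for kind, start, end in review_comlog(SAMPLE_COMLOG):
        print(f"{kind:22} {start} -> {end}")
```

Each finding is a prompt to correlate with change records and the SEL, since an operator can legitimately disable logging or power a module off.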

The following comlog-related CLI commands are available:

| Description | SMC CLI Commands | IPMI commands |
|---|---|---|
| Display comlog information. Available on the passive module. | comlog getinfo <slot> | fortinetoem comlog getinfo |
| Display a module’s comlog. Available on the passive module. | comlog print <slot> | fortinetoem comlog print |
| Clear a module’s comlog, either by resetting the comlog start location in flash (reset_loc) or erasing all of the flash storage (chip_erase). Available on the passive module. | comlog clear [reset_loc] [chip_erase] | fortinetoem comlog clear |
| Disable a module’s comlog. Available on the passive module. | comlog disable | fortinetoem comlog clear |
| Enable comlog. Available on the passive module. | comlog enable | fortinetoem comlog clear |
| Set comlog baud rate. <speed> can be 9600, 19200, 38400, 57600, 115200, or expressed as level 1 to 4. Available on the passive module. | comlog setbaud <speed> | fortinetoem comlog setbaud <speed> |

Example comlog getinfo output:

comlog getinfo
Status        Disabled
COM Speed     9600
Storage Size  0x00400000
Log Start     0x00000000
Log End       0x00000C37
Log Size      3127 Bytes

System event log (SEL)

The SMC in each module generates system event log (SEL) messages that record system events as they occur. All SEL messages are stored by individual FIM and FPM module SMCs. They are also all collected and stored by the management module SMC. You can use the following commands from the active or passive management module to view and clear SEL messages.

| Operation | SMC CLI Commands | IPMI Commands |
|---|---|---|
| Display the local SEL for a module. | sel <slot> | sel list; sel elist; -v sel list |
| Clear the local SEL. | sel clear | sel clear |
| Get SEL information. | N/A | sel info |
| Get SEL time. | time get | sel time get |
| Set SEL time. | time set <yyyy/mm/dd hh:mm:ss> | sel time set |

Sensor data record (SDR)

The sensor data record (SDR) contains static information about the sensors in each chassis module. Information includes the Sensor ID string, sensor type, sensor event/reading type, entity id, entity instance, sensor unit, reading linearization parameters, sensor thresholds, and so on. The following commands display information stored in the SDR.

| Operation | SMC CLI Commands | IPMI Commands |
|---|---|---|
| Display current local sensor values and sensor SDRs or sensor thresholds for a module. Available on the passive module. | sensor <slot>; sensor_thresholds <slot> | sensor; sensor hexlist; sdr list; sdr elist; -v sdr list (-v required when using the Windows command prompt) |
| Set sensor thresholds. | N/A | sensor thres help (use this command to display online help for setting sensor thresholds) |

Common management module CLI operations

The following table lists many of the operations you can perform from the management module CLI and the commands you use to perform them. Only a subset of these commands are available on the passive management module as indicated below. Also, the <slot> option is not available on the passive module.

| Action | SMC CLI Commands | IPMI Commands |
|---|---|---|
| Log into the CLI. | Ctrl-G | N/A |
| Log out of the CLI. Available on the passive module. | exit (followed by Ctrl-G) | N/A |
| Display all commands. Available on the passive module. | help | help |
| Display information about all SMC firmware in the chassis. | info | mc info |
| Display SMC device ID, Build Date/Number, SMC firmware information, address info, entity map for the device in the slot. Available on the passive module. | info <slot> | N/A |
| Switch the active management module. The active management module becomes passive and the passive becomes active. Available on the passive module. | smm_switch | N/A |
| Display status, power budget and hot swap state for all modules. Available on the passive module. | status | N/A |
| List the IPMI channels. | channel list | channel info [<channelnumber>] |
| Change the SDI verbosity level. <level> can be: 0: Alerts + Errors; 1: Alerts + Errors + Verbose + Low-Level Errors; 2: Alerts + Errors + Verbose + Low-Level Errors + PI traffic; 3: Alerts + Errors + Verbose + Low-Level Errors + PI traffic + IPMB traffic + LAN Interface traffic; 4: Same as 3. | verbose <level> | N/A |
| Display the management module time. Available on the passive module. | time get | sel time get |
| Set the management module time. Available on the passive module. | time set <yyyy/mm/dd hh:mm:ss> | sel time set <yyyy/mm/dd hh:mm:ss> |
| Synchronize all module SMC times. | time sync | N/A |
| List management module user accounts. Available on the passive module. | user list | user list [<channel number>] |
| Disable a user account. Available on the passive module. | user disable <user-id> | user disable <user-id> |
| Enable a user account. Available on the passive module. | user enable <user-id> | user enable <user-id> |
| Set a user account user name. Available on the passive module. | user set name <user-id> <name> | user set name <user-id> <name> |
| Set a user account password. Available on the passive module. | user set password <user-id> <password> | user set password <user-id> <password> |
| Set the privilege level that a user account has for a specified session-based IPMI <channel>. If a <channel> is not specified the privilege level is set for all IPMI channels. Available on the passive module. | user priv <user-id> {callback \| user \| operator \| administrator \| no_access} [<channel>] | user priv <user id> <privilege level> [<channel number>] |
| View a summary of users. | N/A | user summary |
| User test command. | N/A | user test |
| Display the management module serial interface settings. Available on the passive module. | serial print | N/A |
| Set the SDI baud rate. Available on the passive module. | serial set sdi baud <speed> | N/A |
| Set the sniff baud rate when the console is disabled. Available on the passive module. | serial set sdi default_sniff_baud <speed> | N/A |
| Enable a console connection from the management module to another module. | serial set sdi enable <slot> | N/A |
| Disable the console connection between the management module and another module. Available on the passive module. | serial set sdi disable <slot> | N/A |
| Cold or warm reset a module. | mc reset <slot> cold; mc reset <slot> warm | mc reset cold; mc reset warm |
| Run a module self test. | N/A | mc selftest |
| Power on a module. | fru activate <slot> [<fruid>] | picmg activate |
| Power off a module. | fru deactivate <slot> [<fruid>] | picmg deactivate |
| Reset a module. | fru reset <slot> [<fruid>] | picmg reset |
| Power cycle the chassis. | N/A | chassis power cycle |
| Get chassis status. | N/A | chassis status |
| Display the LAN configuration. Available on the passive module. | lan print <channel> | |
| Set LAN configuration. The kgkey and krkey options are used for RMCP+. | lan set <channel> ipaddr <ip> [<netmask>]; lan set <channel> macaddr <mac>; lan set <channel> defgw ipaddr <ip>; lan set <channel> defgw macaddr <mac>; lan set <channel> kgkey <value>; lan set <channel> krkey <value> | lan set help (use this command to display online help for LAN settings) |
| Enable or disable all LAN interfaces. | lan enable; lan disable | fortinetoem param set 0 1; fortinetoem param set 0 0 |
| Set fan levels. Change or switch the active fan set. | fan_min_level <0-30>; fan_max_level <0-30>; fan_set_switch | N/A |
| Change LED settings. | N/A | picmg led set help (use this command to display online help for LED settings) |
| Display HPM.1 status. | N/A | hpm check |
| Run an HPM.1 upgrade. | N/A | hpm upgrade <.img>; hpm upgrade <.img> all activate |

 

Cautions and Warnings

Environmental Specifications

Rack Mount Instructions – The following or similar rack-mount instructions are included with the installation instructions:

Elevated Operating Ambient – If installed in a closed or multi-unit rack assembly, the operating ambient temperature of the rack environment may be greater than room ambient. Therefore, consideration should be given to installing the equipment in an environment compatible with the maximum ambient temperature (Tma) specified by the manufacturer.

Reduced Air Flow – Installation of the equipment in a rack should be such that the amount of air flow required for safe operation of the equipment is not compromised.

Mechanical Loading – Mounting of the equipment in the rack should be such that a hazardous condition is not achieved due to uneven mechanical loading.

Circuit Overloading – Consideration should be given to the connection of the equipment to the supply circuit and the effect that overloading of the circuits might have on overcurrent protection and supply wiring. Appropriate consideration of equipment nameplate ratings should be used when addressing this concern.

Reliable Earthing – Reliable earthing of rack-mounted equipment should be maintained. Particular attention should be given to supply connections other than direct connections to the branch circuit (e.g. use of power strips).

 

FortiGate-7060E Chassis

FortiGate-7060E Chassis

The FortiGate-7060E is an 8U 19-inch rackmount 6-slot chassis with an 80Gbps fabric and 1Gbps base backplane designed by Fortinet. The fabric backplane provides network data communication and the base backplane provides management and sync communication among the chassis slots.

FortiGate-7060E front panel

The chassis is managed by two redundant management modules. Each module includes an Ethernet connection as well as two switchable console ports that provide console connections to the modules in the chassis slots. The active management module controls chassis cooling and power management and provides an interface for managing the modules installed in the chassis.

FortiGate-7060E front panel, (example module configuration)

 

Do not operate the FortiGate-7060E chassis with open slots on the front or back panel. For optimum cooling performance and safety, each chassis slot must contain an FIM or FPM module or an FIM or FPM blank panel (also called a dummy card). For the same reason, all cooling fan trays, power supplies or power supply slot covers must be installed while the chassis is operating.

Power is provided to the chassis using four hot swappable 3+1 redundant 100-240 VAC, 50-60 Hz power supply units (PSUs). You can also optionally add up to six PSUs to provide 3+3 redundancy. The FortiGate-7060E can also be equipped with DC PSUs allowing you to connect the chassis to -48V DC power.

The standard configuration of the FortiGate-7060E includes two FIM (interface) modules in chassis slots 1 and 2 and up to four FPM (processing) modules in chassis slots 3 to 6.

FIM modules

FIM modules are hot swappable interface modules that provide data and management interfaces, base backplane switching and fabric backplane session-aware load balancing for the chassis. The FIM modules include an integrated switch fabric and DP2 processors to load balance millions of data sessions over the chassis fabric backplane to FPM processor modules. The following FIM modules are available:

  • The FIM-7901E includes thirty-two front panel 10GigE SFP+ fabric channel interfaces (A1 to A32). These interfaces are connected to 10Gbps networks. These interfaces can also be configured to operate as Gigabit Ethernet interfaces using SFP transceivers.
  • The FIM-7904E includes eight front panel 40GigE QSFP+ fabric channel interfaces (B1 to B8). These interfaces are connected to 40Gbps networks. Using 40GBASE-SR4 multimode QSFP+ transceivers, each QSFP+ interface can also be split into four 10GBASE-SR interfaces and connected to 10Gbps networks.
  • The FIM-7910E (shown in the figure FortiGate-7060E front panel, (example module configuration)) includes four front panel 100GigE CFP2 fabric channel interfaces (C1 to C4). These interfaces can be connected to 100Gbps networks. Using 100GBASE-SR10 multimode CFP2 transceivers, each CFP2 interface can also be split into ten 10GBASE-SR interfaces and connected to 10Gbps networks.
  • The FIM-7920E includes four front panel 100GigE QSFP28 fabric channel interfaces (C1 to C4). These interfaces can be connected to 100Gbps networks. Using a 100GBASE-SR4 QSFP28 or 40GBASE-SR4 QSFP+ transceiver, each QSFP28 interface can also be split into four 10GBASE-SR interfaces and connected to 10Gbps networks.

If you are installing different FIM modules in the FortiGate-7060E chassis, for optimal configuration you should install the module with the lower model number in slot 1 and the module with the higher number in slot 2. For example, if your chassis includes a FIM-7901E and a FIM-7904E, install the FIM-7901E in chassis slot 1 and the FIM-7904E in chassis slot 2. Also, for example, if your chassis includes a FIM-7904E and a FIM-7920E, install the FIM-7904E in chassis slot 1 and the FIM-7920E in chassis slot 2. This applies to any combination of two different interface modules.

FPM-7620E FPM modules

The FPM-7620E modules are hot swappable processor modules that provide FortiOS firewalling and security services. The FPM modules function as workers, processing sessions load balanced to them by the FIM modules.

FPM modules include multiple NP6 network processors and CP9 content processors to accelerate traffic.

FortiGate-7060E back panel

The FortiGate-7060E back panel provides access to three hot swappable cooling fan trays and the chassis ground connector that must be connected to ground.

FortiGate-7060E back panel

Registering your FortiGate-7060E chassis

FortiGate-7000 series products are registered according to the chassis serial number. You need to register your chassis to receive Fortinet customer services such as product updates and customer support. You must also register your product for FortiGuard services. Register your product by visiting https://support.fortinet.com. To register, enter your contact information and the serial numbers of the Fortinet products that you or your organization have purchased.

FortiGate-7060E chassis schematic

The FortiGate-7060E chassis schematic below shows the communication channels between chassis components including the management modules (MGMT), the FIM modules (called FIM1 and FIM2) and the FPM modules (FPM3, FPM4, FPM5, and FPM6).

By default MGMT2 is the active management module and MGMT1 is inactive. The active management module always has the IPMB address 0x20 and the inactive management module always has the IPMB address 0x22.

The active management module communicates with all modules in the chassis over the base backplane. Each module, including the management modules, has a Shelf Management Controller (SMC). These SMCs support Intelligent Platform Management Bus (IPMB) communication between the active management module and the FIM and FPM modules for storing and sharing sensor data that the management module uses to control chassis cooling and power distribution. The base backplane also supports serial communications to allow console access from the management module to all modules, and 1Gbps Ethernet communication for management and heartbeat communication between modules.

FIM1 and FIM2 (IPMB addresses 0x82 and 0x84) are the FIM modules in slots 1 and 2. The interfaces of these modules connect the chassis to data networks and can be used for Ethernet management access to chassis components. The FIM modules include DP2 processors that distribute sessions over the Integrated Switch Fabric (ISF) to the NP6 processors in the FPM modules. Data sessions are communicated to the FPM modules over the 80Gbps chassis fabric backplane.

 

FPM03, FPM04, FPM05, and FPM06 (IPMB addresses 0x86, 0x88, 0x8A, and 0x8C) are the FPM processor modules in slots 3 to 6. These worker modules process sessions distributed to them by the FIM modules. FPM modules include NP6 processors to offload sessions from the FPM CPU and CP9 processors that accelerate content processing.
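
As an added example (not Fortinet code and not part of the original guide), the following Python sketch maps the IPMB addresses listed above to chassis components and checks a planned slot population against the slot rules stated in this guide. The `BLANK` marker and all function names are assumptions made for illustration.

```python
import re

# Slot -> IPMB address, as listed in the schematic description above.
SLOT_IPMB = {1: 0x82, 2: 0x84, 3: 0x86, 4: 0x88, 5: 0x8A, 6: 0x8C}
MGMT_IPMB = {0x20: "active management module",
             0x22: "inactive management module"}
BLANK = "BLANK"  # hypothetical marker for a blank panel (dummy card)


def ipmb_owner(addr):
    """Name the chassis component that owns an IPMB address."""
    if addr in MGMT_IPMB:
        return MGMT_IPMB[addr]
    for slot, slot_addr in SLOT_IPMB.items():
        if addr == slot_addr:
            kind = "FIM" if slot <= 2 else "FPM"
            return f"{kind} module in slot {slot}"
    return "unknown"


def model_number(module):
    """Split a name such as 'FIM-7904E' into ('FIM', 7904)."""
    m = re.fullmatch(r"(FIM|FPM)-(\d{4})E", module)
    if not m:
        raise ValueError(f"unrecognized module name: {module!r}")
    return m.group(1), int(m.group(2))


def check_layout(layout):
    """Return the problems found in a {slot: module, BLANK or None} plan."""
    problems, parsed = [], {}
    for slot in SLOT_IPMB:
        module = layout.get(slot)
        if module is None:
            # The guide forbids operating the chassis with open slots.
            problems.append(f"slot {slot} is open: fit a module or a blank panel")
        elif module != BLANK:
            try:
                parsed[slot] = model_number(module)
            except ValueError as exc:
                problems.append(f"slot {slot}: {exc}")
                continue
            # FIMs go in slots 1 and 2, FPMs in slots 3 to 6.
            expected = "FIM" if slot <= 2 else "FPM"
            if parsed[slot][0] != expected:
                problems.append(
                    f"slot {slot} holds {module}; expected an {expected} module")
    # Two different FIMs: the lower model number goes in slot 1.
    first, second = parsed.get(1), parsed.get(2)
    if (first and second and first[0] == second[0] == "FIM"
            and first[1] > second[1]):
        problems.append("FIM with the lower model number belongs in slot 1")
    return problems


if __name__ == "__main__":
    # Constructed sample plan: FIMs swapped and slot 6 left open.
    plan = {1: "FIM-7920E", 2: "FIM-7904E", 3: "FPM-7620E",
            4: "FPM-7620E", 5: "FPM-7620E"}
    for problem in check_layout(plan):
        print(problem)
    print(hex(0x8A), "->", ipmb_owner(0x8A))
```
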

Chassis hardware information

This section introduces FortiGate-7060E hardware components and accessories including power requirements and FIM and FPM modules that can be installed in the chassis.

Shipping components

The FortiGate-7060E chassis ships pre-assembled with the following components:

  • The 8U FortiGate-7060E chassis
  • Two FIM modules
  • Up to four FPM modules
  • Two management modules installed in the front of the chassis
  • Four Power Supply Units (PSUs) installed in the front of the chassis
  • Three cooling fan trays installed in the back of the chassis
  • One protective front panel installed in the chassis to protect internal chassis components. This panel must be removed before installing FIM and FPM modules.
  • Four power cords with C15 power connectors
  • Four power cord management clamps
  • One set of 4-post rack mounting components
  • One set of 2-post rack mounting components
  • One pair of cable management side brackets
  • Two front mounting brackets
  • Twenty M4x6 flat-head screws
  • Six M4x8 large head pan-head screws
  • Six rubber feet
  • Two console cables
  • One RJ-45 Ethernet cable

Optional accessories and replacement parts

The following optional accessories can be ordered separately:

SKU Description
FG-7060E-FAN FortiGate-7060E fan tray.
FG-7060E-PS-AC 1500W AC power supply units (PSUs) for the FortiGate-7060E.
FG-7060E-SMM FortiGate-7060E management module.
FG-7060E-CHASSIS FortiGate-7060E chassis including 2x management module, 3x fan trays, and 4x AC PSUs.

You can also order the following:

  • Additional FIM and FPM modules
  • Transceivers
  • DC PSUs
  • Air Filter kit
  • FPM and FIM single slot cover trays to be installed in empty chassis slots

The following optional accessories can be ordered separately:

  • Additional FIM and FPM modules
  • Transceivers
  • DC PSUs
  • Additional AC PSUs
  • Additional FAN trays
  • Air Filter kit
  • FPM and FIM blank panels to be installed in empty chassis slots

Physical description of the FortiGate-7060E chassis

The FortiGate-7060E chassis is an 8U chassis that can be installed in a standard 19-inch rack. The following table describes the physical characteristics of the FortiGate-7060E chassis.

Dimensions (H x W x D) 352.7 x 440 x 650 mm (13.4 x 17.3 x 25.6 in)
Chassis weight completely assembled with FIM and FPM modules installed 205 lbs (93 kg)
Operating Temperature 32 to 104°F (0 to 40°C)
Storage Temperature -31 to 158°F (-35 to 70°C)
Relative Humidity 10% to 90% non-condensing
Noise Level 63db
Input Current and Voltage Range 10-12 A, 100 to 240 VAC (50 to 60 Hz)
Power Support Rating max. 3277W
Supplied Power Supply Units (PSUs) 4 (for 3+1 redundancy)
Max Power Supply Units (PSUs) 6 (for 3+3 redundancy)
Max Power Consumption 3277W
Average Power Consumption 2330W
Heat Dissipation 11799KJ/hr (11184BTU/hr)

Cooling fans, cooling air flow, and minimum clearance

The FortiGate-7060E chassis contains three hot swappable cooling fan trays installed in the back of the chassis. Each fan tray includes two fans that operate together. When the fan tray LED is green both fans are operating normally. If the LED turns red or goes off, one or both of the fans is not working and the fan tray should be replaced.

Cooling fan tray (figure showing the fan and the fan tray LED)

During normal chassis operation, all three fan trays are active and the fan speed is controlled by the active shelf manager. Fan trays are hot swappable. You can replace a failed fan tray while the chassis is operating. To replace a fan tray, unscrew the four retention screws and use the handles to pull the fan tray out of the chassis.

Install a replacement fan tray by sliding it into place in the empty slot and tightening the retention screws. As you slide the new fan into place it will power up and the fan tray LED will light.

The other fan trays will continue to operate and cool the chassis as a fan tray is being removed and replaced. However, an open fan tray slot will result in less air flow through the chassis, so do not delay installing the replacement fan tray.

Cooling air flow and required minimum air flow clearance

When installing the chassis, make sure there is enough clearance for effective cooling air flow. The following diagram shows the cooling air flow through the chassis and the locations of fan trays. Make sure the cooling air intake and warm air exhaust openings are not blocked by cables or rack construction because this could result in cooling performance reduction and possible overheating and component damage.

FortiGate-7060E cooling air flow and minimum air flow clearance

Most cool air enters the chassis through the chassis front panel and all warm air exhausts out the back. For optimal cooling allow 100 mm of clearance at the front and back of the chassis and 50 mm of clearance at the sides. Under these conditions 80% of cooling air comes from the front panel air intake and 20% from the left and right side panels and 100% exits out the back. Side clearance is optional and chassis cooling will be sufficient if no side clearance is available.

Optional Air Filters

You can purchase an optional NEBS compliant air filter kit that includes a front filter that fits over the front of the chassis and two filters for the side cool air intakes. These filters are not required for normal operation but can be added if you require air filtration.

The air filters should be inspected regularly. If dirty or damaged, the filters should be disposed of and replaced.

The air filters can be fragile and should be handled carefully.

Power Supply Units (PSUs) and supplying power to the chassis

The FortiGate-7060E chassis front panel includes four hot swappable AC or DC PSUs. At least three PSUs (1, 2, and 3) must be connected to power. Power supplies 4 to 6 are backup power supplies that provide 3+1, 3+2, and 3+3 redundancy. See FortiGate-7060E front panel for locations of the PSUs.

All PSUs should be connected to AC power. To improve redundancy you can connect each power supply to a separate power source.

Use a C15 Power cable, supplied with the chassis, to connect power to each PSU C16 power connector. C15/C16 power connectors are used for high temperature environments and are rated up to 120°C.

To remove a PSU from the chassis, press the latch towards the handle until the PSU is detached then pull it out of the chassis. Insert a replacement PSU into the chassis and slide it in until the latch locks into place. Then connect the PSU to AC power. You can do this while the chassis is operating as long as at least three PSUs remain connected to power.

AC Power Supply Unit (PSU) showing C16 power connector

The PSU LED indicates whether the PSU is operating correctly and connected to power. If this LED is not lit, check to make sure the PSU is connected to power. If the power connection is good then the PSU has failed and should be replaced.

Connecting the FortiGate-7060E chassis to ground

The FortiGate-7060E chassis includes a ground terminal at the bottom of the FortiGate-7060E back panel. The ground terminal provides two connectors to be used with a double-holed lug such as Thomas & Betts PN 54850BE. This connector must be connected to a local ground connection. You need the following equipment to connect the FortiGate-7060E chassis to ground:

  • An electrostatic discharge (ESD) preventive wrist strap with connection cord.
  • One green 6 AWG stranded wire with listed closed loop double-hole lug suitable for minimum 6 AWG copper wire, such as Thomas & Betts PN 54850BE.

To connect the FortiGate-7060E chassis to ground

  1. Attach the ESD wrist strap to your wrist and to an ESD socket or to a bare metal surface on the chassis or frame.
  2. Make sure that the chassis and ground wire are not energized.
  3. Connect the green ground wire from the local ground to the ground connector on the FortiGate-7060E chassis.
  4. Secure the ground wire to the chassis.
  5. Optionally label the wire GND.

Turning on FortiGate-7060E chassis power

Connect AC power to PSUs 1, 2, 3, and 4. Once the FortiGate-7060E chassis is connected to power the chassis powers up. If the chassis is operating correctly, the LEDs on the PSUs and fans should be lit. As well, the LEDs on the FortiGate-7060E management module should be lit.

When the chassis first starts up you should also hear the cooling fans operating.

In addition, if any modules have been installed in the chassis they should power on and their front panel LEDs should indicate that they are starting up and operating normally.

 

 

FortiGate-7060E hardware assembly and rack mounting

FortiGate-7060E hardware assembly and rack mounting

The FortiGate-7060E chassis must be mounted in a standard 19-inch rack and requires 8U of vertical space in the rack. This chapter describes how to attach accessories to the FortiGate-7060E chassis, how to install the chassis in a 4-post or 2-post rack, and how to install FIM and FPM modules in the chassis front panel slots.

If you install the FortiGate-7060E chassis in a closed or multi-unit rack assembly, the operating ambient temperature of the rack environment may be greater than room ambient temperature. Make sure the operating ambient temperature does not exceed the manufacturer’s maximum rated ambient temperature.

It is recommended that you mount the FortiGate-7060E chassis near the bottom of the rack to avoid making the rack top-heavy and potentially falling over. If you are going to mount the chassis higher, make sure the rack is well anchored. Since the chassis is over 100 lbs, use a lift to raise the chassis into position before mounting it.

Installing accessories

These accessories are optional and not required for all configurations. If you have them, before mounting the chassis in a rack you should install the left and right front mounting brackets and the cable management brackets as shown in the following illustration.

Installing FortiGate-7060E accessories

You can also install power cord clamps into the front of the chassis beside each PSU. Install the clamps by inserting them into the holes adjacent to each supply at the back of the chassis. Use the clamps to secure the AC power cords so they are not accidentally disconnected.

Mounting the FortiGate-7060E chassis in a four-post rack

The FortiGate-7060E package includes a set of extendable brackets that you can use to mount the chassis in a 4-post rack. Install the brackets to create a 4-post rack mount tray that the chassis will slide on to. Attach each side of the tray to the 4-post rack using the front and back brackets as shown below. Make sure you install the tray with enough space above it for the chassis. The length of the tray sides adjusts to match your rack.

Once the 4-post rack mount tray has been installed, slide the chassis onto the tray and secure it to the rack mount tray as shown in the diagram.

Mounting the chassis in a four-post Rack

Mounting the FortiGate-7060E chassis in a two-post rack

The FortiGate-7060E package includes two mid-mount trays and two mid-mount ears that you can use to mount the chassis in a 2-post rack. As shown in the diagram, first attach the mid-mount trays to the rack making sure to leave enough space above the trays for the chassis. Then attach the mid-mount ears to the chassis also as shown in the diagram. Finally line up the mid-mount trays with the mid-mount ears so that the chassis is supported in the rack. Then use screws to attach the mid-mount ears and the chassis to the rack.

Mounting the chassis in a 2-post rack

Air flow

For rack installation, make sure that the amount of air flow required for safe operation of the FortiGate-7060E chassis is not compromised. Make sure that the chassis ventilation openings at the front and back are not blocked by cables or other components. The recommended minimum clearance at the front of the chassis is 100 mm and the recommended clearance from the rear of the chassis is 100 mm. This results in a total footprint of 850 mm from front to back. See Cooling air flow and required minimum air flow clearance for more details.

Inserting FIM and FPM-7000 series modules

All FortiGate-7060E chassis are shipped with a protective front panel installed in the chassis to protect internal chassis components. This panel must be removed before you install FIM and FPM modules.

Insert FIM modules into chassis slots 1 and 2. Insert FPM modules into chassis slots 3, 4, 5, and 6.

Do not operate the FortiGate-7060E chassis with open slots on the front or back panel. For optimum cooling performance and safety, each chassis slot must contain an FIM or FPM module or an FIM or FPM blank panel (also called a dummy card). For the same reason, all cooling fan trays, power supplies or power supply slot covers must be installed while the chassis is operating.

To insert FIM and FPM modules, see the guide supplied with the module.

You must carefully slide the module all the way into the chassis slot, close the handles to seat the module into the slot, and tighten the retention screws to make sure the module is fully engaged with the backplane and secured. You must also make sure that the sliding latches are fully closed by gently pushing them down. The handles must be closed, the retention screws tightened and the latches fully closed for the module to get power and start up. If the module is not receiving power all LEDs remain off.

All FIM and FPM-7000 series modules must be protected from static discharge and physical shock. Only handle or work with these boards at a static-free workstation. Always wear a grounded electrostatic discharge (ESD) preventive wrist strap when handling these boards.

Recommended slot locations for interface modules

If you are installing different FIM modules in the FortiGate-7060E chassis, for optimal configuration you should install the module with the lower model number in slot 1 and the module with the higher number in slot 2.

For example:

  • If your chassis includes a FIM-7901E and a FIM-7904E, install the FIM-7901E in chassis slot 1 and the FIM-7904E in chassis slot 2.
  • If your chassis includes a FIM-7904E and a FIM-7920E, install the FIM-7904E in chassis slot 1 and the FIM-7920E in chassis slot 2.

This applies to any combination of two different interface modules.