Fortinet FortiGate FortiGate-5000 Backplane Communications Manual

Fortigate-5000 series version 3.0 mr5


Backplane Communications Guide
FortiGate-5000 Series
Version 3.0 MR5
www.fortinet.com


Summary of Contents for Fortinet FortiGate FortiGate-5000

  • Page 1 Backplane Communications Guide FortiGate-5000 Series Version 3.0 MR5 www.fortinet.com...
  • Page 2 FortiGate-5000 Series Backplane Communications Guide 29 August 2007 01-30005-0423-20070829 © Copyright 2007 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.
  • Page 3: Table Of Contents

    Introduction ... 5 Warnings and cautions ... 5 About this document... 7 Fortinet documentation... 7 Fortinet Tools and Documentation CD ... 7 Fortinet Knowledge Center ... 7 Comments on Fortinet technical documentation ... 7 Customer service and technical support ... 7 FortiGate-5140 base backplane communication ...
  • Page 4 Contents FortiGate-5000 Series Version 3.0 MR5 Backplane Communications Guide 01-30005-0423-20070829...
  • Page 5: Introduction

    FortiGate-5000 series equipment. Read and comply with all warnings, cautions and notices in this document. Caution: You should be aware of the following cautions and warnings before installing FortiGate-5000 series hardware. Warnings and cautions...
  • Page 6 Refer to nameplate ratings to address this concern. • Make sure all FortiGate components have reliable grounding. Fortinet recommends direct connections to the branch circuit. • If you install a FortiGate component in a closed or multi-unit rack assembly, the operating ambient temperature of the rack environment may be greater than room ambient.
  • Page 7: About This Document

    Fortinet Tools and Documentation CD All Fortinet documentation is available from the Fortinet Tools and Documentation CD shipped with your Fortinet product. The documents on this CD are current at shipping time. For up-to-date versions of Fortinet documentation see the Fortinet Technical Documentation web site at http://docs.forticare.com.
  • Page 8 Customer service and technical support Introduction FortiGate-5000 Series Version 3.0 MR5 Backplane Communications Guide 01-30005-0423-20070829...
  • Page 9: Fortigate-5140 Base Backplane Communication

    FortiGate-5140 base backplane communication Both the FortiGate-5140 and the FortiGate-5050 chassis have two base backplane Ethernet channels. Available connections to these channels vary by slot number. • Slot 1 can connect to the chassis’ first base backplane channel, and thereby all other slots, except slot 2.
  • Page 10: Ha Configurations

    HA configurations
    Table 1: Names of base backplane interfaces by FortiGate model
    Model               Name of base backplane interface 1 (to slot 1)
    FortiGate-5001SX    port9
    FortiGate-5001FA2   port9
    FortiGate-5005FA2   base1
    This section contains example HA and network configurations for each hardware combination.
  • Page 11: Two Fortiswitch Modules Per Chassis

    FortiGate-5140 base backplane communication Default heartbeat interfaces vary by the model of the FortiGate modules, and are not always base backplane interfaces. For example, FortiGate-5005FA2 modules use fabric1 and fabric2, the fabric backplane rather than the base backplane, as the default heartbeat interfaces. If this is the case, to send heartbeat communications through the base backplane, you must enable and adjust the priority of the base backplane interfaces.
  • Page 12 HA configurations Figure 3: Inter-chassis HA cluster with two available base backplane heartbeat interfaces (through FortiSwitch-5003 modules in slot 1 and slot 2)
  • Page 13 FortiGate-5140 base backplane communication If you also want to specify which FortiSwitch module is used as the primary or failover, its priority must be greater than the failover interface, or it must have a higher position in the Heartbeat Interface list. Position in the Heartbeat Interface list varies by the model of the FortiGate modules.
  • Page 14 HA configurations Figure 5: FortiGate-5005FA2 heartbeat failover from slot 1 (base1) to slot 2 (base2) To configure HA interface failover to use two FortiSwitch modules Insert FortiSwitch modules into slot 1 and slot 2 of each chassis. If you want to form HA clusters between FortiGate modules in separate chassis, link the base backplanes of each chassis by connecting FortiSwitch modules’...
  • Page 15: One Fortiswitch Module Per Chassis

    FortiGate-5140 base backplane communication Note: Heartbeat interface precedence can be determined by multiple factors, including Priority and position in the Heartbeat Interface list. For details, see heartbeat interface precedence” on page • If interface priorities are not all equal, set the base backplane interfaces’ priority to a higher value than all other interfaces.
  • Page 16 HA configurations Unlike hardware configurations involving two FortiSwitch modules per chassis, when installing only one FortiSwitch module per chassis, the slot position of the FortiSwitch module becomes an important consideration. Single FortiSwitch-5003 modules should usually be installed in slot 2 for FortiGate-5001SX and FortiGate-5001FA2 clusters, but slot 1 for FortiGate-5005FA2 clusters.
  • Page 17 FortiGate-5140 base backplane communication • if priorities are equal, be the first interface on the indexed Heartbeat Interface list You can satisfy these requirements in multiple ways by adjusting interface priority or by disabling heartbeats over other interfaces. Required steps vary by the slot position of the FortiSwitch module, the model of your FortiGate modules, and the number and Heartbeat Interface list position of other interfaces enabled as heartbeat interfaces.
  • Page 18 HA configurations Figure 8: FortiGate-5005FA2 HA through slot 1 (base1) with failover to a non-base backplane interface To configure HA communications to use one FortiSwitch module Insert FortiSwitch modules into slot 1 or slot 2 of each chassis. When installing only one FortiSwitch module per chassis, recommended slot number varies by the model of the FortiGate modules.
  • Page 19 FortiGate-5140 base backplane communication Select the Mode, then enter the Group Name, and Password. You may also want to set other options, such as the Device Priority or session pick-up. For detailed instructions, see the If the base backplane interface does not have heartbeat interface precedence, increase the precedence of the base backplane interface so that it is selected as the primary heartbeat interface.
  • Page 20 HA configurations Choosing the slot position Depending on the types of communications, HA or other, that you want to pass through your FortiSwitch modules, you may choose to install FortiSwitch-5003 modules in different slots: slot 1, slot 2, or both. (Other hardware configurations are possible but often not preferable for various reasons, such as points of failure or base backplane topology.) When using FortiSwitch modules to provide a network connection to the base...
  • Page 21: Network Configurations

    FortiGate-5140 base backplane communication Note: The FortiGate web-based manager and CLI list interfaces in sort order. Because interface names, and therefore sort order, vary by FortiGate model, the preferred slot number for single FortiSwitch modules varies by FortiGate model. For example, a FortiGate-5001SX or FortiGate-5001FA2 module has interfaces named port1 through port10;...
  • Page 22: Connecting Fortigate Modules To Each Other

    Network configurations Connecting FortiGate modules to each other Connecting FortiGate modules to the network In addition to linking base backplane traffic between FortiGate modules, you can use FortiSwitch modules to link traffic between FortiGate modules’ base backplane interfaces and your network, or the Internet. Connecting a ZRE interface to the network links the base backplane, and any connected FortiGate modules, to the network.
  • Page 23: Fortigate-5050 Base Backplane Communication

    FortiGate-5050 base backplane communication Both the FortiGate-5140 and the FortiGate-5050 chassis have two base backplane Ethernet channels. Available connections to these channels vary by slot number. • Slot 1 can connect to the chassis’ first base backplane channel, and thereby all other slots, except slot 2.
  • Page 24: Ha Configurations

    HA configurations
    Table 4: Names of base backplane interfaces by FortiGate model
    Model               Name of base backplane interface 1 (to slot 1)
    FortiGate-5001SX    port9
    FortiGate-5001FA2   port9
    FortiGate-5005FA2   base1
    This section contains example HA and network configurations for each hardware combination.
  • Page 25: Two Fortiswitch Modules Per Chassis

    FortiGate-5050 base backplane communication Default heartbeat interfaces vary by the model of the FortiGate modules, and are not always base backplane interfaces. For example, FortiGate-5005FA2 modules use fabric1 and fabric2, the fabric backplane rather than the base backplane, as the default heartbeat interfaces. If this is the case, to send heartbeat communications through the base backplane, you must enable and adjust the priority of the base backplane interfaces.
  • Page 26 HA configurations Figure 11: Inter-chassis HA cluster with two available base backplane heartbeat interfaces (through FortiSwitch-5003 modules in slot 1 and slot 2)
  • Page 27 FortiGate-5050 base backplane communication You can satisfy these requirements in multiple ways by adjusting interface priority or by disabling heartbeats over other interfaces. Required steps vary by the model of your FortiGate modules, and the number and Heartbeat Interface list position of other interfaces enabled as HA heartbeat interfaces.
  • Page 28 HA configurations Figure 13: FortiGate-5005FA2 heartbeat failover from slot 1 (base1) to slot 2 (base2) To configure HA interface failover to use two FortiSwitch modules Insert FortiSwitch modules into slot 1 and slot 2 of each chassis. If you want to form HA clusters between FortiGate modules in separate chassis, link the base backplanes of each chassis by connecting FortiSwitch modules’...
  • Page 29: One Fortiswitch Module Per Chassis

    FortiGate-5050 base backplane communication If the base backplane interfaces do not have heartbeat interface precedence, increase the precedence of the base backplane interfaces so that they are selected as the primary and first failover heartbeat interface. Note: Heartbeat interface precedence can be determined by multiple factors, including Priority and position in the Heartbeat Interface list.
  • Page 30 HA configurations Note: More than one cluster can use the same base backplane channel for HA communication. To separate HA communications of multiple clusters using the same channel, configure a different HA Group Name and Password for each cluster. Unlike hardware configurations involving two FortiSwitch modules per chassis, when installing only one FortiSwitch module per chassis, the slot position of the FortiSwitch module becomes an important consideration.
  • Page 31 FortiGate-5050 base backplane communication HA configurations Figure 15: FortiGate-5001SX/FortiGate-5001FA2 HA through slot 2 (port10) with failover to a non-base backplane interface
  • Page 32 HA configurations Figure 16: FortiGate-5005FA2 HA through slot 1 (base1) with failover to a non-base backplane interface To configure HA communications to use one FortiSwitch module Insert FortiSwitch modules into slot 1 or slot 2 of each chassis. When installing only one FortiSwitch module per chassis, recommended slot number varies by the model of the FortiGate modules.
  • Page 33 FortiGate-5050 base backplane communication Select the Mode, then enter the Group Name, and Password. You may also want to set other options, such as the Device Priority or session pick-up. For detailed instructions, see the If the base backplane interface does not have heartbeat interface precedence, increase the precedence of the base backplane interface so that it is selected as the primary heartbeat interface.
  • Page 34 HA configurations Choosing the slot position Depending on the types of communications, HA or other, that you want to pass through your FortiSwitch modules, you may choose to install FortiSwitch-5003 modules in different slots: slot 1, slot 2, or both. (Other hardware configurations are possible but often not preferable for various reasons, such as points of failure or base backplane topology.) When using FortiSwitch modules to provide a network connection to the base...
  • Page 35: Network Configurations

    FortiGate-5050 base backplane communication Note: The FortiGate web-based manager and CLI list interfaces in sort order. Because interface names, and therefore sort order, vary by FortiGate model, the preferred slot number for single FortiSwitch modules varies by FortiGate model. For example, a FortiGate-5001SX or FortiGate-5001FA2 module has interfaces named port1 through port10;...
  • Page 36: Connecting Fortigate Modules To Each Other

    Network configurations Connecting FortiGate modules to each other Connecting FortiGate modules to the network In addition to linking base backplane traffic between FortiGate modules, you can use FortiSwitch modules to link traffic between FortiGate modules’ base backplane interfaces and your network, or the Internet. Connecting a ZRE interface to the network links the base backplane, and any connected FortiGate modules, to the network.
  • Page 37: Fortigate-5020 Base Backplane Communication

    FortiGate-5020 base backplane communication The FortiGate-5020 chassis has two base backplane Ethernet channels. FortiGate modules installed in each slot can directly connect to the other slot through either channel. Because of the base backplane’s topology, connecting FortiGate modules to each other through the base backplane does not require any additional hardware (that is, FortiSwitch modules are not required).
  • Page 38: Heartbeat Failover Between Channels

    HA configurations Heartbeat failover between channels To configure your HA cluster with a heartbeat that fails over between the two base backplane interfaces, both base backplane interfaces must be enabled and: • if priorities are not equal, must have the highest priorities of all heartbeat interfaces •...
  • Page 39 FortiGate-5020 base backplane communication HA configurations Figure 18: FortiGate-5001SX/FortiGate-5001FA2 heartbeat failover between base backplane channels
  • Page 40 HA configurations Figure 19: FortiGate-5005FA2 heartbeat failover between base backplane channels To configure heartbeat interface failover between two base backplane channels Insert FortiGate modules into the chassis slots. For details on hardware installation and related warnings and cautions, see the FortiGate-5000 Series Introduction.
  • Page 41: Inter-Chassis Ha Configurations

    FortiGate-5020 base backplane communication • If interface priorities are not all equal, set the base backplane interfaces’ priority to a higher value than all other interfaces. • If interface priorities are all equal, set the base backplane interfaces’ priority to a higher value than all other interfaces, or disable interfaces listed above the base backplane interfaces in the Heartbeat Interface list.
  • Page 42 Inter-chassis HA configurations Figure 20: FortiGate-5020 inter-chassis network and heartbeat connections Figure 21: FortiGate-5001SX/FortiGate-5001FA2 inter-chassis heartbeat interface configuration By default, FortiGate-5001SX modules use port9 and port10 (the base backplane interfaces) as heartbeat interfaces.
  • Page 43: Network Configurations

    FortiGate-5020 base backplane communication Network configurations In addition to HA traffic, the FortiGate-5020 chassis base backplane can pass other traffic types, including VLAN tagged network traffic. FortiGate modules do not necessarily have to be the same model. For example, if you install a FortiGate-5005FA2 and a FortiGate-5001SX module in the same FortiGate-5020 chassis, you can send network traffic between base1 of the FortiGate-5005FA2 module and port9 of the FortiGate-5001SX module.
  • Page 44 Network configurations Figure 23: Network connection between modules in separate chassis, to the Internet, and to the internal network
  • Page 45: Index

    24, 25, 28, 29, 32, 33, 34, 35, 38, 40, 41, 43 FortiGate-5020 chassis 37 FortiGate-5050 chassis 23 FortiGate-5140 chassis 9 Fortinet Knowledge Center 7 FortiSwitch-5003 module 9, 10, 20, 23, 34, 37 Group Name 11, 14, 15, 19, 25, 28, 30, 33, 40 heartbeat...
  • Page 46 Index FortiGate-5000 Series Version 3.0 MR5 Backplane Communications Guide 01-30005-0423-20070829...
  • Page 47 www.fortinet.com...

This manual is also suitable for:

Fortigate-5140, Fortigate-5050, Fortigate-5020
