Fortinet FortiGate FortiGate-5001FA2 Installation Manual

Fortigate 5000 series

FortiGate 5000 Series
Version 2.80 MR11
01-28011-0259-20060209

Installation Guide

9 February 2006

Summary of Contents for Fortinet FortiGate FortiGate-5001FA2

  • Page 1: Installation Guide

    FortiGate 5000 Series Installation Guide [cover illustration]
  • Page 2 CAUTION: RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT TYPE. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS. For technical support, please visit http://www.fortinet.com. Send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.
  • Page 3: Table Of Contents

    FortiSwitch-5003 module ... 7 Document conventions ... 7 Fortinet documentation ... 9 Fortinet Knowledge Center ... 9 Comments on Fortinet technical documentation... 9 Customer service and technical support... 9 Configuring the FortiGate for the Network... 11 Configuration options ... 14 Web-based manager and setup wizard ...
  • Page 4 Transparent mode network configuration ... 59 Firewall configuration ... 59 Protection profiles ... 60 Restoring the default settings ... 61 Restoring the default settings using the web-based manager ... 61 Restoring the default settings using the CLI ... 61 Index ... 63 01-28011-0259-20060210 Fortinet Inc.
  • Page 5: Introduction

    FortiGate-5000 series Installation Guide Version 2.80 MR11 Introduction Welcome and thank you for selecting Fortinet products for your real-time network protection. FortiGate Antivirus Firewalls improve network security, reduce network misuse and abuse, and help you use communications resources more efficiently without compromising the performance of your network.
  • Page 6: About The Fortigate-5000 Series Hardware Guide

    AC to DC power supplies that connect to AC power. The FortiGate-5020 chassis also includes an internal cooling fan tray. For details about the FortiGate-5020 chassis, see the Guide, which is a detailed guide to all three Guide. FortiGate-5000 series Hardware 01-28011-0259-20060210 Introduction FortiGate-5000 series Hardware Guide. Fortinet Inc.
  • Page 7: About The Fortigate-5000 Series Modules

    Gigabit ethernet interfaces. The FortiGate-5001FA2 module is similar to the FortiGate-5001SX module except that two of the FortiGate-5001FA2 interfaces include Fortinet technology to accelerate small packet performance. For details about the FortiGate-5001FA2 module, see the Hardware...
  • Page 8 In most cases to make changes to lists that contain options separated by spaces, you need to retype the whole list including all the options you want to apply and excluding all the options you want to remove.
  • Page 9: Fortinet Documentation

    Fortinet technical documentation, to techdoc@fortinet.com. Customer service and technical support Fortinet Technical Support provides services designed to make sure that your Fortinet systems install quickly, configure easily, and operate reliably in your network. Please visit the Fortinet Technical Support web site at learn about the technical support services that Fortinet provides.
  • Page 10 Customer service and technical support Introduction 01-28011-0259-20060210 Fortinet Inc.
  • Page 11: Configuring The Fortigate For The Network

    This chapter provides an overview of the operating modes of the FortiGate unit. Before beginning to configure the FortiGate-5000 security system module, you need to plan how to integrate the unit into your network. Your configuration plan is dependent upon the operating mode that you select: NAT/Route mode or Transparent mode.
  • Page 12: Transparent Mode Standalone Configuration

    You typically use a FortiGate-5000 antivirus firewall module in Transparent mode on a private network behind an existing firewall or behind a router. The FortiGate-5000 module performs most of the same firewall functions in Transparent mode as in NAT/Route mode.
  • Page 13 FortiGate-5001SX HA Cluster in Transparent mode in a FortiGate-5020 chassis [network diagram; labels: Gateway to public network, Internet (firewall, router), Internal network, Port1; addresses shown: 204.23.1.5, 192.168.1.1, 192.168.1.99]
  • Page 14: Configuration Options

    Internet Explorer version 6.0 or higher; an optical fiber patch or copper ethernet cable required to connect port 1 of the FortiGate-5000 module to your network
  • Page 15 Configuring the FortiGate for the Network By default, you can connect to the web-based manager using the FortiGate-5000 module port 1. If you cannot connect port 1 to your network, you can use the FortiGate CLI to add an IP address to one of the other FortiGate module ports. Note: You may not be able to connect port 1 to your network if port 1 is an optical interface and you do not have access to an optical network) you can change.
  • Page 16: Connecting To The Command Line Interface (Cli)

    Select the following port settings and select OK. a computer with an available communications port; the serial cable included in your FortiGate package; terminal emulation software such as HyperTerminal for Windows
  • Page 17: Nat/Route Mode Installation

    Configuring the FortiGate for the Network Bits per second 9600 Data bits Parity Stop bits Flow control Press Enter to connect to the FortiGate CLI. A prompt similar to the following is displayed: FortiGate-5001 login: Type admin and press Enter twice. The following prompt is displayed: Welcome ! Type ? to list available commands.
  • Page 18 Primary DNS Server: _____._____._____._____ Secondary DNS Server: _____._____._____._____
  • Page 19: Using The Web-Based Manager

    Configuring the FortiGate for the Network DHCP or PPPoE configuration You can configure any FortiGate interface to acquire its IP address from a DHCP or PPPoE server. Your ISP may provide IP addresses using one of these protocols. To use the FortiGate DHCP server, you need to configure an IP address range and default route for the server.
  • Page 20: Using The Command Line Interface

    DHCP or PPPoE. Go to System > Router > Static. If the Static Route table contains a default route (IP and Mask set to 0.0.0.0), select the Delete icon to delete this route.
  • Page 21 Configuring the FortiGate for the Network Configuring the FortiGate module to operate in NAT/Route mode Use the information that you gathered in procedures. To add/change the administrator password Log in to the CLI. Change the admin administrator password. Enter: To configure interfaces Log in to the CLI.
  • Page 22 Set the primary and secondary DNS server IP addresses. Enter config system dns set primary <address_ip> set secondary <address_ip> config system dns set primary 293.44.75.21 set secondary 293.44.75.22
  • Page 23: Using The Setup Wizard

    Table 3: Setup wizard settings Password Internal Interface External Interface FortiGate-5000 series Installation Guide Set the default route to the Default Gateway IP address. Enter: config router static edit 1 set dst 0.0.0.0 0.0.0.0 set gateway <gateway_IP> set device <interface> config router static edit 1 set dst 0.0.0.0 0.0.0.0...
  • Page 24: Starting The Setup Wizard

    Create a protection profile that enables virus scanning, for HTTP, FTP, IMAP, POP3, and SMTP (recommended). Add this protection profile to a default firewall policy. Do not configure antivirus protection. to fill in the wizard fields.
  • Page 25: Connecting The Fortigate Unit To The Network(S)

    Figure 7: FortiGate-5001SX example NAT/Route mode connections [network diagram; labels: Internal Network, Hub or Switch, Port 1, Port 2, Port 6, Public Switch or Router, Internet, Web Server]
  • Page 26: Configuring The Networks

    Connecting the FortiGate unit to the network(s) Table 4 to gather the information that you need to customize Transparent mode the web-based manager GUI command line interface (CLI) setup wizard 01-28011-0259-20060210 Configuring the FortiGate for the Network “NAT/Route 32. For more Fortinet Inc.
  • Page 27: Using The Web-Based Manager

    The management IP address and netmask must be valid for the network from which you will manage the FortiGate unit. Add a default gateway if the FortiGate unit must connect to a router to reach the management computer. Primary DNS Server: Secondary DNS Server: _____._____._____._____...
  • Page 28: Using The Command Line Interface

    Otherwise, you can reconnect to the web-based manager by browsing to https://10.10.10.1. If you connect to the management interface through a router, make sure that you have added a default gateway for that router to the management IP default gateway field.
  • Page 29 <address_ip> set secondary <address_ip> config system dns set primary 293.44.75.21 set secondary 293.44.75.22 config router static edit 1 set dst 0.0.0.0 0.0.0.0 set gateway <address_gateway> set device <interface> 01-28011-0259-20060210 Transparent mode installation...
  • Page 30: Using The Setup Wizard

    Otherwise, you can reconnect to the web-based manager by browsing to https://10.10.10.1. If you connect to the management interface through a router, make sure that you have added a default gateway for that router to the management IP default gateway field.
  • Page 31: Connecting The Fortigate Module To Your Network

    Figure 8: FortiGate-5001SX example Transparent mode connections [network diagram; labels: Internal Network, Hub or Switch, Port 1, Port 2, Port 5, Port 6, Public Switch or Router, Internet, Other Network]
  • Page 32: High Availability Installation

    Connecting the cluster to your networks Installing and configuring the cluster High availability configuration settings Configuring FortiGate-5000 modules for HA using the web-based manager Configuring FortiGate-5000 modules for HA using the CLI
  • Page 33 Configuring the FortiGate for the Network Table 5: High availability settings Mode Group ID Unit priority Override Master FortiGate-5000 series Installation Guide Active-Active Load balancing and failover HA. Each FortiGate-5000 module in the HA cluster actively processes connections and monitors the status of the other FortiGate-5000 modules in the cluster.
  • Page 34 IP Port to distribute traffic to units in a cluster based on the Source IP, Source Port, Destination IP, and Destination port of the packet. “Connecting to the web-based manager” on page
  • Page 35 Configuring the FortiGate for the Network Go to System > Status. In the Host Name field of the Unit Information section, select Change. Type a new host name and select OK. To configure a FortiGate-5000 module for HA operation Go to System > Config > HA. Select High Availability.
  • Page 36 <password_str> set schedule {hub | ip | ipport | leastconnection | none | random | round-robin | weight-round-robin} 01-28011-0259-20060210 Configuring the FortiGate for the Network “Connecting the cluster to your networks” “Connecting the cluster to your networks” Fortinet Inc.
  • Page 37: Using The Fortiswitch-5003 In An Ha Cluster

    Configuring the FortiGate for the Network Allow the FortiGate-5000 module to restart in Transparent mode. Repeat this procedure for all of the FortiGate-5000 modules in the cluster then continue with Using the FortiSwitch-5003 in an HA cluster The FortiSwitch-5003 module is an HA component designed for use in the FortiGate-5050 and FortiGate-5140 chassis to provide full HA clustering capabilities between FortiGate-5000 modules.
  • Page 38 [network diagram; labels: Port 3, Hub or Switch, Router, Internet]
  • Page 39: Installing And Configuring The Cluster

    When negotiation is complete, you can configure the cluster as if it was a single FortiGate-5000 module. The configurations of all of the FortiGate-5000 in the cluster are synchronized so that the FortiGate-5000 modules can function as a cluster.
  • Page 40: Next Steps

    FortiGate unit. [chassis front-panel illustration]
  • Page 41: Register Your Fortigate Chassis And Modules

    After purchasing and installing new FortiGate appliances, you can register them by going to the System Update Support page, or using a web browser to connect to http://support.fortinet.com and selecting Product Registration. To register, enter your contact information and the serial numbers of the FortiGate chassis and modules that you or your organization has purchased.
  • Page 42 Next steps Configuring the FortiGate for the Network 01-28011-0259-20060210 Fortinet Inc.
  • Page 43: Fortigate Firmware

    FortiGate administrators whose access profiles contain system configuration read and write privileges and the FortiGate admin user can change the FortiGate firmware. After you download a FortiGate firmware image from Fortinet, you can use the procedures listed in module.
  • Page 44: Upgrading To A New Firmware Version

    To upgrade the firmware using the CLI Make sure that the TFTP server is running. Copy the new firmware image file to the root directory of the TFTP server. the FortiGate Administration Guide. execute update_now 01-28011-0259-20060210 FortiGate Firmware to update the antivirus and attack Fortinet Inc.
  • Page 45: Reverting To A Previous Firmware Version

    Where <name_str> is the name of the firmware image file and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v280-build183-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter: execute restore image FGT_300-v280-build183-FORTINET.out...
  • Page 46: Reverting To A Previous Firmware Version Using The Cli

    IPS custom signatures, web content lists, email filtering lists, and changes to replacement messages. Back up the FortiGate-5000 module configuration. Back up the IPS custom signatures. Back up web content and email filtering lists. the FortiGate Administration Guide 01-28011-0259-20060210 FortiGate Firmware the FortiGate Administration the FortiGate Administration Fortinet Inc.
  • Page 47 Where <name_str> is the name of the firmware image file and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v280-build158-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter: execute restore image FGT_300-v280-build158-FORTINET.out...
  • Page 48: Installing Firmware Images From A System Reboot Using The Cli

    FortiGate Administration Guide Back up the IPS custom signatures. For information, see the FortiGate Administration Guide Back up web content and email filtering lists. For information, see the FortiGate Administration Guide. 01-28011-0259-20060210 FortiGate Firmware , or from the CLI, enter: Fortinet Inc.
  • Page 49 FortiGate Firmware If you are reverting to a previous FortiOS version (for example, reverting from FortiOS v2.80 to FortiOS v2.50), you might not be able to restore your previous configuration from the backup configuration file. Note: Installing firmware replaces the current antivirus and attack definitions with the definitions included with the firmware release that you are installing.
  • Page 50 FortiGate-5000 module running v2.x BIOS Do You Want To Save The Image? [Y/n] Type Y. FortiGate-5000 module running v3.x BIOS Save as Default firmware/Run image without saving:[D/R] Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]
  • Page 51: Testing A New Firmware Image Before Installing It

    FortiGate Firmware The FortiGate-5000 module installs the new firmware image and restarts. The installation might take a few minutes to complete. Restoring the previous configuration Change the internal interface address if required. You can do this from the CLI using the command: config system interface After changing the interface address, you can access the FortiGate-5000 module from...
  • Page 52 FortiGate-5000 module running v3.x BIOS [G]: Get firmware image from TFTP server. [F]: Format boot device. [Q]: Quit menu and continue to boot with default firmware. [H]: Display this list of options. Enter G,F,Q,or H: 01-28011-0259-20060210 FortiGate Firmware execute reboot Fortinet Inc.
  • Page 53: Installing And Using A Backup Firmware Image

    FortiGate Firmware Type the number of the interface that connects to the same network as the TFTP server. The default interface is port8. To accept the default interface, press Enter. The following message appears: Enter TFTP server address [192.168.1.168]: Type the address of the TFTP server and press Enter. The following message appears: Enter Local Address [192.168.1.188]: Type an IP address that can be used by the FortiGate-5000 module to connect to the...
  • Page 54: Installing A Backup Firmware Image

    “Installing firmware images from a system reboot using the CLI” on page Get firmware image from TFTP server. Format boot device. Boot with backup firmware and set as default. Quit menu and continue to boot with default firmware. Display this list of options. 01-28011-0259-20060210 FortiGate Firmware execute reboot Fortinet Inc.
  • Page 55 FortiGate Firmware Type an IP address that can be used by the FortiGate-5000 module to connect to the FTP server. The IP address can be any IP address that is valid for the network that the interface is connected to. Make sure you do not enter the IP address of another device on this network.
  • Page 56 Get firmware image from TFTP server. Format boot device. Boot with backup firmware and set as default. Quit menu and continue to boot with default firmware. Display this list of options.
  • Page 57: Factory Defaults

    The FortiGate-5000 module ships with a factory default configuration. The default configuration allows you to connect to and use the FortiGate web-based manager to configure the FortiGate-5000 module onto the network. To configure the FortiGate-5000 module onto the network you add an administrator password, change network interface IP addresses, add DNS server IP addresses, and configure basic routing, if required.
  • Page 58 Primary DNS Server Secondary DNS Server 01-28011-0259-20060210 Factory defaults 192.168.100.99 255.255.255.0 Ping 0.0.0.0 0.0.0.0 Ping 0.0.0.0 0.0.0.0 Ping 0.0.0.0 0.0.0.0 Ping 0.0.0.0 0.0.0.0 Ping 0.0.0.0 0.0.0.0 Ping 0.0.0.0 0.0.0.0 Ping 192.168.100.1 port2 207.192.200.1 207.192.200.129 Fortinet Inc.
  • Page 59: Transparent Mode Network Configuration

    Factory defaults Transparent mode network configuration In Transparent mode, the FortiGate-5000 module has the default network configuration listed in Table 8: Factory default Transparent mode network configuration Administrator account Management IP Administrative access Firewall configuration FortiGate firewall policies control how all traffic is processed by the FortiGate-5000 module.
  • Page 60: Protection Profiles

    To apply no scanning, blocking or IPS. Use if you do not want to apply content protection to content traffic. You can add this protection profile to firewall policies for connections between highly trusted or highly secure networks where content does not need to be protected.
  • Page 61: Restoring The Default Settings

    Factory defaults Figure 13: Web protection profile settings Restoring the default settings Should you mistakenly change a network setting and cannot connect to the FortiGate-5000 module, you can revert to the factory default settings and start over again. Restoring the default settings using the web-based manager To reset the default settings Go to System >...
  • Page 62 The FortiGate-5000 module loads the default firmware image and restarts. Get firmware image from TFTP server. Format boot device. Boot with backup firmware and set as default. Quit menu and continue to boot with default firmware. Display this list of options.
  • Page 63: Index

    FortiGate-5000 series Installation Guide FortiGate-5020 chassis 6 FortiGate-5050 chassis 6 FortiGate-5140 chassis 6 Fortinet Knowledge Center 9 FortiSwitch-5003 introduction 7 configuring FortiGate units for HA operation 32 connecting an HA cluster 37, 39 High availability 32 internal network configuring 26...
  • Page 64 IP address 29 upgrading firmware 44 firmware using the CLI 44, 46 firmware using the web-based manager 44, 45, 61 web-based manager connecting to 17 wizard setting up firewall 19, 23, 27, 30 starting 19, 24, 27, 30 01-28011-0259-20060210 Fortinet Inc.