FortiController-5903C Session-Aware Load Balancer System Guide

FortiController-5903C Session-Aware Load Balancer System Guide
FortiController-5903C
Session-Aware Load Balancer System Guide
This FortiController-5903C Session-Aware Load Balancer System Guide describes FortiController-5903C hardware
features, how to install a FortiController-5903C board in a FortiGate- 5144C chassis, and how to configure the
FortiController-5903C system for your network.
The most recent versions of this and all FortiGate-5000 series documents are available from the FortiGate-5000 page of
the Fortinet Technical Documentation web site (http://docs.fortinet.com).
Access to Fortinet customer services, such as firmware updates, support, and FortiGuard services, requires product
registration. You can register your FortiController-5903C at http://support.fortinet.com.
FortiController-5903C Session-Aware Load Balancer
System Guide
10-500-234846-20141105
Cautions and Warnings
Environmental specifications
Operating Temperature – If this device is installed in a closed or multi-unit rack assembly, the rack’s ambient temperature
may be greater than the room’s ambient temperature. Make sure the rack environment is compatible with the manufacturer’s
maximum rated ambient temperature (Tma).
Température ambiante élevée — Si cet appareil est installé dans un cabinet fermé, la température ambiante du cabinet peut
être supérieure à la température ambiante de la pièce. Assurez- vous que l’environnement dans le cabinet est compatible avec
la tempГ©rature ambiante maximale du fabricant (Tma).
Air flow – For rack installation, make sure that the amount of air flow required for safe operation of the equipment is not
compromised. For free-standing installation, make sure that the appliance has at least 2 inches (5 cm) of clearance on each
side to allow for adequate air flow and cooling.
Ventilation — Pour une installation dans un cabinet, assurez-vous que la ventilation nécessaire au fonctionnement de
l’équipement n’est pas compromise. Pour une installation autonome, assurez-vous que l’appareil dispose d’au moins 2
pouces (5 cm) de dégagement de chaque côté pour permettre l’écoulement de l’air et un refroidissement adéquat.
Circuit overloading – To avoid overloading, use the ratings on the label. Consider the equipment’s connection to the supply
circuit and the effect that circuit overloading might have on current protection and supply wiring.
For redundant power sources, connect each to an IEC/UL Listed power source whose output rating is greater than or equal to
the equipment.
Surtension – Pour éviter de surcharger le circuit d’alimentation, référez-vous aux notes sur l’étiquette de l’équipement .
Envisagez l’effet que la surtension du circuit pourrait avoir sur la protection de surtension et le câblage d’alimentation .
Pour les sources d'alimentation redondantes, connectez chacun Г une source d'alimentation Mis CEI / UL dont la cote de
rendement est supГ©rieur ou Г©gal Г l'Г©quipement.
Reliable earthing – Make sure all rack-mounted equipment is grounded. This includes supply connections (e .g . power
strips), not only direct connections to the branch circuit.
Mise à la terre – Assurez-vous que tout l’équipement est mis à la terre . Ceci comprend les connexions d’alimentation (par
exemple, les barres d’alimentation) en plus des connexions directes au circuit de dérivation.
Interference – If possible, use Shielded Twisted Pair (STP) Ethernet cables instead of Unshielded Twisted Pair (UTP) .
Interférence – Si possible, utilisez des câbles Ethernet de paire torsadée blindée (STP) plutôt que de paire torsadée non
blindГ©e (UTP).
Mechanical loading – To avoid personal injury or damage to the appliance, Fortinet recommends that 2 or more people
together install the appliance into the rack. Balance the equipment to avoid uneven mechanical loading and tipping. Do not
place heavy objects on the appliance.
Installation – Pour éviter des blessures ou des dommages à l’appareil, Fortinet recommande que deux personnes ou plus
installent ensemble cet équipement dans un cabinet. L’installation du matériel à l’intérieur de la baie doit être effectuée de
façon à éviter toute situation dangereuse liée à une installation non conforme . Ne placez pas d’objets lourds sur l’appareil,
celui-ci n’étant pas conçu pour soutenir un poids additionnel.
Refer to specific Product Model Data Sheet for Environmental Specifications (Operating Temperature, Storage Temperature,
Humidity, and Altitude)
Safety
Moving parts — Hazardous moving parts. Keep away from moving fan blades.
Pièces mobiles – Pièces mobiles dangerouses. Se tenir éloigné des pales de ventilateurs mobiles.
Do not install this equipment in a home or public area accessible to the general population. When installed in schools, this
equipment must be installed in a location where access is restricted to trained personnel.
Dans les écoles, ce matériel doit être installé en lieu sûr, de façon à le rendre accessible seulement aux personnels qualifies.
Battery – Risk of explosion if the battery is replaced by an incorrect type. Do not dispose of batteries in a fire. They may
explode. Dispose of used batteries according to your local regulations. IMPORTANT: Switzerland: Annex 4.10 of SR814.013
applies to batteries.
Batterie – Risque d’explosion si vous remplacez la batterie par un modèle incompatible. Jetez les piles usagées selon les
réglementations locales en vigueur. IMPORTANT: Suisse: Annexe 4.10 de SR814.013 s’appliquant aux batteries.
и­¦е‘Љ
жњ¬й›»ж± е¦‚жћњж›ґжЏ›дёЌж­Јзўєжњѓжњ‰з€†з‚ёзљ„еЌ±йљЄ
и«‹дѕќиЈЅйЂ е•†иЄЄж�Ћж›ёи™•зђ†вЅ¤йЃЋд№‹й›»ж± FortiController-5903C Session-Aware Load Balancer System Guide
10-500-234846-20141105
http://docs.fortinet.com/
FortiController-5903C
Contents
Cautions and Warnings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Environmental specifications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Safety. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
FortiController-5903C system
5
Front panel LEDs and connectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
About the SH1 and SH2 LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Front panel connectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
FortiController-5903C session-aware load balancing . . . . . . . . . . . . . . . . . . 9
Setting up a single-chassis SALB cluster . . . . . . . . . . . . . . . . . . . . .
12
Hardware installation
13
Installing QSPF+ and SFP+ transceivers . . . . . . . . . . . . . . . . . . . . . . . .
13
FortiController-5903C mounting components . . . . . . . . . . . . . . . . . . . . .
14
Inserting a FortiController-5903C board . . . . . . . . . . . . . . . . . . . . . . . .
15
Shutting down and Removing a FortiController-5903C board . . . . . . . . . . . . .
17
Resetting a FortiController-5903C board. . . . . . . . . . . . . . . . . . . . . . . .
19
Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
20
FortiController-5903C does not startup . . . . . . . . . . . . . . . . . . . . . .
FortiController-5903C status LED is flashing during system operation . . . . . .
20
20
Basic Configuration
21
Connecting to the FortiController-5903C Web-based manager (GUI) . . . . . . . . .
21
Connecting to the FortiController-5903C command line interface (CLI) . . . . . . . .
21
Factory default settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
22
Initial session-aware load balanced cluster setup . . . . . . . . . . . . . . . . . . .
22
Using the external management address to connect to all units in the cluster . .
24
Upgrading cluster firmware. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
25
Verifying the configuration and the status of the boards in the cluster . . . . . . . .
26
For more information
28
Training Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
28
Technical Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
28
Comments on Fortinet technical documentation . . . . . . . . . . . . . . . . . . .
28
Customer service and support . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
28
Fortinet products End User License Agreement . . . . . . . . . . . . . . . . . . . .
28
Regulatory Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
30
Federal Communication Commission (FCC) – USA . . . . . . . . . . . . . . . .
30
FortiController-5903C Session-Aware Load Balancer System Guide
10-500-234846-20141105
http://docs.fortinet.com/
3
Contents
Industry Canada Equipment Standard for Digital Equipment (ICES) – Canada
Voluntary Control Council for Interference (VCCI) – Japan . . . . . . . . . .
Bureau of Standards Metrology and Inspection (BSMI) – Taiwan . . . . . . .
China . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
European Conformity (CE) - EU . . . . . . . . . . . . . . . . . . . . . . . .
4
.
.
.
.
.
.
.
.
.
.
30
30
30
30
30
FortiController-5903C Session-Aware Load Balancer System Guide
10-500-234846-20141105
http://docs.fortinet.com/
FortiController-5903C
FortiController-5903C system
The FortiController-5903C is an Advanced Telecommunications Computing Architecture
(ATCA) compliant session-aware load balancing hub/switch board that distributes IPv4
TCP and UDP sessions to multiple FortiGate-5000-series boards (called workers) over
the FortiGate-5144C chassis fabric backplane. The FortiController-5903C includes four
front panel 40Gbps Quad Small Formfactor Pluggable + (QSFP+) interfaces (1 to 4) for
connecting to 40Gbps networks. The FortiController-5903C forms a session-aware load
balanced cluster and uses FortiASIC DP processors to load balance millions of sessions
to the cluster, providing up to 40 Gbps of traffic to each cluster member (each worker).
Performance of the cluster shows linear improvement if more workers are added.
Dual dual star clusters can be formed with four FortiController-5903Cs and up to 8
FortiGate-5001D workers. Each FortiGate-5001D worker can handle up to 40 Gbps of
traffic.
Clusters can also be formed with one or two FortiController-5903Cs and up to 12
workers. All of the workers must be the same model. Currently FortiGate-5001B,
FortiGate-5001C, FortiGate-5101C, and FortiGate-5001D workers are supported.
FortiGate-5001C and FortiGate-5001D workers can handle up to 40 Gbps of traffic.
FortiGate-5001B and FortiGate-5101C workers can handle up to 10 Gbps.
The FortiController-5903C can also provide 40-gigabit fabric and 1-gigabit base
backplane channel layer-2 switching in a dual star architecture.
You should install the FortiController-5903C in a FortiGate-5144C chassis to meet
FortiController-5903C power requirements, to have access to a 40G fabric backplane, for
dual dual star architecture and to have enough slots for the number of workers that the
FortiController-5903C can load balance sessions to.
In all ATCA chassis, FortiController-5903Cs are installed in the first and second
hub/switch slots (usually slots 1 and 2). A single FortiController-5903C should be
installed in slot 1 (but you can install it in slot 2). If you add a second
FortiController-5903C it should be installed in slot 2. In dual dual star mode they are
installed in the first four slots.
Figure 1: FortiController-5903C front panel
Base Network
Activity LEDs
Fabric Network
Activity LEDs
Retention
Screw
Extraction
Lever
RJ-45
Console
OOS
LED
STA
LED
PWR
LED
5 and 6
10 Gig Base Channel
SFP+ Interfaces
1 to 4 40 Gig
QSFP+ Network (heartbeat and
management)
Interfaces
IPM
LED
(board
position)
Retention
Screw
MGMT
Extraction
10/100/1000 Copper Lever
Management Interface
Two FortiController-5903Cs can be installed in an active-passive HA configuration that
provides session failover protection.
FortiController-5903C Session-Aware Load Balancer System Guide
10-500-234846-20141105
http://docs.fortinet.com/
5
Front panel LEDs and connectors
FortiController-5903C system
Two FortiController-5903Cs can also be installed in the same chassis in dual
FortiController mode doubling the amount of network interfaces. The
FortiController-5903C in slot 1 always becomes the primary and the one in slot 2
becomes the backup.
You can also install FortiController-5903Cs in a second chassis with another set of
FortiGate workers to provide chassis failover protection.
The FortiController-5903C includes the following hardware features:
• One 1-gigabit base backplane channel for layer-2 base backplane switching between
workers installed in the same chassis as the FortiController-5903C. This base
backplane channel includes 13 1-gigabit connections to up to 13 other slots in the
chassis (slots 2 to 14).
• One 40-gigabit fabric backplane channel for layer-2 fabric backplane switching
between workers installed in the same chassis as the FortiController-5903C. This
fabric backplane channel includes 13 40-gigabit connections to up to 13 other slots in
the chassis (slots 2 to 14).
• Four front panel 40-gigabit QSFP+ fabric channel interfaces (1 to 4). In a sessionaware load balanced cluster these interfaces are connected to 40-gigabit networks to
distribute sessions to workers installed in chassis slots 3 to 14. These interfaces can
also be configured to operate as 4 x 10-gigabit QSFP+ interfaces, 10-gigabit SFP+
interfaces or 1-gigabit SFP+ interfaces.
• Two front panel 10-gigabit SFP+ base channel interfaces (5 and 6) that connect to the
base backplane channel. These interfaces are used for heartbeat and management
communication between FortiController-5903Cs. These interfaces can also be
configured to operate as 1-gigabit SFP interfaces.
• On-board FortiASIC DP processors to provide high-capacity session-aware load
balancing.
• One 1-gigabit out of band management ethernet interface (MGMT).
• One RJ-45, RS-232 serial console connection (CONSOLE).
• One front panel USB port.
• Mounting hardware.
• LED status indicators.
Front panel LEDs and connectors
From the FortiController-5903C font panel you can view the status of the LEDs to verify
that the FortiController-5903C is functioning normally. You also connect the
FortiController-5903C to your 40-gigabit network using the 1 to 4 front panel QSFP+
connectors. The front panel also includes 5 and 6 SFP+ connectors for the base
channels, an Ethernet management interface (MGMT), an RJ-45 console port for
connecting to the FortiController-5903C CLI and a USB port. The USB port can be used
with any USB key for backing up and restoring configuration files.
FortiController-5903C front panel interfaces 1 to 4 appear on the FortiController-5903C
web-based manager and CLI as interfaces f1 to f4. In single FortiController-5903C
mode, workers see these as fctrl/1 to fctrl/4. In dual FortiController-5903C mode,
workers see these as fctrl1/1 to fctrl1/4 and fctrl2/1 to fctrl2/4.
6
FortiController-5903C Session-Aware Load Balancer System Guide
10-500-234846-20141105
http://docs.fortinet.com/
FortiController-5903C system
Front panel LEDs and connectors
LEDs
Ports 1 to 4 can operate in 40-gigabit mode or 4 x 10-gigabit mode. The LEDs function
differently in each mode
Table 1: FortiController-5903C Ports 1 to 4 LEDs (40-gigabit mode)
LED
Description
Amber
The correct cable is connected to the interface and the connected
equipment has power.
Flashing Amber
Network activity.
Off
No link is established.
Table 2: FortiController-5903C Ports 1 to 4 LEDs (4 x 10-gigabit mode)
LED
Description
Green
The correct cable is connected to the interface and the connected
equipment has power.
Flashing Green
Network activity.
Off
No link is established.
Table 3: FortiController-5903C LEDs
LED
Fabric
(1/2 to 14)
Base (1/2 to 14)
State
Description
Green
Fabric backplane interface is connected at 40, 10, or 1
Gbps. Backplane Fabric interface slot-14 is not
accessible.
Flashing Network activity at the fabric backplane interface.
Green
Off
No link is established.
Green
Base backplane interface is connected at 1 Gbps.
Flashing Network activity at the base backplane interface.
Green
Off
No link is established.
Off
Normal operation.
OOS
(Out of Service)
Amber
A fault condition exists and the FortiController-5903C
blade is out of service (OOS). This LED may also flash
very briefly during normal startup.
PWR (Power)
Green
The FortiController-5903C is powered on.
Off
The FortiController-5903C is powered on.
STA (Status)
SH1
Flashing The FortiController-5903C is starting up. If this LED is
Green
flashing at any time other than system startup, a fault
condition may exist.
Not used in the default configuration. See “About the SH1 and SH2
LEDs” on page 8.
FortiController-5903C Session-Aware Load Balancer System Guide
10-500-234846-20141105
http://docs.fortinet.com/
7
Front panel LEDs and connectors
FortiController-5903C system
Table 3: FortiController-5903C LEDs (Continued)
LED
State
SH2
Green or Network activity between the FortiController-5903C and
Flashing one of the shelf managers across the chassis backplane.
Green
If the FortiController-5903C is installed in chassis slot 1,
this LED indicates a connection to shelf manager 2. If the
FortiController-5903C is installed in chassis slot 2, this
LED indicates a connection to shelf manager 1.
Green
5 and 6
The correct cable is connected to the interface and the
connected equipment has power.
Flashing Network activity at the interface.
Green
Off
Link/Act Solid
Green
(Left
LED)
Blinking
Green
MGMT
Speed
(Right
LED)
IPM
Description
No link is established.
Indicates this interface is connected with the correct
cable and the attached network device has power.
Indicates network traffic on this interface.
Off
No Link
Green
Connection at 1 Gbps.
Amber
Connection at 100 Mbps.
Off
Connection at 10 Mbps.
Blue
The FortiController-5903C is ready to be hot-swapped
(removed from the chassis). If the IPM light is blue and no
other LEDs are lit the FortiController-5903C has lost
power
Flashing The FortiController-5903C is changing from hot swap to
Blue
running mode or from running mode to hot swap. This
happens when the FortiController-5903C is starting up or
shutting down.
Off
Normal operation. The FortiController-5903C is in contact
with the chassis backplane.
About the SH1 and SH2 LEDs
SH1 and SH2 are base channel interfaces that can be used to connect the
FortiController-5903C to the chassis shelf managers over the chassis backplane. The
SH1 and SH2 LEDs indicate the status of the connections between the
FortiController-5903C and a shelf manager. Whether or not these LEDs are lit depends on
the configuration of the SH1 and SH2 interfaces on the FortiController-5903C, the
configuration of the chassis backplane, and if one or both shelf managers are installed
and configured to connect using the backplane or their front panel Ethernet interfaces.
By default the SH1 interface is disabled so the SH1 LED will not light.
By default, the SH2 interface is enabled so the SH2 LED will be lit if it can connect to a
shelf manager over the chassis blackplane. If the FortiController-5903C is installed in
chassis slot 1, the SH2 LED indicates a connection to shelf manager 2. If the
FortiController-5903C is installed in chassis slot 2, the SH2 LED indicates a connection to
shelf manager 1.
8
FortiController-5903C Session-Aware Load Balancer System Guide
10-500-234846-20141105
http://docs.fortinet.com/
FortiController-5903C system
FortiController-5903C session-aware load balancing
Front panel connectors
Table 4: FortiController-5903C connectors
Connector Type
CONSOLE
USB
RJ-45
Speed
Protocol
Description
9600 bps
8/N/1
RS-232
serial
Serial connection to the
command line interface.
USB
Not used.
QSPF+ (40
gigabit),
SFP+ (10
gigabit)
40-gigabit full Ethernet
10-gigabit full
40-gigabit QSPF+ connection
to 40-gigabit networks or 10gigabit SPF+ connection to
10-gigabit networks. Quad
small form-factor pluggable
transceiver. On the
FortiController-5903C GUI and
CLI these interfaces are f1 to
f4. In single
FortiController-5903C mode,
workers see these as fctrl/1 to
fctrl/4. In dual
FortiController-5903C mode,
workers see these as fctrl1/1
to fctrl1/4 and fctrl2/1 to
fctrl2/4.
SFP+ (10
gigabit) or
SPF (1
gigabit)
10-gigabit full Ethernet
1-gigabit
auto
1-gigabit full
10-gigabit SPF+ connection to
10-gigabit networks or
1-gigabit SPF connection to
1-gigabit networks. Small
form-factor pluggable
transceiver. For heartbeat and
management communication
between
FortiController-5903Cs.
RJ-45
10/100/1000
Base-T
Copper 1-gigabit connection
to 10/100/1000Base-T copper
networks for management or
system administration.
1 to 4
5 and 6
MGMT
Ethernet
FortiController-5903C session-aware load balancing
This section provides a brief introduction to FortiController-5903C session-aware load
balancing (SALB). For more information, including example configurations see the
FortiController Session-Aware Load Balancing Guide on the Fortinet documentation
website (http://docs.fortinet.com).
This section provides a brief introduction to FortiController-5903C session-aware load
balancing (SALB). For more information, including example configurations see the
FortiController Session-Aware Load Balancing Guide on the Fortinet documentation
website (http://docs.fortinet.com).
FortiController-5903C Session-Aware Load Balancer System Guide
10-500-234846-20141105
http://docs.fortinet.com/
9
FortiController-5903C session-aware load balancing
FortiController-5903C system
The FortiController-5903C uses 2 on-board FortiASIC DP processors to perform highperformance session-aware load balancing (SALB). A single FortiController-5903C can
distribute millions of concurrent sessions to up to 12 workers and start millions of new
sessions a second. If a worker fails, sessions are re-distributed to the remaining workers.
Additional FortiController-5903Cs in the same chassis can be added for redundancy or to
increase the number of network interfaces. You can also add a second chassis for
chassis redundancy.
As a session-aware load balancer, the FortiController-5903C maintains the state for each
session and is capable of directing any session to any worker installed in the same
chassis. This session-awareness means that all traffic being processed by a specific
worker continues to be processed by the same worker. Session-awareness also means
that more complex networking features such as network address translation (NAT),
fragmented packets, complex UDP protocols, and complex protocols such as SIP that
use pinholes, can be load balanced by the cluster.
In a FortiController-5903C load balanced cluster, when a worker that is processing SIP
traffic creates a pinhole, this information is communicated to the FortiController-5903C.
The FortiController-5903C then knows to distribute the voice and media sessions to this
worker.
The SIP protocol uses known SIP ports for control traffic but dynamically uses a wide
range of ports for voice and other media traffic. To successfully pass SIP traffic through
a firewall, the firewall must use a session helper or application gateway to look inside the
SIP control traffic and determine the ports to open for voice and media. To allow the
voice and media traffic, the firewall temporarily opens these ports, creating what’s
known as a pinhole that temporarily allows traffic on a port as determined by the SIP
control traffic. The pinhole is closed when the voice or media session ends.
Session-aware load balancing does not support traffic shaping.
The FortiController-5903C supports adding and removing workers from the cluster. So
you can start with a small number of workers and add more as your requirements grow.
When a new worker is added to a chassis slot and switched to forticontroller mode the
cluster automatically detects it, synchronizes its configuration and begins sending new
sessions to it, maintaining existing sessions on the workers that were already in the
cluster. If a worker fails or is removed from the cluster, the FortiController-5903C detects
its absence and re-balances and redistributes sessions to the remaining workers.
The FortiController-5903C supports the following single-chassis SALB configurations:
• One FortiController-5903C and up to 12 workers. The FortiController-5903C receives
all sessions and load balances them to the workers. If the FortiController-5903C fails
the cluster fails.
• Two FortiController-5903Cs in HA mode and up to 12 workers. The primary
FortiController-5903C receives all sessions and load balances them to the workers. If
the primary FortiController-5903C fails, the backup FortiController-5903C takes its
place.
• Two FortiController-5903Cs in dual mode and up to 12 workers. Both
FortiController-5903Cs receive and load balance sessions to the workers. If a
FortiController-5903C fails the other FortiController-5903C continues to operate. All
sessions processed by the failed FortiController-5903C are lost.
10
FortiController-5903C Session-Aware Load Balancer System Guide
10-500-234846-20141105
http://docs.fortinet.com/
FortiController-5903C system
FortiController-5903C session-aware load balancing
• Four FortiController-5903Cs and up to 10 workers in a chassis with dual dual star
architecture (such as the FortiGate-5144C). The FortiController-5903Cs in slots 1 and
2 receive and load balance sessions to the workers. The FortiController-5903Cs in
slots 1 and 3 and the FortiController-5903Cs in slots 2 and 4 form redundant pairs. If
the FortiController-5903C in slot 1 fails, the FortiController-5903C in slot 3 takes over.
If the FortiController-5903C in slot 2 fails, the FortiController-5903C in slot 4 takes
over.
• Four FortiController-5903Cs and up to 10 workers in a chassis with dual dual star
architecture (such as the FortiGate-5144C). All four FortiController-5903Cs receive
and load balance sessions to the workers. If a FortiController-5903C fails the other
FortiController-5903Cs continue to operate. All sessions processed by the failed
FortiController-5903C are lost.
Figure 2: Example FortiController-5903C load balanced cluster
Load Balanced Traffic
on Fabric Backplane
Single
FortiController
Slot 1
FortiGate
Worker Boards
Slots 3 to 14
1 (fctrl/f1)
2 (fctrl/f2)
Management
(mgmt)
Management and
Control Traffic on
Base Backplane
Internal network
You can also create the following FortiController-5903C dual-chassis SALB
configurations:
• One FortiController-5903C and up to 12 workers in each chassis. The
FortiController-5903C in one chassis receives all sessions and load balances them to
the workers in that chassis. If that FortiController-5903C fails, all sessions failover to
the FortiController-5903C in the other chassis.
FortiController-5903C Session-Aware Load Balancer System Guide
10-500-234846-20141105
http://docs.fortinet.com/
11
FortiController-5903C session-aware load balancing
FortiController-5903C system
• Two FortiController-5903Cs in HA mode and up to 12 workers in each chassis. The
primary FortiController-5903C in one chassis receives all sessions and load balances
them to the workers in that chassis. If the primary FortiController-5903C fails,
sessions failover to the primary FortiController-5903C in the second chassis. If the
primary FortiController-5903C in the second chassis fails, sessions fail over to one of
the backup FortiController-5903Cs.
• Two FortiController-5903Cs in dual mode and up to 12 workers in each chassis. Both
FortiController-5903Cs in one of the chassis receive and load balance sessions to the
workers in that chassis. If a FortiController-5903C fails, the sessions fail over to the
FortiController-5903Cs in the other chassis.
Setting up a single-chassis SALB cluster
To form a single-chassis SALB cluster you must install a FortiController-5903C in chassis
slot 1, optionally a second FortiController-5903C in chassis slot 2 and configure HA and
load balancing settings.
You then install the workers in slots 3 and up and set them to forticontroller mode. The
workers find each other in the chassis and form a cluster. The worker with the lowest slot
number becomes the primary worker and the others become subordinate workers.
You connect the FortiController-5903C 1 and 2 front panel interfaces to networks. The
workers see these interfaces as fctrl/f1 and fctrl/f2.
Figure 2 shows a FortiController-5903C cluster consisting of one FortiController-5903C
and three FortiGate-5001D workers. FortiController-5903C front panel interface 1 (fctrl/f1)
is connected to the Internet and front panel interface 2 (fctrl/f2) is connected to an
internal network.
12
FortiController-5903C Session-Aware Load Balancer System Guide
10-500-234846-20141105
http://docs.fortinet.com/
FortiController-5903C
Hardware installation
Before use, the FortiController-5903C must be correctly installed into a FortiGate-5144C
chassis.
This chapter describes:
• Installing QSPF+ and SFP+ transceivers
• FortiController-5903C mounting components
• Inserting a FortiController-5903C board
• Shutting down and Removing a FortiController-5903C board
• Resetting a FortiController-5903C board
• Troubleshooting
Installing QSPF+ and SFP+ transceivers
You must install QSPF+ transceivers to connect FortiController-5903C front panel
interface 1 to 4 to a 40-gigabit network. The QSFP+ transceivers are inserted into cage
sockets numbered 1 to 4 on the FortiController-5903C front panel. You can install the
QSFP+ transceivers before or after inserting the FortiController-5903C board into a
chassis.
You must install SR SFP+ transceivers for normal operation of FortiController-5903C front
panel interfaces 5 and 6. The FortiController-5903C ships with two SR SFP+
transceivers. You can also configure front panel interfaces to operate at 1-gigabit and
install SFP transceivers. You can install the transceivers before or after inserting the
FortiController-5903C board into a chassis.
You can install the following types of transceivers for connectors 5 and 6:
• SFP+ SR (10 gigabits)
• SFP+ LR (10 gigabits)
• SFP (1gigabit)
To install QSFP+ or SFP+ transceivers
To complete this procedure, you need:
• A FortiController-5903C board
• QSFP+ or SFP+ transceivers
• An electrostatic discharge (ESD) preventive wrist or ankle strap with connection cord
FortiController-5903C boards must be protected from static discharge and physical
shock. Only handle or work with FortiController-5903C boards at a static-free
workstation. Always wear a grounded electrostatic discharge (ESD) preventive wrist
strap when handling FortiController-5903C boards.
1 Attach the ESD wrist strap to your wrist and to an available ESD socket or wrist strap
terminal.
FortiController-5903C Session-Aware Load Balancer System Guide
10-500-234846-20141105
http://docs.fortinet.com/
13
FortiController-5903C mounting components
Hardware installation
2 Remove the caps from QSFP+ or SFP+ cage sockets on the FortiController-5903C
front panel.
Handling the transceivers by holding the release latch can damage the connector. Do
not force the transceivers into the cage slots. If the transceiver does not easily slide in
and click into place, it may not be aligned correctly. If this happens, remove the
transceiver, realign it and slide it in again.
3 Hold the sides of the transceiver and slide it into the cage socket until it clicks into
place.
FortiController-5903C mounting components
To install a FortiController-5903C board you slide the board into a hub/switch slot in the
front of an ATCA chassis (usually slot 1 or 2) and then use the mounting components to
lock the board into place in the slot. When locked into place and positioned correctly the
board front panel is flush with the chassis front panel. The board is also connected to the
chassis backplane.
FortiController-5903C boards are horizontal when inserted into a FortiGate-5060 chassis
and vertical when inserted into a FortiGate-5140-series chassis. The inserting and
removing procedures are the same in either case. For clarity the descriptions in this
document refer to the left (top) and right (bottom) mounting components.\
To position the board correctly you must use the mounting components shown in
Figure 3 for the right (bottom) of the FortiController-5903C front panel. The mounting
components on the left (top) of the front panel are the same but reversed. The
FortiController-5903C mounting components align the board in the chassis slot and are
used to insert and eject the board from the slot.
Figure 3: FortiController-5903C right (bottom) mounting components
Closed
Alignment Pin
Alignment
Pin
Lock
Handle
Retention
Screw
Retention
Screw
Handle
Lock
Open
Alignment Pin
Alignment
Pin
Retention
Screw
Hook
Handle
Lock
Handle
14
Hook
Retention
Screw
Lock
FortiController-5903C Session-Aware Load Balancer System Guide
10-500-234846-20141105
http://docs.fortinet.com/
Hardware installation
Inserting a FortiController-5903C board
The FortiController-5903C handles align the board in the chassis slot and are used to
insert and eject the board from the slot. The right (bottom) handle activates a microswitch
that turns on or turns off power to the board. When the right (bottom) handle is open the
microswitch is off and the board cannot receive power. When the right (bottom) handle is
fully closed the microswitch is on and if the board is fully inserted into a chassis slot the
board can receive power.
You can reset the board without removing it from the chassis. See “Resetting a
FortiController-5903C board” on page 19.
Inserting a FortiController-5903C board
The FortiController-5903C board must be fully installed in a chassis hub/switch slot
(usually slot 1 or 2), with the handles closed and locked and retention screws fully
tightened for the FortiController-5903C board to receive power and operate normally. If
the FortiController-5903C board is not receiving power, the HS LED glows solid blue and
all other LEDs remain off. See “Front panel LEDs and connectors” on page 6.
It is important to carefully seat the FortiController-5903C board all the way into the
chassis, to not use too much force on the handles, and to make sure that the handles are
properly locked. Only then will the FortiController-5903C board power-on and start up
correctly.
FortiController-5903C boards are hot swappable. The procedure for inserting
a FortiController-5903C board into a chassis slot is the same whether or not the chassis
is powered on.
To insert a FortiController-5903C board into a chassis slot
Do not carry the FortiController-5903C board by holding the handles or retention
screws. When inserting or removing the FortiController-5903C board from a chassis slot,
handle the board by the front panel. The handles are not designed for carrying the
board. If the handles become bent or damaged the FortiController-5903C board may
not align correctly in the chassis slot.
To complete this procedure, you need:
• A FortiController-5903C board
• An ATCA chassis with an empty hub/switch slot
• An electrostatic discharge (ESD) preventive wrist strap with connection cord
FortiController-5903C boards must be protected from static discharge and physical
shock. Only handle or work with FortiController-5903C boards at a static-free
workstation. Always wear a grounded electrostatic discharge (ESD) preventive wrist
strap when handling FortiController-5903C boards.
1 Attach the ESD wrist strap to your wrist and to an ESD socket or to a bare metal
surface on the chassis or frame.
2 If required, remove the protective metal frame that the FortiController-5903C board
has been shipped in.
3 Insert the FortiController-5903C board into the empty hub/switch slot in the chassis.
FortiController-5903C Session-Aware Load Balancer System Guide
10-500-234846-20141105
http://docs.fortinet.com/
15
Inserting a FortiController-5903C board
Hardware installation
4 Unlock the handles by squeezing the handle locks.
Unlock
Handle
5 Open the handles to their fully open positions.
To avoid damaging the lock, make sure you squeeze the handles fully to unlock them
before opening. The handles should pop easily out of the board front panel.
Alignment Pin
Alignment Pin
Handle
Open
Lock
Handle
6 Carefully guide the board into the chassis using the rails in the slot.
Insert the board by applying moderate force to the front faceplate (not the handles) to
slide the board into the slot. The board should glide smoothly into the chassis slot. If
you encounter any resistance while sliding the board in, the board could be aligned
incorrectly. Pull the board back out and try inserting it again.
7 Slide the board in until the alignment pins are inserted half way into their sockets in
the chassis.
8 Turn both handles to their fully-closed positions.
The handles should hook into the sides of the chassis slot. Closing the handles draws
the FortiController-5903C board into place in the chassis slot and into full contact with
the chassis backplane. The FortiController-5903C front panel should be in contact
with the chassis front panel. When the handles are fully-closed they lock into place.
As the right (bottom) handle closes the microswitch is turned on, supplying power to
the board. If the chassis is powered on the HS LED starts flashing blue. If the board is
aligned correctly, inserted all the way into the slot, and the right (bottom) handle is
properly closed the HS LED flashes blue for a few seconds. At the same time the ACT
and HTY LEDs turn green. After a few seconds the HS LED goes out and the
FortiController-5903C firmware starts up. If the board is operating correctly, the front
panel LEDs are lit as described in Table 5.
16
FortiController-5903C Session-Aware Load Balancer System Guide
10-500-234846-20141105
http://docs.fortinet.com/
Hardware installation
Shutting down and Removing a FortiController-5903C board
Table 5: FortiController-5903C normal operating LEDs
LED
State
OOS
Off
Power
Green
Status
Off
ACC
Off (Or flashing green when the system accesses the
FortiController-5903C flash disk.)
IPM
Off
If the board has not been inserted properly the HS LED changes to solid blue and all
other LEDS turn off. If this occurs, open the handles, slide the board part way out, and
repeat the insertion process.
9 Once the board is inserted correctly, fully tighten the retention screws to lock the
FortiController-5903C board into position in the chassis slot.
Retention
Screw
Tighten
Shutting down and Removing a FortiController-5903C board
To avoid potential hardware problems, always shut down the FortiController-5903C
operating system properly before removing the FortiController-5903C board from a
chassis slot or before powering down the chassis.
The following procedure describes how to correctly use the FortiController-5903C
mounting components described in “FortiController-5903C mounting components” on
page 14 to remove a FortiController-5903C board from an ATCA chassis slot.
FortiController-5903C boards are hot swappable. The procedure for removing
a FortiController-5903C board from a chassis slot is the same whether or not the chassis
is powered on.
To remove a FortiController-5903C board from a chassis slot
Do not carry the FortiController-5903C board by holding the handles or retention
screws. When inserting or removing the FortiController-5903C board from a chassis slot,
handle the board by the front panel. The handles are not designed for carrying the
board. If the handles become bent or damaged the FortiController-5903C board may
not align correctly in the chassis slot.
To complete this procedure, you need:
• An ATCA chassis with a FortiController-5903C board installed
FortiController-5903C Session-Aware Load Balancer System Guide
10-500-234846-20141105
http://docs.fortinet.com/
17
Shutting down and Removing a FortiController-5903C board
Hardware installation
• An electrostatic discharge (ESD) preventive wrist strap with connection cord
FortiController-5903C boards must be protected from static discharge and physical
shock. Only handle or work with FortiController-5903C boards at a static-free
workstation. Always wear a grounded electrostatic discharge (ESD) preventive wrist
strap when handling FortiController-5903C boards.
1 Attach the ESD wrist strap to your wrist and to an ESD socket or to a bare metal
surface on the chassis or frame.
2 Disconnect all cables from the FortiController-5903C board, including all network
cables and the console cable.
3 Fully loosen the FortiController-5903C retention screws.
Retention
Screw
Loosen
4 Unlock the handles by squeezing the handle locks.
5 Slowly open both handles a small amount (about 8 degrees) until the IPM LED flashes
blue.
6 Keep the handles in this position until the IPM LED stops flashing and becomes solid
blue.
Waiting for the IPM LED to change to solid blue makes sure that the board software
shutdowns completely before disconnecting it from backplane power.
7 Open the handles to their fully open positions.
To avoid damaging the lock, make sure you squeeze the handles fully to unlock them
before opening. The handles should pop easily out of the board front panel.
Opening the handles turns off the microswitch, turns off all LEDs, and ejects the board
from the chassis slot. You need to use moderate pressure on the handles to eject the
board.
Alignment Pin
Alignment Pin
Handle
Open
Lock
Handle
8 Pull the board about half way out.
18
FortiController-5903C Session-Aware Load Balancer System Guide
10-500-234846-20141105
http://docs.fortinet.com/
Hardware installation
Resetting a FortiController-5903C board
9 Turn both handles to their fully-closed positions.
When the handles are fully-closed they lock into place.
Alignment Pin
Alignment Pin
Close
Handle
Fully Closed
and Locked
Handle
10 Carefully slide the board completely out of the slot.
11 Re-attach the protective metal frame if you are going ship the FortiController-5903C
board or store it outside of a chassis.
Resetting a FortiController-5903C board
You can use the following procedure to reset a FortiController-5903C board without
removing it from the chassis.
To reset a FortiController-5903C without removing the board from the chassis
You do not have to loosen the retention screws or adjust the position of the
FortiController-5903C board to use this procedure.
To complete this procedure, you need:
• An ATCA chassis with a FortiController-5903C board installed
• An electrostatic discharge (ESD) preventive wrist strap with connection cord
FortiController-5903C boards must be protected from static discharge and physical
shock. Only handle or work with FortiController-5903C boards at a static-free
workstation. Always wear a grounded electrostatic discharge (ESD) preventive wrist
strap when handling FortiController-5903C boards.
1 Attach the ESD wrist strap to your wrist and to an ESD socket or to a bare metal
surface on the chassis or frame.
2 Unlock the right handle by squeezing the handle lock.
3 Pivot the right handle open.
The handle can only pivot a short distance. Pivoting the right handle turns off the
microswitch which powers down the board, turning off all LEDs except the IPM LED
which turns on.
Unlock
Handle
FortiController-5903C Session-Aware Load Balancer System Guide
10-500-234846-20141105
http://docs.fortinet.com/
19
Troubleshooting
Hardware installation
4 After 10 seconds snap the right handle back into place.
The board powers up, the LEDs light and in a few minutes the FortiController-5903C
board operates normally.
Troubleshooting
This section describes the following troubleshooting topics:
• FortiController-5903C does not startup
FortiController-5903C does not startup
Positioning of FortiController-5903C handles and a few other causes may prevent a
FortiController-5903C board for starting up correctly.
All chassis: handles not fully closed
If the handles are damaged or positioned incorrectly the FortiController-5903C board will
not start up. Make sure the handles are correctly aligned, fully inserted and locked.
All chassis: Firmware problem
If the FortiController-5903C board is receiving power and the handles are fully closed,
and you have restarted the chassis and the FortiController-5903C still does not start up,
the problem could be with FortiOS. Connect to the FortiController-5903C console and try
cycling the power to the board. If the BIOS starts up, interrupt the BIOS startup and
install a new firmware image.
If this does not solve the problem, contact Fortinet Technical Support.
FortiController-5903C status LED is flashing during system operation
Normally, the FortiController-5903C Status LED is off when the FortiController-5903C
board is operating normally. If this LED starts flashing while the board is operating, a fault
condition may exist. At the same time the FortiController-5903C may stop processing
traffic.
To resolve the problem you can try removing and reinserting the FortiController-5903C
board in the chassis slot. Reloading the firmware may also help.
If this does not solve the problem there may have been a hardware failure or other
problem. Contact Fortinet Technical Support for assistance.
20
FortiController-5903C Session-Aware Load Balancer System Guide
10-500-234846-20141105
http://docs.fortinet.com/
FortiController-5903C
Basic Configuration
This section describes connecting and configuring a session-aware load balanced
cluster consisting of a FortiController-5903C board installed in slot 1 and 2 or more
workers installed in chassis slots 3 and up.
Before using this chapter, your chassis should be mounted and connected to your power
system and the boards should be installed in the chassis. The chassis and the boards
should also be powered up and the front panel LEDs should indicate that the boards are
functioning normally.
This chapter includes the following topics:
• Connecting to the FortiController-5903C Web-based manager (GUI)
• Connecting to the FortiController-5903C command line interface (CLI)
• Factory default settings
• Initial session-aware load balanced cluster setup
• Upgrading cluster firmware
• Verifying the configuration and the status of the boards in the cluster
Connecting to the FortiController-5903C Web-based manager
(GUI)
You can connect to the FortiController-5903C web-based manager by browsing to the
into the FortiController-5903C mgmt interface IP address. From the
FortiController-5903C web-based manager you can add workers to the cluster and
configure load balancing settings.
By default, you can connect to the FortiController-5903C web-based manager by
browsing to https://192.168.1.99.
Connecting to the FortiController-5903C command line interface
(CLI)
You can connect to the FortiController-5903C CLI using the serial connector that came
packaged with your FortiController-5903C board or an Ethernet connection to the mgmt
interface.
To connect to the CLI over an Ethernet network use SSH to connect to the mgmt port
(default IP address 192.168.1.99).
To connect to the CLI using a serial console connection
1 Connect the FortiController-5903C unit’s Console port to the serial communications
(COM) port on your management computer using a serial cable (or using a RS-232 to
USB convertor).
FortiController-5903C Session-Aware Load Balancer System Guide
10-500-234846-20141105
http://docs.fortinet.com/
21
Factory default settings
Basic Configuration
2 Start the terminal emulation application and configure the following settings.
• Bits per second: 9600
• Data bits: 8
• Parity: None
• Stop bits: 1
• Flow control: None
3 Press Enter to connect to the CLI.
4 Type a valid administrator account name (such as admin) and press Enter.
5 Type the password for that administrator account and press Enter. (In its default state,
there is no password for the admin account.)
The CLI displays the following text:
Welcome!
Type ? to list available commands.
Factory default settings
The FortiController-5903C unit ships with a factory default configuration. The default
configuration allows you to connect to and use the FortiController-5903C web-based
manager or CLI to configure the FortiController-5903C board. To configure the
FortiController-5903C board you add an administrator password, change the
management interface IP address, and, if required, configure the default route for the
management interface.
Table 6: FortiController-5903C factory default settings
Administrator Account
MGMT IP/Netmask
User Name: admin
Password: (none)
192.168.1.99/24
At any time during the configuration process, if you run into problems, you can reset the
FortiController-5903C board or the FortiGate-5001B boards to factory default settings
and start over. From the CLI enter execute factory-reset.
Initial session-aware load balanced cluster setup
This section describes how to setup a session-aware load balancing cluster consisting of
a single FortiGate chassis, a FortiController-5903C board, and three FortiGate-5000
workers, similar to the SALB cluster shown in Figure 2 on page 11.
1 Install the FortiGate-5144C chassis and connect it to power.
2 Install the FortiController-5903C board in chassis slot 1.
3 Install the FortiGate-5001C boards in chassis slots 3, 4, and 5.
4 Power on the chassis.
5 Check the chassis and board LEDs to verify that all components are operating
normally.
22
FortiController-5903C Session-Aware Load Balancer System Guide
10-500-234846-20141105
http://docs.fortinet.com/
Basic Configuration
Initial session-aware load balanced cluster setup
6 Check the FortiSwitch-ATCA release notes and confirm that your
FortiController-5903C is running the latest supported firmware. You can download the
release notes and the correct firmware from Fortinet’s Support site
(https://support.fortinet.com).
7 From the FortiController GUI Dashboard System Information widget, beside HA Status
select Configure.
8 Set Mode to Active-Passive, change the Group ID, and move the b1 and b2 interfaces
to the Selected column and select OK.
Or from the CLI enter the following command:
config system ha
set mode a-p
set groupid 4
set hbdev b1 b2
end
You can optionally configure other HA settings.
If you have more than one cluster on the same network, each cluster should have a
different Group ID. Changing the Group ID changes the cluster interface MAC
addresses. Its possible that a group ID setting will cause a MAC address conflict. If this
happens select a different Group ID. The default Group ID of 0 is not a good choice and
usually should be changed.
9 From the FortiController go to Load Balance > Config add the workers to the cluster
by selecting Edit and moving the slots that contain workers to the Members list.
10 Set the workers to FortiController mode. Use the following CLI command:
config system elbc
set mode forticontroller
end
11 Configure the cluster external management interface so that you can manage the
worker configuration. From the FortiController-5903C GUI go to Load Balance >
Config and edit the External Management IP/Netmask and change it to an IP address
and netmask for the network that the mgmt interfaces of the FortiController-5903C
and the workers are connected to. The External Management IP/Netmask must be on
the same subnet as the FortiController-5903C management IP address.
12 Connect FortiController-5903C front panel interface F1 to the Internet and front panel
interface F2 to the internal network.
The workers see these interfaces are named fctrl/f1 and fctrl/f2.
13 Log into the workers using the External Management IP/Netmask and configure the
workers to process traffic between fctrl/f1 and fctrl/f2.
if you need to add a default route to connect to the External Management IP/Netmask,
log into the FortiController-5903C CLI and enter the following command:
config route static
edit route 1
set gateway <gateway-ip>
end
To verify that the worker has joined the cluster, from the FortiController-5903C
web-based manager and go to Load Balance > Status and verify that the worker
appears in the correct chassis slot.
FortiController-5903C Session-Aware Load Balancer System Guide
10-500-234846-20141105
http://docs.fortinet.com/
23
Initial session-aware load balanced cluster setup
Basic Configuration
Figure 4: Example FortiController-5903C status display
14 Repeat these steps to add all of the workers to the cluster.
The worker in the lowest slot number becomes the primary unit.
15 Configure the cluster External Management IP/Netmask so that you can manage the
workers. From the FortiController-5903C GUI go to Load Balance > Config.
16 Change the External Management IP/Netmask to an IP address and netmask for the
network that the mgmt interface is connected to. The External Management
IP/Netmask must be on the same subnet as the FortiController-5903C management
IP address.
Browsing to the External Management IP connects you to the primary worker. From
here you can manage the workers. You can also manage them by logging into the
FortiController-5903C GUI, going to Load Balance > Status and selecting the Config
Master icon beside the primary worker, which is always the top entry in the Worker
Blade list.
Using the external management address to connect to all units in the cluster
If the External Management IP address is 10.10.10.1 you can browse to
https://10.10.10.1 to connect to the primary worker web-based manager. You can
connect to the primary worker CLI using ssh [email protected], or
telnet 10.10.10.1.
You can also use the External Management address to connect to all of the individual
boards in a chassis just by varying the custom port number that you add to the address.
The custom port number begins with the standard port number for the protocol you are
using and is followed by the chassis slot number. For example:
• To connect with a web browser to the FortiController-5903C in slot 1 browse to
https://10.10.10.1:44301
• To connect with a web browser to the worker in slot 4 browse to
https://10.10.10.1:44304
• If HTTP administrative access is enabled, to connect with a web browser to the
worker in slot 3 browse to http://10.10.10.1:8003
24
FortiController-5903C Session-Aware Load Balancer System Guide
10-500-234846-20141105
http://docs.fortinet.com/
Basic Configuration
Upgrading cluster firmware
• To connect using SSH to the worker in slot 8 enter a command similar to
ssh [email protected] -p2208
• To connect using telnet to the worker in slot 5 enter a command similar to telnet
10.10.10.1 2305
Upgrading cluster firmware
Fortinet periodically updates the FortiController-5903C and worker (FortiGate) firmware
to include enhancements and address issues. After you have registered the
FortiController-5903C boards and workers in your cluster you can download
FortiController-5903C and FortiOS firmware from the support web site
http://support.fortinet.com.
You upgrade the FortiController-5903C firmware from the FortiController-5903C
web-based manager or CLI. You can upgrade the worker firmware from the worker
web-based manager or CLI. The recommended procedure is to upgrade the worker first
and then upgrade the FortiController-5903C firmware.
Upgrading the firmware may briefly interrupt network traffic so it should be done during
a quiet period.
To upgrade worker firmware from the web-based manager
This procedure upgrades the firmware running on all of the workers in the cluster in a
single operation from the worker web-based manager. The firmware running on all of the
workers in the cluster is updated simultaneously.
1 Log into the worker web-based manager.
2 From the Global System Information dashboard widget beside Firmware Version
select Update.
3 Select the new firmware file and select OK.
The firmware image file is uploaded and verified then installed on all of the workers.
After a few minutes the cluster continues operating, the workers running the new
firmware build.
You can confirm that all of the workers are back in the cluster from the Load Balance >
Status page of the FortiController-5903C web-based manager.
To upgrade FortiController-5903C firmware from the web-based manager
If the cluster contains two FortiController-5903C boards, this procedure upgrades the
firmware running on both of them in a single operation.
1 Log into the FortiController-5903C web-based manager.
2 From the System Information dashboard widget beside Firmware Version select
Update.
3 Select the new firmware file and select OK.
The firmware image file is uploaded and verified then installed on all of the
FortiController-5903C boards. After a few minutes the cluster continues operating.
FortiController-5903C Session-Aware Load Balancer System Guide
10-500-234846-20141105
http://docs.fortinet.com/
25
Verifying the configuration and the status of the boards in the cluster
Basic Configuration
Verifying the configuration and the status of the boards in the
cluster
Use the following command from the FortiController-5903C CLI to verify that the
FortiController-5903C board can communicate with all of the workers in the cluster and
to show the status of each board. For example, for the cluster shown in Figure 4 on
page 24 the command output would be the following if the cluster is operating properly:
get load-balance status
ELBC Master Blade: slot-4
Confsync Master Blade: slot-4
Blades:
Working: 3 [ 3 Active 0 Standby]
Ready:
0 [ 0 Active 0 Standby]
Dead:
0 [ 0 Active 0 Standby]
Total:
3 [ 3 Active 0 Standby]
Slot 4: Status:Working
Function:Active
Link:
Base: Up
Fabric: Up
Heartbeat: Managment: Good
Data: Good
Status Message:"Running"
Slot 6: Status:Working
Function:Active
Link:
Base: Up
Fabric: Up
Heartbeat: Managment: Good
Data: Good
Status Message:"Running"
Slot 8: Status:Working
Function:Active
Link:
Base: Up
Fabric: Up
Heartbeat: Managment: Good
Data: Good
Status Message:"Running"
The command output provides the same information as the Load Balance > Status
web-based manager page, including the slot that contains the primary unit (slot 4), the
number of FortiGate-5001B boards in the cluster, the slots containing all of the
FortiGate-5001B boards (4, 6, and 8) and the status of each board. Status information
includes the status of the connection between the board and the base and fabric
backplanes, whether the heartbeat is active, the status of the board and the data
processed by the board. The status message can also indicate if the board is waiting for
a fabric connection or waiting for a base connection.
You can also use the following commands to display detailed session aware load
balancing diagnostics:
diangnose salb {dp | tcam-rules}
The dp option provides diagnostics for the FortiASIC DP processors and the
tcam-rules option provides diagnostics for content aware routing rules (TCAM).
26
FortiController-5903C Session-Aware Load Balancer System Guide
10-500-234846-20141105
http://docs.fortinet.com/
Basic Configuration
Verifying the configuration and the status of the boards in the cluster
FortiController-5903C Session-Aware Load Balancer System Guide
10-500-234846-20141105
http://docs.fortinet.com/
27
FortiController-5903C
For more information
Training Services
Fortinet Training Services offers courses that orient you quickly to your new equipment, and certifications to verify
your knowledge level. Fortinet training programs serve the needs of Fortinet customers and partners world-wide.
Visit Fortinet Training Services at http://campus.training.fortinet.com, or email [email protected]
Technical Documentation
Visit the Fortinet Technical Documentation web site, http://docs.fortinet.com, for the most up-to-date technical
documentation.
The Fortinet Knowledge Base provides troubleshooting, how-to articles, examples, FAQs, technical notes, and
more. Visit the Fortinet Knowledge Base at http://kb.fortinet.com.
Comments on Fortinet technical documentation
Send information about any errors or omissions in this or any Fortinet technical document to
[email protected]
Customer service and support
Fortinet is committed to your complete satisfaction. Through our regional Technical Assistance Centers and
partners worldwide, Fortinet provides remedial support during the operation phase of your Fortinet product's
development life cycle. Our Certified Support Partners provide first level technical assistance to Fortinet
customers, while the regional TACs solve complex technical issues that our partners are unable to resolve.
Visit Customer Service and Support at http://support.fortinet.com.
Fortinet products End User License Agreement
See the Fortinet products End User License Agreement.
FortiController-5903C Session-Aware Load Balancer System Guide
10-500-234846-20141105
http://docs.fortinet.com/
28
For more information
Fortinet products End User License Agreement
FortiController-5903C Session-Aware Load Balancer System Guide
November 5, 2014
10-500-234846-20141105
CopyrightВ© 2014 Fortinet, Inc. All rights reserved. FortinetВ®, FortiGateВ®, FortiCareВ® and FortiGuardВ®, and
certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be
registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of
their respective owners. Performance and other metrics contained herein were attained in internal lab tests under
ideal conditions, and actual performance and other results may vary. Network variables, different network
environments and other conditions may affect performance results. Nothing herein represents any binding
commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent
Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly
warrants that the identified product will perform according to certain expressly-identified performance metrics
and, in such event, only the specific performance metrics expressly identified in such binding written contract
shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same
ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and
guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or
otherwise revise this publication without notice, and the most current version of the publication shall be
applicable.
Visit these links for more information and documentation for your Fortinet products:
Fortinet Knowledge Base - http://kb.fortinet.com
Technical Documentation - http://docs.fortinet.com
Training Services - http://campus.training.fortinet.com
Customer Service and Support - http://support.fortinet.com
You can report errors or omissions in this or any Fortinet technical document to [email protected]
FortiController-5903C Session-Aware Load Balancer System Guide
10-500-234846-20141105
http://docs.fortinet.com/
29
Regulatory Notices
For more information
Regulatory Notices
Federal Communication Commission (FCC) – USA
This device complies with Part 15 of FCC Rules. Operation is subject to the following two conditions:
(1) this device may not cause harmful interference, and
(2) this device must accept any interference received; including interference that may cause undesired operation.
This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part
15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference
when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate
radio frequency energy, and if it is not installed and used in accordance with the instruction manual, it may cause
harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause
harmful interference, in which case the user will be required to correct the interference at his own expense.
WARNING: Any changes or modifications to this product not expressly approved by the party responsible for
compliance could void the user’s authority to operate the equipment
Industry Canada Equipment Standard for Digital Equipment (ICES) – Canada
CAN ICES-3 (A) / NMB-3 (A)
This digital apparatus does not exceed the Class A limits for radio noise emissions from digital apparatus set out
in the Radio Interference Regulations of the Canadian Department of Communications.
Le présent appareil numérique n’emet pas de bruits radioélectriques dép¬assant les limites applicables aux
appareils numeriques de la classe A prГ©scrites dans le RГЁglement sur le brouillage radioГ©lectrique Г©dicte par le
ministГЁre des Communications du Canada.
Voluntary Control Council for Interference (VCCI) – Japan
Bureau of Standards Metrology and Inspection (BSMI) – Taiwan
China
European Conformity (CE) - EU
This is a Class A product. In a domestic environment, this product may cause radio interference, in which case the
user may be required to take adequate measures.
30
FortiController-5903C Session-Aware Load Balancer System Guide
10-500-234846-20141105
http://docs.fortinet.com/
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF

advertisement