Channel: Fortinet Cookbook

Preventing certificate warnings (self-signed certificate)


In this recipe, you will prevent users from receiving a security certificate warning when your FortiGate performs full SSL inspection on incoming traffic. There are several methods for doing this, depending on whether you are using a self-signed certificate, your FortiGate’s default certificate, or a CA-signed certificate. This recipe explains how you can prevent certificate warnings when you are using a self-signed certificate.

When full SSL inspection is used, your FortiGate impersonates the recipient of the originating SSL session, then decrypts and inspects the content. The FortiGate then re-encrypts the content, creates a new SSL session between the FortiGate and the recipient by impersonating the sender, and sends the content to the end user. This is the same process used in “man-in-the-middle” attacks, which is why a user’s device may show a security certificate warning.

For more information about SSL inspection, see Why you should use SSL inspection.

Often, when users receive security certificate warnings, they simply select Continue without understanding why the error is occurring. To avoid encouraging this habit, you can prevent the warning from appearing in the first place.

Find this recipe for other FortiOS versions
5.2 | 5.4 | 5.6

Using a self-signed certificate

In this method, you create a self-signed certificate using OpenSSL. You then install this certificate on the FortiGate for use with SSL inspection. In this recipe, OpenSSL for Windows version 1.1.0f is used.

1. Creating a certificate with OpenSSL

If necessary, download and install OpenSSL. Make sure that the openssl.cnf file is located in the BIN folder for OpenSSL.

Using Command Prompt (CMD), navigate to the BIN folder (in this example, the command is cd c:\OpenSSL-Win64\bin).

Generate an RSA key with the following command:

openssl genrsa -aes256 -out fgcaprivkey.pem 2048 -config openssl.cnf

This command generates a 2048-bit RSA private key and encrypts the key file with AES-256.

When prompted, enter a passphrase for encrypting the private key.

Use the following command to launch OpenSSL, submit a new certificate request, and sign the request:

openssl req -new -x509 -days 3650 -extensions v3_ca -key fgcaprivkey.pem -out fgcacert.pem -config openssl.cnf

The result is a standard x509 binary certificate that is valid for 3650 days (approximately 10 years).

When prompted, re-enter the passphrase for encryption, then enter the details required for the certificate request, such as location and organization name.

Two new files are created: a public certificate (fgcacert.pem) and a private key (fgcaprivkey.pem).
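
Before importing the two files, it is worth confirming that they are usable as an inspection CA. The following added example (not part of the original recipe or Fortinet's own tooling) repeats the two OpenSSL steps without prompts and checks the result: CA:TRUE, a 2048-bit key, an encrypted key file, and a matching key pair. The function names, the CA_PASS variable, the subject fields and the inline config standing in for openssl.cnf are assumptions.

```sh
#!/bin/sh
# Added example (not Fortinet's script). Function names, CA_PASS, the subject
# and the inline config are assumptions; the file names follow the recipe.

# make_cert DIR EXT: run the recipe's two OpenSSL steps without prompts.
# EXT selects the extension section: v3_ca (as in the recipe) or leaf.
make_cert() {
    dir=$1 ext=$2
    # Minimal stand-in for the openssl.cnf the recipe points at.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
O = Example Org
CN = Example SSL Inspection CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf]
basicConstraints = critical,CA:FALSE
EOF
    # The passphrase is read from the environment, not the command line.
    openssl genrsa -aes256 -passout env:CA_PASS \
        -out "$dir/fgcaprivkey.pem" 2048 2>/dev/null || return 1
    openssl req -new -x509 -days 3650 -extensions "$ext" -config "$dir/ca.cnf" \
        -key "$dir/fgcaprivkey.pem" -passin env:CA_PASS -out "$dir/fgcacert.pem"
}

# check_ca CERT KEY: 0 if the pair is usable as an inspection CA, otherwise
# 1 unreadable cert, 2 not a CA, 3 wrong key size, 4 key file not encrypted,
# 5 key does not match the certificate (or the passphrase is wrong).
check_ca() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 1
    echo "$text" | grep -q 'CA:TRUE' ||
        { echo "not a CA certificate" >&2; return 2; }
    echo "$text" | grep -q 'Public-Key: (2048 bit)' ||
        { echo "public key is not 2048-bit" >&2; return 3; }
    grep -q 'ENCRYPTED' "$2" ||
        { echo "private key file is not encrypted" >&2; return 4; }
    # Same RSA modulus in both files means the key belongs to the certificate.
    cm=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || cm=
    km=$(openssl rsa -in "$2" -passin env:CA_PASS -noout -modulus 2>/dev/null) || km=
    if [ -z "$km" ] || [ "$cm" != "$km" ]; then
        echo "private key does not match certificate" >&2
        return 5
    fi
    return 0
}

# Demo on throwaway files with a constructed passphrase.
demo() {
    tmp=$(mktemp -d) || return 1
    CA_PASS='constructed-demo-passphrase'; export CA_PASS
    for e in v3_ca leaf; do
        rc=0
        make_cert "$tmp" "$e" || return 1
        check_ca "$tmp/fgcacert.pem" "$tmp/fgcaprivkey.pem" || rc=$?
        echo "$e: check_ca exit status $rc"
    done
    rm -rf "$tmp"
}
demo
```

The leaf run shows what happens if `-extensions v3_ca` is left out of a config that does not mark the certificate as a CA: the certificate is created without error, but it cannot sign the certificates that full SSL inspection issues.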

2. Importing the self-signed certificate

Go to System > Certificates and select Import > Local Certificate.

Set Type to Certificate, then select your Certificate file and Key file. Enter the Password used to create the certificate.

 
The certificate now appears on the Local CA Certificates list.  

3. Editing the SSL inspection profile

To use your certificate in an SSL inspection profile, go to Security Profiles > SSL/SSH Inspection. Use the drop-down menu in the top right corner to select deep-inspection, which is the profile used to apply full SSL inspection.

Set CA Certificate to use the new certificate.

Select Download Certificate to download the certificate file needed in the next step.

 

4. Importing the certificate into web browsers

Once you have your self-signed certificate, you need to import the certificate into users’ browsers.

The method you use for importing the certificate varies depending on the type of browser.

Internet Explorer, Chrome, and Safari (Windows and macOS):

Internet Explorer, Chrome, and Safari use the operating system’s certificate store for Internet browsing. If users will be using these browsers, you must install the certificate into the certificate store for the OS.

 

If you are using Windows 7/8/10, double-click the certificate file and select Open. Select Install Certificate to launch the Certificate Import Wizard.

Use the wizard to install the certificate into the Trusted Root Certification Authorities store. If a security warning appears, select Yes to install the certificate.

 
 

If you are using macOS, double-click the certificate file to launch Keychain Access.

Locate the certificate in the Certificates list and select it. Expand Trust and select Always Trust. If necessary, enter the administrative password for your computer to make this change.

 

Firefox (Windows and macOS)

Firefox has its own certificate store. To avoid errors in Firefox, the certificate must be installed in this store, instead of the OS.

If users are using Firefox, the certificate must be installed on each device individually, rather than being pushed to all of their devices.

In Firefox, go to Tools > Options > Advanced or Options > Advanced and select the Certificates tab.

Select View Certificates, then select the Authorities list. Import the certificate and set it to be trusted for website identification.

 

5. Results

 

Before you installed the certificate, an error message would appear in users’ browsers when they accessed a site that used HTTPS (this example shows an error message in Firefox).

After you install the certificate, users should not experience a certificate security issue when they browse to sites on which the FortiGate unit performs SSL content inspection.

 
 

Users can view information about the connection and the certificate that is used.

If users view information about the connection, they will see that it is verified by Fortinet.

 
If users view the certificate in the browser, they will see the certificate that is used and information about that certificate.  

For further reading, check out SSL/SSH Inspection in the FortiOS 5.6 Handbook.

If this page is not visible, go to System > Feature Select and turn on Certificates.
If you have the right environment, such as the Windows Group Policy Management Console, you can push the certificate to users’ browsers using the Windows Group Policy Editor. In this case, you do not have to import the certificate into users’ browsers.

The post Preventing certificate warnings (self-signed certificate) appeared first on Fortinet Cookbook.


Preventing certificate warnings (default certificate)


In this recipe, you will prevent users from receiving a security certificate warning when your FortiGate performs full SSL inspection on incoming traffic. There are several methods for doing this, depending on whether you are using your FortiGate’s default certificate, a self-signed certificate, or a CA-signed certificate. This recipe explains how you can prevent certificate warnings when you are using your FortiGate’s default certificate.

When full SSL inspection is used, your FortiGate impersonates the recipient of the originating SSL session, then decrypts and inspects the content. The FortiGate then re-encrypts the content, creates a new SSL session between the FortiGate and the recipient by impersonating the sender, and sends the content to the end user. This is the same process used in “man-in-the-middle” attacks, which is why a user’s device may show a security certificate warning.

For more information about SSL inspection, see Why you should use SSL inspection.

Often, when users receive security certificate warnings, they simply select Continue without understanding why the error is occurring. To avoid encouraging this habit, you can prevent the warning from appearing in the first place.

Find this recipe for other FortiOS versions
5.2 | 5.4 | 5.6

Using the default certificate

All FortiGates have a default certificate that is used for full SSL inspection. This certificate is also used in the default deep-inspection profile. To prevent users from seeing certificate warnings, you can install this certificate on users’ devices.

1. Generating a unique certificate

Run the following CLI command to generate an SSL certificate that is unique to your FortiGate:

exec vpn certificate local generate default-ssl-ca

2. Downloading the certificate used for full SSL inspection

Go to Security Profiles > SSL/SSH Inspection. Use the drop-down menu in the top right corner to select deep-inspection, which is the profile used to apply full SSL inspection.

The default FortiGate certificate is listed as the CA Certificate. Select Download Certificate.

3. Importing the certificate into web browsers 

Once you have your FortiGate’s default certificate, you need to import the certificate into users’ browsers.

The method you use for importing the certificate varies depending on the type of browser.

Internet Explorer, Chrome, and Safari (Windows and macOS):

Internet Explorer, Chrome, and Safari use the operating system’s certificate store for Internet browsing. If users will be using these browsers, you must install the certificate into the certificate store for the OS.

If you are using Windows 7/8/10, double-click the certificate file and select Open. Select Install Certificate to launch the Certificate Import Wizard.

Use the wizard to install the certificate into the Trusted Root Certification Authorities store. If a security warning appears, select Yes to install the certificate.

If you are using macOS, double-click the certificate file to launch Keychain Access.

Locate the certificate in the Certificates list and select it. Expand Trust and select Always Trust. If necessary, enter the administrative password for your computer to make this change.

Firefox (Windows and macOS)

Firefox has its own certificate store. To avoid errors in Firefox, you must install the certificate in this store, instead of the OS.

If users are using Firefox, the certificate must be installed on each device individually, rather than being pushed to all of their devices.

In Firefox, go to Tools > Options > Advanced or Options > Advanced and select the Certificates tab.

Select View Certificates, then select the Authorities list. Import the certificate and set it to be trusted for website identification.

4. Results 

 

Before you installed the certificate, an error message would appear in users’ browsers when they accessed a site that used HTTPS (this example shows an error message in Firefox).

After you install the certificate, users should not experience a certificate security issue when they browse to sites on which the FortiGate unit performs SSL content inspection.

 
 

Users can view information about the connection and the certificate that is used.

If users view information about the connection, they will see that it is verified by Fortinet.

 
If users view the certificate in the browser, they will see the certificate that is used and information about that certificate.  

For further reading, check out SSL/SSH Inspection in the FortiOS 5.6 Handbook.

If you have the right environment, such as the Windows Group Policy Management Console, you can push the certificate to users’ browsers using the Windows Group Policy Editor. In this case, you do not have to import the certificate into users’ browsers.


Preventing certificate warnings (CA-signed certificate)


In this recipe, you will prevent users from receiving a security certificate warning when your FortiGate performs full SSL inspection on incoming traffic. There are several methods for doing this, depending on whether you are using a CA-signed certificate, your FortiGate’s default certificate, or a self-signed certificate. This recipe explains how you can prevent certificate warnings when you are using a CA-signed certificate.

When full SSL inspection is used, your FortiGate impersonates the recipient of the originating SSL session, then decrypts and inspects the content. The FortiGate then re-encrypts the content, creates a new SSL session between the FortiGate and the recipient by impersonating the sender, and sends the content to the end user. This is the same process used in “man-in-the-middle” attacks, which is why a user’s device may show a security certificate warning.

For more information about SSL inspection, see Why you should use SSL inspection.

Often, when users receive security certificate warnings, they simply select Continue without understanding why the error is occurring. To avoid encouraging this habit, you can prevent the warning from appearing in the first place.

Find this recipe for other FortiOS versions
5.2 | 5.6

Using a CA-signed certificate

In this method, you obtain a CA-signed certificate and install this certificate on your FortiGate for use with SSL inspection. You can use either FortiAuthenticator as a CA or a trusted third-party CA.

If you use FortiAuthenticator as a CA, you generate a certificate signing request (CSR) on your FortiGate, have it signed on the FortiAuthenticator, import the certificate into your FortiGate, and configure your FortiGate so the certificate can be used for SSL deep inspection of HTTPS traffic.

If you use a trusted third-party CA, you generate a CSR on your FortiGate, apply for an SSL certificate from a trusted third-party CA, import the certificate into your FortiGate, and configure your FortiGate so the certificate can be used for SSL deep inspection of HTTPS traffic. 

If your FortiAuthenticator is not configured as a CA, see FortiAuthenticator as a Certificate Authority for more information.

1. Generating a CSR on a FortiGate

On your FortiGate, go to System > Certificates and select Generate to create a new CSR.

Enter a Certificate Name, the external IP of your FortiGate, and a valid email address.

Make sure to set Key Type to RSA and Key Size to 2048 Bit. This ensures that the certificate is backed by a sufficiently strong key.

 

Once generated, the certificate will show a Status of Pending. Highlight the certificate and select Download.

This will save a .csr file to your local drive.

2. Getting the certificate signed by a CA

Trusted third-party CA:

If you want to use a third-party CA to sign the certificate, use the CSR to apply for an SSL certificate with a trusted third-party CA.

FortiAuthenticator:

If you want to use a FortiAuthenticator as a CA to sign the certificate, on the FortiAuthenticator, go to Certificate Management > Certificate Authorities > Local CAs and select Import.

Set Type to CSR to sign, enter a Certificate ID, and import the Example-cert.csr file. Make sure to select the Certificate authority from the drop-down menu and set the Hash algorithm to SHA-256.

Once imported, you should see that Example-cert has been signed by the FortiAuthenticator, showing a Status of Active, and with the CA Type of Intermediate (non-signing) CA. Highlight the certificate and select Export.

This will save a .crt file to your local drive.

3. Importing the signed certificate to your FortiGate

On your FortiGate, go to System > Certificates and select Local Certificate from the Import drop-down menu.  
Browse to the certificate file and select OK.
You should now see that the certificate has a Status of OK.

4. Editing the SSL inspection profile

To use your certificate in an SSL inspection profile, go to Security Profiles > SSL/SSH Inspection. Use the drop-down menu in the top right corner to select deep-inspection, which is the profile used to perform full SSL inspection.
Set CA Certificate to use the new certificate.

5. Importing the certificate into web browsers

Once you have your certificate signed by FortiAuthenticator, you need to import the certificate into users’ browsers. 

If you used a trusted third-party CA to sign your certificate, you do not need to import the certificate into users’ browsers.

The method you use for importing the certificate varies depending on the type of browser. 

Internet Explorer, Chrome, and Safari (on Windows and macOS):

Internet Explorer, Chrome, and Safari use the operating system’s certificate store for Internet browsing. If users will be using these browsers, you must install the certificate into the certificate store for the OS.

If you are using Windows 7/8/10, double-click the certificate file and select Open. Select Install Certificate to launch the Certificate Import Wizard.

Use the wizard to install the certificate into the Trusted Root Certification Authorities store. If a security warning appears, select Yes to install the certificate.

If you are using macOS, double-click the certificate file to launch Keychain Access.

Locate the certificate in the Certificates list and select it. Expand Trust and select Always Trust. If necessary, enter the administrative password for your computer to make this change.

Firefox (on Windows and macOS)

Firefox has its own certificate store. To avoid errors in Firefox, the certificate must be installed in this store, rather than in the OS.

If users are using Firefox, the certificate must be installed on each device individually, rather than being pushed to all of their devices.

In Firefox, go to Tools > Options > Advanced or Options > Advanced and select the Certificates tab.

Select View Certificates, then select the Authorities list. Import the certificate and set it to be trusted for website identification.

6. Results

 

Before you installed the certificate, an error message would appear in the browser when users accessed a site that used HTTPS (the example shows an error message appearing in Firefox).

After you install the certificate, users should not experience a certificate security issue when they browse to sites on which the FortiGate unit performs SSL content inspection.

 
 

Users can view information about the connection and the certificate that is used.

If users view information about the connection, they will see that it is verified by Fortinet.

 
 If users view the certificate in the browser, they will see which certificate is used and information about that certificate.  

For further reading, check out SSL/SSH Inspection in the FortiOS 5.6 Handbook.

If you have the right environment, such as the Windows Group Policy Management Console, you can push the certificate to users’ browsers using the Windows Group Policy Editor. In this case, you do not have to import the certificate into users’ browsers.


Exempting Google from SSL inspection


In this recipe, you will exempt Google websites from deep SSL inspection. Exempting these websites allows the Google Chrome browser to access them without errors.

You should use caution when exempting websites. In general, you should exempt only websites that you know you can trust. You could also consider exempting websites that do not function properly when subjected to SSL inspection, such as a site (or application) that uses certificate/public key pinning.

In this example, google.ca is exempted from SSL inspection. If necessary, substitute your local Google search domain.

Find this recipe for other FortiOS versions
5.2 | 5.6

1. Using the default deep-inspection profile

Go to System > Feature Select. Under Additional Features, make sure Multiple Security Profiles is enabled.

If necessary, Apply changes.

 

Go to Policy & Objects > IPv4 Policy and edit the policy that allows users on the internal network to access the Internet.

Under Security Profiles, enable Web Filter using the default profile. SSL/SSH Inspection is enabled by default. Set it to use the deep-inspection profile.

 

When the deep-inspection profile is used, the FortiGate impersonates the recipient of the originating SSL session, then decrypts and inspects the content. The FortiGate then re-encrypts the content, creates a new SSL session between the FortiGate and the recipient by impersonating the sender, and sends the content to the sender.

For more information, see Why you should use SSL inspection.

Using Chrome, browse to google.ca. An error appears that you cannot bypass.

 

This error occurs because Chrome uses certificate pinning (also called SSL pinning or public key pinning). This allows Chrome to determine that the certificate from the website does not match one belonging to Google. Because of this, Chrome believes that a “man in the middle” attack is occurring and blocks you from the compromised website.

2. Creating an SSL/SSH profile that exempts Google

In FortiOS 5.6, the two default profiles, certificate-inspection and deep-inspection, are read-only. In order to exempt Google, you must create a new profile.

Go to Policy & Objects > Addresses and create a new address.

Set Type to Wildcard FQDN and set Wildcard FQDN to the domain name used by Google in your region (in the example, *.google.ca).

 
Go to Policy & Objects > SSL/SSH Inspection and select the list view to view all profiles.
Select the deep-inspection profile, then select Clone to create a copy of this profile. This copy will have all the settings used by the default profile, while also being read-write.

Edit the new SSL profile and change its name (in the example, my-deep-inspection).

Exempt web categories and addresses are listed under Exempt from SSL Inspection. Add the address for Google to the list of exempt Addresses.

Go to Policy & Objects > IPv4 and edit the policy that allows users on the internal network to access the Internet.

Set SSL/SSH Inspection to use the new profile.

3. Results

Using Chrome, browse to google.ca. The site loads properly.  

For further reading, check out SSL/SSH Inspection in the FortiOS 5.6 Handbook.


Setting up WiFi with a FortiAP


In this recipe, you will set up a WiFi network with a FortiGate managing a FortiAP in Tunnel mode.

You can configure a FortiAP unit in either Tunnel mode or Bridge mode. Tunnel mode is the default mode for a FortiAP. A FortiAP in Tunnel mode uses a wireless-only subnet for wireless traffic. When a FortiAP is in Bridge mode, the Ethernet and WiFi interfaces are connected (or bridged), allowing wired and wireless networks to be on the same subnet.

For information about using a FortiAP in Bridge mode, see Setting up a WiFi bridge with a FortiAP.

Find this recipe for other FortiOS versions
5.2 | 5.4 | 5.6

1. Connecting and authorizing the FortiAP unit

Go to Network > Interfaces and edit the interface that will connect to the FortiAP (in this example, port 16).

Set Addressing Mode to Manual and set an IP/Network Mask.

Under Administrative Access, enable CAPWAP and optionally enable PING to test your connection.

Under Networked Devices, enable both Device Detection and Active Scanning.

 

Connect the FortiAP unit to the interface.

 

Go to WiFi & Switch Controller > Managed FortiAPs. The FortiAP is listed. The device is not yet authorized, as indicated by the icon in the State column.

By default, FortiGate adds newly discovered FortiAPs to the Managed FortiAPs list but does not authorize them.

 

Right-click on the FortiAP, and select Authorize.

 

The device interface will be down initially. After a few minutes, select the Refresh button; the icon in the State column will confirm that the device is authorized.

Make sure that your FortiAP is on the latest firmware. If the OS Version shows the message “A new firmware version is available,” then check the release notes for your product on the Fortinet Support Site.

 

You can download the firmware images from the Support Site to your Local Hard Disk, or you can select A new firmware version is available and download the latest version directly from FortiGuard.

 

2. Creating an SSID

Go to WiFi & Switch Controller > SSID and create a new SSID.

Set Traffic Mode to Tunnel.

Select an IP/Network Mask for the wireless interface and enable DHCP Server.

Enable Device Detection and Active Scanning.

Name the SSID (in the example, MyNewWiFi).

Set the Security Mode as required and enter a secure Pre-shared Key.

Enable Broadcast SSID.

 

3. Creating a custom FortiAP profile

Go to WiFi & Switch Controller > FortiAP Profiles and create a new profile.

Set Platform to the FortiAP model you are using (FAP221C in this recipe).

Set the Country/Region. Optionally, set your AP Login Password.

Make sure Radio 1 is set to Access Point, and leave the SSID set to Auto.

 

 

Go to WiFi & Switch Controller > Managed FortiAPs and right-click on the FortiAP you added earlier. Select Assign Profile and set the FortiAP to use the new SSID profile (in the example, MyProfile).

By default, the FortiGate assigns all SSIDs to this profile.

 

4. Allowing wireless access to the Internet

Go to Policy & Objects > IPv4 Policy and create a new policy.

Set Incoming Interface to the SSID and Outgoing Interface to your Internet-facing interface. Confirm that NAT is enabled.

 

5. Results

Connect to the SSID with a wireless device. After a connection is established, browse the Internet to generate traffic.

 
From the policy list page, right-click on your wireless policy and select Show in FortiView, or go directly to FortiView > All Sessions.
You can view more details by selecting various tabs (Sources, Destinations, Applications, Countries, Sessions).

For further reading, check out Configuring a WiFi LAN in the FortiOS 5.6 Handbook.

Note that some FortiGate models may not have the Active Scanning option, and it is not required for the recipe.
It may take a few minutes for the FortiAP to appear.
You can disable this in the CLI. See Deploying Wireless Networks.
Alternatively, select the FortiAP unit on the list and select Authorize from the top menu.
The SSID defaults to automatically assign Tunnel-mode SSIDs.
Located under Policy & Objects > IPv4 Policy.


Hardware: Rack Mounting


A variety of different rack-mount brackets are provided, depending on the specific Fortinet device.

To avoid personal injury or damage to the unit, it is strongly recommended that two or more people install the unit into the rack.

The following instructions are available:

  • Four-post rack mounting
  • Two-post rack mounting
  • Surface mounting

Environmental Specifications


Elevated Operating Ambient: If installed in a closed or multi-unit rack assembly, the operating ambient temperature of the rack environment may be greater than room ambient. Therefore, consideration should be given to installing the equipment in an environment compatible with the maximum ambient temperature (Tma) specified by the manufacturer.
Elevated Ambient Temperature: During operation, if the unit is installed in a closed rack, or if the rack holds a large number of machines, the ambient temperature may be higher than the room temperature. It is therefore important to install the equipment in an environment that respects the maximum ambient temperature (Tma) stipulated by the manufacturer.
Air Flow: Installation of the equipment in a rack should be such that the amount of air flow required for safe operation of the equipment is not compromised.
Ventilation: The equipment must be installed in the rack in a way that does not compromise the ventilation needed for normal operation of the machine.
Circuit Overloading: To avoid overloading, use the ratings on the label. Consider the equipment’s connection to the supply circuit and the effect that circuit overloading might have on current protection and supply wiring.
For redundant power sources, connect each to an IEC/UL Listed power source whose output rating is greater than or equal to the equipment.
Overloading: To avoid overloading the supply circuit, refer to the ratings on the equipment label. Consider the effect that circuit overloading could have on overcurrent protection and supply wiring.
For redundant power sources, connect each one to an IEC/UL Listed power source whose output rating is greater than or equal to that of the equipment.
Reliable Earthing: Reliable earthing of rack-mounted equipment should be maintained. Particular attention should be given to supply connections other than direct connections to the branch circuit (e.g. use of power strips).
Earthing: When the equipment is connected to earth, the connection must be protected. Pay particular attention to electrical connections other than direct connections to the branch circuit (e.g. use of power strips).
Interference: If possible, use Shielded Twisted Pair (STP) Ethernet cables instead of Unshielded Twisted Pair (UTP).
Interference: If possible, use shielded twisted pair (STP) Ethernet cables rather than unshielded twisted pair (UTP).

 

Refer to specific Product Model Data Sheet for Environmental Specifications (Operating Temperature, Storage Temperature, Humidity, and Altitude).

Refer to this product's data sheet for the environmental specifications (operating temperature, storage temperature, humidity, and altitude).


Safety


Mechanical Loading Mounting of the equipment in the rack should be such that a hazardous condition is not achieved due to uneven mechanical loading.
Branchement L’installation du matériel à l’intérieur de la baie doit être effectué de façon à éviter toute situation dangereuse liée à un branchement non conforme.
Installation To avoid personal injury or damage to the appliance, Fortinet recommends that 2 or more people together install the appliance into the rack. Balance the equipment to avoid uneven mechanical loading and tipping. Do not place heavy objects on the appliance.
Installation Pour éviter des blessures ou des dommages à l’appareil, Fortinet recommande que deux personnes ou plus installent ensemble cet équipement dans un cabinet. L’installation du matériel à l’intérieur de la baie doit être effectuée de façon à éviter toute situation dangereuse liée à une installation non conforme. Ne placez pas d’objets lourds sur l’appareil, celui-ci n’étant pas conçu pour soutenir un poids additionnel.
Electric Shock/Fire To avoid risk of damage to your equipment, personal injury, or death, disconnect cables while servicing. Do not connect or disconnect cables during lightning. Do not use this product near water for example, near a bathtub, washbowl, kitchen sink or laundry tub, in a wet basement or near a swimming pool. Do not install this equipment in a home or public area accessible to the general population. When installed in schools, this equipment must be installed in a location where access is restricted to trained personnel.
Choc électrique/feu Débranchez les cordons de la source d’alimentation avant tout entretien. Ne pas brancher ou débrancher les câbles lors d’un orage afin de ne subir aucun dommage corporel et éviter d’endommager votre appareil. Ne pas utiliser ce produit près de l’eau par exemple, près d’une baignoire, d’un lavabo, d’un évier de cuisine ou cuve à lessive, dans un sous-sol humide ou près d’une piscine. Le produit n’a pas vocation à être installé dans un foyer ou un lieu public pour l’ensemble de la population. Dans les écoles, ce matériel doit être installé en lieu sûr, de façon à le rendre accessible seulement aux personnels qualifies.
Battery Risk of explosion if battery is replaced by an incorrect type. Dispose of used batteries according to your local regulations. IMPORTANT: Switzerland: Annex 4.10 of SR814.013 applies to batteries.
Battery: Risk of explosion if you replace the battery with an incompatible model. Dispose of used batteries according to the local regulations in force. IMPORTANT: Switzerland: Annex 4.10 of SR814.013 applies to batteries.
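Warning: Risk of explosion if the battery is replaced incorrectly. Dispose of used batteries according to the manufacturer's instructions.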
Grounding: To prevent damage to your equipment, connections that enter from outside the building should pass through a lightning / surge protector, and be properly grounded. Use an electrostatic discharge workstation (ESD) and/or wear an anti-static wrist strap while you work. In addition to the grounding terminal of the plug, on the back panel, there is another, separate terminal for earthing.
Grounding: To avoid damaging your equipment, make sure that connections entering from outside the building pass through a lightning arrester / surge protector and are properly grounded. Use an electrostatic discharge (ESD) workstation and/or wear an anti-static wrist strap while you work. This product has a grounding terminal provided on the back of the product, in addition to the grounding of the plug.
Power over Ethernet (PoE): Do not connect this device to PoE networks with routing to the outside plant. Use this equipment in a Network Environment 0 per IEC TR 62101. Do not use PoE injectors that are not IEEE 802.3af compliant. They may damage your device.
Power over Ethernet: This equipment must be used in a Network Environment 0 per IEC TR 62101. This equipment is connected only to PoE networks without routing to the outside plant. This device complies with IEEE 802.3af standards. Do not use other, non-compliant power injectors, as they may damage your equipment.

For Products with Multiple Power Sources

Caution: Disconnect power supply cords before servicing.
Caution: Disconnect the power supply cords before any servicing.

For Products Permanently Connected to the Mains

Warning: Equipment intended for installation in Restricted Access Location.
Warning: The equipment is designed to be installed in a location where access is restricted.

Warning: A readily accessible disconnect device shall be incorporated in the building installation wiring.
Warning: Incorporate a readily accessible power disconnect device into the building's electrical installation.

Warning: A UL Listed external disconnect device, i.e. circuit breaker or other, with over current protection suitable for local code shall be installed with this equipment.
Warning: A UL Listed external disconnect device, for example a circuit breaker or other, with overcurrent protection appropriate to the installation of this equipment.

For products with slotted head “thumbscrews” located behind hazardous circuits and/or parts (e.g., thumbscrews on removable fan modules)

The product is not intended to be installed and used in a home or public area accessible to the general population.

When installed in schools this equipment must be installed in a secure location accessible only by trained personnel.

The product is not intended to be installed in a home or a public place accessible to the general population.

In schools, this equipment must be installed in a secure location so that it is accessible only to qualified personnel.

For products with supplementary earthing terminals

This product has a separate protective earthing terminal provided on the back of the product in addition to the grounding terminal of the attachment plug. This separate protective earthing terminal must be permanently connected to earth with a green conductor with a yellow stripe, minimum size #14 AWG, and the connection is to be installed by qualified service personnel.

This product has a grounding terminal provided on the back of the product, in addition to the grounding of the plug. This separate protective grounding terminal must be permanently connected to a green and yellow striped conductor of minimum size #14 AWG. Only a qualified technician is authorized to make the connection.

For products with moving fan blades

WARNING: Hazardous moving parts. Keep away from moving fan blades.
WARNING: Hazardous moving parts. Keep away from moving fan blades.

 



Installing the 4 Post Rack Mount


A variety of different rack-mount brackets are provided, depending on the specific Fortinet device.

To avoid personal injury or damage to the unit, it is strongly recommended that two or more people install the unit into the rack.

Installing the Four Post Rack Mount

The unit can be mounted in any standard 19 inch, 4 post rack unit with the provided rack-mount brackets and screws.

  1. Ensure that the unit is placed on a stable surface prior to rack-mount installation.
  2. Attach the provided rack-mount brackets to the sides of the unit using the provided screws. 
  3. Position the unit in the rack. Ensure there is enough room around the device to allow for sufficient air flow.
  4. Line up the rack-mount bracket holes to the holes on the rack and ensure that the device is level.
  5. Finger tighten the rack screws to attach the device to the rack.
  6. Verify that the spacing around the FortiGate unit conforms to requirements and that the unit is level, then tighten the rack screws with an appropriate screwdriver.
Some devices may have more screw holes than screws. In this case, ensure that there is an equal number of screws used on each side of the device. The number of screws provided is sufficient for safely mounting the device.

 


Installing 2 Post Rack Mount


A variety of different rack-mount brackets are provided, depending on the specific Fortinet device.

To avoid personal injury or damage to the unit, it is strongly recommended that two or more people install the unit into the rack.

Installing Two Post Rack Mount

Units that come with full length rack mount brackets or middle mount brackets can be mounted in any standard 19 inch, 2 post rack unit.

  1. If your device came with full length rack-mount brackets, attach the brackets with the handles aligned towards the middle of the device using the provided bracket screws. 
  2. If your device comes with middle mounting brackets, attach the brackets to the sides of the device using the provided bracket screws.
  3. Position the unit in the rack. Ensure there is enough room around the device to allow for sufficient air flow.
  4. Line up the rack-mount bracket holes to the holes on the rack and ensure that the device is level.
  5. Finger tighten the rack screws to attach the device to the rack.
  6. Verify that the spacing around the FortiGate unit conforms to requirements and that the unit is level, then tighten the rack screws with an appropriate screwdriver.
Some devices may have more screw holes than screws. In this case, ensure that there is an equal number of screws used on each side of the device. The number of screws provided is sufficient for safely mounting the device.

 


Surface Mounting


Only AC units can be installed on a flat surface. DC units must be installed in a rack.

Surface Mounting the Device

  1. Ensure that the surface onto which the unit is to be installed is clean, level, and stable and that there is at least 1.5in (3.8cm) of clearance on all sides to allow for adequate airflow.
  2. Attach the provided rubber feet to the bottom of the unit.
  3. Place the unit in the designated location.
  4. Verify that the spacing around the unit conforms to requirements and that the unit is level. 


Rail Mounting


There are a variety of different rack mounting rails included with Fortinet products, including:

  • Basic Sliding Rails
  • Sliding Rails with Cable Management Arm
  • RapidRails and VersaRails

To mount the unit on a 19-inch rack or cabinet, use the slide rails included with the product. The rails enable you to safely pull the device out from the rack to access the back or top of the unit. Some variations of the rail kits include a Cable Management Arm (CMA) that manages the cables connected to the device, allowing it to be pulled in and out without worrying about the cables being stretched or disconnected.

Some 2U and 3U devices come with handles that connect to the front of the device and aid in pulling the device in and out. They can also be screwed into the rack to help secure the device to the rack. See Front Handles.

To avoid personal injury or damage to the unit, it is strongly recommended that two or more people install the unit into the rack.

Disassembling the Rail Assembly

Attaching the Inner Rails to the Device


  1. Ensure that the right and left rails are correctly identified.
  2. Place the inner rail against the side of the device, ensuring that the hooks on the side of the device align with the holes in the rail.
  3. Slide the rail towards the front of the device until the rail clicks into the locked position.
  4. Secure the rail to the device using the provided screw.
  5. Repeat the above steps for the remaining rail.

Next, see Attaching the Outer Rails to the Rack.


Installing the Outer Rails on a Rack


  1. Press up on the locking tab on the back of the middle rail.
  2. Push the middle rail back into the outer rail.
  3. Hang the hooks on the front of the outer rail to the slot on the rack. If required, use screws to secure the rail to the rack.
  4. Pull out the back of the outer rail to adjust its length until it fits properly in the rack.
  5. Hang the hooks on the back of the rail into the slots on the back of the rack. If required, use screws to secure the rail to the rack.
  6. Repeat the above steps for the remaining rail.

Next, see Inserting the Device into the Rack.



Installing and Removing the Cable Management Arm


Installing the Cable Management Arm

The CMA can be installed on either the right or left mounting rail. It is recommended that it be mounted on the side of the device opposite to the power supplies, otherwise the CMA must be disconnected prior to removing the power supplies.
The CMA must be removed prior to removing the power supplies.

  1. At the back of the system, fit the latch on the front end of the CMA to the innermost bracket of the slide assembly until the latch engages.
  2. Fit the other latch on the end of the outermost bracket until the latch engages.

Removing the Cable Management Arm

Disengage both latches by pressing the CMA release buttons at the top of the inner and outer latch housings.


Cable Management Arm

Installing or Removing the Cable Management Arm Tray


Align and engage each side of the tray with the receiver brackets on the inner edges of the rails and push forward until the tray clicks into place.

  1. Squeeze the latch-release buttons on both sides toward the center.
  2. Push the tray into or pull the tray out of the receiver brackets.

Next, see Installing or Removing the Cable Management Arm.


Moving the Cable Management Arm


Moving the Cable Management Arm Away from the Cable Management Tray

  1. The CMA can be pulled away from the device and extended away from the tray for access to the back of the device.
  2. At the hinged end, lift the CMA up and off of the tray to unseat it from the tray catch. Once it is unseated from the tray, swing the CMA away from the system.
You can also extend the CMA into the service position after it is cabled to access the back of the device.

Next, see Routing Cables through the Cable Management Arm.


Routing the Cables through the Cable Management Arm


  1. Using the tie wraps provided, bundle the cables together as they enter and exit the baskets so they do not interfere with adjacent systems.
  2. With the CMA in the service position, route the cable bundle through the inner and outer baskets.
  3. Use the preinstalled Velcro straps on either end of the baskets to secure the cables.
  4. Adjust the cable slack at the hinge position as needed.
  5. Swing the CMA back into place on the tray.
  6. Install the status indicator cable at the back of the system and secure the cable by routing it through the CMA. Attach the other end of the cable to the corner of the outer CMA basket.
To avoid potential damage from protruding cables, secure any slack in the status indicator cable before routing this cable through the CMA.

If you have sliding rails, see Sliding rails with Cable Management Arm.

