
FortiGate-6000 Handbook

Managing individual FPCs


In some cases, you may want to connect to the individual FPCs. For example, you may want to view traffic being processed by a specific FPC. You can connect to the GUI or CLI of individual FPCs using the MGMT1 interface IP address with a special port number.

For example, if the MGMT1 interface IP address is 192.168.1.99, you can connect to the GUI of the first FPC (the FPC in slot 1) by browsing to:

https://192.168.1.99:44301

The special port number (in this case, 44301) is a combination of the service port (for HTTPS, the service port is 443) and the FPC slot number (in this example, 01). The following table lists the special ports to use to connect to each FPC slot using common management protocols. The FortiGate-6300F and 6301F have 7 slots (0 to 6) and the FortiGate-6500F and 6501F have 11 slots (0 to 10). Slot 0 is the management board (MBD) slot. Slots 1 to 10 are FPC slots.

FortiGate-6000 special management port numbers

Slot Address      HTTP (80)  HTTPS (443)  Telnet (23)  SSH (22)  SNMP (161)
Slot 0 (MBD)      8000       44300        2300         2200      16100
Slot 1 (FPC01)    8001       44301        2301         2201      16101
Slot 2 (FPC02)    8002       44302        2302         2202      16102
Slot 3 (FPC03)    8003       44303        2303         2203      16103
Slot 4 (FPC04)    8004       44304        2304         2204      16104
Slot 5 (FPC05)    8005       44305        2305         2205      16105
Slot 6 (FPC06)    8006       44306        2306         2206      16106
Slot 7 (FPC07)    8007       44307        2307         2207      16107
Slot 8 (FPC08)    8008       44308        2308         2208      16108
Slot 9 (FPC09)    8009       44309        2309         2209      16109
Slot 10 (FPC10)   8010       44310        2310         2210      16110

For example, to connect to the CLI of the FPC in slot 3 using SSH, you would connect to ssh://192.168.1.99:2203.
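The port scheme above, as an added example that is not part of the Fortinet handbook: Python that builds and decodes the per-slot management ports and flags cleartext (HTTP, Telnet) management connections to the MGMT1 address. The log format ("source destination:port"), the function names, and the sample lines are assumptions constructed for illustration; the base ports and slot counts come from this page.

```python
# Added example: decode FortiGate-6000 per-slot management ports.
# Base service ports and slot counts are taken from the page text and table.
BASE_PORTS = {"HTTP": 80, "HTTPS": 443, "Telnet": 23, "SSH": 22, "SNMP": 161}
CLEARTEXT = {"HTTP", "Telnet"}  # protocols that carry credentials unencrypted
SLOT_COUNT = {"6300F": 7, "6301F": 7, "6500F": 11, "6501F": 11}  # slots 0..n-1


def special_port(service, slot):
    """Service port followed by the two-digit slot number (443 + 01 -> 44301)."""
    return BASE_PORTS[service] * 100 + slot


def decode_port(port, model):
    """Return (service, slot) for a per-slot management port, else None."""
    base, slot = divmod(port, 100)
    for service, svc_port in BASE_PORTS.items():
        if svc_port == base and slot < SLOT_COUNT[model]:
            return service, slot
    return None


def audit(log_lines, model):
    """List (source, service, target) for cleartext per-slot management logins."""
    findings = []
    for line in log_lines:
        src, dst = line.split()[:2]
        _host, _, port = dst.rpartition(":")
        hit = decode_port(int(port), model)
        if hit and hit[0] in CLEARTEXT:
            target = "MBD" if hit[1] == 0 else f"FPC{hit[1]:02d}"
            findings.append((src, hit[0], target))
    return findings


# Constructed sample connection log (hypothetical format: "source destination:port").
SAMPLE_LOG = [
    "10.0.0.5 192.168.1.99:44301",  # HTTPS to FPC01
    "10.0.0.7 192.168.1.99:2303",   # Telnet to FPC03
    "10.0.0.9 192.168.1.99:2203",   # SSH to FPC03
    "10.0.0.7 192.168.1.99:8000",   # HTTP to the management board
    "10.0.0.8 192.168.1.99:2310",   # Telnet to FPC10 (slot exists only on 6500F/6501F)
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, "6500F"):
        print(finding)
```

The same mapping gives the full set of ports to cover in a management ACL: every service in the table multiplied across the slots present on the model in use.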

To verify which slot you have logged into, check the hostname shown in the GUI header banner or the CLI prompt. The CLI prompt also shows the slot address in the format <hostname> [<slot address>] #.

Logging in to different FPCs allows you to use the FortiView or Monitor GUI pages to view the activity on that FPC. Even though you can log in to different FPCs, you can only make configuration changes from the management board.

Connecting to individual FPC consoles

From the management board CLI, you can use the execute system console-server command to access individual FPC consoles. Console access can be useful for troubleshooting. For example, if an FPC does not boot properly, you can use console access to view the state of the FPC and enter commands to fix the problem or restart the FPC.

From the console, you can also perform BIOS-related operations, such as rebooting the FPC, interrupting the boot process, and installing new firmware.

For example, from the management board CLI, use the following command to log in to the console of the FPC in slot 3:

execute system console-server connect 3

Authenticate to log in to the console and use CLI commands to view information, make changes, or restart the FPC. When you are done, use Ctrl-X to exit from the console back to the management board CLI. Using Ctrl-X may not work if you are accessing the CLI console from the GUI. Instead you may need to log out of the GUI and then log in again.

Also from the management board CLI you can use the execute system console-server showline command to list any active console server sessions. Only one console session can be active for each FPC, so before you connect to an FPC console, you can use the following command to verify whether or not there is an active console session. The following command output shows an active console session with the FPC in slot 4:

execute system console-server showline

MB console line connected - 1

Telnet-to-console line connected - 4

To clear an active console session, use the execute system console-server clearline command. For example, to clear an active console session with the FPC in slot 4, enter:

execute system console-server clearline 4

In an HA configuration, the execute system console-server commands only allow access to FPCs in the FortiGate-6000 that you are logged into. You can't use this command to access FPCs in the other FortiGate-6000 in an HA cluster.

Connecting to individual FPC CLIs

From the management board CLI you can use the following command to switch between FPCs and perform different operations on the FPC in each slot:

execute load-balance slot {manage | nmi-reset | power-off | power-on | reboot} <chassis-number>.<slot-number>

Use manage to connect to the CLI of a different FPC. Use the other options to perform an action on an individual FPC.

For example, to connect to the FPC in chassis 1 slot 4, enter the following command:

execute load-balance slot manage 1.4

To reboot the FPC in chassis 1 slot 3, enter the following command:

execute load-balance slot reboot 1.3

From any CLI you can also use the execute load-balance slot manage [<chassis>.]<slot> command to log into the CLI of any FPC. You can use this command to view the status or configuration of the FPC, restart the FPC, or perform other operations. You should not change the configuration of individual FPCs because this can cause configuration synchronization errors.

<chassis> is the HA chassis ID and can be 1 or 2. The chassis ID is required only in an HA configuration where you are attempting to log in to the other chassis. In HA mode, if you skip the chassis ID, you can log in to another component in the same chassis.

<slot> is the slot number of the component that you want to log in to. The management board is in slot 0 and the FPC slot numbers start at 1.

For example, in a FortiGate-6000 standalone configuration, if you logged in to the CLI of the management board, enter the following command to log in to the FPC in slot 5:

execute load-balance slot manage 5

In a FortiGate-6000 HA configuration, if you logged into the CLI of the management board in chassis 1, enter the following command to log into the FPC in chassis 2 slot 5:

execute load-balance slot manage 2.5

In a FortiGate-6000 HA configuration, if you logged into the CLI of the management board in chassis 2, enter the following command to log in to the FPC in chassis 1 slot 3:

execute load-balance slot manage 1.3

In a FortiGate-6000 HA configuration, if you logged in to the CLI of the management board in chassis 1, enter the following command to log in to the FPC in slot 3 of the same chassis:

execute load-balance slot manage 3

After you log in to a different component in this way, you can't use the execute load-balance slot manage command to log into another component. Instead you must use the exit command to revert back to the CLI of the component that you originally logged into. Then, you can use the execute load-balance slot manage command to log in to another component.
