Fortinet white logo
Fortinet white logo

FortiGate-7000F Administration Guide

FIM-7921F interface module

FIM-7921F interface module

The FIM-7921F interface module is a hot swappable module that provides data, management, and session sync/heartbeat interfaces, base backplane switching, hardware acceleration, and fabric backplane session-aware load balancing for a FortiGate 7000F series chassis. The FIM-7921F includes an integrated switch fabric, five NP7 processors to load balance millions of data sessions over the FortiGate 7000F 400Gbps fabric backplane channel to FPM processor modules. The FIM-7921F also includes a 50Gbps base backplane channel for base backplane management communication with each FPM in the chassis, one 1Tbps fabric backplane channel for fabric backplane communication with the other FIM in the chassis, and a second 50Gbps base backplane channel for base backplane communication with the other FIM in the chassis. The FIM-7921F also includes two 4TByte SSD log disks in a RAID-1 configuration. The SSDs are accessible from the FIM-7921F front panel but should not be removed.

The FIM-7921F can be installed in any FortiGate 7000F series chassis in chassis hub/switch slots 1 or 2. The FIM-7921F includes eighteen front panel 100GigE QSFP28 fabric channel data network interfaces (1 to 18) and two 400GigE QSFP-DD fabric channel data network interfaces (19 and 20). Interfaces 1 to 18 can be connected to 100Gbps data networks. Interfaces 19 and 20 can be connected to 400Gbps data networks. You can also change the interface type of interfaces 19 and 20 and change the speeds of all of the data interfaces. You can also split interfaces 1 to 8, 19, and 20.

The FIM-7921F also includes two 100 GigE QSFP28 base channel management interfaces (M1 and M2) and two 25 GigE SPF28 base channel management interfaces (M3 and M4). The management interfaces can be used for HA heartbeat communication and session synchronization between two chassis in HA mode or for other management functions such as remote logging. You can also change the speeds of the management interfaces. You can also split the M1 and M2 interfaces.

The FIM-7921F includes a console port to provide console access to the FIM-7921F CLI.

FIM-7921F front panel

Front panel interfaces

You connect the FIM-7921F to your 100Gbps data networks using the 1 to 18 front panel QSFP28 interfaces. You can also connect the FIM-7921F to your 400Gbps data networks using the 19 and 20 front panel QSFP-DD interfaces. You can create link aggregation groups that can include data interfaces from multiple FIMs and FPMs in the same chassis.

The front panel also includes M1 and M2 QSFP28, M3 and M4 SFP28 interfaces that connect to the base channel, two Ethernet management interfaces (MGMT1 and MGMT2), and a USB port. The USB port can be used with any USB key for backing up and restoring configuration files and installing and restoring firmware.

Connector Type Speed Protocol Description
1 to 18 QSFP28

100Gbps

40Gbps

4 x 25Gbps (split)

4 x 10Gbps (split)

Ethernet

Eighteen front panel 100GigE QSFP28 fabric channel data interfaces that can be connected to 100Gbps data networks to distribute sessions to the FPMs in chassis slots 3 and up. The speed of these interfaces can be changed to 40Gbps. Interfaces 3 to 8 can be split into four interfaces. Each split interface can operate at 25Gbps or 10Gbps.

19 and 20

QSFP-DD

400Gbps

100Gbps

40Gbps

4 x 100Gbps (split)

4 x 25Gbps (split)

4 x 10Gbps (split)

Ethernet

Two front panel 400GigE QSFP-DD fabric channel data interfaces that can be connected to 400Gbps data networks to distribute sessions to the FPMs in chassis slots 3 and up. These interfaces can be changed to 100GigE QSFP28 interfaces and the speed changed to 40Gbps. These Interfaces can be split into four interfaces. Each split interface can operate at 100Gbps, 25Gbps, or 10Gbps.

M1 and M2 QSFP28

100Gbps

40Gbps

4 x 25Gbps (split)

4 x 10Gbps (split)

Ethernet

Two front panel 100GigE QSFP28 base channel management interfaces. These interfaces are used for HA heartbeat, and session synchronization between FIM-7921Fs in different chassis. These interfaces can also be used for management communication (for example, for remote logging). The speed of these interfaces can be changed to 40Gbps. These interfaces can be split into four interfaces. Each split interface can operate at 25Gbps or 10Gbps.

M3 and M4

SFP28

25Gbps

10Gbps

Ethernet

Two front panel 25GigE SFP28 base channel management interfaces. These interfaces are used for HA heartbeat, and session synchronization between FIM-7921Fs in different chassis. These interfaces can also be used for management communication (for example, for remote logging). The speed of these interfaces can be changed to 10Gbps.

MGMT1 and MGMT2 RJ-45

10Mbps

100Mbps

1000Mbps

Ethernet Two 10/100/1000BASE-T copper out of band management ethernet interfaces.
USB USB 3.0 Type A USB 3.0 USB 2.0 Standard USB connector.
Console RJ-45 9600 bps
8/N/1
RS-232 serial Serial connection to the FIM-7921F CLI.

Changing the FIM-7921F 1 to 8, M1, and M2 interfaces

By default, the FIM-7921F 1 to 8 (P1 to P8) , M1, and M2 interfaces are configured as 100GigE QSFP28 interfaces. You can make the following changes to these interfaces:

  • Change the interface speed to 40G using the config system interface command.

  • Split one or more of the 3 to 8 (P3 to P8) , M1, and M2 interfaces into four 25GigE interfaces.

  • Change the interface speed of one or more of the split interfaces to 10Gig.

Note

You should configure split interfaces on both FortiGate 7000Fs before forming an FGCP HA cluster. If you decide to change the split interface configuration after forming a cluster, you need to remove the secondary FortiGate 7000F from the cluster and change the split interface configuration on both FortiGate 7000Fs separately. After the FortiGate 7000Fs restart, you can re-form the cluster. This process will cause traffic interruptions.

You can use the following command to split the P3 interface of the FIM-7921F in slot 1 and the P8 and M1 interfaces of the FIM-7921F in slot 2:

config system global

set split-port 1-P3 2-P8 2-M1

end

The FortiGate 7000F reboots and when it starts up:

  • Interface 1-P3 has been replaced by four 25GigE CR2 interfaces named 1-P3/1 to 1-P3/4.

  • Interface 2-P8 has been replaced by four 25GigE CR2 interfaces named 2-P8/1 to 2-P8/4.

  • Interface 2-M1 has been replaced by four 25GigE CR2 interfaces named 2-M1/1 to 2-M1/4.

You can use the config system interface command to change the speeds of each of the split interfaces. You can change the speed of some or all of the individual split interfaces depending on whether the transceiver installed in the interface slot supports different speeds for the split interfaces.

For example, to change the speed of the 2-P8/3 interface to 10Gig:

config system interface

edit 2-P8/3

set speed 10000full

end

Changing the FIM-7921F 19 and 20 interfaces

By default, the FIM-7921F 19 and 20 (P19 and P20) interfaces are configured as 400GigE QSFP-DD interfaces. You can make the following changes to one or both of interfaces:

  • Change the interface speed to 400G, 100G, or 40G using the config system interface command.

  • Split the interface into four 100GigE CR2 interfaces.

  • Split the interface into four 25GigE CR or 10GigE SR interfaces.

All of these operations, except changing the interface speed using the config system interface command, require a system restart. Fortinet recommends that you perform these operations during a maintenance window and plan the changes to avoid traffic disruption.

Note

You should change interface types or split interfaces on both FortiGate 7000Fs before forming an FGCP HA cluster. If you decide to change interface type or split interfaces after forming a cluster, you need to remove the secondary FortiGate 7000F from the cluster and change interfaces as required on both FortiGate 7000Fs separately. After the FortiGate 7000Fs restart, you can re-form the cluster. This process will cause traffic interruptions.

Splitting the P19 or P20 interfaces into four 100GigE CR2 interfaces

You can use the following command to split the P19 or P20 interfaces into four 100GigE CR2 interfaces. To split P19 of the FIM-7921F in slot 1 (1-P19) and P20 of the FIM-7921F in slot 2 (2-P20) enter the following command:

config system global

set split-port 1-P19 2-P20

end

The FortiGate 7000F reboots and when it starts up:

  • Interface 1-P19 has been replaced by four 100GigE CR2 interfaces named 1-P19/1 to 1-P19/4.

  • Interface 2-P20 has been replaced by four 100GigE CR2 interfaces named 2-P20/1 to 2-P20/4.

Splitting the P19 or P20 interfaces into four 25GigE CR or 10GigE SR interfaces

You can use the following command to split the P19 or P20 interfaces into four 25GigE CR interfaces. The following command converts the interface into a 100GigE QSFP28 interface then splits this interface into four 25 GigE CR interfaces. To change P19 of the FIM-7921F in slot 1 (1-P19) and P20 of the FIM-7921F in slot 2 (2-P20) enter the following command:

config system global

set qsfpdd-100g-port 1-P19 2-P20

set split-port 1-P19 2-P20

end

The FortiGate 7000F reboots and when it starts up:

  • Interface 1-P19 has been replaced by four 25GigE CR interfaces named 1-P19/1 to 1-P19/4.

  • Interface 2-P20 has been replaced by four 25GigE CR interfaces named 2-P20/1 to 2-P20/4.

If you want some or all of these interfaces to operate as 10GigE SR interfaces you can use the config system interface command to change the interface speed. You can change the speed of some or all of the individual split interfaces depending on whether the transceiver installed in the interface slot supports different speeds for the split interfaces.

FIM-7921F hardware architecture

The FIM-7921F includes an integrated switch fabric (ISF) that connects the front panel interfaces and the chassis fabric backplane to the NP7 processors. The NP7 processors receive sessions from the FIM front panel data interfaces and the FPM front panel data interfaces over the fabric backplane. The NP7 processors use SLBC to distribute sessions to FPMs over the fabric backplane.

The FIM-7921F also includes the following backplane communication channels:

  • Ten 400Gbps fabric backplane channel to distribute traffic to the FPMs.
  • Ten 50Gbps base backplane channel for base backplane communication with the FPMs.
  • One 1Tbps fabric backplane channel for fabric backplane communication with the other FIM.
  • One 50Gbps base backplane channel for base backplane communication with the other FIM.
FIM-7921F hardware architecture

FIM-7921F NP7 processors

Since FIM NP7 processors are used for SLBC load balancing:

  • They are not used for host protection engine (HPE) DoS protection. HPE is applied by the NP7 processors in the FPMs. For information about HPE, see NP7 Host Protection Engine (HPE).

  • You can't configure NP7 groups for FIM NP7 processors. NP7 groups can be configured for the NP7 processors in FPMs.

  • The output of the diagnose npu np7 port-list command shows that FIM NP7 processors are connected to all FIM-7921F interfaces and shows the maximum and default speeds of the interfaces. Sample output from the FIM CLI:

diagnose npu np7 port-list
Front Panel Port:
Name     Max_speed(Mbps) Dflt_speed(Mbps) NP_group        Switch_id SW_port_id SW_port_name
-------- --------------- ---------------  --------------- --------- ---------- ------------
1-P1     100000          100000           n/a             0         7          ce27
1-P1-2   25000           25000            n/a             0         8
1-P1-3   25000           25000            n/a             0         9
1-P1-4   25000           25000            n/a             0         10
1-P2     100000          100000           n/a             0         15         ce31
.
.
.

FIM-7921F interface module

FIM-7921F interface module

The FIM-7921F interface module is a hot swappable module that provides data, management, and session sync/heartbeat interfaces, base backplane switching, hardware acceleration, and fabric backplane session-aware load balancing for a FortiGate 7000F series chassis. The FIM-7921F includes an integrated switch fabric, five NP7 processors to load balance millions of data sessions over the FortiGate 7000F 400Gbps fabric backplane channel to FPM processor modules. The FIM-7921F also includes a 50Gbps base backplane channel for base backplane management communication with each FPM in the chassis, one 1Tbps fabric backplane channel for fabric backplane communication with the other FIM in the chassis, and a second 50Gbps base backplane channel for base backplane communication with the other FIM in the chassis. The FIM-7921F also includes two 4TByte SSD log disks in a RAID-1 configuration. The SSDs are accessible from the FIM-7921F front panel but should not be removed.

The FIM-7921F can be installed in any FortiGate 7000F series chassis in chassis hub/switch slots 1 or 2. The FIM-7921F includes eighteen front panel 100GigE QSFP28 fabric channel data network interfaces (1 to 18) and two 400GigE QSFP-DD fabric channel data network interfaces (19 and 20). Interfaces 1 to 18 can be connected to 100Gbps data networks. Interfaces 19 and 20 can be connected to 400Gbps data networks. You can also change the interface type of interfaces 19 and 20 and change the speeds of all of the data interfaces. You can also split interfaces 1 to 8, 19, and 20.

The FIM-7921F also includes two 100 GigE QSFP28 base channel management interfaces (M1 and M2) and two 25 GigE SPF28 base channel management interfaces (M3 and M4). The management interfaces can be used for HA heartbeat communication and session synchronization between two chassis in HA mode or for other management functions such as remote logging. You can also change the speeds of the management interfaces. You can also split the M1 and M2 interfaces.

The FIM-7921F includes a console port to provide console access to the FIM-7921F CLI.

FIM-7921F front panel

Front panel interfaces

You connect the FIM-7921F to your 100Gbps data networks using the 1 to 18 front panel QSFP28 interfaces. You can also connect the FIM-7921F to your 400Gbps data networks using the 19 and 20 front panel QSFP-DD interfaces. You can create link aggregation groups that can include data interfaces from multiple FIMs and FPMs in the same chassis.

The front panel also includes M1 and M2 QSFP28, M3 and M4 SFP28 interfaces that connect to the base channel, two Ethernet management interfaces (MGMT1 and MGMT2), and a USB port. The USB port can be used with any USB key for backing up and restoring configuration files and installing and restoring firmware.

Connector Type Speed Protocol Description
1 to 18 QSFP28

100Gbps

40Gbps

4 x 25Gbps (split)

4 x 10Gbps (split)

Ethernet

Eighteen front panel 100GigE QSFP28 fabric channel data interfaces that can be connected to 100Gbps data networks to distribute sessions to the FPMs in chassis slots 3 and up. The speed of these interfaces can be changed to 40Gbps. Interfaces 3 to 8 can be split into four interfaces. Each split interface can operate at 25Gbps or 10Gbps.

19 and 20

QSFP-DD

400Gbps

100Gbps

40Gbps

4 x 100Gbps (split)

4 x 25Gbps (split)

4 x 10Gbps (split)

Ethernet

Two front panel 400GigE QSFP-DD fabric channel data interfaces that can be connected to 400Gbps data networks to distribute sessions to the FPMs in chassis slots 3 and up. These interfaces can be changed to 100GigE QSFP28 interfaces and the speed changed to 40Gbps. These Interfaces can be split into four interfaces. Each split interface can operate at 100Gbps, 25Gbps, or 10Gbps.

M1 and M2 QSFP28

100Gbps

40Gbps

4 x 25Gbps (split)

4 x 10Gbps (split)

Ethernet

Two front panel 100GigE QSFP28 base channel management interfaces. These interfaces are used for HA heartbeat, and session synchronization between FIM-7921Fs in different chassis. These interfaces can also be used for management communication (for example, for remote logging). The speed of these interfaces can be changed to 40Gbps. These interfaces can be split into four interfaces. Each split interface can operate at 25Gbps or 10Gbps.

M3 and M4

SFP28

25Gbps

10Gbps

Ethernet

Two front panel 25GigE SFP28 base channel management interfaces. These interfaces are used for HA heartbeat, and session synchronization between FIM-7921Fs in different chassis. These interfaces can also be used for management communication (for example, for remote logging). The speed of these interfaces can be changed to 10Gbps.

MGMT1 and MGMT2 RJ-45

10Mbps

100Mbps

1000Mbps

Ethernet Two 10/100/1000BASE-T copper out of band management ethernet interfaces.
USB USB 3.0 Type A USB 3.0 USB 2.0 Standard USB connector.
Console RJ-45 9600 bps
8/N/1
RS-232 serial Serial connection to the FIM-7921F CLI.

Changing the FIM-7921F 1 to 8, M1, and M2 interfaces

By default, the FIM-7921F 1 to 8 (P1 to P8) , M1, and M2 interfaces are configured as 100GigE QSFP28 interfaces. You can make the following changes to these interfaces:

  • Change the interface speed to 40G using the config system interface command.

  • Split one or more of the 3 to 8 (P3 to P8) , M1, and M2 interfaces into four 25GigE interfaces.

  • Change the interface speed of one or more of the split interfaces to 10Gig.

Note

You should configure split interfaces on both FortiGate 7000Fs before forming an FGCP HA cluster. If you decide to change the split interface configuration after forming a cluster, you need to remove the secondary FortiGate 7000F from the cluster and change the split interface configuration on both FortiGate 7000Fs separately. After the FortiGate 7000Fs restart, you can re-form the cluster. This process will cause traffic interruptions.

You can use the following command to split the P3 interface of the FIM-7921F in slot 1 and the P8 and M1 interfaces of the FIM-7921F in slot 2:

config system global

set split-port 1-P3 2-P8 2-M1

end

The FortiGate 7000F reboots and when it starts up:

  • Interface 1-P3 has been replaced by four 25GigE CR2 interfaces named 1-P3/1 to 1-P3/4.

  • Interface 2-P8 has been replaced by four 25GigE CR2 interfaces named 2-P8/1 to 2-P8/4.

  • Interface 2-M1 has been replaced by four 25GigE CR2 interfaces named 2-M1/1 to 2-M1/4.

You can use the config system interface command to change the speeds of each of the split interfaces. You can change the speed of some or all of the individual split interfaces depending on whether the transceiver installed in the interface slot supports different speeds for the split interfaces.

For example, to change the speed of the 2-P8/3 interface to 10Gig:

config system interface

edit 2-P8/3

set speed 10000full

end

Changing the FIM-7921F 19 and 20 interfaces

By default, the FIM-7921F 19 and 20 (P19 and P20) interfaces are configured as 400GigE QSFP-DD interfaces. You can make the following changes to one or both of interfaces:

  • Change the interface speed to 400G, 100G, or 40G using the config system interface command.

  • Split the interface into four 100GigE CR2 interfaces.

  • Split the interface into four 25GigE CR or 10GigE SR interfaces.

All of these operations, except changing the interface speed using the config system interface command, require a system restart. Fortinet recommends that you perform these operations during a maintenance window and plan the changes to avoid traffic disruption.

Note

You should change interface types or split interfaces on both FortiGate 7000Fs before forming an FGCP HA cluster. If you decide to change interface type or split interfaces after forming a cluster, you need to remove the secondary FortiGate 7000F from the cluster and change interfaces as required on both FortiGate 7000Fs separately. After the FortiGate 7000Fs restart, you can re-form the cluster. This process will cause traffic interruptions.

Splitting the P19 or P20 interfaces into four 100GigE CR2 interfaces

You can use the following command to split the P19 or P20 interfaces into four 100GigE CR2 interfaces. To split P19 of the FIM-7921F in slot 1 (1-P19) and P20 of the FIM-7921F in slot 2 (2-P20) enter the following command:

config system global

set split-port 1-P19 2-P20

end

The FortiGate 7000F reboots and when it starts up:

  • Interface 1-P19 has been replaced by four 100GigE CR2 interfaces named 1-P19/1 to 1-P19/4.

  • Interface 2-P20 has been replaced by four 100GigE CR2 interfaces named 2-P20/1 to 2-P20/4.

Splitting the P19 or P20 interfaces into four 25GigE CR or 10GigE SR interfaces

You can use the following command to split the P19 or P20 interfaces into four 25GigE CR interfaces. The following command converts the interface into a 100GigE QSFP28 interface then splits this interface into four 25 GigE CR interfaces. To change P19 of the FIM-7921F in slot 1 (1-P19) and P20 of the FIM-7921F in slot 2 (2-P20) enter the following command:

config system global

set qsfpdd-100g-port 1-P19 2-P20

set split-port 1-P19 2-P20

end

The FortiGate 7000F reboots and when it starts up:

  • Interface 1-P19 has been replaced by four 25GigE CR interfaces named 1-P19/1 to 1-P19/4.

  • Interface 2-P20 has been replaced by four 25GigE CR interfaces named 2-P20/1 to 2-P20/4.

If you want some or all of these interfaces to operate as 10GigE SR interfaces you can use the config system interface command to change the interface speed. You can change the speed of some or all of the individual split interfaces depending on whether the transceiver installed in the interface slot supports different speeds for the split interfaces.

FIM-7921F hardware architecture

The FIM-7921F includes an integrated switch fabric (ISF) that connects the front panel interfaces and the chassis fabric backplane to the NP7 processors. The NP7 processors receive sessions from the FIM front panel data interfaces and the FPM front panel data interfaces over the fabric backplane. The NP7 processors use SLBC to distribute sessions to FPMs over the fabric backplane.

The FIM-7921F also includes the following backplane communication channels:

  • Ten 400Gbps fabric backplane channel to distribute traffic to the FPMs.
  • Ten 50Gbps base backplane channel for base backplane communication with the FPMs.
  • One 1Tbps fabric backplane channel for fabric backplane communication with the other FIM.
  • One 50Gbps base backplane channel for base backplane communication with the other FIM.
FIM-7921F hardware architecture

FIM-7921F NP7 processors

Since FIM NP7 processors are used for SLBC load balancing:

  • They are not used for host protection engine (HPE) DoS protection. HPE is applied by the NP7 processors in the FPMs. For information about HPE, see NP7 Host Protection Engine (HPE).

  • You can't configure NP7 groups for FIM NP7 processors. NP7 groups can be configured for the NP7 processors in FPMs.

  • The output of the diagnose npu np7 port-list command shows that FIM NP7 processors are connected to all FIM-7921F interfaces and shows the maximum and default speeds of the interfaces. Sample output from the FIM CLI:

diagnose npu np7 port-list
Front Panel Port:
Name     Max_speed(Mbps) Dflt_speed(Mbps) NP_group        Switch_id SW_port_id SW_port_name
-------- --------------- ---------------  --------------- --------- ---------- ------------
1-P1     100000          100000           n/a             0         7          ce27
1-P1-2   25000           25000            n/a             0         8
1-P1-3   25000           25000            n/a             0         9
1-P1-4   25000           25000            n/a             0         10
1-P2     100000          100000           n/a             0         15         ce31
.
.
.