Professional Documents
Culture Documents
FortiBridge Administration Guide 09 30000 0163 20061109
FortiBridge Administration Guide 09 30000 0163 20061109
FortiBridge
Version 3.0
www.fortinet.com
FortiBridge Administration Guide
Version 3.0
9 November 2006
09-30000-0163-20061109
© Copyright 2006 Fortinet, Inc. All rights reserved. No part of this publication including text, examples,
diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means,
electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of
Fortinet, Inc.
Trademarks
ABACAS, APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGuard, FortiGuard-
Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiManager, Fortinet,
FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are
trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies
and products mentioned herein may be the trademarks of their respective owners.
Regulatory compliance
FCC Class A Part 15 CSA/CUS
Caution: If you install a battery that is not the correct type, it could
! explode. Dispose of used batteries according to local regulations.
Contents
Contents
Introduction ........................................................................................ 7
About FortiBridge .............................................................................................. 7
About this document......................................................................................... 7
Fortinet documentation..................................................................................... 8
Fortinet tools and documentation CD............................................................ 8
Fortinet Knowledge Center ........................................................................... 8
Comments on Fortinet technical documentation ........................................... 8
Customer service and technical support ........................................................ 8
system console................................................................................................ 61
system dns ....................................................................................................... 62
get system status ............................................................................................ 63
system fail_close ............................................................................................. 64
system global................................................................................................... 66
system interface {internal | external}............................................................. 68
system manageip............................................................................................. 69
system route .................................................................................................... 70
system snmp community................................................................................ 71
config hosts ................................................................................................. 71
Index.................................................................................................. 83
Introduction
This chapter introduces you to the FortiBridge-1000 and FortiBridge-1000F
products that provide fail open protection for FortiGate Antivirus Firewalls
operating in transparent mode. Fail open protection keeps network traffic flowing
in the event of a FortiGate unit failure. This chapter contains the following topics:
• About FortiBridge
• About this document
• Fortinet documentation
• Customer service and technical support
About FortiBridge
The FortiBridge products are a solution for enterprise organizations to provide fail
open protection for FortiGate units deployed inline in transparent mode. The
FortiBridge products use multiple probe protocols to detect failures in the
FortiGate unit. FortiBridge zero power fail open technology means that the
FortiBridge unit also fails open if a power failure occurs.
INT 1 EXT 1
BYPASS MODE
MODE FACTORY RESET
PWR
Esc Enter
NORMAL
FortiGate
INT 2 EXT 2
Fortinet documentation
The most up-to-date publications and previous releases of Fortinet product
documentation are available from the Fortinet Technical Documentation web site
at http://docs.forticare.com.
The following FortiBridge product documentation is available:
• FortiBridge QuickStart Guides
Provide basic information about connecting and installing a FortiBridge unit.
• FortiBridge Administration Guide
Describes how to install, configure, and manage a FortiBridge unit.
Internal network
Internet
Internal External Router
(Transparent mode)
To allow users on the internal network to connect to resources on the Internet, add
Internal -> External firewall policies to the FortiGate unit. Add protection profiles
to the firewall policies to apply security services such as virus scanning, web
filtering, spam filtering and IPS to the traffic that passes through the FortiGate unit.
The FortiGate unit acts as an extra layer of protection for your internal network.
While it is operating, the FortiGate unit protects the internal network from threats
originating on the Internet. All users on the internal network connect through the
FortiGate unit to the Internet. This also means that if a failure or other interruption
caused the FortiGate unit to stop functioning, users on the internal network would
not be able to connect to the Internet.
You can install a FortiBridge unit to maintain internet connectivity for the internal
network if the FortiGate unit stops functioning. The FortiBridge unit provides fail
open protection for your network by bypassing the FortiGate unit if a failure
occurs.
(Normal mode)
Internal network
INT 1 EXT 1 Internet
Internal External
(Transparent mode)
Note: Normally, you would use straight-through ethernet cables to connect the
FortiBridge-1000 unit to the FortiGate unit and to your networks. However, for some
connections you may need a crossover ethernet cable (for example, for compatibility with
network devices that do not support Auto MDI/MDIX).
(Normal mode)
Internal network
INT 1 EXT 1 Internet
Internal External
(Transparent mode)
(Normal mode)
Internal network
INT 1 EXT 1 Internet
(Transparent mode)
You can enable ICMP (ping), HTTP, FTP, POP3, SMTP, and IMAP probes to test
connectivity through the FortiGate unit for each of these protocols. The
FortiBridge unit simultaneously tests connectivity through the FortiGate unit for
each probe that is enabled.
The first probe that registers a failure causes the FortiBridge unit to stop sending
all probe packets. The FortiBridge unit responds to the failure according to the
action on failure that you configure. The action on failure can include fail open,
send alert email, send a syslog message, and send an SNMP trap. You can
enable any combination of these actions on failure. Fail open switches the
FortiBridge unit to bypass mode. Other actions on failure alert system
administrators that the FortiBridge has determined that a failure occurred.
(Bypass mode)
Internal network
INT 1 EXT 1 Internet
Internal External
(Transparent mode)
When the FortiBridge unit is operating in bypass mode you can still connect to the
FortiBridge CLI and manage the FortiBridge unit (for example to switch the
FortiBridge unit to normal mode). When the FortiBridge unit operates in bypass
mode, you cannot connect to the FortiGate interfaces that are connected to the
FortiBridge unit.
Note: The FortiBridge-1000F contains a battery to keep the fibers lit in fail open mode. If
the FortiBridge-1000F unit loses power, the battery will power the fail open condition for
approximately three hours. When power is restored, the battery requires approximately
three hours to recharge if completely drained. The FortiBridge-1000 unit does not use a
battery and can maintain a fail open condition indefinitely.
Figure 7: FortiBridge unit providing fail open protection for a FortiGate HA cluster
(Normal mode)
Internal network
INT 1 EXT 1 Internet
Internal External
Probe packets
HA cluster
(Transparent mode)
The network configuration and FortiBridge configuration are the same for a cluster
and for a standalone FortiGate unit. In normal mode, packets pass through the
FortiBridge unit and through the FortiGate HA cluster and back through the
FortiBridge unit. For the cluster to process this traffic, you must add
Internal -> External firewall policies to the cluster configuration. If a failure occurs
and the cluster no longer processes traffic, the FortiBridge unit switches to bypass
mode, bypassing the cluster.
The connection procedure is different depending on whether the FortiBridge unit
uses copper gigabit ethernet network connections or fiber gigabit ethernet
network connections. This section includes the following connection procedures:
• Connecting the FortiBridge-1000 (copper gigabit ethernet)
• Connecting the FortiBridge-1000F (fiber gigabit ethernet)
Note: Normally, you would use straight-through ethernet cables to connect the
FortiBridge-1000 unit to the FortiGate unit and to your networks. However, for some
connections you may need a crossover ethernet cable (for example, for compatibility with
network devices that do not support Auto MDI/MDIX).
Figure 8: FortiBridge unit providing fail open protection for a single FortiGate unit
(Normal mode)
Internal network
INT 1 EXT 1 Internet
Port 5 Port 6
-500A
(Transparent mode)
NORMAL
FortiGate
INT 2 EXT 2
FortiBridge-1000
INT 1 EXT 1
BYPASS MODE
USER MANUAL
MODE FACTORY RESET
PWR Esc Enter
NORMAL
FortiGate
INT 2 EXT 2
Connection INT 2 INT 1 Copyright 2005 Fortinet Incorporated. All rights reserved.
Trademarks
Products mentioned in this document are trademarks.
F
PWR
INT 2
FortiGate
Esc Enter
EXT 2
NORMAL Power Cable Power Supply
RJ-45 to
Power INT 1 EXT 1 Normal Factory DB-9 Serial Cable
Management INT 2 EXT 2 Mode Reset
Back 4 1000Base-SX
SFP Transceivers
DC+5V TO FORTIGATE
FortiBridge-1000
INT 2
FortiGate
Esc Enter
EXT 1
EXT 2
BYPASS MODE
NORMAL
MODE FACTORY RESET
QuickStart Guide
Mounting instructions
Install the FortiBridge unit on any stable surface. Make sure that the unit has at
least 1.5 in. (3.75 cm) of clearance on each side to allow for adequate air flow and
cooling.
Technical specifications
LED indicators
Connectors
Right out of the box you can connect, power on, and configure the FortiBridge unit
without interrupting network traffic (except for the interruption required to move
and re-connect network cables). When connected and powered on, the
FortiBridge unit operates in Normal mode. Probes are not configured. The
FortiBridge unit does not provide fail open protection until probes are configured.
TO FORTIGATE
DC+5V
Internal network
INT 1 EXT 1
Internet
Internal External
(Transparent mode)
Note: Normally, you would use straight-through ethernet cables to connect the
FortiBridge-1000 unit to the FortiGate unit and to your networks. However, for some
connections you may need a crossover ethernet cable (for example, for compatibility with
network devices that do not support Auto MDI/MDIX).
The FortiBridge-1000F unit contains 4 multimode fiber optic gigabit interfaces that
connect to the internal and external networks and to the FortiGate interfaces that
were connected to these networks. Use the following steps to connect a
FortiBridge-1000F unit to the network as shown in Figure 12.
DC+5V TO FORTIGATE
Gigabit Fiber connection to FortiGate Internal interface Gigabit Fiber connection to External network
Gigabit Fiber connection to FortiGate External interface Gigabit Fiber connection to Internal network
Internal network
INT 1 EXT 1
Internet
Gigabit Gigabit
Fiber INT 2 EXT 2 Fiber Switch Router
Switch
Gigabit Gigabit
Fiber Fiber
Internal External
(Transparent mode)
Note: The following procedure describes how to connect to the FortiBridge CLI using
Windows HyperTerminal software. You can use any terminal emulation software.
FortiBridge-1000 #
You have connected to the FortiBridge CLI, and you can enter CLI commands.
Note: A maximum of 5 Telnet connections to the FortiBridge unit can be open at the same
time.
FortiBridge-1000 #
You have connected to the FortiBridge CLI, and you can enter CLI commands.
Note: Not all of the following procedures are required to complete the basic FortiBridge unit
configuration. Choose the procedures that apply to your installation.
Procedure Description
Upgrading to a new Upgrade to a new FortiBridge firmware version or to a more
firmware version recent build of the same firmware version.
Reverting to a Revert to a previous firmware version. This procedure reverts
previous firmware the FortiBridge unit to its factory default configuration.
version
Installing firmware Install a new firmware version or revert to a previous firmware
from a system reboot version. To use this procedure you must connect to the CLI
using the FortiBridge console port. This procedure reverts the
FortiBridge unit to its factory default configuration.
When you successfully interrupt the startup process, the => prompt appears:
7 Type upgrade and press Enter to get the new firmware image from the TFTP
server.
The following message appears:
Enter TFTP server address [192.168.1.168]:
8 Type the address of the TFTP server and press Enter.
The following message appears:
Enter local address [192.168.1.188]:
9 Type an IP address that the FortiBridge unit can use to connect to the TFTP
server press Enter.
Note: The local IP address is a temporary address used to download the firmware image.
The local IP address should be on the same subnet as the TFTP server IP address.
Note: The information in this chapter can be applied to any standalone FortiGate
transparent mode network configuration. These procedures can also be applied to a
FortiBridge unit providing fail open protection for a FortiGate HA cluster operating in
transparent mode.
(Normal mode)
Internal network
INT 1 EXT 1 Internet
Internal External
Mail server
Probe settings
Configure probe settings to control the response when a FortiBridge probe
detects that the FortiGate unit has failed. Probe settings consist of:
Note: The FortiBridge unit does not have to fail open if the FortiGate unit fails. The
FortiBridge unit can be configured just to send alerts if the FortiGate unit fails.
Enabling probes
Enable probes to control the protocols that the FortiBridge unit uses to confirm
that the FortiGate unit is functioning normally. You can configure probes for ping
(ICMP), HTTP, FTP, POP3, SMTP, and IMAP protocols. For all probes you can
configure the probe interval (the time between consecutive probe packets), and
the probe threshold (the number of probe packets lost before the FortiBridge unit
registers a failure). For HTTP, FTP, POP3, SMTP, and IMAP probes you can also
change the probe port. You would change the probe port for a protocol if the
FortiGate unit uses a non-standard port for that protocol.
The FortiBridge unit simultaneously tests connectivity through the FortiGate unit
for each probe that you have enabled. The first probe that registers a failure
causes all probes to stop and the configured action on failure to occur.
Before you configure probes, the FortiGate unit must be configured to pass the
probe traffic. A single Internal->External firewall policy that allows all traffic also
allows all probe packets. You can also configure individual policies for each
protocol. For example, you could add the policies shown in Figure 14 to the
FortiGate unit.
Policy 1 processes any network traffic. Policy 2 processes all FTP traffic. Policy 2
is above Policy 1 in the policy list, so FTP traffic is matched by policy 2. In the
same way, Policy 3 processes all IMAP traffic.
FTP and IMAP probes would be processed by policies 2 and 3 respectively. All
other probes would be processed by policy 1. This would include pings, SMTP
traffic and so on.
FortiBridge syslog
If you set the probe action on failure to syslog, you can configure FortiBridge
syslog so that the FortiBridge unit sends a syslog message to one syslog server if
the FortiBridge unit detects a failure. The message informs the recipient that a
FortiGate unit has failed, includes the protocol for which the failure was detected,
and includes the serial number of the FortiGate unit that failed.
Only the first probe to detect a failure triggers the actions on failure. So, even if
multiple probes are configured, when a failure is detected, the FortiBridge unit
sends one message.
FortiBridge SNMP
If you set the probe action on failure to snmp, you can configure FortiBridge SNMP
settings so that the FortiBridge unit sends SNMP v1 and v2c compliant traps to
SNMP v1 and v2c compliant SNMP managers if the FortiBridge unit detects a
failure. The traps inform the recipient that a FortiGate unit has failed and include
the protocol for which the failure was detected.
Only the first probe to detect a failure triggers the actions on failure. So, even if
multiple probes are configured, when a failure is detected, the FortiBridge unit
sends one v1 SNMP trap and one v2c SNMP trap.
Configure FortiBridge SNMP by adding and configuring an SNMP community. An
SNMP community is a grouping of equipment for network administration
purposes. You can add up to three SNMP communities. Each community can
have a different configuration for SNMP traps. You can add the IP addresses of up
to 8 SNMP managers to each community.
3 Restore the system configuration from a text file on the TFTP server. Enter:
execute restore config <filename_str> <tftp-server_ipv4>
The config file is copied from the TFTP server to the FortiBridge unit. The
FortiBridge unit reboots loading the new configuration. While the FortiBridge unit
is rebooting, all network traffic passes directly from INT 1 and EXT 1 bypassing
the FortiGate unit.
CLI basics
The FortiBridge CLI functions the same as the FortiOS v2.80 CLI. For information
about the CLI structure, how to get command help, how to use command
completion, and other CLI features, see the FortiOS v2.80 FortiGate CLI
Reference Guide.
For example, to configure the internal interface to accept SSH connections, enter:
config system interface
edit internal
set allowaccess ssh
end
3 Use the following command to configure an interface to accept Telnet
connections:
config system interface
edit <name_str>
set allowaccess telnet
end
Where <name_str> is the name of the FortiBridge interface to be configured to
accept Telnet connections.
For example, to configure the internal interface to accept Telnet connections,
enter:
config system interface
edit internal
set allowaccess telnet
end
Note: Remember to press Enter at the end of each line in the command example. Also,
type end and press Enter to commit the changes to the FortiBridge configuration.
4 To confirm that you have configured SSH or Telnet access correctly, enter the
following command to view the access settings for the interface:
get system interface <name_str>
The CLI displays the settings, including the management access settings, for the
named interface.
alertemail setting
Use this command to configure the FortiBridge unit to send alert email to up to three recipients when
action on failure is set to send a alert email message.
Examples
This example shows how to configure the SMTP server and user name and password, enable
authentication and add two email addresses.
config alertemail setting
set server mail.ourcompany.com
set username fortigate@ourcompany.com
set authenticate enable
set password pwd23
set mailto1 admin1@ourcompany.com
set mailto2 admin2@ourcompany.com
end
This example shows how to display the alertemail settings.
get alertemail setting
This example shows how to display the configuration of the alertemail setting command.
show alertemail setting
Related Commands
• probe setting
Example
This example shows how to enable logging to a remote syslog server, configure an IP address and
port for the server, and enable logging in CSV format.
config log syslogd setting
set status enable
set server 220.210.200.190
set port 601
set csv enable
end
This example shows how to display the log setting for logging to a remote syslog server.
get log syslogd setting
This example shows how to display the configuration for logging to a remote syslog server.
show log syslogd setting
If the show command returns you to the prompt, the settings are at default.
Related Commands
• probe setting
Example
Use the following command to enable HTTP probes and change the HTTP failure threshold to 5 and
the probe interval to 3.
config probe probe_list http
set status enable
set failure_threshold 5
set probe_interval 3
end
This example shows how to display the settings for the probe probe_list command.
get probe probe_list
This example shows how to display the settings for the http probe.
get probe probe_list http
This example shows how to display the configuration for the probe probe_list command.
show probe probe_list
Related Commands
• probe setting
probe setting
Use this command to configure how the FortiBridge unit responds when a probe determines that the
FortiGate unit has failed. You can also configure the dynamic IP pattern used by probes and add the
FortiGate serial number, which is used in FortiBridge alert messages.
Example
Use the following command to configure the FortiBridge unit to send alert email and fail open when a
probe detects a failure, set the IP pattern to 2.2.2.* and add the FGT8002803923050 FortiGate serial
number
config probe setting
set action_on_failure alertmail failopen
set dynamic_ip_pattern 2.2.2.*
set fgt_serial FGT8002803923050
end
Related Commands
• probe probe_list {ping | http | ftp | pop3 | smtp | imap}
system accprofile
Use this command to add access profiles that control administrator access to FortiBridge features.
Each administrator account must include an access profile. You can create access profiles that deny
access to or allow read only, write only, or both read and write access to FortiBridge features.
Example
Use the following commands to add a new access profile named policy_profile that allows read
and write access system shutdown. An administrator account with this access profile can shutdown the
system and upgrade firmware.
config system accprofile
edit policy_profile
set secgrp rw
end
This example shows how to display the settings for the system accprofile command.
get system accprofile
This example shows how to display the settings for the policy_profile access profile.
get system accprofile policy_profile
This example shows how to display the configuration for the system accprofile command.
show system accprofile
This example shows how to display the configuration for the policy_profile access profile.
get system accprofile policy_profile
Related Commands
• system admin
system admin
Use this command to add, edit, and delete administrator accounts.
Use the admin account or an account with system configuration read and write privileges to add new
administrator accounts and control their permission levels. Each administrator account must include
an access profile. You cannot delete the admin administrator account. You cannot change the admin
administrator account permissions.
Example
Use the following commands to add a new administrator account named new_admin with the
password set to p8ssw0rd and that includes an access profile named policy_profile.
Administrators that log in to this account will have administrator access to the FortiBridge unit from any
IP address.
config system admin
edit new_admin
set password p8ssw0rd
set accprofile policy_profile
end
This example shows how to display the settings for the system admin command.
get system admin
This example shows how to display the settings for the new_admin administrator account.
get system admin new_admin
This example shows how to display the configuration for the system admin command.
show system admin
Related Commands
• system accprofile
system console
Use this command to set the console command mode and output setting.
Example
This example shows how to set the number of lines per page to 25.
config system console
set page 25
end
This example shows how to display the settings for the console command.
get system console
This example shows how to display the configuration for the console command.
show system console
system dns
Use this command to set the DNS server addresses. Several FortiBridge functions, including sending
email alerts and URL blocking, use DNS.
On models numbered 100 and lower, you can use this command to set up DNS forwarding.
Example
This example shows how to set the primary FortiBridge DNS server IP address to 45.37.121.76 and
the secondary FortiBridge DNS server IP address to 45.37.121.77.
config system dns
set primary 45.37.121.76
set secondary 45.37.121.77
end
This example shows how to display the settings for the system dns command.
get system dns
This example shows how to display the configuration for the system dns command.
show system dns
system fail_close
Use this command to configure the fail close feature.
Example
This example shows how to enable the FortiBridge fail_close feature, and set the threshold time to five
seconds.
config system fail_close
set status fail_close
set threshold 5
end
This example shows how to display the configuration for the system fail_close command.
show system fail_close
system global
Use this command to configure global settings that affect various FortiBridge systems and
configurations.
Example
This example shows how to set the FortiBridge system timezone, add the IP address of an NTP
server, and enable synchronization with the NTP server. The IP address of the NTP server is
192.168.20.1.
config system global
set timezone 16
set ntpserver 192.168.20.1
set ntpsync enable
end
This example shows how to display the settings for the system global command.
get system global
This example shows how to display the configuration for the system global command.
show system global
Example
This example shows how to set management access for the INT 1 interface to ping, and ssh.
config system interface internal
set allowaccess ping ssh
end
This example shows how to display the settings for the INT 1interface.
get system interface internal
This example shows how to display the configuration for the INT 1interface.
show system interface internal
system manageip
Configure the FortiBridge management IP address. Use the management IP address for management
access to the FortiBridge unit.
Example
This example shows how to set the management IP address to 192.168.2.80 and the netmask to
255.255.255.0.
config system manageip
set ip 192.168.2.80 255.255.255.0
end
This example shows how to display the settings for the manageip command.
get system manageip
This example shows how to display the configuration for the manageip command.
show system manageip
Related Commands
• system interface {internal | external}
system route
Use this command to add or edit FortiBridge static routes.
Example
This example shows how to edit a FortiBridge static route.
config system route
edit 2
set dst 192.168.22.0 255.255.255.0
set gateway 192.168.22.44
end
This example shows how to display the list of static route numbers.
get system route
This example shows how to display the settings for static route 2.
get system route 2
This example shows how to display the static route configuration.
show system route
This example shows how to display the configuration for static route 2.
show system route 2
config hosts
Access the hosts subcommand using the snmp community command. Use this command to add
SNMP manager IP addresses to an SNMP community.
Example
This example shows how to add a new SNMP community named SNMP_Com1. The default
configuration can be used in most cases with only a few modifications. In the example below the
community is added, given a name, and then because this community is for an SNMP manager that is
SNMP v1 compatible, v2c functionality is disabled. After the community is configured the SNMP
manager is added. The SNMP manager IP address is 192.168.20.34.
config system snmp community
edit 1
set name SNMP_Com1
set trap_v2c_status disable
config hosts
edit 1
set ip 192.168.10.34
end
end
This example shows how to display the settings for the system snmp community command.
get system snmp community
This example shows how to display the settings for the SNMP community with ID 1.
get system snmp community 1
This example shows how to display the configuration for the snmp community command.
show system snmp community
This example shows how to display the configuration for the SNMP community with ID 1.
show system snmp community 1
backup
Backup the FortiBridge configuration to a file on a TFTP server.
Command syntax
execute backup config <filename_str> <tftp-server_ipv4>
Example
This example shows how to backup a system configuration file from the FortiBridge unit to a TFTP
server. The name to give the configuration file on the TFTP server is fbdg.cfg. The IP address of the
TFTP server is 192.168.1.23.
execute backup config fbdg.cfg 192.168.1.23
date
Get or set the system date.
Command syntax
execute date [<date_str>]
date_str has the form mm/dd/yyyy, where
• mm is the month and can be 01 to 12
• dd is the day of the month and can be 01 to 31
• yyyy is the year and can be 2001 to 2100
If you do not specify a date, the command returns the current system date.
Example
This example sets the date to 17 September 2004:
execute date 09/17/2004
factoryreset
Reset the FortiBridge configuration to factory default settings.
Command syntax
execute factoryreset
Caution: This procedure deletes all changes that you have made to the FortiBridge configuration and reverts the
! system to its original configuration, including resetting the management IP address.
ping
Send five ICMP echo requests (pings) to test the network connection between the FortiBridge unit and
another network device.
Command syntax
execute ping {<address_ipv4> | <host-name_str>}
Example
This example shows how to ping a host with the IP address 192.168.1.23.
execute ping 192.168.1.23
reboot
Restart the FortiBridge unit.
Command syntax
execute reboot
restore
Use this command to restore a backup configuration and to change the FortiBridge firmware.
Command syntax
execute restore config <filename_str> <tftp-server_ipv4>
execute restore image <filename_str> <tftp-server_ipv4>
Example
This example shows how to upload a configuration file from a TFTP server to the FortiBridge unit and
restart the FortiBridge unit with this configuration. The name of the configuration file on the TFTP
server is backupconfig. The IP address of the TFTP server is 192.168.1.23.
execute restore config backupconfig 192.168.1.23
switch-mode
Use this command to switch between bypass and normal mode.
Command syntax
execute switch-mode
time
Get or set the system time.
Command syntax
execute time [<time_str>]
time_str has the form hh:mm:ss, where
• hh is the hour and can be 00 to 23
• mm is the minutes and can be 00 to 59
• ss is the seconds and can be 00 to 59
If you do not specify a time, the command returns the current system time.
Example
This example sets the system time to 15:31:03:
execute time 15:31:03
Index
A using 47
cluster
accprofile 59 FortiBridge application 15
action on failure command line interface
fail open 37 connecting to 25
probe 37 community
send alertmail 37 adding an SNMP 43
SNMP trap 37 SNMP 42
syslog 37
config 74, 79
action_on_failure 56 CLI commands 51
admingrp 57 config hosts 71
administrative access configuration
for SSH or Telnet 47 backing up and restoring 44
administrator basic FortiBridge 26
adding a password 27 factory default 22
administrator accounts procedures 35
adding 29 configuration example
admintimeout 66 HA cluster 15
alert email other FortiGate interfaces 16
configuring 41 standalone FortiGate unit 9
sample message 41 connect
alertemail setting 52 FortiBridge unit 10
alertmail to the CLI 25
action on failure 37 connecting
action_on_failure 56 FortiBridge unit 23
alerts connectors
configuring 40 FortiBridge-1000 22
allowaccess {http https ping snmp ssh telnet} 68 FortiBridge-1000F 22
authenticate {disable | enable} 52 console
connecting to 25
B csv {disable | enable} 54
customer service 8
backing up
configuration 44
backup 74
D
basic configuration 26 date 75
basic information changing 29
FortiBridge 19 default
basic settings 36 probe settings 37
bypass mode 14 resetting to factory defaults 30
connecting to the CLI 14 default configuration 22
resuming normal mode 43 distance 70
switching to normal mode 14 DNS server
changing IP addresses 28
C dst 70
dst {disable | enable} 66
CLI
basics 47 dynamic IP pattern
config commands 51 probe setting 37
connecting to 25 dynamic_ip_pattern 56
connecting to in bypass mode 14
connecting to the console 25 E
connecting using SSH or Telnet 47
email
connecting using Telnet 26
alert 41
resetting to factory defaults 30
example configuration 9
HA cluster 15 ftp
other FortiGate interfaces 16 probe_list 55
execute
CLI commands 73 G
switch-mode 44
execute switch-mode 14 gateway 70
EXT 1 get system status 63
management access 29
H
F HA cluster
facility 54 FortiBridge application 15
factory default heartbeat 66
configuration 22 hostname 66
resetting 30 HTTP
factoryreset 76 probe 12
fail bypass 64 http
fail close 64 probe_list 55
fail bypass 64
threshold 64 I
fail open 37 image 79
action_on_failure 56 IMAP
recovering from 43 probe 13
failure probe list 39
recovering from 43 imap
failure threshold probe_list 55
tuning 40 installation 19
failure_threshold 55 installing
fgt_serial 56 FortiBridge unit firmware 30
firewall policy interface speed 66
and probes 12 interval
firmware probe 13
install from a system reboot 33 ip 69, 72
installing 30
IP pattern
reverting to a previous version 32
probe setting 37
upgrading to a new version 31
FortiBridge
about 7 L
FortiBridge-1000 7 layer-2 bridge 10
connecting 10, 23 LED indicators
connectors 22 FortiBridge-1000 21
LED indicators 21 FortiBridge-1000F 21
package contents 19 log message 37
turning on 23 sample 41
FortiBridge-1000F 7 log syslogd setting 54
connecting 11, 24 logging 41
connectors 22 configuring 42
LED indicators 21
loggrp 57
package contents 20
turning on 24
FortiGate M
session list showing probes 40 mailto1 52
FortiGate HA cluster mailto2 52
FortiBridge application 15 mailto3 52
FortiGate unit management access to the EXT 1 interface 29
serial number 37 management IP
Fortinet Knowledge Center 8 FortiBridge 10
front panel management IP address
resetting to factory defaults 30 changing 27
FTP mode
configuring probe 39 switching between modes 14
probe 12 mode {batch | line} 61
v2c 42 Telnet
snmp access to CLI 47
action_on_failure 56 connecting to the CLI 26
SSH test_port 55
access to CLI 47 threshold
standalone FortiGate unit 9 fail close 64
static route probe 13
adding 28 time 81
status 54 changing 29
status {disable | enable} 54, 55, 71 timezone 67
switch traffic flow
switching between modes 14 normal mode 11
switching transparent mode
between operating modes 44 example network 9
switch-mode 14, 80 trap
execute 44 SNMP 42
syncinterval 67 trap_v1_lport 71
sysgrp 57 trap_v1_rport 71
syslog 41 trap_v1_status {disable | enable} 71
action_on_failure 56 trap_v2c_lport 71
configuring 42 trap_v2c_rport 71
sample message 41 trap_v2c_status {disable | enable} 71
syslog message 37 trusthost1 59
sysshutdowngrp 57 trusthost2 59
system accprofile 57 trusthost3 59
system admin 59 turning on
system console 61 FortiBridge unit 23
system dns 62
system global 66 U
system interface {internal | external} 68
upgrading
system manageip 69 FortiBridge firmware 31
system route 70 username 52
system snmp community 71
V
T
verifying
technical specifications 21 probes 39
technical support 8