
CLI Reference

config system interface


Use this command to configure network interfaces.

Before you begin:
  • You must have read-write permission for system settings.

Syntax

config system interface
    edit port1
        set floating {enable|disable}
        set floating-ip <string>
        set traffic-group <string>
        set allowaccess {http https ping snmp ssh telnet}
        set ip <ip&netmask>
        set ip6 <ip&netmask>
        set mac-addr <xx:xx:xx:xx:xx:xx>
        set mode {static|pppoe|DHCP}
        set disc-retry-timeout <integer>
        set dns-server-override {enable|disable}
        set idle-timeout <integer>
        set lcp-echo-interval <integer>
        set lcp-max-echo-fails <integer>
        set pppoe-default-gateway {enable|disable}
        set username <string>
        set password <passwd>
        set mtu <integer>
        set retrieve_physical_hwaddr {enable|disable}
        set speed {10full | 10half | 100full | 100half | 1000full | 1000half | auto}
        set status {down | up}
        set vdom <datasource>
        set type {vlan|aggregate}
        set retrieve_dhcp_gateway {enable | disable}
        set dhcp-gateway-distance <integer>
        set vlanid <integer>
        set interface <datasource>
        set aggregate-algorithm {layer2 | layer2-3 | layer3-4}
        set aggregate-mode {802.3ad | balance-alb | balance-rr | balance-tlb | balance-xor | broadcast}
        set member <datasource>
        set secondary-ip {enable|disable}
        config secondary-ip-list
            edit 1
                set allowaccess {http https ping snmp ssh telnet}
                set ip <ip&netmask>
                set floating {enable|disable}
                set floating-ip <string>
                set traffic-group <string>
            next
        end
        config ha-node-ip-list
            edit <No.>
                set ip <ip&netmask>
                set node <integer>
                set allowaccess {http https ping snmp ssh telnet}
            next
        end
        set ha-node-secondary-ip {enable|disable}
        config ha-node-secondary-ip-list
            edit <No.>
                set ip <ip&netmask>
                set node <integer>
                set allowaccess {http https ping snmp ssh telnet}
            next
        end
        set trust-ip {enable|disable}
        config trust-ip-list
            edit <name>
                set type {ip-netmask|ip-range}
                set ip-network <ip&netmask>
                set start-ip <ip>
                set end-ip <ip>
            next
            edit <name>
                set type {ip6-netmask|ip6-range}
                set ip6-network <ip6&netmask>
                set start-ip6 <ip6>
                set end-ip6 <ip6>
            next
        end
    next
end

Note: Since the 4.7.0 release, two additional interface types, loopback and soft-switch, are supported. When you set the interface type to soft-switch, be sure to also set the member ports, as in the commands below:

config system interface
    edit "testint"
        set type {loopback | aggregate | soft-switch | vlan}
        set member port8 port9
        … …
    next
end

Note: In the 6.2.0 release, the inter-VDOM routing feature was introduced. It allows traffic to be sent between VDOMs without the additional physical interfaces that multiple-VDOM setups previously required. You create a VDOM-link pair with the config system vdom-link command; this creates the pair of VDOM-link interfaces under config system interface. By default, however, these VDOM links have no IP address and no allowaccess options, so traffic cannot be routed between them until you configure these settings.

Use the following commands to configure the interface settings for the VDOM links:

config system interface
    edit <vdom-link-name0>
        set type vdom-link
        set vdom <vdom-name>
        set ip <ip&netmask>
        set allowaccess {http https ping snmp ssh telnet}
        set description "***"
    next
    edit <vdom-link-name1>
        set type vdom-link
        set vdom <vdom-name>
        set ip <ip&netmask>
        set allowaccess {http https ping snmp ssh telnet}
        set description "***"
    next
end

allowaccess

Allow inbound service traffic. Select from the following options:

  • HTTP—Enables connections to the web UI. We recommend this option only for network interfaces connected to a trusted private network, or directly to your management computer.
  • HTTPS—Enables secure connections to the web UI. We recommend this option instead of HTTP.
  • Ping—Enables ping and traceroute to be received on this network interface. When it receives an ECHO_REQUEST (“ping”), FortiADC replies with ICMP type 0 (ECHO_RESPONSE or “pong”).
  • SNMP—Enables SNMP queries to this network interface.
  • SSH—Enables SSH connections to the CLI. We recommend this option instead of Telnet.
  • Telnet—Enables Telnet connections to the CLI. We recommend this option only for network interfaces connected to a trusted private network, or directly to your management computer.

mac-addr

The MAC address is read from the interface. If necessary, you can set the MAC address.

retrieve_physical_hwaddr

Enable or disable.

mtu

The default is 1500. We recommend you maintain the default.

speed

Select one of the following speed/duplex settings:

  • Auto—Speed and duplex are negotiated automatically. Recommended.
  • 10half—10 Mbps, half duplex.
  • 10full—10 Mbps, full duplex.
  • 100half—100 Mbps, half duplex.
  • 100full—100 Mbps, full duplex.
  • 1000half—1000 Mbps, half duplex.
  • 1000full—1000 Mbps, full duplex.

status

This is not the detected physical link status; it is the administrative status (Up/Down) that indicates whether you permit the network interface to receive and/or transmit packets.

vdom

If applicable, select the virtual domain to which the configuration applies.

mode

  • Static—Specify a static IP address. The IP address must be on the same subnet as the network to which the interface connects. Two network interfaces cannot have IP addresses on the same subnet (i.e. overlapping subnets).
  • PPPoE—Use PPPoE to retrieve a configuration for the IP address, gateway, and DNS server. For example, if this interface uses a DSL connection to the Internet, your ISP may require this option.

type

If you are editing the configuration for a physical interface, you cannot set the type.

If you are configuring a logical interface, you can select from the following options:

  • Aggregate—A logical interface you create to support the aggregation of multiple physical interfaces.
  • VLAN—A logical interface you create as a VLAN subinterface on a single physical interface.

set mode static

ip

Specify the IP address and CIDR-formatted subnet mask, separated by a forward slash ( / ), such as 192.0.2.5/24. Dotted quad formatted subnet masks are not accepted.

ip6

Specify the IPv6 address and CIDR-formatted prefix length, separated by a forward slash ( / ), such as 2001:0db8:85a3::8a2e:0370:7334/64. Dotted quad formatted subnet masks are not accepted.

floating

Enable/Disable floating IP.

floating-ip

Enter the floating IP.

Available only if floating is enabled.

Note:

Ensure that the floating IP differs from the interface IP; otherwise, network issues occur because the two addresses conflict on the same interface/port.

traffic-group

Specify the traffic group object.

set mode pppoe

disc-retry-timeout

Number of seconds the system waits before it retries PPPoE server discovery.

dns-server-override

Use the DNS server addresses retrieved from the PPPoE server instead of those configured in the FortiADC system settings.

idle-timeout

Disconnect after idle timeout in seconds. The default is 0. The valid range is 0 to 32,000.

lcp-echo-interval

LCP echo interval in seconds. The default is 5. The valid range is 1 to 255.

lcp-max-echo-fails

Maximum missed LCP echo messages before disconnect. The default is 3. The valid range is 1 to 255.

pppoe-default-gateway

Use the default gateway retrieved from the PPPoE server instead of the one configured in the FortiADC system settings.

username

PPPoE account user name.

password

PPPoE account password.

set type vlan

vlanid

VLAN ID of packets that belong to this VLAN.

If one physical network port (that is, a VLAN trunk) will handle multiple VLANs, create multiple VLAN subinterfaces on that port, one for each VLAN ID that will be received.

If multiple different physical network ports will handle the same VLANs, on each of the ports, create VLAN subinterfaces that have the same VLAN IDs.

The valid range is between 1 and 4094. The value you specify must match the VLAN ID added by the IEEE 802.1q-compliant router or switch connected to the VLAN subinterface.

interface

Physical interface associated with the VLAN; for example, port2.

set type aggregate

aggregate-algorithm

Connectivity layers that will be considered when distributing frames among the aggregated physical ports:

  • Layer 2
  • Layer 2-3
  • Layer 3-4

aggregate-mode

Link aggregation type:

  • 802.3ad
  • Balance-alb
  • Balance-rr
  • Balance-tlb
  • Balance-xor
  • Broadcast

member

Specify the physical interfaces that are included in the aggregation.

set type loopback

Set as the loopback interface, which is used by other features, such as VS, 1-1 NAT, GLB, VT, OSPF, BGP, etc.

set type soft-switch

Set the interface type used for transparent mode. All interfaces that belong to the same soft-switch are in the same broadcast domain. Using a soft-switch can greatly simplify deployment because customers do not have to change their network topologies when adding new FortiADC devices to their environment.

config secondary-ip-list

allowaccess

Allow inbound service traffic. Specify a space-separated list of the following options:

  • HTTP—Enables connections to the web UI. We recommend this option only for network interfaces connected to a trusted private network, or directly to your management computer.
  • HTTPS—Enables secure connections to the web UI. We recommend this option instead of HTTP.
  • Ping—Enables ping and traceroute to be received on this network interface. When it receives an ECHO_REQUEST (“ping”), FortiADC will reply with ICMP type 0 (ECHO_RESPONSE or “pong”).
  • SNMP—Enables SNMP queries to this network interface.
  • SSH—Enables SSH connections to the CLI. We recommend this option instead of Telnet.
  • Telnet—Enables Telnet connections to the CLI. We recommend this option only for network interfaces connected to a trusted private network, or directly to your management computer.

ip

Secondary IP addresses can be used when you deploy the system so that it belongs to multiple logical subnets. If you assign multiple IP addresses to an interface, you must assign them static addresses.

To add secondary IP addresses, enable the feature and save the configuration. After you have saved it the first time, you can edit it to add secondary IP addresses and enable inbound traffic to that address.

config ha-node-ip-list

allowaccess

Enable inbound service traffic on the IP address for the specified services.

ip

You use the HA node IP list configuration in an HA active-active deployment. For each HA cluster node, configure an HA node IP list that includes an entry for each cluster node. When the appliance is in standalone mode, it uses the physical port IP address; when it is in HA mode, it uses the HA node IP address.

For each address, specify an IP address using the CIDR-formatted subnet mask, separated by a forward slash ( / ), such as 192.0.2.5/24.

node

ID of the corresponding node.

config ha-node-secondary-ip-list

allowaccess

Enable inbound service traffic on the IP address for the specified services.

ip

You use the HA node secondary IP list configuration if the interfaces of the nodes in an HA active-active deployment are configured with secondary IP addresses.

For each address, specify an IP address using the CIDR-formatted subnet mask, separated by a forward slash ( / ), such as 192.0.2.5/24.

node

ID of the corresponding node.

config trust-ip-list

type

Select the IP address type from the following:

  • ip-netmask
  • ip-range
  • ip6-netmask
  • ip6-range

ip-network

If ip-netmask is selected as the address type, specify the IP address and CIDR-formatted subnet mask, separated by a forward slash ( / ), such as 192.0.2.5/24. Dotted quad formatted subnet masks are not accepted.

ip6-network

If ip6-netmask is selected as the address type, specify the IPv6 address and CIDR-formatted prefix length, separated by a forward slash ( / ), such as 2001:0db8:85a3::8a2e:0370:7334/64. Dotted quad formatted subnet masks are not accepted.

start-ip

If ip-range is selected as the address type, specify the start of a range of IP addresses and CIDR-formatted subnet masks, separated by a forward slash ( / ), such as 192.0.2.5/24. Dotted quad formatted subnet masks are not accepted.

end-ip

If ip-range is selected as the address type, specify the end of a range of IP addresses and CIDR-formatted subnet masks, separated by a forward slash ( / ), such as 192.0.2.5/24. Dotted quad formatted subnet masks are not accepted.

start-ip6

If ip6-range is selected as the address type, specify the start of a range of IPv6 addresses and CIDR-formatted prefix length, separated by a forward slash ( / ), such as 2001:0db8:85a3::8a2e:0370:7334/64. Dotted quad formatted subnet masks are not accepted.

end-ip6

If ip6-range is selected as the address type, specify the end of a range of IPv6 addresses and CIDR-formatted prefix length, separated by a forward slash ( / ), such as 2001:0db8:85a3::8a2e:0370:7334/64. Dotted quad formatted subnet masks are not accepted.

Example

The following example configures port1 (the management interface):

FortiADC-VM # get system interface port1
type : physical
mode : static
vdom : root
redundant-primary :
ip : 192.168.1.99/24
ip6 : ::/0
allowaccess : https ping ssh snmp http telnet
mtu : 1500
speed : auto
status : up
mac-addr : 00:0c:29:e8:a0:86
secondary-ip : enable

FortiADC-VM # config system interface
FortiADC-VM (interface) # edit port1
FortiADC-VM (port1) # set ip 192.0.2.5/24
FortiADC-VM (port1) # end

FortiADC-VM # get system interface port1
type : physical
mode : static
vdom : root
redundant-primary :
ip : 192.0.2.5/24
ip6 : ::/0
allowaccess : https ping ssh snmp http telnet
mtu : 1500
speed : auto
status : up
mac-addr : 00:0c:29:e8:a0:86
secondary-ip : enable
trust-ip : enable

The following example configures a floating IP, a secondary IP, and a trust IP list on port1:

config system interface
    edit port1
        set floating enable
        set floating-ip 172.1.1.1
        set traffic-group traffic-group-1
        set secondary-ip enable
        config secondary-ip-list
            edit 1
                set allowaccess ping http https
                set floating enable
                set floating-ip 67.1.1.1
                set traffic-group traffic-group-2
            next
        end
        config trust-ip-list
            edit 1
                set type ip-netmask
                set ip-network 192.1.1.1/32
            next
            edit 2
                set type ip6-netmask
                set ip6-network 2001:0db8:85a3::8a2e:0370:7334/64
            next
            edit 3
                set type ip-range
                set start-ip 192.1.1.1
                set end-ip 255.255.255.255
            next
            edit 4
                set type ip6-range
                set start-ip6 ::
                set end-ip6 FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
            next
        end
    next
end
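As an added defender-side example (not part of the Fortinet reference), the following Python script parses a config system interface block in the syntax shown above and audits it against this page's own guidance: cleartext HTTP/Telnet in allowaccess, a floating IP equal to the interface IP, a vlanid outside 1 to 4094, and trust-ip-list entries as broad as the ranges in the example. The sample configuration and the 2^24-address threshold for "broad" are assumptions of the example.

```python
import ipaddress

# Constructed sample in this page's config/edit/set/next/end syntax (not a real
# device export); the values are chosen so that each check below fires once.
SAMPLE_CONFIG = """\
config system interface
    edit port1
        set ip 192.0.2.5/24
        set allowaccess https ping ssh snmp http telnet
        set floating enable
        set floating-ip 192.0.2.5
        set trust-ip enable
        config trust-ip-list
            edit 3
                set type ip-range
                set start-ip 192.1.1.1
                set end-ip 255.255.255.255
            next
        end
    next
    edit vlan102
        set type vlan
        set vlanid 4095
        set allowaccess https ssh
    next
end
"""

# Services the page recommends only on trusted networks (HTTPS and SSH are preferred).
CLEARTEXT_SERVICES = {"http", "telnet"}
# Audit assumption: a trust entry admitting a /8-sized slice or more is "broad".
BROAD_TRUST_THRESHOLD = 2 ** 24


def parse_config(text):
    """Parse config/edit/set/next/end text into {table: {entry: {key: value}}}.
    'next' closes the open entry; 'end' closes the open table and any entry
    still open inside it (the page's VLAN example finishes with a bare 'end')."""
    root = {}
    frames = [("root", root)]  # stack of (kind, container)
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        _, cur = frames[-1]
        if kw == "config":
            table = {}
            cur[" ".join(args)] = table  # hangs off the root or the open entry
            frames.append(("config", table))
        elif kw == "edit":
            entry = {}
            cur[" ".join(args).strip('"')] = entry
            frames.append(("edit", entry))
        elif kw == "set":
            cur[args[0]] = " ".join(args[1:])
        elif kw in ("next", "end"):
            want = "edit" if kw == "next" else "config"
            while len(frames) > 1:
                kind, _ = frames.pop()
                if kind == want:
                    break
    return root


def trust_entry_size(entry):
    """Number of addresses one trust-ip-list entry admits, for all four types."""
    kind = entry["type"]
    if kind in ("ip-netmask", "ip6-netmask"):
        key = "ip-network" if kind == "ip-netmask" else "ip6-network"
        return ipaddress.ip_network(entry[key], strict=False).num_addresses
    suffix = "" if kind == "ip-range" else "6"
    start = ipaddress.ip_address(entry["start-ip" + suffix])
    end = ipaddress.ip_address(entry["end-ip" + suffix])
    return int(end) - int(start) + 1


def audit_interfaces(cfg):
    """Return one finding per weak setting found under 'config system interface'."""
    findings = []
    for name, iface in cfg.get("system interface", {}).items():
        weak = sorted(set(iface.get("allowaccess", "").split()) & CLEARTEXT_SERVICES)
        if weak:
            findings.append(f"{name}: cleartext management services enabled: {' '.join(weak)}")
        # The page's note: the floating IP must differ from the interface IP.
        host = iface.get("ip", "").split("/")[0]
        if iface.get("floating") == "enable" and host and iface.get("floating-ip") == host:
            findings.append(f"{name}: floating-ip equals interface ip {host}")
        if iface.get("type") == "vlan" and not 1 <= int(iface.get("vlanid", 0)) <= 4094:
            findings.append(f"{name}: vlanid {iface.get('vlanid')} outside 1-4094")
        for eid, entry in iface.get("trust-ip-list", {}).items():
            size = trust_entry_size(entry)
            if size >= BROAD_TRUST_THRESHOLD:
                findings.append(f"{name}: trust-ip-list entry {eid} admits {size} addresses")
    return findings
```

Run audit_interfaces(parse_config(text)) on a saved "show system interface" block to list the findings; an empty list means none of the four checks fired.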

The following example configures VLAN interfaces on port7:

FortiADC-VM # config system interface
FortiADC-VM (interface) # edit vlan102
Add new entry 'vlan102' for node 1
FortiADC-VM (vlan102) # set type vlan
FortiADC-VM (vlan102) # set vlanid 102
FortiADC-VM (vlan102) # set ip 10.10.100.102/32
FortiADC-VM (vlan102) # set interface port7
FortiADC-VM (vlan102) # next
FortiADC-VM (interface) # edit vlan103
Add new entry 'vlan103' for node 1
FortiADC-VM (vlan103) # set type vlan
FortiADC-VM (vlan103) # set vlanid 103
FortiADC-VM (vlan103) # set ip 10.10.103.102/32
FortiADC-VM (vlan103) # set interface port7
FortiADC-VM (vlan103) # end

FortiADC-VM # get system interface
== [ vlan102 ]
type: vlan
vdom: root
redundant-primary: 0
ip: 10.10.100.102/32
ip6: ::/0
allowaccess:
status: up
interface: port7
== [ vlan103 ]
type: vlan
vdom: root
redundant-primary: 0
ip: 10.10.103.102/32
ip6: ::/0
allowaccess:
status: up
interface: port7
