Configuring network interfaces

The network interfaces that are bound to physical ports have three uses:

  • Management—Ports mgmt1 and mgmt2 are management interfaces. Management interfaces are used for administrator connections and to send management traffic, like syslog and SNMP traffic. Typically, administrators use mgmt1 for the management interface.
  • HA—If you plan to deploy HA, you must select a physical port for HA heartbeat and synchronization traffic. Typically, administrators use mgmt2 for the HA interface.
  • Traffic—The remaining physical ports can be used for your target traffic—these are your “traffic interfaces.” The FortiDDoS system is deployed inline (between the Internet and your local network resources). Consecutively numbered ports belong to port pairs: Use an odd port number (1, 3, 5, and so on) for the LAN-side connection and an even port number (2, 4, 6, and so on) for the WAN-side connection. For example, port1 and port2 are a pair. The port1 interface is connected to a switch that connects servers in the local network; the port2 interface is connected to the network path that receives traffic from the Internet.

By default, 1000Base-T copper ports use auto-negotiation to determine the connection speed.

See Appendix G: SFP Compatibility Reference for more information.

Network interface status page

Management interfaces settings page

Network interface configuration guidelines

Settings: Guidelines

Name: Network interface name (assigned by system – non-editable).

Speed: Auto only.

Logical Name: Any description (maximum 15 characters) which provides more information about the network interface.

IPv4/Netmask: Management interfaces only.

Specify the IP address and CIDR-formatted subnet mask, separated by a forward slash ( / ), such as 192.0.2.5/24. Dotted quad formatted subnet masks are not accepted.

IPv6/Prefix: Management interfaces only.

Specify the IP address and CIDR-formatted subnet mask, separated by a forward slash ( / ), such as 2001:0db8:85a3::8a2e:0370:7334/64. Dotted quad formatted subnet masks are not accepted.

Administrative Access: Management interfaces only.

Allow inbound service traffic. Select from the following options:

  • HTTPS—Enables secure connections to the web UI.
  • Ping—Enables ping and traceroute to be received on this network interface. When it receives an ECHO_REQUEST (“ping”), the FortiDDoS system replies with ICMP type 0 (ECHO_RESPONSE or “pong”).
  • SSH—Enables SSH connections to the CLI. We recommend this option instead of Telnet.
  • SNMP—Enables SNMP queries to this network interface.
  • HTTP—HTTP is no longer supported. HTTP access will be referred to HTTPS.
  • TELNET—Enables Telnet connections to the CLI. We recommend this option only for network interfaces connected to a trusted private network, or directly to your management computer.

Note: We recommend that you enable administrative access only on network interfaces connected to trusted private networks or directly to your management computer. SNMP, Telnet and SQL should be used with care.

Configured Status: This indicator displays the Port Configured State (up/down) as set by the user. This state can only be changed via the CLI.

Link Status: The Link Status indicators on the Interface Configuration page display the connectivity status. A green indicator means that the link is connected and negotiation was successful. A red indicator means that the link is not connected or is down.

Note: Settings for speed, duplex, etc. cannot be changed for mgmt1 and mgmt2. The only settings allowed to be changed are:

  • allow access with the interface
  • IP address of interface
  • IPv6 address of interface
  • Logical Name
  • hardware address
  • static or dhcp mode
  • maximum transmission unit

CLI commands for management ports

Modifying settings:

    config system interface
        edit {mgmt1|mgmt2}
            set speed {auto|10half|10full|100half|100full|1000half|1000full}
            set status {up|down}
            set ip <address_ipv4> <netmask_ipv4mask>
            set ipv6 <address_ipv6> <netmask_ipv6mask>
            set logicalname {string – 16 characters a-Z, 0-9, "-", "_"}
            set allowaccess {https ping ssh snmp http telnet sql}
            set mode {static|dhcp}
            set mtu
    end
 
Confirming settings:

    config system interface
        edit {mgmt1|mgmt2}
            show
    end
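
The following is an added example, not Fortinet code: a small Python check that reads saved interface configuration text and flags the administrative-access options the guidelines above single out (Telnet, HTTP, SNMP, SQL), plus logical names that break the 15-character rule. It assumes the saved text uses the same `edit` / `set` / `end` lines as the command syntax on this page; the function names and the sample text are constructed for illustration.

```python
import re
# Services the page says to avoid or use with care on management interfaces.
RISKY = {
    "telnet": "cleartext CLI; the page recommends SSH instead",
    "http": "no longer supported; access is referred to HTTPS",
    "snmp": "page says to use with care",
    "sql": "page says to use with care",
}
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,15}$")  # guideline: max 15 characters

def parse_interfaces(text):
    """Return {interface: {setting: [values]}} from config-style text."""
    interfaces, current = {}, None
    for line in text.splitlines():
        words = line.split()
        if len(words) >= 2 and words[0] == "edit":
            current = interfaces.setdefault(words[1], {})
        elif len(words) >= 2 and words[0] == "set" and current is not None:
            current[words[1]] = words[2:]
        elif words == ["end"]:
            current = None
    return interfaces

def audit(text):
    """Return sorted (interface, finding) tuples for risky settings."""
    findings = []
    for name, cfg in parse_interfaces(text).items():
        access = [svc.lower() for svc in cfg.get("allowaccess", [])]
        findings += [(name, f"{s}: {RISKY[s]}") for s in access if s in RISKY]
        label = " ".join(cfg.get("logicalname", []))
        if label and not NAME_RE.match(label):
            findings.append((name, f"logicalname {label!r} breaks the naming rule"))
    return sorted(findings)

# Constructed sample, not captured from a device; the layout is an assumption.
SAMPLE = """\
config system interface
    edit mgmt1
        set allowaccess https ssh ping
        set logicalname oob-mgmt
    end
config system interface
    edit mgmt2
        set allowaccess https telnet snmp
        set logicalname ha_link_spare_port_2
    end
"""

if __name__ == "__main__":
    print("\n".join(f"{i}: {f}" for i, f in audit(SAMPLE)))
```
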

CLI commands for data ports

Modifying settings:

    config system interface
        edit {portX} (X=1-8|1-16 depending on model)
            set logicalname {string – 16 characters a-Z, 0-9, "-", "_"}
            set status {up|down}
    end
 
Confirming settings:

    config system interface
        edit {portX} (X=1-8|1-16 depending on model)
            show
    end
