Configuring network interfaces

The network interfaces that are bound to physical ports have three uses:

Management—Ports mgmt1 and mgmt2 are management interfaces. Management interfaces are used for administrator connections and to send management traffic, like syslog and SNMP traffic. Typically, administrators use mgmt1 for the management interface.
HA—If you plan to deploy HA, you must select a physical port for HA heartbeat and synchronization traffic. Typically, administrators use mgmt2 for the HA interface.
Traffic—The remaining physical ports can be used for your target traffic—these are your “traffic interfaces.” The FortiDDoS system is deployed inline (between the Internet and your local network resources). Consecutively numbered ports belong to port pairs: Use an odd port numbers (1, 3, 5, and so on) for the LAN-side connection and an even port number (2, 4, 6, and so on) for the WAN-side connection. For example, port1 and port2 are a pair. The port1 interface is connected to a switch that connects servers in the local network; the port2 interface is connected to the network path that receives traffic from the Internet.

By default, 1000Base-T copper ports use auto-negotiation to determine the connection speed.

See Appendix G: SFP Compatibility Reference for more information.

Network interface status page

Management interfaces settings page

Network interface configuration guidelines

Settings	Guidelines
Name	Network interface name (assigned by system – non-editable)
Speed	Auto only.
Logical Name	Any description (maximum 15 characters) which provides more information about the network interface.
IPv4/Netmask	Management interfaces only. Specify the IP address and CIDR-formatted subnet mask, separated by a forward slash ( / ), such as 192.0.2.5/24. Dotted quad formatted subnet masks are not accepted.
IPv6/Prefix	Management interfaces only. Specify the IP address and CIDR-formatted subnet mask, separated by a forward slash ( / ), such as 2001:0db8:85a3:::8a2e:0370:7334/64. Dotted quad formatted subnet masks are not accepted.
Administrative Access	Management interfaces only. Allow inbound service traffic. Select from the following options: HTTPS—Enables secure connections to the web UI. Ping—Enables ping and traceroute to be received on this network interface. When it receives an ECHO_REQUEST (“ping”), the FortiDDoS system replies with ICMP type 0 (ECHO_RESPONSE or “pong”). SSH—Enables SSH connections to the CLI. We recommend this option instead of Telnet. SNMP—Enables SNMP queries to this network interface. HTTP— HTTP is no longer supported. HTTP access will be referred to HTTPS. TELNET—Enables Telnet connections to the CLI. We recommend this option only for network interfaces connected to a trusted private network, or directly to your management computer. Note: We recommend you to enable administrative access only on network interfaces connected to trusted private networks or directly to your management computer. SNMP, Telnet and SQL should be used with care.
Configured Status	This indicator displays Port Configured State up/down as set by the user. This state can only be changed via CLI.
Link Status	The Link Status indicators on the Interface Configuration page display the connectivity status. A green indicator means that the link is connected and negotiation was successful. A red indicator means that the link is not connected or is down.

Note: Settings for speed, duplex, etc. cannot be changed for mgmt1 and mgmt2. The only settings allowed to be changed are:

allow access with the interface
IP address of interface
IP6 IPv6 address of interface
Logical Name
hardware address
static or dhcp mode
maximum transportation unit

CLI commands for management ports

Modifying settings:

    config system interface

	edit {mgmt1|mgmt2}

		set speed {auto|10half|10full|100half|100full|1000half|1000full}

		set status {up|down}

		set ip <address_ipv4> <netmask_ipv4mask>

		set ipv6 <address_ipv6> <netmask_ipv6mask>

		set logicalname {string – 16 characters a-Z, 0-9, “-“, “_”}

		set allowaccess {https ping ssh snmp http telnet sql}

		set mode {static|dhcp}

		set mtu

end

Confirming settings:

	config system interface

	   edit {mgmt1|mgmt2}

  	   show

end

CLI commands for data ports

Modifying settings:

   	config system interface

   	   edit {portX} (X=1-8|1-16 depending on model)

		set logicalname {string – 16 characters a-Z, 0-9, “-“, “_”}

		set status {up|down}

end

Confirming settings:

	config system interface

	   edit {portX} (X=1-8|1-16 depending on model)

	   show

end

CLI commands for network traffic port troubleshooting

   	get transceiver status

   	get transceiver status {portX} (X= 1-20, depending on model)

Optical Transceivers (of all types) vary widely in what readable measurements they support. Fortinet tries to acquire SFPs that support all of the below but cannot guarantee all are supported. You may see 0.0 “N/A” or “??” in fields that are not supported.

Note: Most Short Range and GE or 10EG transceivers do not support reporting of any electrical or optical properties.

Output for get transceiver status (if supported by SFP)

Interface

Temperature (Celsius)

Voltage (v)

Optica Tx Bias

(mA)

Optical Tx Power (dBm)

Optical Rx Power (dBm)

Each cell will have a numerical entry if supported plus characters to indicate quality of the parameter:

++ = high alarm | + = high warning | - = low warning | -- = low alarm | ? = not supported.

Any warning or alarm should be investigated further with the specific port status command.

Example:

port1

31.8

3.32

7.25

-2.3

-3.6

Output for get transceiver status portX (if supported by SFP)

Most vendors will support the following:

Vendor Name: Example - FINSIAR
Part No.: Example - FTL410QE2C
Serial No.: Example - MPM00P9

Support for the following is variable across vendors and types of SFPs.

Note: SR/Multi-Mode transceivers seldom provide any of this information since they are “low stress” parts. 10GE LR transceivers may not provide this information either.

Long Range, higher bandwidth transceivers will usually provide more info.

Output will be formatted as follows:

Measurement Unit	Value	High Alarm	High Warning	Low Warning	Low Alarm
Temperature	Celsius	Look for temperature above High Warning/Alarm
Voltage	Volts	Look for voltage above or below High or Low Warning/Alarm. Nominal voltage is 3.5v
CH1 Tx Bias CH2 Tx Bias CH3 Tx Bias CH4 Tx Bias	mA	Bias is used to indicate aging and infer Tx power and laser aging. Higher Bias is used to increase output power as the laser performance fades with age. Look for Bias that triggers High Warning/Alarm. Note Transceivers use different numbers of channels. GE/10GE/25GE will show a single channel. 40GE/100GE will show 4 channels. Any channel with Warning/Alarm bias level is at best beginning to fail and should be replaced. Use of high bias can increase bit error rates.
CH1 Tx Power CH2 Tx Power CH3 Tx Power CH4 Tx Power	dBm	Very few transceivers will provide explicit Tx power levels. High or low Tx Power can affect bit error rate. High Tx Power may require attenuation on very short connections. Low Tx power may require replacement of the transceiver.
CH1 Rx Power CH2 Rx Power CH3 Rx Power CH4 Rx Power	dBm	Look for Rx above High Warning/Alarm or below Low Warning Alarm. Note Transceivers use different numbers of channels. GE/10GE/25GE will show a single channel. 40GE/100GE will show 4 channels. Even one channel out-of-tolerance will affect bit error rate and reach especially with 40GE/100GE transceivers. If Rx Power is too high, attenuation many be required at the interface. If Rx Power is too low, longer reach transceivers are required at both ends of the link.