Configuring network interfaces

The network interfaces that are bound to physical ports have three uses:

  • Management—Ports mgmt1 and mgmt2 are management interfaces. Management interfaces are used for administrator connections and to send management traffic, such as syslog and SNMP traffic. Typically, administrators use mgmt1 for the management interface, but either or both can be used.
    • HA—If you plan to deploy HA, you must select a physical management port for HA heartbeat and synchronization traffic. Typically, administrators use mgmt2 for the HA interface with a direct connection between appliances, but either port can be used, even if it is also in use for administrative access, provided both devices have Layer 2 connectivity (not direct-cabled). See System > High Availability for settings and HA system requirements.
  • Traffic—The remaining physical port pairs can be used for data traffic; these are the "Traffic Ports". The FortiDDoS system is deployed inline (between the Internet and your local network resources). Consecutive odd-even ports form port pairs: use odd port numbers (1, 3, 5, and so on) for the LAN-side connection and even port numbers (2, 4, 6, and so on) for the WAN-side connection. For example, port1 and port2 are a pair: port1 is connected to a switch that connects servers in the local network, and port2 is connected to the network path that receives traffic from the Internet.

Note:

  • 1000Base-T/GE copper ports use auto-negotiation to determine the connection speed. No other options are available. All 1000Base-T port-pairs support optional (default) fail-open.

  • LC ports house GE or 10GE optical transceivers, depending on the model. No other speed options are available. All LC port-pairs support optional (default) fail-open.

  • SFP ports support GE SFP (optical or copper) or 10GE SFP optical transceivers, depending on the model. FortiDDoS does not support multi-speed GE/10GE transceivers. All SFP Ports are fail-closed only. Fail-open requires an external 3rd-party bypass bridge.

  • FDD-2000F has a separate front panel 2-link Optical Bypass module that is used with up to 2 pairs of SFP+/QSFP optical transceivers (Single Mode, LR only), to provide fail-open functionality.

See the Quick-Start Guide for further port information and traffic bypass (fail-open) information.

For more information, see Appendix G: SFP Compatibility Reference.

Management interface configurations and status page

The Management Ports status page displays the existing management interface configuration and status information. To change the displayed columns, click the (Gear icon).

To edit an existing management interface configuration, click the (Edit icon) or double-click the row.

Management Ports Settings

Name: The name of the management interface, mgmt1 or mgmt2. This is not configurable.

IPv4/Netmask: IP address of the port with netmask.

IPv6/Prefix: IP address of the port with prefix.

Allow Access: Select any of the following to allow access and monitoring:

  • HTTPS
  • Ping
  • SSH
  • SNMP
  • HTTP
  • Telnet

  Note: HTTP is no longer supported. If enabled, HTTP access is redirected to HTTPS.

  System > Admin > Settings has default ports for the above access settings, which cannot be deleted. You can use these settings, for example, to prevent Telnet access.

Link Status: Displays the port connection status. This is not configurable.

Config Status: Displays the port config status, Enable or Disable.

Network interface status page

The Traffic Ports status page displays the port and link information for existing network interface configurations. To change the displayed columns, click the (Gear icon).

To edit an existing network interface configuration, click the (Edit icon) or double-click the row.

Traffic Ports Settings

Name: The system-defined port and port-pair names. This is not configurable.

Logical Name: The user-configured name for ports or port pairs. Maximum 35 characters, with the following special characters allowed: ! * _ + - , . /

Direction: Displays the port direction (WAN-facing or LAN-facing). This is not configurable. Reminder: odd-numbered ports face the inside network and even-numbered ports face the Internet/ISP.

Link Down Sync: Displays the Link Down Sync setting configured for each port pair.

Duplex: The duplex setting as negotiated automatically by the transceivers. This is not configurable.

Link Speed: The speed setting as negotiated automatically by the transceivers. This is not configurable.

Link Status: The link status as determined by the transceivers.

Config Status: The link status as configured by the administrator.

Gear icon: Click to change the displayed columns.

Edit icon: Click to edit port pair and port settings.

Add Filter: The Traffic Ports list can be filtered by Name, Logical Name, Direction (WAN-facing or LAN-facing), Link Down Sync, Duplex, Link Speed, Link Status and Config Status.

Interface Pair Settings

Status: Enable/Disable this port pair.

Link Down Sync:

  • Wire (recommended) — If a port loses signal (electrical/optical) from the connected device, it reflects this loss of signal to its paired port, propagating the signal loss through the network so that routers and firewalls see the outage and re-route. Higher-layer protocols may detect outages as well.
  • Hub — Loss of signal is not propagated to the other port of the pair.

Add Filter: The Interface Pair list can be filtered by Name, Logical Name, Direction (WAN-facing or LAN-facing), Config Status or Link Status.

Settings such as speed, duplex, etc., cannot be changed for mgmt1 and mgmt2. The only settings that can be changed are:

  • Protocol access to the interface (note: HTTP, if allowed, is always redirected to HTTPS)
  • IP address of the interface
  • IPv6 address of the interface
  • Logical Name
  • Static or DHCP mode
  • Maximum transmission unit (MTU)

CLI commands for management ports

Modifying settings:

    config system interface
        edit {mgmt1|mgmt2}
            set ip <address_ipv4> <netmask_ipv4mask>
            set ipv6 <address_ipv6> <netmask_ipv6mask>
            set logicalname {string: 16 characters, a-Z, 0-9, "-", "_"}
            set allowaccess {https ping ssh snmp http telnet sql}
            set mode {static|dhcp}
            set mtu
        end

Confirming settings:

    config system interface
        edit {mgmt1|mgmt2}
            show
        end
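The following Python script is an added example (not Fortinet code) that audits the output of the confirming commands above for management ports whose Allow Access list includes protocols other than HTTPS, SSH, Ping and SNMP, and builds the corrected set allowaccess command for each. The transcript it parses is constructed, its edit/set/next/end layout is an assumption about what show prints, and the permitted-protocol set is the example's own policy choice.

```python
"""Audit FortiDDoS management-port access settings from a `show` transcript.

Added example, not Fortinet code. SAMPLE_SHOW is constructed, and its
edit/set/next/end layout is an assumption about what `show` prints.
"""
import shlex

# Constructed transcript assumed to come from:
#   config system interface / edit mgmt1 / show   (and the same for mgmt2)
SAMPLE_SHOW = """\
config system interface
    edit "mgmt1"
        set ip 192.0.2.10 255.255.255.0
        set allowaccess https ssh ping snmp
        set mode static
    next
    edit "mgmt2"
        set ip 192.0.2.11 255.255.255.0
        set allowaccess https ping ssh snmp http telnet
        set mode static
    next
end
"""

# Policy for this example: HTTPS and SSH for administration, Ping and SNMP for
# monitoring. Telnet and HTTP are cleartext (the page notes HTTP is only
# redirected to HTTPS anyway), so they are reported if enabled.
PERMITTED_ACCESS = frozenset({"https", "ssh", "ping", "snmp"})


def parse_show(text):
    """Return {interface_name: {setting: [values, ...]}} from a show transcript."""
    interfaces = {}
    current = None
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        if tokens[0] == "edit" and len(tokens) > 1:
            current = tokens[1]
            interfaces[current] = {}
        elif tokens[0] == "set" and current is not None and len(tokens) > 1:
            interfaces[current][tokens[1]] = tokens[2:]
        elif tokens[0] in ("next", "end"):
            current = None
    return interfaces


def audit_allowaccess(interfaces, permitted=PERMITTED_ACCESS):
    """Return {interface: sorted protocols enabled beyond the permitted set}."""
    findings = {}
    for name, settings in interfaces.items():
        extra = sorted(set(settings.get("allowaccess", [])) - permitted)
        if extra:
            findings[name] = extra
    return findings


def remediation(name, interfaces, permitted=PERMITTED_ACCESS):
    """CLI lines that keep only the permitted protocols currently enabled on `name`."""
    keep = sorted(set(interfaces[name].get("allowaccess", [])) & permitted)
    return [
        "config system interface",
        f"    edit {name}",
        f"        set allowaccess {' '.join(keep)}",
        "    end",
    ]


if __name__ == "__main__":
    parsed = parse_show(SAMPLE_SHOW)
    for iface, extra in audit_allowaccess(parsed).items():
        print(f"{iface}: unexpected protocols enabled: {', '.join(extra)}")
        print("\n".join(remediation(iface, parsed)))
```

Run it against a saved show transcript instead of SAMPLE_SHOW to get a per-port list of cleartext or unexpected protocols and the exact command that removes them; the parser only tracks edit/set/next/end, so any other line in the transcript is ignored rather than misread.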

CLI commands for data ports

Modifying settings:

    config system interface
        edit {portX}                (X=1-16 depending on model)
            set logicalname {string: 16 characters, a-Z, 0-9, "-", "_"}
            set status {up|down}
        end

Confirming settings:

    config system interface
        edit {portX}                (X=1-16 depending on model)
            show
        end

CLI commands for network traffic port troubleshooting

    get transceiver status
    get transceiver status {portX}      (X=1-16, depending on model)

Optical transceivers (of all types) vary widely in which readable measurements they support. Fortinet tries to acquire SFPs that support all of the below but cannot guarantee that all are supported. You may see 0.0, "N/A" or "??" in fields that are not supported.

Note: Most Short Range and GE or 10GE transceivers do not support reporting of any electrical or optical properties.

Output for get transceiver status (if supported by SFP)

The output has one row per interface with the following columns:

    Interface   Temperature (Celsius)   Voltage (V)   Optical Tx Bias (mA)   Optical Tx Power (dBm)   Optical Rx Power (dBm)

Each cell will have a numerical entry, if supported, plus characters that indicate the quality of the parameter:

    ++ = high alarm | + = high warning | - = low warning | -- = low alarm | ? = not supported

Any warning or alarm should be investigated further with the port-specific status command.

Example:

    Interface   Temperature (Celsius)   Voltage (V)   Optical Tx Bias (mA)   Optical Tx Power (dBm)   Optical Rx Power (dBm)
    port1       31.8                    3.32          7.25                   -2.3                     -3.6
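As an added example (not Fortinet code), the Python script below parses a constructed copy of this summary table, separates each cell's number from its quality marker, and lists the ports whose readings carry a warning or alarm, which are the ones to follow up with the port-specific command. The column order follows the table above; the whitespace layout of the sample and the exact header wording are assumptions.

```python
"""Parse the summary table of `get transceiver status` and list ports whose
readings carry a warning or alarm marker.

Added example, not Fortinet code. SAMPLE_STATUS is constructed; the column
order follows this page, the whitespace layout is assumed.
"""
import re

# Constructed sample. Columns, in the page's order:
# Interface, Temperature (C), Voltage (V), Tx Bias (mA), Tx Power (dBm), Rx Power (dBm)
SAMPLE_STATUS = """\
Interface  Temp(C)  Volt(V)  TxBias(mA)  TxPower(dBm)  RxPower(dBm)
port1      31.8     3.32     7.25        -2.3          -3.6
port2      31.1     3.30     9.80+       -2.1          -14.2--
port3      ?        ?        ?           ?             ?
port4      0.0      N/A      ??          ??            ??
"""

COLUMNS = ("temperature_c", "voltage_v", "tx_bias_ma", "tx_power_dbm", "rx_power_dbm")

# Marker suffixes as defined on the page. A leading "-" belongs to the number
# (e.g. "-3.6" is a negative dBm value, "-14.2--" is that value at low alarm).
MARKERS = {"++": "high alarm", "+": "high warning", "-": "low warning", "--": "low alarm"}
CELL_RE = re.compile(r"^(-?\d+(?:\.\d+)?)(\+\+|--|\+|-)?$")


def parse_cell(cell):
    """Return (value, status) for one cell; value is None when not reported."""
    m = CELL_RE.match(cell)
    if not m:
        # "?", "??" or "N/A": the transceiver does not report this field.
        return None, "not supported"
    value = float(m.group(1))
    marker = m.group(2)
    # Note: the page says 0.0 can also mean "not supported"; it is kept as a
    # plain value here and never treated as an alarm on its own.
    return value, MARKERS[marker] if marker else "ok"


def parse_status(text):
    """Return {port: {column: (value, status)}} for every data row."""
    rows = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 1 + len(COLUMNS) or not fields[0].startswith("port"):
            continue  # header, blank or malformed line
        rows[fields[0]] = {col: parse_cell(cell) for col, cell in zip(COLUMNS, fields[1:])}
    return rows


def ports_to_investigate(rows):
    """Ports with any warning/alarm marker, with the affected columns and their status."""
    flagged = {}
    for port, cells in rows.items():
        issues = {col: status for col, (_, status) in cells.items()
                  if status not in ("ok", "not supported")}
        if issues:
            flagged[port] = issues
    return flagged


if __name__ == "__main__":
    for port, issues in ports_to_investigate(parse_status(SAMPLE_STATUS)).items():
        print(port, ", ".join(f"{col}: {status}" for col, status in issues.items()))
        print(f"  next step: get transceiver status {port}")
```

The marker regex tries the two-character markers before the one-character ones, so "++" and "--" are never read as two separate warnings; cells the transceiver does not support are kept apart from clean readings so that a port full of "?" is neither flagged nor reported as healthy.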

Output for get transceiver status portX (if supported by SFP)

Most vendors will support the following:

  • Vendor Name: Example - FINSIAR
  • Part No.: Example - FTL410QE2C
  • Serial No.: Example - MPM00P9

Support for the following is variable across vendors and types of SFPs.

Note: SR/Multi-Mode transceivers seldom provide any of this information since they are “low stress” parts. 10GE LR transceivers may not provide this information either.

Long Range, higher bandwidth transceivers will usually provide more info.

Output will be formatted as a table with the columns Measurement, Unit, Value, High Alarm, High Warning, Low Warning and Low Alarm. The rows, and what to look for in each:

Temperature (Celsius): Look for temperature above the High Warning/Alarm threshold.

Voltage (Volts): Look for voltage above or below the High or Low Warning/Alarm thresholds. Nominal voltage is 3.5 V.

CH1 Tx Bias, CH2 Tx Bias, CH3 Tx Bias, CH4 Tx Bias (mA): Bias indicates laser aging and is used to infer Tx power. Higher bias is used to increase output power as laser performance fades with age. Look for bias that triggers a High Warning/Alarm.

Note: Transceivers use different numbers of channels. GE/10GE/25GE will show a single channel; 40GE/100GE will show 4 channels. Any channel whose bias level is at Warning/Alarm is at best beginning to fail and should be replaced. Use of high bias can increase bit error rates.

CH1 Tx Power, CH2 Tx Power, CH3 Tx Power, CH4 Tx Power (dBm): Very few transceivers will provide explicit Tx power levels. High or low Tx power can affect bit error rate. High Tx power may require attenuation on very short connections; low Tx power may require replacement of the transceiver.

CH1 Rx Power, CH2 Rx Power, CH3 Rx Power, CH4 Rx Power (dBm): Look for Rx power above the High Warning/Alarm or below the Low Warning/Alarm thresholds.

Note: Transceivers use different numbers of channels. GE/10GE/25GE will show a single channel; 40GE/100GE will show 4 channels. Even one channel out of tolerance will affect bit error rate and reach, especially with 40GE/100GE transceivers.

If Rx power is too high, attenuation may be required at the interface. If Rx power is too low, longer-reach transceivers are required at both ends of the link.
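As an added example (not Fortinet code), the Python script below reads a constructed per-port detail table in the layout described above, classifies each measurement against its own High/Low Warning and Alarm thresholds channel by channel, and attaches the follow-up action this page recommends for Tx Bias, Tx Power and Rx Power readings. The threshold values and the vendor/part/serial lines are invented, and comparing readings against the thresholds inclusively is an assumption.

```python
"""Check the per-port detail table of `get transceiver status portX` against the
High/Low Warning and Alarm thresholds it reports, channel by channel.

Added example, not Fortinet code. SAMPLE_DETAIL is constructed for a 4-channel
transceiver with invented threshold values; comparing against the thresholds
inclusively is an assumption.
"""

# Constructed detail output in the page's column order:
# Measurement, Unit, Value, High Alarm, High Warning, Low Warning, Low Alarm.
# Tx Power rows are left out because, as the page notes, few transceivers report them.
SAMPLE_DETAIL = """\
Vendor Name   EXAMPLE-VENDOR
Part No.      EXAMPLE-PART
Serial No.    EXAMPLE-SERIAL
Measurement   Unit     Value   High Alarm  High Warning  Low Warning  Low Alarm
Temperature   Celsius  41.5    75.0        70.0          -5.0         -10.0
Voltage       Volts    3.31    3.63        3.47          3.13         2.97
CH1 Tx Bias   mA       7.1     80.0        70.0          4.0          2.0
CH2 Tx Bias   mA       72.3    80.0        70.0          4.0          2.0
CH3 Tx Bias   mA       7.4     80.0        70.0          4.0          2.0
CH4 Tx Bias   mA       7.0     80.0        70.0          4.0          2.0
CH1 Rx Power  dBm      -3.1    3.5         2.5           -11.0        -13.0
CH2 Rx Power  dBm      -3.4    3.5         2.5           -11.0        -13.0
CH3 Rx Power  dBm      -13.8   3.5         2.5           -11.0        -13.0
CH4 Rx Power  dBm      -3.0    3.5         2.5           -11.0        -13.0
"""

FIELDS = ("value", "high_alarm", "high_warning", "low_warning", "low_alarm")


def parse_detail(text):
    """Return [(measurement, unit, {field: float})] for rows with five numeric cells."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 7:
            continue  # vendor, part and serial lines
        try:
            numbers = [float(t) for t in tokens[-5:]]
        except ValueError:
            continue  # header line, or a field reported as N/A or ??
        rows.append((" ".join(tokens[:-6]), tokens[-6], dict(zip(FIELDS, numbers))))
    return rows


def classify(r):
    """Place a reading relative to its thresholds (inclusive, by assumption)."""
    if r["value"] >= r["high_alarm"]:
        return "high alarm"
    if r["value"] >= r["high_warning"]:
        return "high warning"
    if r["value"] <= r["low_alarm"]:
        return "low alarm"
    if r["value"] <= r["low_warning"]:
        return "low warning"
    return "ok"


def advice(measurement, status):
    """The follow-up this page recommends for an out-of-tolerance reading."""
    high = status.startswith("high")
    if "Tx Bias" in measurement:
        return ("laser aging: channel is beginning to fail, replace the transceiver"
                if high else "investigate")
    if "Rx Power" in measurement:
        return ("attenuation may be required at the interface" if high
                else "longer-reach transceivers are required at both ends of the link")
    if "Tx Power" in measurement:
        return ("attenuation may be required on a very short connection" if high
                else "transceiver may need replacement")
    return "investigate"  # Temperature and Voltage


def assess(text):
    """Non-ok readings in table order, each with its status and recommended action."""
    findings = []
    for measurement, unit, reading in parse_detail(text):
        status = classify(reading)
        if status != "ok":
            findings.append({"measurement": measurement, "unit": unit,
                             "value": reading["value"], "status": status,
                             "advice": advice(measurement, status)})
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_DETAIL):
        print(f"{f['measurement']}: {f['value']} {f['unit']} -> {f['status']}; {f['advice']}")
```

Because every channel row is evaluated separately, a single failing lane on a 40GE/100GE part (CH2 bias and CH3 Rx power in the sample) is reported even when the other three channels are clean, which matches the page's point that one out-of-tolerance channel is enough to affect bit error rate and reach.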
