Fortinet Document Library

CLI Reference

6.0.0

system interface

Configure interface settings.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.5.

Command Description

config vrrp

set ignore-default-route {disable | enable}

New option to configure VRRP to enable or disable ignoring the default route when looking for the vrdst IP address.

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.1.

Command Description

set icmp-accept-redirect {enable | disable}

set icmp-send-redirect {enable | disable}

The entry icmp-redirect has been removed and replaced with the ability to enable or disable accepting and sending ICMP redirects.

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command Description

set disconnect-threshold <milliseconds>

Time in milliseconds to wait before sending a notification that this interface is down or disconnected. The range is 0 to 10000 milliseconds (no delay up to ten seconds).

set vrf <id>

Configure Open Shortest Path First (OSPF) support for multiple virtual routing and forwarding (VRF) instances. The range is 0 to 31: FortiOS supports 32 VRFs (numbered 0 to 31) per VDOM.

set switch-controller-arp-inspection {enable | disable}

Enable or disable ARP inspection for FortiSwitch devices.

config ipv6

set vrrp-virtual-mac6 {disable | enable}

set vrip6_link_local

config vrrp6

edit <virtual-router-id>

set vrgrp <group>

set vrip6 <ipv6-address>

set start-time {integer}

set priority <priority>

set adv-interval <time>

set preempt {disable | enable}

set accept-mode {disable | enable}

set vrdst6 <ipv6-ipaddress> [<ipv6-ipaddress>]

set status {disable | enable}

next

...

Virtual Router Redundancy Protocol (VRRP) IPv6 support added.

Optionally, multiple addresses can be specified for vrdst6, with each entry separated by a space.

set type {emac-vlan | ...}

Support for enhanced media access control (MAC) virtual local area networks (VLANs).

set egress-shaping-profile <name>

Apply a traffic shaping profile to an outgoing interface to enforce per-interface bandwidth limits, expressed as percentages.

To configure interface-based traffic shaping, you must classify traffic in a traffic shaping policy, assign bandwidth percentages in a traffic shaping profile, and apply the traffic shaping profile as the egress traffic shaper on an interface.

config system interface
    edit {name}
    # Configure interfaces.
        set name {string}   Name. size[15]
        set vdom {string}   Interface is in this virtual domain (VDOM). size[31] - datasource(s): system.vdom.name
        set vrf {integer}   Virtual Routing Forwarding ID. range[0-31]
        set cli-conn-status {integer}   CLI connection status. range[0-4294967295]
        set fortilink {enable | disable}   Enable FortiLink to dedicate this interface to manage other Fortinet devices.
        set mode {static | dhcp | pppoe}   Addressing mode (static, DHCP, PPPoE).
                static  Static setting.
                dhcp    External DHCP client mode.
                pppoe   External PPPoE mode.
        set distance {integer}   Distance for routes learned through PPPoE or DHCP, lower distance indicates preferred route. range[1-255]
        set priority {integer}   Priority of learned routes. range[0-4294967295]
        set dhcp-relay-service {disable | enable}   Enable/disable allowing this interface to act as a DHCP relay.
        set dhcp-relay-ip {string}   DHCP relay IP address.
        set dhcp-relay-type {regular | ipsec}   DHCP relay type (regular or IPsec).
                regular  Regular DHCP relay.
                ipsec    DHCP relay for IPsec.
        set dhcp-relay-agent-option {enable | disable}   Enable/disable DHCP relay agent option.
        set management-ip {ipv4 classnet host}   High Availability in-band management IP address of this interface.
        set ip {ipv4 classnet host}   Interface IPv4 address and subnet mask, syntax: X.X.X.X/24.
        set allowaccess {option}   Permitted types of management access to this interface.
                ping            PING access.
                https           HTTPS access.
                ssh             SSH access.
                snmp            SNMP access.
                http            HTTP access.
                telnet          TELNET access.
                fgfm            FortiManager access.
                radius-acct     RADIUS accounting access.
                probe-response  Probe access.
                capwap          CAPWAP access.
                ftm             FTM access.
        set gwdetect {enable | disable}   Enable/disable gateway alive detection for this IP address.
        set ping-serv-status {integer}   PING server status. range[0-255]
        set detectserver {string}   Gateway's ping server for this IP.
        set detectprotocol {ping | tcp-echo | udp-echo}   Protocols used to detect the server.
                ping      PING.
                tcp-echo  TCP echo.
                udp-echo  UDP echo.
        set ha-priority {integer}   HA election priority for the PING server. range[1-50]
        set fail-detect {enable | disable}   Enable/disable fail detection features for this interface.
        set fail-detect-option {detectserver | link-down}   Options for detecting that this interface has failed.
                detectserver  Use a ping server to determine if the interface has failed.
                link-down     Use port detection to determine if the interface has failed.
        set fail-alert-method {link-failed-signal | link-down}   Select link-failed-signal or link-down method to alert about a failed link.
                link-failed-signal  Link-failed-signal.
                link-down           Link-down.
        set fail-action-on-extender {soft-restart | hard-restart | reboot}   Action on the extender when the interface fails.
                soft-restart  Soft-restart-on-extender.
                hard-restart  Hard-restart-on-extender.
                reboot        Reboot-on-extender.
        config fail-alert-interfaces
            edit {name}
            # Names of the FortiGate interfaces from which the link failure alert is sent for this interface.
                set name {string}   Names of the physical interfaces belonging to the aggregate or redundant interface. size[64] - datasource(s): system.interface.name
            next
        set dhcp-client-identifier {string}   DHCP client identifier. size[48]
        set dhcp-renew-time {integer}   DHCP renew time in seconds (300-604800), 0 means use the renew time provided by the server. range[300-604800]
        set ipunnumbered {ipv4 address}   Unnumbered IP used for PPPoE interfaces for which no unique local address is provided.
        set username {string}   Username of the PPPoE account, provided by your ISP. size[64]
        set pppoe-unnumbered-negotiate {enable | disable}   Enable/disable PPPoE unnumbered negotiation.
        set password {password_string}   PPPoE account's password. size[128]
        set idle-timeout {integer}   PPPoE auto disconnect after idle timeout seconds, 0 means no timeout. range[0-32767]
        set detected-peer-mtu {integer}   MTU of detected peer (0 - 4294967295). range[0-4294967295]
        set disc-retry-timeout {integer}   Time in seconds to wait before retrying to start a PPPoE discovery, 0 means no timeout. range[0-4294967295]
        set padt-retry-timeout {integer}   PPPoE Active Discovery Terminate (PADT) used to terminate sessions after an idle time. range[0-4294967295]
        set service-name {string}   PPPoE service name. size[63]
        set ac-name {string}   PPPoE server name. size[63]
        set lcp-echo-interval {integer}   Time in seconds between PPPoE Link Control Protocol (LCP) echo requests. range[0-32767]
        set lcp-max-echo-fails {integer}   Maximum missed LCP echo messages before disconnect. range[0-32767]
        set defaultgw {enable | disable}   Enable to get the gateway IP from the DHCP or PPPoE server.
        set dns-server-override {enable | disable}   Enable/disable using the DNS servers acquired by DHCP or PPPoE.
        set auth-type {option}   PPP authentication type to use.
                auto      Automatically choose authentication.
                pap       PAP authentication.
                chap      CHAP authentication.
                mschapv1  MS-CHAPv1 authentication.
                mschapv2  MS-CHAPv2 authentication.
        set pptp-client {enable | disable}   Enable/disable PPTP client.
        set pptp-user {string}   PPTP user name. size[64]
        set pptp-password {password_string}   PPTP password. size[128]
        set pptp-server-ip {ipv4 address}   PPTP server IP address.
        set pptp-auth-type {option}   PPTP authentication type.
                auto      Automatically choose authentication.
                pap       PAP authentication.
                chap      CHAP authentication.
                mschapv1  MS-CHAPv1 authentication.
                mschapv2  MS-CHAPv2 authentication.
        set pptp-timeout {integer}   Idle timer in minutes (0 for disabled). range[0-65535]
        set arpforward {enable | disable}   Enable/disable ARP forwarding.
        set ndiscforward {enable | disable}   Enable/disable NDISC forwarding.
        set broadcast-forward {enable | disable}   Enable/disable broadcast forwarding.
        set bfd {global | enable | disable}   Bidirectional Forwarding Detection (BFD) settings.
        set bfd-desired-min-tx {integer}   BFD desired minimal transmit interval. range[1-100000]
        set bfd-detect-mult {integer}   BFD detection multiplier. range[1-50]
        set bfd-required-min-rx {integer}   BFD required minimal receive interval. range[1-100000]
        set l2forward {enable | disable}   Enable/disable Layer 2 forwarding.
        set icmp-send-redirect {enable | disable}   Enable/disable ICMP send redirect.
        set icmp-accept-redirect {enable | disable}   Enable/disable ICMP accept redirect.
        set vlanforward {enable | disable}   Enable/disable traffic forwarding between VLANs on this interface.
        set stpforward {enable | disable}   Enable/disable STP forwarding.
        set stpforward-mode {rpl-all-ext-id | rpl-bridge-ext-id | rpl-nothing}   Configure STP forwarding mode.
                rpl-all-ext-id     Replace all extension IDs (root, bridge).
                rpl-bridge-ext-id  Replace the bridge extension ID only.
                rpl-nothing        Replace nothing.
        set ips-sniffer-mode {enable | disable}   Enable/disable the use of this interface as a one-armed sniffer.
        set ident-accept {enable | disable}   Enable/disable authentication for this interface.
        set ipmac {enable | disable}   Enable/disable IP/MAC binding.
        set subst {enable | disable}   Enable to always send packets from this interface to a destination MAC address.
        set macaddr {mac address}   Change the interface's MAC address.
        set substitute-dst-mac {mac address}   Destination MAC address that all packets are sent to from this interface.
        set speed {option}   Interface speed. The default setting and the options available depend on the interface hardware.
                auto       Automatically adjust speed.
                10full     10M full-duplex.
                10half     10M half-duplex.
                100full    100M full-duplex.
                100half    100M half-duplex.
                1000full   1000M full-duplex.
                1000half   1000M half-duplex.
                1000auto   1000M auto adjust.
                10000full  10G full-duplex.
                10000auto  10G auto.
                40000full  40G full-duplex.
                25000full  25G full-duplex.
                100Gfull   100G full-duplex.
        set status {up | down}   Bring the interface up or shut the interface down.
                up    Bring the interface up.
                down  Shut the interface down.
        set netbios-forward {disable | enable}   Enable/disable NETBIOS forwarding.
        set wins-ip {ipv4 address}   WINS server IP.
        set type {option}   Interface type.
                physical     Physical interface.
                vlan         VLAN interface.
                aggregate    Aggregate interface.
                redundant    Redundant interface.
                tunnel       Tunnel interface.
                vdom-link    VDOM link interface.
                loopback     Loopback interface.
                switch       Software switch interface.
                hard-switch  Hardware switch interface.
                vap-switch   VAP interface.
                wl-mesh      WLAN mesh interface.
                fext-wan     FortiExtender interface.
                vxlan        VXLAN interface.
                hdlc         T1/E1 interface.
                switch-vlan  Switch VLAN interface.
                emac-vlan    EMAC VLAN interface.
        set dedicated-to {none | management}   Configure interface for single purpose.
                none        Interface not dedicated for any purpose.
                management  Dedicate this interface for management purposes only.
        set trust-ip-1 {ipv4 classnet any}   Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts).
        set trust-ip-2 {ipv4 classnet any}   Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts).
        set trust-ip-3 {ipv4 classnet any}   Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts).
        set trust-ip6-1 {ipv6 prefix}   Trusted IPv6 host for dedicated management traffic (::/0 for all hosts).
        set trust-ip6-2 {ipv6 prefix}   Trusted IPv6 host for dedicated management traffic (::/0 for all hosts).
        set trust-ip6-3 {ipv6 prefix}   Trusted IPv6 host for dedicated management traffic (::/0 for all hosts).
        set mtu-override {enable | disable}   Enable to set a custom MTU for this interface.
        set mtu {integer}   MTU value for this interface. range[0-4294967295]
        set wccp {enable | disable}   Enable/disable WCCP on this interface. Used for encapsulated WCCP communication between WCCP clients and servers.
        set netflow-sampler {disable | tx | rx | both}   Enable/disable NetFlow on this interface and set the data that NetFlow collects (rx, tx, or both).
                disable  Disable NetFlow protocol on this interface.
                tx       Monitor transmitted traffic on this interface.
                rx       Monitor received traffic on this interface.
                both     Monitor transmitted/received traffic on this interface.
        set sflow-sampler {enable | disable}   Enable/disable sFlow on this interface.
        set drop-overlapped-fragment {enable | disable}   Enable/disable dropping of overlapping fragment packets.
        set drop-fragment {enable | disable}   Enable/disable dropping of fragmented packets.
        set scan-botnet-connections {disable | block | monitor}   Enable monitoring or blocking connections to Botnet servers through this interface.
                disable  Do not scan connections to botnet servers.
                block    Block connections to botnet servers.
                monitor  Log connections to botnet servers.
        set src-check {enable | disable}   Enable/disable source IP check.
        set sample-rate {integer}   sFlow sample rate (10 - 99999). range[10-99999]
        set polling-interval {integer}   sFlow polling interval (1 - 255 sec). range[1-255]
        set sample-direction {tx | rx | both}   Data that NetFlow collects (rx, tx, or both).
                tx    Monitor transmitted traffic on this interface.
                rx    Monitor received traffic on this interface.
                both  Monitor transmitted/received traffic on this interface.
        set explicit-web-proxy {enable | disable}   Enable/disable the explicit web proxy on this interface.
        set explicit-ftp-proxy {enable | disable}   Enable/disable the explicit FTP proxy on this interface.
        set proxy-captive-portal {enable | disable}   Enable/disable proxy captive portal on this interface.
        set tcp-mss {integer}   TCP maximum segment size. 0 means do not change segment size. range[0-4294967295]
        set mediatype {option}   Select the SFP media interface type.
                sr   Use Short Range transceiver.
                lr   Use Long Range transceiver.
                cr   Use Copper transceiver.
                sr4  Use Short Range transceiver (4 lanes).
                lr4  Use Long Range transceiver (4 lanes).
                cr4  Use Copper transceiver (4 lanes).
        set inbandwidth {integer}   Bandwidth limit for incoming traffic (0 - 16776000 kbps), 0 means unlimited. range[0-16776000]
        set outbandwidth {integer}   Bandwidth limit for outgoing traffic (0 - 16776000 kbps). range[0-16776000]
        set egress-shaping-profile {string}   Outgoing traffic shaping profile. size[35]
        set disconnect-threshold {integer}   Time in milliseconds to wait before sending a notification that this interface is down or disconnected. range[0-10000]
        set spillover-threshold {integer}   Egress Spillover threshold (0 - 16776000 kbps), 0 means unlimited. range[0-16776000]
        set ingress-spillover-threshold {integer}   Ingress Spillover threshold (0 - 16776000 kbps). range[0-16776000]
        set weight {integer}   Default weight for static routes (if route has no weight configured). range[0-255]
        set interface {string}   Interface name. size[15] - datasource(s): system.interface.name
        set external {enable | disable}   Enable/disable identifying the interface as an external interface (which usually means it's connected to the Internet).
        set vlanid {integer}   VLAN ID (1 - 4094). range[1-4094]
        set forward-domain {integer}   Transparent mode forward domain. range[0-2147483647]
        set remote-ip {ipv4 classnet host}   Remote IP address of tunnel.
        config member
            edit {interface-name}
            # Physical interfaces that belong to the aggregate or redundant interface.
                set interface-name {string}   Physical interface name. size[64] - datasource(s): system.interface.name
            next
        set lacp-mode {static | passive | active}   LACP mode.
                static   Use static aggregation, do not send and ignore any LACP messages.
                passive  Passively use LACP to negotiate 802.3ad aggregation.
                active   Actively use LACP to negotiate 802.3ad aggregation.
        set lacp-ha-slave {enable | disable}   LACP HA slave.
        set lacp-speed {slow | fast}   How often the interface sends LACP messages.
                slow  Send LACP message every 30 seconds.
                fast  Send LACP message every second.
        set min-links {integer}   Minimum number of aggregated ports that must be up. range[1-32]
        set min-links-down {operational | administrative}   Action to take when less than the configured minimum number of links are active.
                operational     Set the aggregate operationally down.
                administrative  Set the aggregate administratively down.
        set algorithm {L2 | L3 | L4}   Frame distribution algorithm.
                L2  Use layer 2 address for distribution.
                L3  Use layer 3 address for distribution.
                L4  Use layer 4 information for distribution.
        set link-up-delay {integer}   Number of milliseconds to wait before considering a link is up. range[50-3600000]
        set priority-override {enable | disable}   Enable/disable fail back to higher priority port once recovered.
        set aggregate {string}   Aggregate interface. size[15]
        set redundant-interface {string}   Redundant interface. size[15]
        config managed-device
            edit {name}
            # Available when FortiLink is enabled, used for managed devices through FortiLink interface.
                set name {string}   Managed dev identifier. size[64]
            next
        set devindex {integer}   Device Index. range[0-4294967295]
        set vindex {integer}   Switch control interface VLAN ID. range[0-65535]
        set switch {string}   Contained in switch. size[15]
        set description {string}   Description. size[255]
        set alias {string}   Alias will be displayed with the interface name to make it easier to distinguish. size[25]
        set security-mode {none | captive-portal | 802.1X}   Turn on captive portal authentication for this interface.
                none            No security option.
                captive-portal  Captive portal authentication.
                802.1X          802.1X port-based authentication.
        set captive-portal {integer}   Enable/disable captive portal. range[0-4294967295]
        set security-mac-auth-bypass {enable | disable}   Enable/disable MAC authentication bypass.
        set security-external-web {string}   URL of external authentication web server. size[127]
        set security-external-logout {string}   URL of external authentication logout server. size[127]
        set replacemsg-override-group {string}   Replacement message override group. size[35]
        set security-redirect-url {string}   URL redirection after disclaimer/authentication. size[127]
        set security-exempt-list {string}   Name of security-exempt-list. size[35]
        config security-groups
            edit {name}
            # User groups that can authenticate with the captive portal.
                set name {string}   Names of user groups that can authenticate with the captive portal. size[64]
            next
        set device-identification {enable | disable}   Enable/disable passive gathering of device identity information about the devices on the network connected to this interface.
        set device-user-identification {enable | disable}   Enable/disable passive gathering of user identity information about users on this interface.
        set device-identification-active-scan {enable | disable}   Enable/disable active gathering of device identity information about the devices on the network connected to this interface.
        set device-access-list {string}   Device access list. size[35]
        set device-netscan {disable | enable}   Enable/disable inclusion of devices detected on this interface in network vulnerability scans.
        set lldp-transmission {enable | disable | vdom}   Enable/disable Link Layer Discovery Protocol (LLDP) transmission.
        set fortiheartbeat {enable | disable}   Enable/disable FortiHeartBeat (FortiTelemetry on GUI).
        set broadcast-forticlient-discovery {enable | disable}   Enable/disable broadcasting FortiClient discovery messages.
        set endpoint-compliance {enable | disable}   Enable/disable endpoint compliance enforcement.
        set estimated-upstream-bandwidth {integer}   Estimated maximum upstream bandwidth (kbps). Used to estimate link utilization. range[0-4294967295]
        set estimated-downstream-bandwidth {integer}   Estimated maximum downstream bandwidth (kbps). Used to estimate link utilization. range[0-4294967295]
        set vrrp-virtual-mac {enable | disable}   Enable/disable use of virtual MAC for VRRP.
        config vrrp
            edit {vrid}
            # VRRP configuration.
                set vrid {integer}   Virtual router identifier (1 - 255). range[1-255]
                set version {2 | 3}   VRRP version.
                        2  VRRP version 2.
                        3  VRRP version 3.
                set vrgrp {integer}   VRRP group ID (1 - 65535). range[1-65535]
                set vrip {ipv4 address any}   IP address of the virtual router.
                set priority {integer}   Priority of the virtual router (1 - 255). range[1-255]
                set adv-interval {integer}   Advertisement interval (1 - 255 seconds). range[1-255]
                set start-time {integer}   Startup time (1 - 255 seconds). range[1-255]
                set preempt {enable | disable}   Enable/disable preempt mode.
                set accept-mode {enable | disable}   Enable/disable accept mode.
                set vrdst {ipv4 address any}   Monitor the route to this destination.
                set vrdst-priority {integer}   Priority of the virtual router when the virtual router destination becomes unreachable (0 - 254). range[0-254]
                set ignore-default-route {enable | disable}   Enable/disable ignoring of default route when checking destination.
                set status {enable | disable}   Enable/disable this VRRP configuration.
                config proxy-arp
                    edit {id}
                    # VRRP Proxy ARP configuration.
                        set id {integer}   ID. range[0-4294967295]
                        set ip {string}   Set IP addresses of proxy ARP.
                    next
            next
        set role {lan | wan | dmz | undefined}   Interface role.
                lan        Connected to local network of endpoints.
                wan        Connected to Internet.
                dmz        Connected to server zone.
                undefined  Interface has no specific role.
        set snmp-index {integer}   Permanent SNMP Index of the interface. range[0-4294967295]
        set secondary-IP {enable | disable}   Enable/disable adding a secondary IP to this interface.
        config secondaryip
            edit {id}
            # Second IP address of interface.
                set id {integer}   ID. range[0-4294967295]
                set ip {ipv4 classnet host}   Secondary IP address of the interface.
                set allowaccess {option}   Management access settings for the secondary IP address.
                        ping            PING access.
                        https           HTTPS access.
                        ssh             SSH access.
                        snmp            SNMP access.
                        http            HTTP access.
                        telnet          TELNET access.
                        fgfm            FortiManager access.
                        radius-acct     RADIUS accounting access.
                        probe-response  Probe access.
                        capwap          CAPWAP access.
                        ftm             FTM access.
                set gwdetect {enable | disable}   Enable/disable gateway alive detection for this IP address.
                set ping-serv-status {integer}   PING server status. range[0-255]
                set detectserver {string}   Gateway's ping server for this IP.
                set detectprotocol {ping | tcp-echo | udp-echo}   Protocols used to detect the server.
                        ping      PING.
                        tcp-echo  TCP echo.
                        udp-echo  UDP echo.
                set ha-priority {integer}   HA election priority for the PING server. range[1-50]
            next
        set preserve-session-route {enable | disable}   Enable/disable preservation of session route when dirty.
        set auto-auth-extension-device {enable | disable}   Enable/disable automatic authorization of dedicated Fortinet extension device on this interface.
        set ap-discover {enable | disable}   Enable/disable automatic registration of unknown FortiAP devices.
        set fortilink-stacking {enable | disable}   Enable/disable FortiLink switch-stacking on this interface.
        set fortilink-split-interface {enable | disable}   Enable/disable FortiLink split interface to connect member link to different FortiSwitch in stack for uplink redundancy (maximum 2 interfaces in the "members" command).
        set internal {integer}   Implicitly created. range[0-255]
        set fortilink-backup-link {integer}   FortiLink split interface backup link. range[0-255]
        set switch-controller-access-vlan {enable | disable}   Block FortiSwitch port-to-port traffic.
        set switch-controller-igmp-snooping {enable | disable}   Switch controller IGMP snooping.
        set switch-controller-dhcp-snooping {enable | disable}   Switch controller DHCP snooping.
        set switch-controller-dhcp-snooping-verify-mac {enable | disable}   Switch controller DHCP snooping verify MAC.
        set switch-controller-dhcp-snooping-option82 {enable | disable}   Switch controller DHCP snooping option82.
        set switch-controller-arp-inspection {enable | disable}   Enable/disable FortiSwitch ARP inspection.
        set switch-controller-learning-limit {integer}   Limit the number of dynamic MAC addresses on this VLAN (1 - 128, 0 = no limit, default). range[0-128]
        set color {integer}   Color of icon on the GUI. range[0-32]
        config tagging
            edit {name}
            # Config object tagging.
                set name {string}   Tagging entry name. size[63]
                set category {string}   Tag category. size[63] - datasource(s): system.object-tagging.category
                config tags
                    edit {name}
                    # Tags.
                        set name {string}   Tag name. size[64] - datasource(s): system.object-tagging.tags.name
                    next
            next
        set forward-error-correction {enable | disable}   Enable/disable forward error correction (FEC Clause 91).
        config ipv6
            set ip6-mode {static | dhcp | pppoe | delegated}   Addressing mode (static, DHCP, PPPoE, delegated).
                    static     Static setting.
                    dhcp       DHCPv6 client mode.
                    pppoe      IPv6 over PPPoE mode.
                    delegated  IPv6 address with delegated prefix.
            set nd-mode {basic | SEND-compatible}   Neighbor discovery mode.
                    basic            Do not support SEND.
                    SEND-compatible  Support SEND.
            set nd-cert {string}   Neighbor discovery certificate. size[35] - datasource(s): certificate.local.name
            set nd-security-level {integer}   Neighbor discovery security level (0 - 7; 0 = least secure, default = 0). range[0-7]
            set nd-timestamp-delta {integer}   Neighbor discovery timestamp delta value (1 - 3600 sec; default = 300). range[1-3600]
            set nd-timestamp-fuzz {integer}   Neighbor discovery timestamp fuzz factor (1 - 60 sec; default = 1). range[1-60]
            set nd-cga-modifier {string}   Neighbor discovery CGA modifier.
            set ip6-dns-server-override {enable | disable}   Enable/disable using the DNS server acquired by DHCP.
            set ip6-address {ipv6 prefix}   Primary IPv6 address prefix, syntax: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx
            config ip6-extra-addr
                edit {prefix}
                # Extra IPv6 address prefixes of interface.
                    set prefix {ipv6 prefix}   IPv6 address prefix.
                next
            set ip6-allowaccess {option}   Allow management access to the interface.
                    ping    PING access.
                    https   HTTPS access.
                    ssh     SSH access.
                    snmp    SNMP access.
                    http    HTTP access.
                    telnet  TELNET access.
                    fgfm    FortiManager access.
                    capwap  CAPWAP access.
            set ip6-send-adv {enable | disable}   Enable/disable sending advertisements about the interface.
            set ip6-manage-flag {enable | disable}   Enable/disable the managed flag.
            set ip6-other-flag {enable | disable}   Enable/disable the other IPv6 flag.
            set ip6-max-interval {integer}   IPv6 maximum interval (4 to 1800 sec). range[4-1800]
            set ip6-min-interval {integer}   IPv6 minimum interval (3 to 1350 sec). range[3-1350]
            set ip6-link-mtu {integer}   IPv6 link MTU. range[1280-16000]
            set ip6-reachable-time {integer}   IPv6 reachable time (milliseconds; 0 means unspecified). range[0-3600000]
            set ip6-retrans-time {integer}   IPv6 retransmit time (milliseconds; 0 means unspecified). range[0-4294967295]
            set ip6-default-life {integer}   Default life (sec). range[0-9000]
            set ip6-hop-limit {integer}   Hop limit (0 means unspecified). range[0-255]
            set autoconf {enable | disable}   Enable/disable address auto config.
            set ip6-upstream-interface {string}   Interface name providing delegated information. size[15] - datasource(s): system.interface.name
            set ip6-subnet {ipv6 prefix}    Subnet to routing prefix, syntax: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx
            config ip6-prefix-list
                edit {prefix}
                # Advertised prefix list.
                    set prefix {ipv6 network}   IPv6 prefix.
                    set autonomous-flag {enable | disable}   Enable/disable the autonomous flag.
                    set onlink-flag {enable | disable}   Enable/disable the onlink flag.
                    set valid-life-time {integer}   Valid life time (sec). range[0-4294967295]
                    set preferred-life-time {integer}   Preferred life time (sec). range[0-4294967295]
                    set rdnss {string}   Recursive DNS server option.
                    config dnssl
                        edit {domain}
                        # DNS search list option.
                            set domain {string}   Domain name. size[79]
                        next
                next
            config ip6-delegated-prefix-list
                edit {prefix-id}
                # Advertised IPv6 delegated prefix list.
                    set prefix-id {integer}   Prefix ID. range[0-4294967295]
                    set upstream-interface {string}   Name of the interface that provides delegated information. size[15] - datasource(s): system.interface.name
                    set autonomous-flag {enable | disable}   Enable/disable the autonomous flag.
                    set onlink-flag {enable | disable}   Enable/disable the onlink flag.
                    set subnet {ipv6 network}    Add subnet ID to routing prefix.
                    set rdnss-service {delegated | default | specify}   Recursive DNS service option.
                            delegated  Delegated RDNSS settings.
                            default    System RDNSS settings.
                            specify    Specify recursive DNS servers.
                    set rdnss {string}   Recursive DNS server option.
                next
            set dhcp6-relay-service {disable | enable}   Enable/disable DHCPv6 relay.
            set dhcp6-relay-type {regular}   DHCPv6 relay type.
                    regular  Regular DHCP relay.
            set dhcp6-relay-ip {string}   DHCPv6 relay IP address.
            set dhcp6-client-options {rapid | iapd | iana}   DHCPv6 client options.
                    rapid  Send rapid commit option.
                    iapd   Send including IA-PD option.
                    iana   Send including IA-NA option.
            set dhcp6-prefix-delegation {enable | disable}   Enable/disable DHCPv6 prefix delegation.
            set dhcp6-information-request {enable | disable}   Enable/disable DHCPv6 information request.
            set dhcp6-prefix-hint {ipv6 network}   DHCPv6 prefix that will be used as a hint to the upstream DHCPv6 server.
            set dhcp6-prefix-hint-plt {integer}   DHCPv6 prefix hint preferred life time (sec), 0 means unlimited lease time. range[0-4294967295]
            set dhcp6-prefix-hint-vlt {integer}   DHCPv6 prefix hint valid life time (sec). range[0-4294967295]
            set vrrp-virtual-mac6 {enable | disable}   Enable/disable virtual MAC for VRRP.
            set vrip6_link_local {ipv6 address}   Link-local IPv6 address of virtual router.
            config vrrp6
                edit {vrid}
                # IPv6 VRRP configuration.
                    set vrid {integer}   Virtual router identifier (1 - 255). range[1-255]
                    set vrgrp {integer}   VRRP group ID (1 - 65535). range[1-65535]
                    set vrip6 {ipv6 address}   IPv6 address of the virtual router.
                    set priority {integer}   Priority of the virtual router (1 - 255). range[1-255]
                    set adv-interval {integer}   Advertisement interval (1 - 255 seconds). range[1-255]
                    set start-time {integer}   Startup time (1 - 255 seconds). range[1-255]
                    set preempt {enable | disable}   Enable/disable preempt mode.
                    set accept-mode {enable | disable}   Enable/disable accept mode.
                    set vrdst6 {ipv6 address}   Monitor the route to this destination.
                    set status {enable | disable}   Enable/disable VRRP.
                next
    next
end

Additional information

The following section is for those options that require additional explanation.

vdom <string>

Name of the VDOM to which this interface belongs, default is root.

mode {static | dhcp | pppoe}

The interface IP addressing mode: static, or obtained from an external DHCP or PPPoE server.

distance <integer>

The administrative distance for routes learned through PPPoE or DHCP, lower distance indicates preferred route for the same destination, value between 1 to 255.

priority <integer>

The priority of routes using this interface, lower priority indicates preferred route for the same destination, value between 0 to 4294967295, available when mode set to DHCP or PPPoE.

dhcp-relay-agent-option {enable | disable}

Enable or disable DHCP relay option 82. See RFC 3046: DHCP Relay Agent Information Option.

dhcp-relay-ip <ip>

The IP of DHCP relay server.

dhcp-relay-service {disable | enable}

Disable or enable DHCP relay service on this interface, default is disable.

dhcp-relay-type {regular | ipsec}

Set a regular or an IPsec relay type on this interface.

dhcp-client-identifier <string>

Used to override the default DHCP client ID created by the FortiGate.

ip <ip & netmask>

The interface's IP and subnet mask, syntax: X.X.X.X/24.

allowaccess {ping | https | ssh | snmp | http | telnet | ...}

Permitted access type on this interface:

  • fgfm: FortiManager access.
  • radius-acct: RADIUS accounting access.
  • probe-response: Probe access.
  • capwap: CAPWAP access.

fail-detect {enable | disable}

Enable or disable interface failure detection options.

fail-detect-option {detectserver | link-down}

Select whether the FortiGate detects interface failure by ping server (detectserver) or port detection (link-down), detectserver is only available in NAT mode.

fail-alert-method {link-failed-signal | link-down}

Select link-failed-signal or link-down method to alert about a failed link.

fail-alert-interfaces {port1 | port2 | ...}

The names of the FortiGate interfaces from which the link failure alert is sent for this interface.

ipunnumbered <ip>

The unnumbered IP used for PPPoE interfaces for which no unique local address is provided. If you have been assigned a block of IP addresses by your ISP, you can add any of these IP addresses.

username <string>

The username of the PPPoE account, provided by your ISP.

password <passwd>

The PPPoE account's password.

idle-timeout <integer>

Idle time in seconds after which the PPPoE session is disconnected, 0 for no timeout.

disc-retry-timeout <integer>

The time in seconds to wait before retrying to start a PPPoE discovery, 0 to disable this feature.

padt-retry-timeout <integer>

PPPoE Active Discovery Terminate (PADT) timeout in seconds used to shut down the PPPoE session if it is idle for this number of seconds. PADT must be supported by your ISP.

service-name <string>

Set a name for this PPPoE service.

ac-name <string>

Set the PPPoE server name.

lcp-echo-interval <integer>

The time in seconds between PPPoE Link Control Protocol (LCP) echo requests, default is 5.

lcp-max-echo-fails <integer>

Maximum number of missed LCP echoes before the PPPoE link is disconnected, default is 3.

defaultgw {enable | disable}

Enable to get the gateway IP from the DHCP or PPPoE server, default is enable.

dns-server-override {enable | disable}

Disable to prevent this interface from using a DNS server acquired via DHCP or PPPoE, default is enable.

pptp-client {enable | disable}

Enable or disable the use of point-to-point tunneling protocol (PPTP) client, available in static mode only, default is disable.

pptp-user <string>

PPTP end user name.

pptp-password <passwd>

PPTP end user password.

pptp-server-ip <ip>

PPTP server's IP address.

pptp-auth-type {auto | pap | chap | mschapv1 | mschapv2}

The server authentication type, default is auto.

pptp-timeout <integer>

Idle timeout in minutes to shut down the PPTP session, values between 0 to 65534 (65534 minutes is 45 days), 0 for disabled, default is 0.

arpforward {enable | disable}

Enable or disable ARP packets forwarding on this interface, default is enable.

broadcast-forward {enable | disable}

Enable or disable automatic forwarding of broadcast packets, default is disable.

priority-override {enable | disable}

Enable or disable fail back to higher priority port once recovered. Once enabled, priority-override on redundant interfaces gives greater priority to interfaces that are higher in the member list.

bfd {global | enable | disable}

Use the global setting, enable, or disable Bidirectional Forwarding Detection (BFD) on this interface. Global BFD settings are in config system settings, default is global.

l2forward {enable | disable}

Enable or disable layer-2 forwarding for this interface, default is disable.

icmp-accept-redirect {enable | disable}

Enable or disable accepting ICMP redirect messages on this interface. This can be useful if you need to disable accepting ICMP redirects while still permitting the sending of ICMP redirects.

icmp-send-redirect {enable | disable}

Enable or disable sending ICMP redirect messages from this interface. The FortiGate sends ICMP redirect messages to notify the original sender of packets that a better route is available, default is enable.

vlanforward {enable | disable}

Enable or disable traffic forwarding between VLANs on this interface, default is disable. This option is only effective in transparent mode.

stpforward {enable | disable}

Enable or disable Spanning Tree Protocol (STP) packet forwarding. STP creates a spanning tree within a network of connected layer-2 bridges while disabling all other links, leaving a single active path between any two network nodes to prevent loops that would flood the network.

stpforward-mode {rpl-all-ext-id | rpl-bridge-ext-id | ...}

Set the STP forward mode:

  • rpl-all-ext-id: Replace all root and bridge extension IDs, the default mode.
  • rpl-bridge-ext-id: Replace the bridge extension ID only.
  • rpl-nothing: Do not replace anything.

ips-sniffer-mode {enable | disable}

Enable or disable the use of this interface as a one-armed sniffer, as part of configuring a FortiGate unit to operate as an IDS appliance that inspects packets for attacks without processing them. When enabled, you cannot use the interface for other traffic, default is disable.

ident-accept {enable | disable}

Enable or disable passing packets identification on TCP port 113 to the firewall policy used to determine a user's identity on a particular TCP connection, default is disable.

switch-controller-access-vlan {enable | disable}

Note: This setting's definition has been modified from a previous release.

VLAN access status:

  • enable: Block FortiSwitch port-to-port traffic on the VLAN, only permitting traffic to and from the FortiGate.
  • disable: Allow normal VLAN traffic.

switch-controller-arp-inspection {enable | disable}

Enable or disable ARP inspection for FortiSwitch devices.

Dynamic ARP Inspection (DAI) enables FortiSwitch to intercept and examine all ARP request and response packets in a subnet and discard those packets with invalid IP to MAC address bindings. DAI can prevent common man-in-the-middle (MiM) attacks such as ARP cache poisoning and disallow mis-configuration of client IP addresses.

ipmac {enable | disable}

Enable or disable IP/MAC binding for the specified interface, default is disable. More information available in config firewall ipmacbinding setting command.

subst {enable | disable}

Enable to always send packets from this interface to the same destination MAC address. Use substitute-dst-mac to set the destination MAC address. Disabled by default.

macaddr <mac>

Override the factory MAC address of this interface by specifying a new MAC address.

substitute-dst-mac <mac>

The destination MAC address that all packets are sent to from this interface if subst is enabled.

speed {auto | 10full | 10half | etc }

The interface speed. The default setting and the speeds available depend on the interface hardware. Most often speed is set to auto and the interface negotiates with connected equipment to select the best speed. You can set specific speeds if the connected equipment doesn't support negotiation. Some FortiGate interface hardware does not support auto, in which case set the interface speed to match the connected network equipment speed.

Enter a space and a “?” after the speed field to display a list of speeds available for your model and interface.

status {up | down}

Start or stop the interface. When stopped, it does not accept or send packets.

If you stop a physical interface, associated virtual interfaces such as VLAN interfaces will also stop.

netbios-forward {disable | enable}

Enable to forward Network Basic Input Output System (NetBIOS) broadcasts to a Windows Internet Name Service (WINS) server.

wins-ip <ip>

The IP address of the WINS server to which NetBIOS broadcasts are forwarded.

type <interface-type>

Enter set type ? to see a list of the interface types that can be created.

mtu-override {enable | disable}

Select enable to use a custom MTU size instead of the default 1500.

mtu <integer>

Set a new MTU value.

wccp {enable | disable}

Enable or disable Web Cache Communication Protocol (WCCP) on this interface, default is disable.

netflow-sampler {disable | tx | rx | both}

Disable or choose how to use netflow on this interface:

  • tx: Monitor transmitted traffic.
  • rx: Monitor received traffic.
  • both: Monitor traffic in both directions.

sflow-sampler {enable | disable}

Enable or disable sflow protocol on this interface, default is disable. More information on sflow in config system sflow command.

drop-overlapped-fragment {enable | disable}

Enable or disable dropping overlapped packet fragments, default is disable.

drop-fragment {enable | disable}

Enable to drop fragmented packets, default is disable.

scan-botnet-connections {disable | block | monitor}

Disable or choose how to handle connections to botnet servers:

  • block: Terminate connections
  • monitor: Log connections.

sample-rate <integer>

The average number of packets that the sFlow Agent lets pass before taking a sample. The range is 10 to 99999. The default is 2000.

For example, if you set this to 1000, the sFlow Agent samples 1 out of every 1000 packets.

If you set a lower rate, the sFlow Agent samples a higher number of packets, which increases the accuracy of the sampling data. However, this also increases the amount of CPU resources and network bandwidth that sFlow uses.

In most cases, the default sample rate of 2000 provides enough accuracy.

polling-interval <integer>

The amount of time, in seconds, that the sFlow Agent waits between sending sFlow Datagrams to the sFlow Collector. The range is 1 to 255 seconds. The default is 20 seconds.

If you set a higher polling interval, the sFlow Agent sends less data across your network, but the sFlow Collector’s view of your network won’t be as up-to-date as it would if you set a lower polling interval.

sample-direction {tx | rx | both}

The direction of the traffic that the sFlow Agent samples:

  • tx: Samples the traffic that the interface sends
  • rx: Samples the traffic that the interface receives
  • both: Samples the traffic that the interface sends and receives

explicit-web-proxy {enable | disable}

Enable or disable explicit Web proxy on this interface, default is disable.

explicit-ftp-proxy {enable | disable}

Enable or disable explicit FTP proxy on this interface, default is disable.

tcp-mss <integer>

The Maximum Segment Size (MSS) for TCP connections; it is used when there is an MTU mismatch or the DF (Don't Fragment) bit is set.

inbandwidth <integer>

The limit of ingress traffic, in Kbit/sec, on this interface, default is 0 which indicates unlimited.

outbandwidth <integer>

The limit of egress traffic, in Kbit/sec, on this interface, default is 0 which indicates unlimited.

spillover-threshold <integer>

Egress Spillover threshold in kbps used for load balancing traffic between interfaces, range from 0 to 16776000, default is 0.

ingress-spillover-threshold <integer>

Ingress Spillover threshold in kbps, range from 0 to 16776000, default is 0.

weight <integer>

Set the default weight for static routes on this interface. This applies when the route has no weight configured.

external {enable | disable}

Enable or disable identifying this interface as connected to the external side.

config managed-device

Available when fortilink is enabled; used for devices managed through the FortiLink interface.

edit <name>

The identifier of the managed device.

description <string>

Optionally describe this interface.

alias <string>

Optionally set an alias which will be displayed with the interface name to make it easier to distinguish.

l2tp-client {enable | disable}

Enable or disable this interface as a Layer 2 Tunneling Protocol (L2TP) client.

You may need to enable l2forward on this interface, default is disable.

security-mode {none | captive-portal}

Available when fortilink is disabled; captive-portal allows access through this interface only to authenticated members.

security-mac-auth-bypass {enable | disable}

Enable or disable MAC address authentication bypass.

security-external-web <string>

The URL of an external authentication web server, available when security-mode is set to captive-portal.

security-external-logout <string>

The URL of an external authentication logout server, available when security-mode is set to captive-portal.

replacemsg-override-group <group-name>

Specify replacement message override group name, this is for captive portal messages when security-mode is set to captive-portal.

security-redirect-url <string>

Specify URL redirection after captive portal authentication or disclaimer.

security-groups <user-group>

Optionally, enter the groups that are allowed access to this interface.

security-exempt-list <name>

Optionally specify the members that will bypass the captive portal authentication.

device-identification {enable | disable}

Enable or disable passive gathering of identity information about source hosts on this interface.

device-user-identification {enable | disable}

Enable or disable passive gathering of user identity information about source hosts on this interface.

device-identification-active-scan {enable | disable}

Enable or disable active gathering of identity information about source hosts on this interface.

device-access-list <name>

Specify the device access list to use which is configured in config user device-access-list.

lldp-transmission {enable | disable | vdom}

Enable, disable, or apply to vdom-level the Link Layer Discovery Protocol (LLDP) transmission for this interface, default is vdom.

fortiheartbeat {enable | disable}

Enable or disable FortiHeartBeat (FortiTelemetry in the GUI), which is used to listen for connections from devices with FortiClient installed, default is disable.

broadcast-forticlient-discovery {enable | disable}

Enable or disable broadcast FortiClient discovery messages, default is disable.

endpoint-compliance {enable | disable}

Enable or disable endpoint compliance enforcement, default is disabled.

estimated-upstream-bandwidth <integer>

Estimated maximum upstream bandwidth in kbps, used to estimate link utilization.

estimated-downstream-bandwidth <integer>

Estimated maximum downstream bandwidth in kbps, used to estimate link utilization.

vrrp-virtual-mac {enable | disable}

Enable or disable the VRRP virtual MAC address feature for the IPv4 VRRP routers added to this interface, default is disable. See RFC 3768 for more information about VRRP.

config vrrp

Configure IPv4 VRRP for this interface.

vrgrp <integer>

VRRP group id.

vrip <ip>

IPv4 address of the virtual router.

priority <integer>

The IPv4 VRRP virtual router's priority, value between 1 to 255, default is 100.

adv-interval <integer>

VRRP advertisement interval in seconds, value between 1 to 255.

start-time <integer>

VRRP startup time in seconds, value between 1 to 255, default is 3.

preempt {enable | disable}

Enable or disable VRRP preempt mode, default is enable.

ignore-default-route {disable | enable}

Enable to configure VRRP to ignore the default route when looking for the vrdst IP address. Disabled by default.

vrdst <ip> [<ip>]

Monitor the route to one or more destination IP addresses. A failure is registered only if all of the configured destination addresses cannot be reached.

status {enable | disable}

Enable or disable this VRRP virtual router. Enabled by default.

role {lan | wan | dmz | undefined}

Optionally choose the interface role:

  • lan: Connected to local network of endpoints.
  • wan: Connected to Internet.
  • dmz: Connected to server zone.
  • undefined: Interface has no specific role.

snmp-index <integer>

Optionally set a permanent SNMP Index of this interface.

secondary-IP {enable | disable}

Enable or disable the use of a secondary address on this interface.

config secondaryip

ip <ip & netmask>

The interface's secondary IP and subnet mask, syntax: X.X.X.X/24.

allowaccess {ping | https | ssh | snmp | http | telnet | ...}

Permitted access type on this secondary IP:

  • fgfm: FortiManager access.
  • radius-acct: RADIUS accounting access.
  • probe-response: Probe access.
  • capwap: CAPWAP access.
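To turn the allowaccess and role settings described above (including allowaccess on secondary IPs) into a repeatable check, the following added Python example parses a `config system interface` dump and flags cleartext management protocols, and management services left open on wan-role interfaces. It is not Fortinet code; the parser, the policy sets and the sample configuration are constructed assumptions.

```python
import shlex

# Assumed policy (constructed for this example): cleartext management protocols
# are never acceptable; on a wan-role interface only ping may stay open.
CLEARTEXT = {"http", "telnet"}
WAN_ALLOWED = {"ping"}

# Constructed sample dump in FortiOS CLI format, not taken from a real device.
SAMPLE_CONFIG = """
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.2 255.255.255.0
        set allowaccess ping https ssh
        set role wan
        config secondaryip
            edit 1
                set ip 203.0.113.3 255.255.255.0
                set allowaccess ping http
            next
        end
    next
    edit "internal"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh snmp telnet fgfm
        set role lan
    next
end
"""


def parse_interfaces(text):
    """Return {name: {"role", "allowaccess", "secondary"}} from a CLI dump.

    Tracks the config/edit nesting so `config secondaryip` allowaccess is
    collected per secondary address; other nested blocks are ignored.
    """
    interfaces, stack, cur, sec = {}, [], None, None
    for raw in text.splitlines():
        words = shlex.split(raw)
        if not words:
            continue
        kw, args = words[0], words[1:]
        if kw == "config":
            stack.append(" ".join(args))
        elif kw == "end" and stack:
            stack.pop()
        elif kw == "edit":
            if stack[-1:] == ["system interface"]:
                cur = {"role": "undefined", "allowaccess": set(), "secondary": []}
                interfaces[args[0]] = cur
            elif stack[-1:] == ["secondaryip"] and cur is not None:
                sec = set()
                cur["secondary"].append(sec)
        elif kw == "next":
            if stack[-1:] == ["secondaryip"]:
                sec = None
            else:
                cur = None
        elif kw == "set" and cur is not None and len(args) >= 2:
            if stack[-1:] == ["secondaryip"]:
                if sec is not None and args[0] == "allowaccess":
                    sec.update(args[1:])
            elif stack[-1:] == ["system interface"]:
                if args[0] == "allowaccess":
                    cur["allowaccess"] = set(args[1:])
                elif args[0] == "role":
                    cur["role"] = args[1]
    return interfaces


def audit(interfaces):
    """Return a list of (interface, finding) tuples, ordered by interface name."""
    findings = []
    for name, itf in sorted(interfaces.items()):
        surfaces = [("primary", itf["allowaccess"])] + [
            (f"secondaryip #{i}", s) for i, s in enumerate(itf["secondary"], 1)]
        for label, access in surfaces:
            clear = sorted(access & CLEARTEXT)
            if clear:
                findings.append((name, f"{label}: cleartext management {','.join(clear)}"))
            if itf["role"] == "wan":
                extra = sorted(access - WAN_ALLOWED)
                if extra:
                    findings.append((name, f"{label}: wan role exposes {','.join(extra)}"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(parse_interfaces(SAMPLE_CONFIG)):
        print(f"{name}: {finding}")
```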

auto-auth-extension-device {enable | disable}

Enable or disable automatic authorization of dedicated Fortinet extension devices on this interface, default is disabled.

ap-discover {enable | disable}

Enable or disable automatic registration of unknown FortiAP devices, default is disable.

fortilink {enable | disable}

Enable or disable FortiLink on this interface to manage other Fortinet devices such as FortiSwitch.

fortilink-stacking {enable | disable}

Enable or disable FortiLink switch-stacking on this interface.

config ipv6

ip6-mode {static | dhcp | delegated}

The addressing mode:

  • static: Static setting, default mode.
  • dhcp: DHCPv6 client.
  • delegated: IPv6 address with delegated prefix.

ip6-dns-server-override {enable | disable}

Enable or disable using DNS acquired by DHCP.

ip6-address <ipv6>

Primary IPv6 address prefix of this interface.

config ip6-extra-addr

edit <prefix>

IPv6 address prefix.

ip6-allowaccess {ping | https | ssh | snmp | http | ...}

Allow management access to the interface:

  • fgfm: FortiManager access.
  • capwap: CAPWAP access.

ip6-send-adv {enable | disable}

Enable or disable the flag indicating whether or not to send periodic router advertisements and to respond to router solicitations. When enabled, this interface's address will be added to the all-routers group (FF02::02) and be included in a Multicast Listener Discovery (MLD) report. If no interfaces on the FortiGate unit have ip6-send-adv enabled, the FortiGate unit will only listen to the all-hosts group (FF02::01), which is explicitly excluded from MLD reports according to RFC 2710 section 5.

When disabled (by default), and autoconf is enabled, the FortiGate unit acts as a stateless address auto-configuration client (SLAAC).

ip6-manage-flag {enable | disable}

Enable or disable the managed address configuration flag in router advertisements, default is enable.

ip6-other-flag {enable | disable}

Enable or disable the other stateful configuration flag in router advertisements, default is enable.

ip6-max-interval <integer>

The maximum time interval, in seconds, between sending unsolicited multicast router advertisements from the interface, value between 4 to 1800, default is 600.

ip6-min-interval <integer>

The minimum time interval, in seconds, between sending unsolicited multicast router advertisements from the interface, value between 3 to 1350, default is 198.

ip6-link-mtu <integer>

The link MTU to be added to the router advertisements options field, 0 means that no MTU options are sent.

ip6-reachable-time <integer>

The time, in milliseconds, to be added to the reachable time field in the router advertisements, value between 0 to 3600000, default is 0 which means no reachable time is specified.

ip6-retrans-time <integer>

The number, in milliseconds, to be added to the Retrans Timer field in the router advertisements, default is 0 which means that the Retrans Timer is not specified.

ip6-default-life <integer>

The time, in seconds, to be added to the Router Lifetime field of router advertisements sent from the interface, default is 1800.

vrrp-virtual-mac6 {enable | disable}

Enable or disable the VRRP virtual MAC address feature for the IPv6 VRRP routers added to this interface, default is disable. See RFC 3768 for more information about VRRP.

config ip6-prefix-list

edit <prefix>

Enter the IPv6 prefix you want to configure.

autonomous-flag {enable | disable}

Set the state of the autonomous flag for this IPv6 prefix, default is disable.

onlink-flag {enable | disable}

Set the state of the on-link flag in this IPv6 prefix, default is disable.

valid-life-time <integer>

The valid lifetime in seconds for this IPv6 prefix, default is 2592000 (30 days).

preferred-life-time <integer>

The preferred lifetime in seconds, default is 604800 (7 days).

config ip6-delegated-prefix-list

edit <prefix-id>

An ID (integer) for this ip6 delegated prefix.

upstream-interface <interface>

The interface name from where delegated information is provided.

autonomous-flag {enable | disable}

Set the state of the autonomous flag for this IPv6 delegated prefix, default is disable.

onlink-flag {enable | disable}

Set the state of the on-link flag in this IPv6 delegated prefix, default is disable.

subnet <ipv6_net>

Subnet to routing prefix, syntax: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx

ip6-hop-limit <integer>

The number to be added to the Cur Hop Limit field in the router advertisements sent out this interface, default is 0 which means no hop limit is specified.
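As an added example (not Fortinet code), the following Python maps the ip6-manage-flag, ip6-other-flag, ip6-hop-limit, ip6-default-life, ip6-reachable-time, ip6-retrans-time, ip6-link-mtu and ip6-prefix-list options above onto the RFC 4861 Router Advertisement wire format and decodes the result back, so you can see which header field or option each setting controls and what a host, or an RA-guard style monitor, will actually read. The sample settings are constructed, and the ICMPv6 checksum is left as zero because it is computed over the IPv6 pseudo-header, which is outside this example.

```python
import ipaddress
import struct

# RFC 4861 constants (protocol values, not FortiOS values).
ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFORMATION = 3
OPT_MTU = 5
RA_HEADER = "!BBHBBHII"    # type, code, checksum, hop limit, flags, lifetime, reachable, retrans
PREFIX_BODY = "!BBIII16s"  # prefix length, flags, valid, preferred, reserved, prefix


def build_ra(settings):
    """Encode the ICMPv6 RA body for one interface's ip6-* settings.

    `settings` uses this page's option names; defaults follow the page.
    Checksum stays 0 (needs the IPv6 pseudo-header, out of scope here).
    """
    flags = 0
    if settings.get("ip6-manage-flag") == "enable":
        flags |= 0x80  # M: hosts obtain addresses via DHCPv6
    if settings.get("ip6-other-flag") == "enable":
        flags |= 0x40  # O: hosts obtain other configuration (e.g. DNS) via DHCPv6
    ra = struct.pack(
        RA_HEADER, ICMPV6_ROUTER_ADVERTISEMENT, 0, 0,
        settings.get("ip6-hop-limit", 0),        # Cur Hop Limit, 0 = unspecified
        flags,
        settings.get("ip6-default-life", 1800),  # Router Lifetime (sec)
        settings.get("ip6-reachable-time", 0),   # ms, 0 = unspecified
        settings.get("ip6-retrans-time", 0),     # ms, 0 = unspecified
    )
    mtu = settings.get("ip6-link-mtu", 0)
    if mtu:  # 0 means no MTU option is sent
        ra += struct.pack("!BBHI", OPT_MTU, 1, 0, mtu)
    for entry in settings.get("ip6-prefix-list", []):
        net = ipaddress.IPv6Network(entry["prefix"])
        pflags = 0
        if entry.get("onlink-flag") == "enable":
            pflags |= 0x80  # L: prefix is on-link
        if entry.get("autonomous-flag") == "enable":
            pflags |= 0x40  # A: hosts may form SLAAC addresses from this prefix
        ra += struct.pack("!BB", OPT_PREFIX_INFORMATION, 4) + struct.pack(
            PREFIX_BODY, net.prefixlen, pflags,
            entry.get("valid-life-time", 2592000),
            entry.get("preferred-life-time", 604800),
            0, net.network_address.packed,
        )
    return ra


def parse_ra(data):
    """Decode an RA body back into the page's option names (inverse of build_ra)."""
    typ, code, _csum, hop, flags, life, reach, retrans = struct.unpack_from(RA_HEADER, data)
    if typ != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a Router Advertisement")
    out = {
        "ip6-hop-limit": hop,
        "ip6-manage-flag": "enable" if flags & 0x80 else "disable",
        "ip6-other-flag": "enable" if flags & 0x40 else "disable",
        "ip6-default-life": life,
        "ip6-reachable-time": reach,
        "ip6-retrans-time": retrans,
        "ip6-link-mtu": 0,
        "ip6-prefix-list": [],
    }
    off = struct.calcsize(RA_HEADER)
    while off + 2 <= len(data):
        otype, olen = data[off], data[off + 1]
        if olen == 0 or off + olen * 8 > len(data):
            raise ValueError("malformed option")  # RFC 4861: such packets must be discarded
        body = data[off + 2:off + olen * 8]
        if otype == OPT_MTU and olen == 1:
            out["ip6-link-mtu"] = struct.unpack_from("!I", body, 2)[0]
        elif otype == OPT_PREFIX_INFORMATION and olen == 4:
            plen, pflags, valid, pref, _res, raw = struct.unpack(PREFIX_BODY, body)
            out["ip6-prefix-list"].append({
                "prefix": str(ipaddress.IPv6Network((raw, plen))),
                "onlink-flag": "enable" if pflags & 0x80 else "disable",
                "autonomous-flag": "enable" if pflags & 0x40 else "disable",
                "valid-life-time": valid,
                "preferred-life-time": pref,
            })
        off += olen * 8  # unrecognised options are skipped, as RFC 4861 requires
    return out


# Constructed settings for one interface (not from a real device).
SAMPLE_SETTINGS = {
    "ip6-manage-flag": "disable", "ip6-other-flag": "enable",
    "ip6-hop-limit": 64, "ip6-default-life": 1800, "ip6-link-mtu": 1500,
    "ip6-prefix-list": [{"prefix": "2001:db8:1::/64",
                         "autonomous-flag": "enable", "onlink-flag": "enable"}],
}

if __name__ == "__main__":
    packet = build_ra(SAMPLE_SETTINGS)
    print(len(packet), "bytes:", packet.hex())
    for key, value in parse_ra(packet).items():
        print(f"{key:22} {value}")
```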

nd-mode {basic | SEND-compatible}

Neighbor discovery mode, default is basic.

dhcp6-relay-service {disable | enable}

Enable or disable DHCP relay service for IPv6.

dhcp6-relay-type {regular}

Regular DHCP relay.

dhcp6-relay-ip <ipv6>

The IPv6 address of one or more DHCP relays.

dhcp6-prefix-delegation {disable | enable}

Enable or disable DHCPv6 prefix delegation, default is disable.

dhcp6-prefix-hint <ipv6_net>

DHCPv6 prefix that will be used as a hint to the upstream DHCPv6 server.

dhcp6-prefix-hint-plt <integer>

DHCPv6 prefix hint preferred life time in seconds, default is 604800 (7 days).

dhcp6-prefix-hint-vlt <integer>

DHCPv6 prefix hint valid life time in seconds, default is 2592000 (30 days).

config vrrp6

Configure IPv6 VRRP.

vrgrp <integer>

IPv6 VRRP group id.

vrip6 <ipv6-ip>

IPv6 address of the virtual router.

priority <integer>

The IPv6 VRRP virtual router's priority, value between 1 to 255, default is 100.

adv-interval <integer>

IPv6 VRRP advertisement interval in seconds, value between 1 to 255.

start-time <integer>

VRRP startup time in seconds, value between 1 to 255, default is 3.

preempt {enable | disable}

Enable or disable VRRP preempt mode, default is enable.

vrdst6 <ipv6-ip> [<ipv6-ip>]

Monitor the route to one or more destination IPv6 addresses. A failure is registered only if all of the configured destination addresses cannot be reached.

status {enable | disable}

Enable or disable this IPv6 VRRP virtual router. Enabled by default.

config l2tp-client-settings

user <string>

L2TP user name.

password <passwd>

L2TP password.

peer-host <string>

The host name.

peer-mask <netmask>

The netmask.

peer-port <integer>

The port used to connect to L2TP peers, default is 1701.

auth-type {auto | pap | chap | mschapv1 | mschapv2}

Type of authentication used with this client:

  • auto — automatically choose type of authentication (default).
  • pap — use Password Authentication Protocol.
  • chap — use Challenge-Handshake Authentication Protocol.
  • mschapv1 — use Microsoft version of CHAP version 1.
  • mschapv2 — use Microsoft version of CHAP version 2.

mtu <integer>

The Maximum Transmission Unit (MTU), value between 40 and 65535, default is 1460.

distance <integer>

The administration distance of learned routes, value between 1 to 255, default is 2.

priority <integer>

The routes priority learned through L2TP.

defaultgw {enable | disable}

Enable or disable the use the default gateway, default is disable.

wifi-ap-band {any | 5g-preferred | 5g-only}

For a FortiWiFi WiFi interface operating in client mode, you can configure the WiFi band that the interface can connect to. You can configure the interface to connect to any band, just to the 5G band, or to prefer connecting to the 5G band.

Aggregate and redundant interface options

Options for aggregate and redundant interfaces (some FortiGate models). These options are available only when type is aggregate or redundant.

algorithm {L2 | L3 | L4}

Enter the algorithm used to control how frames are distributed across links in an aggregated interface (also called a Link Aggregation Group (LAG)). The algorithm must match that used by connected switches. Enter one of:

L2 — use source and destination MAC addresses.

L3 — use source and destination IP addresses, fall back to L2 algorithm if IP information is not available.

L4 — (default) use TCP, UDP or ESP header information.

lacp-ha-slave {enable | disable}

This option affects how the aggregate interface participates in Link Aggregation Control Protocol (LACP) negotiation when HA is enabled for the VDOM. It takes effect only if Active-Passive HA is enabled and lacp-mode is not static. Enter enable to participate in LACP negotiation as a slave or disable to not participate. Enabled by default.

lacp-mode {active | passive | static}

Enter one of active, passive, or static.

active — (default) send LACP PDU packets to negotiate link aggregation connections.

passive — respond to LACP PDU packets and negotiate link aggregation connections.

static — link aggregation is configured statically.

lacp-speed {fast | slow}

slow — (default) sends LACP PDU packets every 30 seconds to negotiate link aggregation connections.

fast — sends LACP PDU packets every second, as recommended in the IEEE 802.3ad standard.

Available only when type is aggregate.

member <if_name1> <if_name2> ...

Specify a list of physical interfaces that are part of an aggregate or redundant group. To modify a list, enter the complete revised list.

If VDOMs are enabled, then vdom must be set the same for each interface before you enter the member list.

An interface is available to be part of an aggregate or redundant group only if:

  • it is a physical interface, not a VLAN interface
  • it is not already part of an aggregated or redundant interface
  • it is in the same VDOM as the aggregated interface
  • it has no defined IP address and is not configured for DHCP or PPPoE
  • it has no DHCP server or relay configured on it
  • it does not have any VLAN subinterfaces
  • it is not referenced in any firewall policy, VIP or multicast policy
  • it is not an HA heartbeat device or monitored by HA

In a redundant group, failover to the next member interface happens when the active interface fails or is disconnected.

The order you specify the interfaces in the member list is the order they will become active in the redundant group. For example if you enter set member port5 port1, then port5 will be active at the start, and when it fails or is disconnected port1 will become active.

This is only available when type is aggregate or redundant.

min-links <int>

When type is aggregate, set the minimum number of members that must be working. Default is 1.

min-links-down {operational | administrative}

When type is aggregate and the interface is down because of the min-links limit, choose whether the interface is down operationally or only administratively. Default is operational.
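The member eligibility rules, the redundant-group ordering and the min-links limit above, as an added Python check that is not FortiOS code: the Interface model and the sample interface table are constructed for the example, and the emitted CLI uses only the options documented on this page.

```python
"""Validate candidate members for an aggregate or redundant interface against the
rules listed above, then emit the matching FortiOS CLI block.

Added illustration only. The Interface dataclass is an assumed, simplified model
of what a FortiGate knows about each port; it is not a FortiOS data structure.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Interface:
    name: str
    type: str = "physical"            # physical, vlan, aggregate, redundant, ...
    vdom: str = "root"
    ip: str = ""                      # empty string = no address configured
    mode: str = "static"              # static, dhcp or pppoe
    dhcp_server_or_relay: bool = False
    vlan_subinterfaces: int = 0
    referenced_by: List[str] = field(default_factory=list)  # policies, VIPs, multicast
    lag_member_of: str = ""           # parent aggregate/redundant interface, if any
    ha_heartbeat_or_monitored: bool = False


def membership_problems(candidate: Interface, lag_vdom: str) -> List[str]:
    """Return every rule from the list above that the candidate violates."""
    problems = []
    if candidate.type != "physical":
        problems.append("not a physical interface")
    if candidate.lag_member_of:
        problems.append(f"already a member of {candidate.lag_member_of}")
    if candidate.vdom != lag_vdom:
        problems.append(f"in VDOM {candidate.vdom}, but the group is in {lag_vdom}")
    if candidate.ip or candidate.mode in ("dhcp", "pppoe"):
        problems.append("has an IP address or uses DHCP/PPPoE")
    if candidate.dhcp_server_or_relay:
        problems.append("has a DHCP server or relay configured")
    if candidate.vlan_subinterfaces:
        problems.append("has VLAN subinterfaces")
    if candidate.referenced_by:
        problems.append("referenced by " + ", ".join(candidate.referenced_by))
    if candidate.ha_heartbeat_or_monitored:
        problems.append("used as HA heartbeat or monitored by HA")
    return problems


def validate_members(members: List[Interface], vdom: str) -> List[str]:
    """Collect violations for the whole member list (empty list = all eligible)."""
    errors = []
    for m in members:
        errors.extend(f"{m.name}: {p}" for p in membership_problems(m, vdom))
    names = [m.name for m in members]
    if len(set(names)) != len(names):
        errors.append("duplicate member names in list")
    return errors


def redundant_active_order(members: List[Interface]) -> List[str]:
    """For type redundant, the list order is the activation order: first is active."""
    return [m.name for m in members]


def build_lag_cli(name: str, lag_type: str, members: List[Interface], vdom: str,
                  lacp_mode: str = "active", min_links: int = 1,
                  algorithm: str = "L4") -> str:
    """Return the CLI for the group, or raise ValueError listing every violation."""
    if lag_type not in ("aggregate", "redundant"):
        raise ValueError("type must be aggregate or redundant")
    errors = validate_members(members, vdom)
    if lag_type == "aggregate" and not 1 <= min_links <= len(members):
        errors.append("min-links must be between 1 and the number of members")
    if errors:
        raise ValueError("; ".join(errors))
    lines = [
        "config system interface",
        f"    edit {name}",
        f"        set vdom {vdom}",
        f"        set type {lag_type}",
        "        set member " + " ".join(m.name for m in members),
    ]
    if lag_type == "aggregate":        # LACP and min-links options apply to aggregate only
        lines += [f"        set lacp-mode {lacp_mode}",
                  f"        set min-links {min_links}",
                  f"        set algorithm {algorithm}"]
    lines += ["    next", "end"]
    return "\n".join(lines)


# Constructed sample interface table.
PORT5 = Interface("port5")
PORT1 = Interface("port1")
PORT3 = Interface("port3", ip="10.0.0.1/24", referenced_by=["policy 7"])
VLAN100 = Interface("port4.100", type="vlan")

if __name__ == "__main__":
    print(build_lag_cli("agg1", "aggregate", [PORT5, PORT1], "root", min_links=2))
    print(build_lag_cli("red1", "redundant", [PORT5, PORT1], "root"))
    print(validate_members([PORT3, VLAN100], "root"))
```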


config system interface
    edit {name}
    # Configure interfaces.
        set name {string}   Name. size[15]
        set vdom {string}   Interface is in this virtual domain (VDOM). size[31] - datasource(s): system.vdom.name
        set vrf {integer}   Virtual Routing Forwarding ID. range[0-31]
        set cli-conn-status {integer}   CLI connection status. range[0-4294967295]
        set fortilink {enable | disable}   Enable FortiLink to dedicate this interface to manage other Fortinet devices.
        set mode {static | dhcp | pppoe}   Addressing mode (static, DHCP, PPPoE).
                static  Static setting.
                dhcp    External DHCP client mode.
                pppoe   External PPPoE mode.
        set distance {integer}   Distance for routes learned through PPPoE or DHCP, lower distance indicates preferred route. range[1-255]
        set priority {integer}   Priority of learned routes. range[0-4294967295]
        set dhcp-relay-service {disable | enable}   Enable/disable allowing this interface to act as a DHCP relay.
        set dhcp-relay-ip {string}   DHCP relay IP address.
        set dhcp-relay-type {regular | ipsec}   DHCP relay type (regular or IPsec).
                regular  Regular DHCP relay.
                ipsec    DHCP relay for IPsec.
        set dhcp-relay-agent-option {enable | disable}   Enable/disable DHCP relay agent option.
        set management-ip {ipv4 classnet host}   High Availability in-band management IP address of this interface.
        set ip {ipv4 classnet host}   Interface IPv4 address and subnet mask, syntax: X.X.X.X/24.
        set allowaccess {option}   Permitted types of management access to this interface.
                ping            PING access.
                https           HTTPS access.
                ssh             SSH access.
                snmp            SNMP access.
                http            HTTP access.
                telnet          TELNET access.
                fgfm            FortiManager access.
                radius-acct     RADIUS accounting access.
                probe-response  Probe access.
                capwap          CAPWAP access.
                ftm             FTM access.
        set gwdetect {enable | disable}   Enable/disable detect gateway alive for first.
        set ping-serv-status {integer}   PING server status. range[0-255]
        set detectserver {string}   Gateway's ping server for this IP.
        set detectprotocol {ping | tcp-echo | udp-echo}   Protocols used to detect the server.
                ping      PING.
                tcp-echo  TCP echo.
                udp-echo  UDP echo.
        set ha-priority {integer}   HA election priority for the PING server. range[1-50]
        set fail-detect {enable | disable}   Enable/disable fail detection features for this interface.
        set fail-detect-option {detectserver | link-down}   Options for detecting that this interface has failed.
                detectserver  Use a ping server to determine if the interface has failed.
                link-down     Use port detection to determine if the interface has failed.
        set fail-alert-method {link-failed-signal | link-down}   Select link-failed-signal or link-down method to alert about a failed link.
                link-failed-signal  Link-failed-signal.
                link-down           Link-down.
        set fail-action-on-extender {soft-restart | hard-restart | reboot}   Action on extender when interface fails.
                soft-restart  Soft-restart-on-extender.
                hard-restart  Hard-restart-on-extender.
                reboot        Reboot-on-extender.
        config fail-alert-interfaces
            edit {name}
            # Names of the FortiGate interfaces from which the link failure alert is sent for this interface.
                set name {string}   Names of the physical interfaces belonging to the aggregate or redundant interface. size[64] - datasource(s): system.interface.name
            next
        set dhcp-client-identifier {string}   DHCP client identifier. size[48]
        set dhcp-renew-time {integer}   DHCP renew time in seconds (300-604800), 0 means use the renew time provided by the server. range[300-604800]
        set ipunnumbered {ipv4 address}   Unnumbered IP used for PPPoE interfaces for which no unique local address is provided.
        set username {string}   Username of the PPPoE account, provided by your ISP. size[64]
        set pppoe-unnumbered-negotiate {enable | disable}   Enable/disable PPPoE unnumbered negotiation.
        set password {password_string}   PPPoE account's password. size[128]
        set idle-timeout {integer}   PPPoE auto disconnect after idle timeout seconds, 0 means no timeout. range[0-32767]
        set detected-peer-mtu {integer}   MTU of detected peer (0 - 4294967295). range[0-4294967295]
        set disc-retry-timeout {integer}   Time in seconds to wait before retrying to start a PPPoE discovery, 0 means no timeout. range[0-4294967295]
        set padt-retry-timeout {integer}   PPPoE Active Discovery Terminate (PADT) used to terminate sessions after an idle time. range[0-4294967295]
        set service-name {string}   PPPoE service name. size[63]
        set ac-name {string}   PPPoE server name. size[63]
        set lcp-echo-interval {integer}   Time in seconds between PPPoE Link Control Protocol (LCP) echo requests. range[0-32767]
        set lcp-max-echo-fails {integer}   Maximum missed LCP echo messages before disconnect. range[0-32767]
        set defaultgw {enable | disable}   Enable to get the gateway IP from the DHCP or PPPoE server.
        set dns-server-override {enable | disable}   Enable/disable use DNS acquired by DHCP or PPPoE.
        set auth-type {option}   PPP authentication type to use.
                auto      Automatically choose authentication.
                pap       PAP authentication.
                chap      CHAP authentication.
                mschapv1  MS-CHAPv1 authentication.
                mschapv2  MS-CHAPv2 authentication.
        set pptp-client {enable | disable}   Enable/disable PPTP client.
        set pptp-user {string}   PPTP user name. size[64]
        set pptp-password {password_string}   PPTP password. size[128]
        set pptp-server-ip {ipv4 address}   PPTP server IP address.
        set pptp-auth-type {option}   PPTP authentication type.
                auto      Automatically choose authentication.
                pap       PAP authentication.
                chap      CHAP authentication.
                mschapv1  MS-CHAPv1 authentication.
                mschapv2  MS-CHAPv2 authentication.
        set pptp-timeout {integer}   Idle timer in minutes (0 for disabled). range[0-65535]
        set arpforward {enable | disable}   Enable/disable ARP forwarding.
        set ndiscforward {enable | disable}   Enable/disable NDISC forwarding.
        set broadcast-forward {enable | disable}   Enable/disable broadcast forwarding.
        set bfd {global | enable | disable}   Bidirectional Forwarding Detection (BFD) settings.
        set bfd-desired-min-tx {integer}   BFD desired minimal transmit interval. range[1-100000]
        set bfd-detect-mult {integer}   BFD detection multiplier. range[1-50]
        set bfd-required-min-rx {integer}   BFD required minimal receive interval. range[1-100000]
        set l2forward {enable | disable}   Enable/disable l2 forwarding.
        set icmp-send-redirect {enable | disable}   Enable/disable ICMP send redirect.
        set icmp-accept-redirect {enable | disable}   Enable/disable ICMP accept redirect.
        set vlanforward {enable | disable}   Enable/disable traffic forwarding between VLANs on this interface.
        set stpforward {enable | disable}   Enable/disable STP forwarding.
        set stpforward-mode {rpl-all-ext-id | rpl-bridge-ext-id | rpl-nothing}   Configure STP forwarding mode.
                rpl-all-ext-id     Replace all extension IDs (root, bridge).
                rpl-bridge-ext-id  Replace the bridge extension ID only.
                rpl-nothing        Replace nothing.
        set ips-sniffer-mode {enable | disable}   Enable/disable the use of this interface as a one-armed sniffer.
        set ident-accept {enable | disable}   Enable/disable authentication for this interface.
        set ipmac {enable | disable}   Enable/disable IP/MAC binding.
        set subst {enable | disable}   Enable to always send packets from this interface to a destination MAC address.
        set macaddr {mac address}   Change the interface's MAC address.
        set substitute-dst-mac {mac address}   Destination MAC address that all packets are sent to from this interface.
        set speed {option}   Interface speed. The default setting and the options available depend on the interface hardware.
                auto       Automatically adjust speed.
                10full     10M full-duplex.
                10half     10M half-duplex.
                100full    100M full-duplex.
                100half    100M half-duplex.
                1000full   1000M full-duplex.
                1000half   1000M half-duplex.
                1000auto   1000M auto adjust.
                10000full  10G full-duplex.
                10000auto  10G auto.
                40000full  40G full-duplex.
                25000full  25G full-duplex.
                100Gfull   100G full-duplex.
        set status {up | down}   Bring the interface up or shut the interface down.
                up    Bring the interface up.
                down  Shut the interface down.
        set netbios-forward {disable | enable}   Enable/disable NETBIOS forwarding.
        set wins-ip {ipv4 address}   WINS server IP.
        set type {option}   Interface type.
                physical     Physical interface.
                vlan         VLAN interface.
                aggregate    Aggregate interface.
                redundant    Redundant interface.
                tunnel       Tunnel interface.
                vdom-link    VDOM link interface.
                loopback     Loopback interface.
                switch       Software switch interface.
                hard-switch  Hardware switch interface.
                vap-switch   VAP interface.
                wl-mesh      WLAN mesh interface.
                fext-wan     FortiExtender interface.
                vxlan        VXLAN interface.
                hdlc         T1/E1 interface.
                switch-vlan  Switch VLAN interface.
                emac-vlan    EMAC VLAN interface.
        set dedicated-to {none | management}   Configure interface for single purpose.
                none        Interface not dedicated for any purpose.
                management  Dedicate this interface for management purposes only.
        set trust-ip-1 {ipv4 classnet any}   Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts).
        set trust-ip-2 {ipv4 classnet any}   Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts).
        set trust-ip-3 {ipv4 classnet any}   Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts).
        set trust-ip6-1 {ipv6 prefix}   Trusted IPv6 host for dedicated management traffic (::/0 for all hosts).
        set trust-ip6-2 {ipv6 prefix}   Trusted IPv6 host for dedicated management traffic (::/0 for all hosts).
        set trust-ip6-3 {ipv6 prefix}   Trusted IPv6 host for dedicated management traffic (::/0 for all hosts).
        set mtu-override {enable | disable}   Enable to set a custom MTU for this interface.
        set mtu {integer}   MTU value for this interface. range[0-4294967295]
        set wccp {enable | disable}   Enable/disable WCCP on this interface. Used for encapsulated WCCP communication between WCCP clients and servers.
        set netflow-sampler {disable | tx | rx | both}   Enable/disable NetFlow on this interface and set the data that NetFlow collects (rx, tx, or both).
                disable  Disable NetFlow protocol on this interface.
                tx       Monitor transmitted traffic on this interface.
                rx       Monitor received traffic on this interface.
                both     Monitor transmitted/received traffic on this interface.
        set sflow-sampler {enable | disable}   Enable/disable sFlow on this interface.
        set drop-overlapped-fragment {enable | disable}   Enable/disable drop overlapped fragment packets.
        set drop-fragment {enable | disable}   Enable/disable drop fragment packets.
        set scan-botnet-connections {disable | block | monitor}   Enable monitoring or blocking connections to Botnet servers through this interface.
                disable  Do not scan connections to botnet servers.
                block    Block connections to botnet servers.
                monitor  Log connections to botnet servers.
        set src-check {enable | disable}   Enable/disable source IP check.
        set sample-rate {integer}   sFlow sample rate (10 - 99999). range[10-99999]
        set polling-interval {integer}   sFlow polling interval (1 - 255 sec). range[1-255]
        set sample-direction {tx | rx | both}   Data that NetFlow collects (rx, tx, or both).
                tx    Monitor transmitted traffic on this interface.
                rx    Monitor received traffic on this interface.
                both  Monitor transmitted/received traffic on this interface.
        set explicit-web-proxy {enable | disable}   Enable/disable the explicit web proxy on this interface.
        set explicit-ftp-proxy {enable | disable}   Enable/disable the explicit FTP proxy on this interface.
        set proxy-captive-portal {enable | disable}   Enable/disable proxy captive portal on this interface.
        set tcp-mss {integer}   TCP maximum segment size. 0 means do not change segment size. range[0-4294967295]
        set mediatype {option}   Select SFP media interface type.
                sr   Use Short Range transceiver.
                lr   Use Long Range transceiver.
                cr   Use Copper transceiver.
                sr4  Use Short Range transceiver (4 lane).
                lr4  Use Long Range transceiver (4 lane).
                cr4  Use Copper transceiver (4 lane).
        set inbandwidth {integer}   Bandwidth limit for incoming traffic (0 - 16776000 kbps), 0 means unlimited. range[0-16776000]
        set outbandwidth {integer}   Bandwidth limit for outgoing traffic (0 - 16776000 kbps). range[0-16776000]
        set egress-shaping-profile {string}   Outgoing traffic shaping profile. size[35]
        set disconnect-threshold {integer}   Time in milliseconds to wait before sending a notification that this interface is down or disconnected. range[0-10000]
        set spillover-threshold {integer}   Egress Spillover threshold (0 - 16776000 kbps), 0 means unlimited. range[0-16776000]
        set ingress-spillover-threshold {integer}   Ingress Spillover threshold (0 - 16776000 kbps). range[0-16776000]
        set weight {integer}   Default weight for static routes (if route has no weight configured). range[0-255]
        set interface {string}   Interface name. size[15] - datasource(s): system.interface.name
        set external {enable | disable}   Enable/disable identifying the interface as an external interface (which usually means it's connected to the Internet).
        set vlanid {integer}   VLAN ID (1 - 4094). range[1-4094]
        set forward-domain {integer}   Transparent mode forward domain. range[0-2147483647]
        set remote-ip {ipv4 classnet host}   Remote IP address of tunnel.
        config member
            edit {interface-name}
            # Physical interfaces that belong to the aggregate or redundant interface.
                set interface-name {string}   Physical interface name. size[64] - datasource(s): system.interface.name
            next
        set lacp-mode {static | passive | active}   LACP mode.
                static   Use static aggregation, do not send and ignore any LACP messages.
                passive  Passively use LACP to negotiate 802.3ad aggregation.
                active   Actively use LACP to negotiate 802.3ad aggregation.
        set lacp-ha-slave {enable | disable}   LACP HA slave.
        set lacp-speed {slow | fast}   How often the interface sends LACP messages.
                slow  Send LACP message every 30 seconds.
                fast  Send LACP message every second.
        set min-links {integer}   Minimum number of aggregated ports that must be up. range[1-32]
        set min-links-down {operational | administrative}   Action to take when less than the configured minimum number of links are active.
                operational     Set the aggregate operationally down.
                administrative  Set the aggregate administratively down.
        set algorithm {L2 | L3 | L4}   Frame distribution algorithm.
                L2  Use layer 2 address for distribution.
                L3  Use layer 3 address for distribution.
                L4  Use layer 4 information for distribution.
        set link-up-delay {integer}   Number of milliseconds to wait before considering a link is up. range[50-3600000]
        set priority-override {enable | disable}   Enable/disable fail back to higher priority port once recovered.
        set aggregate {string}   Aggregate interface. size[15]
        set redundant-interface {string}   Redundant interface. size[15]
        config managed-device
            edit {name}
            # Available when FortiLink is enabled, used for managed devices through FortiLink interface.
                set name {string}   Managed dev identifier. size[64]
            next
        set devindex {integer}   Device Index. range[0-4294967295]
        set vindex {integer}   Switch control interface VLAN ID. range[0-65535]
        set switch {string}   Contained in switch. size[15]
        set description {string}   Description. size[255]
        set alias {string}   Alias will be displayed with the interface name to make it easier to distinguish. size[25]
        set security-mode {none | captive-portal | 802.1X}   Turn on captive portal authentication for this interface.
                none            No security option.
                captive-portal  Captive portal authentication.
                802.1X          802.1X port-based authentication.
        set captive-portal {integer}   Enable/disable captive portal. range[0-4294967295]
        set security-mac-auth-bypass {enable | disable}   Enable/disable MAC authentication bypass.
        set security-external-web {string}   URL of external authentication web server. size[127]
        set security-external-logout {string}   URL of external authentication logout server. size[127]
        set replacemsg-override-group {string}   Replacement message override group. size[35]
        set security-redirect-url {string}   URL redirection after disclaimer/authentication. size[127]
        set security-exempt-list {string}   Name of security-exempt-list. size[35]
        config security-groups
            edit {name}
            # User groups that can authenticate with the captive portal.
                set name {string}   Names of user groups that can authenticate with the captive portal. size[64]
            next
        set device-identification {enable | disable}   Enable/disable passively gathering of device identity information about the devices on the network connected to this interface.
        set device-user-identification {enable | disable}   Enable/disable passive gathering of user identity information about users on this interface.
        set device-identification-active-scan {enable | disable}   Enable/disable active gathering of device identity information about the devices on the network connected to this interface.
        set device-access-list {string}   Device access list. size[35]
        set device-netscan {disable | enable}   Enable/disable inclusion of devices detected on this interface in network vulnerability scans.
        set lldp-transmission {enable | disable | vdom}   Enable/disable Link Layer Discovery Protocol (LLDP) transmission.
        set fortiheartbeat {enable | disable}   Enable/disable FortiHeartBeat (FortiTelemetry on GUI).
        set broadcast-forticlient-discovery {enable | disable}   Enable/disable broadcasting FortiClient discovery messages.
        set endpoint-compliance {enable | disable}   Enable/disable endpoint compliance enforcement.
        set estimated-upstream-bandwidth {integer}   Estimated maximum upstream bandwidth (kbps). Used to estimate link utilization. range[0-4294967295]
        set estimated-downstream-bandwidth {integer}   Estimated maximum downstream bandwidth (kbps). Used to estimate link utilization. range[0-4294967295]
        set vrrp-virtual-mac {enable | disable}   Enable/disable use of virtual MAC for VRRP.
        config vrrp
            edit {vrid}
            # VRRP configuration.
                set vrid {integer}   Virtual router identifier (1 - 255). range[1-255]
                set version {2 | 3}   VRRP version.
                        2  VRRP version 2.
                        3  VRRP version 3.
                set vrgrp {integer}   VRRP group ID (1 - 65535). range[1-65535]
                set vrip {ipv4 address any}   IP address of the virtual router.
                set priority {integer}   Priority of the virtual router (1 - 255). range[1-255]
                set adv-interval {integer}   Advertisement interval (1 - 255 seconds). range[1-255]
                set start-time {integer}   Startup time (1 - 255 seconds). range[1-255]
                set preempt {enable | disable}   Enable/disable preempt mode.
                set accept-mode {enable | disable}   Enable/disable accept mode.
                set vrdst {ipv4 address any}   Monitor the route to this destination.
                set vrdst-priority {integer}   Priority of the virtual router when the virtual router destination becomes unreachable (0 - 254). range[0-254]
                set ignore-default-route {enable | disable}   Enable/disable ignoring of default route when checking destination.
                set status {enable | disable}   Enable/disable this VRRP configuration.
                config proxy-arp
                    edit {id}
                    # VRRP Proxy ARP configuration.
                        set id {integer}   ID. range[0-4294967295]
                        set ip {string}   Set IP addresses of proxy ARP.
                    next
            next
        set role {lan | wan | dmz | undefined}   Interface role.
                lan        Connected to local network of endpoints.
                wan        Connected to Internet.
                dmz        Connected to server zone.
                undefined  Interface has no specific role.
        set snmp-index {integer}   Permanent SNMP Index of the interface. range[0-4294967295]
        set secondary-IP {enable | disable}   Enable/disable adding a secondary IP to this interface.
        config secondaryip
            edit {id}
            # Second IP address of interface.
                set id {integer}   ID. range[0-4294967295]
                set ip {ipv4 classnet host}   Secondary IP address of the interface.
                set allowaccess {option}   Management access settings for the secondary IP address.
                        ping            PING access.
                        https           HTTPS access.
                        ssh             SSH access.
                        snmp            SNMP access.
                        http            HTTP access.
                        telnet          TELNET access.
                        fgfm            FortiManager access.
                        radius-acct     RADIUS accounting access.
                        probe-response  Probe access.
                        capwap          CAPWAP access.
                        ftm             FTM access.
                set gwdetect {enable | disable}   Enable/disable detect gateway alive for first.
                set ping-serv-status {integer}   PING server status. range[0-255]
                set detectserver {string}   Gateway's ping server for this IP.
                set detectprotocol {ping | tcp-echo | udp-echo}   Protocols used to detect the server.
                        ping      PING.
                        tcp-echo  TCP echo.
                        udp-echo  UDP echo.
                set ha-priority {integer}   HA election priority for the PING server. range[1-50]
            next
        set preserve-session-route {enable | disable}   Enable/disable preservation of session route when dirty.
        set auto-auth-extension-device {enable | disable}   Enable/disable automatic authorization of dedicated Fortinet extension device on this interface.
        set ap-discover {enable | disable}   Enable/disable automatic registration of unknown FortiAP devices.
        set fortilink-stacking {enable | disable}   Enable/disable FortiLink switch-stacking on this interface.
        set fortilink-split-interface {enable | disable}   Enable/disable FortiLink split interface to connect member link to different FortiSwitch in stack for uplink redundancy (maximum 2 interfaces in the "members" command).
        set internal {integer}   Implicitly created. range[0-255]
        set fortilink-backup-link {integer}   fortilink split interface backup link. range[0-255]
        set switch-controller-access-vlan {enable | disable}   Block FortiSwitch port-to-port traffic.
        set switch-controller-igmp-snooping {enable | disable}   Switch controller IGMP snooping.
        set switch-controller-dhcp-snooping {enable | disable}   Switch controller DHCP snooping.
        set switch-controller-dhcp-snooping-verify-mac {enable | disable}   Switch controller DHCP snooping verify MAC.
        set switch-controller-dhcp-snooping-option82 {enable | disable}   Switch controller DHCP snooping option82.
        set switch-controller-arp-inspection {enable | disable}   Enable/disable FortiSwitch ARP inspection.
        set switch-controller-learning-limit {integer}   Limit the number of dynamic MAC addresses on this VLAN (1 - 128, 0 = no limit, default). range[0-128]
        set color {integer}   Color of icon on the GUI. range[0-32]
        config tagging
            edit {name}
            # Config object tagging.
                set name {string}   Tagging entry name. size[63]
                set category {string}   Tag category. size[63] - datasource(s): system.object-tagging.category
                config tags
                    edit {name}
                    # Tags.
                        set name {string}   Tag name. size[64] - datasource(s): system.object-tagging.tags.name
                    next
            next
        set forward-error-correction {enable | disable}   Enable/disable forward error correction (FEC Clause 91).
        config ipv6
            set ip6-mode {static | dhcp | pppoe | delegated}   Addressing mode (static, DHCP, PPPoE, delegated).
                    static     Static setting.
                    dhcp       DHCPv6 client mode.
                    pppoe      IPv6 over PPPoE mode.
                    delegated  IPv6 address with delegated prefix.
            set nd-mode {basic | SEND-compatible}   Neighbor discovery mode.
                    basic            Do not support SEND.
                    SEND-compatible  Support SEND.
            set nd-cert {string}   Neighbor discovery certificate. size[35] - datasource(s): certificate.local.name
            set nd-security-level {integer}   Neighbor discovery security level (0 - 7; 0 = least secure, default = 0). range[0-7]
            set nd-timestamp-delta {integer}   Neighbor discovery timestamp delta value (1 - 3600 sec; default = 300). range[1-3600]
            set nd-timestamp-fuzz {integer}   Neighbor discovery timestamp fuzz factor (1 - 60 sec; default = 1). range[1-60]
            set nd-cga-modifier {string}   Neighbor discovery CGA modifier.
            set ip6-dns-server-override {enable | disable}   Enable/disable using the DNS server acquired by DHCP.
            set ip6-address {ipv6 prefix}   Primary IPv6 address prefix, syntax: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx
            config ip6-extra-addr
                edit {prefix}
                # Extra IPv6 address prefixes of interface.
                    set prefix {ipv6 prefix}   IPv6 address prefix.
                next
            set ip6-allowaccess {option}   Allow management access to the interface.
                    ping    PING access.
                    https   HTTPS access.
                    ssh     SSH access.
                    snmp    SNMP access.
                    http    HTTP access.
                    telnet  TELNET access.
                    fgfm    FortiManager access.
                    capwap  CAPWAP access.
            set ip6-send-adv {enable | disable}   Enable/disable sending advertisements about the interface.
            set ip6-manage-flag {enable | disable}   Enable/disable the managed flag.
            set ip6-other-flag {enable | disable}   Enable/disable the other IPv6 flag.
            set ip6-max-interval {integer}   IPv6 maximum interval (4 to 1800 sec). range[4-1800]
            set ip6-min-interval {integer}   IPv6 minimum interval (3 to 1350 sec). range[3-1350]
            set ip6-link-mtu {integer}   IPv6 link MTU. range[1280-16000]
            set ip6-reachable-time {integer}   IPv6 reachable time (milliseconds; 0 means unspecified). range[0-3600000]
            set ip6-retrans-time {integer}   IPv6 retransmit time (milliseconds; 0 means unspecified). range[0-4294967295]
            set ip6-default-life {integer}   Default life (sec). range[0-9000]
            set ip6-hop-limit {integer}   Hop limit (0 means unspecified). range[0-255]
            set autoconf {enable | disable}   Enable/disable address auto config.
            set ip6-upstream-interface {string}   Interface name providing delegated information. size[15] - datasource(s): system.interface.name
            set ip6-subnet {ipv6 prefix}    Subnet to routing prefix, syntax: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx
            config ip6-prefix-list
                edit {prefix}
                # Advertised prefix list.
                    set prefix {ipv6 network}   IPv6 prefix.
                    set autonomous-flag {enable | disable}   Enable/disable the autonomous flag.
                    set onlink-flag {enable | disable}   Enable/disable the onlink flag.
                    set valid-life-time {integer}   Valid life time (sec). range[0-4294967295]
                    set preferred-life-time {integer}   Preferred life time (sec). range[0-4294967295]
                    set rdnss {string}   Recursive DNS server option.
                    config dnssl
                        edit {domain}
                        # DNS search list option.
                            set domain {string}   Domain name. size[79]
                        next
                next
            config ip6-delegated-prefix-list
                edit {prefix-id}
                # Advertised IPv6 delegated prefix list.
                    set prefix-id {integer}   Prefix ID. range[0-4294967295]
                    set upstream-interface {string}   Name of the interface that provides delegated information. size[15] - datasource(s): system.interface.name
                    set autonomous-flag {enable | disable}   Enable/disable the autonomous flag.
                    set onlink-flag {enable | disable}   Enable/disable the onlink flag.
                    set subnet {ipv6 network}    Add subnet ID to routing prefix.
                    set rdnss-service {delegated | default | specify}   Recursive DNS service option.
                            delegated  Delegated RDNSS settings.
                            default    System RDNSS settings.
                            specify    Specify recursive DNS servers.
                    set rdnss {string}   Recursive DNS server option.
                next
            set dhcp6-relay-service {disable | enable}   Enable/disable DHCPv6 relay.
            set dhcp6-relay-type {regular}   DHCPv6 relay type.
                    regular  Regular DHCP relay.
            set dhcp6-relay-ip {string}   DHCPv6 relay IP address.
            set dhcp6-client-options {rapid | iapd | iana}   DHCPv6 client options.
                    rapid  Send rapid commit option.
                    iapd   Send including IA-PD option.
                    iana   Send including IA-NA option.
            set dhcp6-prefix-delegation {enable | disable}   Enable/disable DHCPv6 prefix delegation.
            set dhcp6-information-request {enable | disable}   Enable/disable DHCPv6 information request.
            set dhcp6-prefix-hint {ipv6 network}   DHCPv6 prefix that will be used as a hint to the upstream DHCPv6 server.
            set dhcp6-prefix-hint-plt {integer}   DHCPv6 prefix hint preferred life time (sec), 0 means unlimited lease time. range[0-4294967295]
            set dhcp6-prefix-hint-vlt {integer}   DHCPv6 prefix hint valid life time (sec). range[0-4294967295]
            set vrrp-virtual-mac6 {enable | disable}   Enable/disable virtual MAC for VRRP.
            set vrip6_link_local {ipv6 address}   Link-local IPv6 address of virtual router.
            config vrrp6
                edit {vrid}
                # IPv6 VRRP configuration.
                    set vrid {integer}   Virtual router identifier (1 - 255). range[1-255]
                    set vrgrp {integer}   VRRP group ID (1 - 65535). range[1-65535]
                    set vrip6 {ipv6 address}   IPv6 address of the virtual router.
                    set priority {integer}   Priority of the virtual router (1 - 255). range[1-255]
                    set adv-interval {integer}   Advertisement interval (1 - 255 seconds). range[1-255]
                    set start-time {integer}   Startup time (1 - 255 seconds). range[1-255]
                    set preempt {enable | disable}   Enable/disable preempt mode.
                    set accept-mode {enable | disable}   Enable/disable accept mode.
                    set vrdst6 {ipv6 address}   Monitor the route to this destination.
                    set status {enable | disable}   Enable/disable VRRP.
                next
    next
end

Additional information

The following section is for those options that require additional explanation.

vdom <string>

VDOM name to which this interface belongs, default is root.

mode {static | dhcp | pppoe}

The interface IP addressing: static, from external dhcp or external pppoe.

distance <integer>

The administrative distance for routes learned through PPPoE or DHCP; a lower distance indicates the preferred route for the same destination, value between 1 and 255.

priority <integer>

The priority of routes using this interface; a lower priority indicates the preferred route for the same destination, value between 0 and 4294967295, available when mode is set to DHCP or PPPoE.

dhcp-relay-agent-option {enable | disable}

Enable or disable DHCP relay option 82. See RFC 3046: DHCP Relay Agent Information Option.

dhcp-relay-ip <ip>

The IP of DHCP relay server.

dhcp-relay-service {disable | enable}

Disable or enable the DHCP relay service on this interface, default is disable.

dhcp-relay-type {regular | ipsec}

Set a regular or an IPsec relay type on this interface.

dhcp-client-identifier <string>

Used to override the default DHCP client ID created by the FortiGate.

ip <ip & netmask>

The interface's IP and subnet mask, syntax: X.X.X.X/24.

allowaccess {ping | https | ssh | snmp | http | telnet | ...}

Permitted access type on this interface:

  • fgfm: FortiManager access.
  • radius-acct: RADIUS accounting access.
  • probe-response: Probe access.
  • capwap: CAPWAP access.

fail-detect {enable | disable}

Enable or disable interface failed options.

fail-detect-option {detectserver | link-down}

Select whether the FortiGate detects interface failure by ping server (detectserver) or port detection (link-down), detectserver is only available in NAT mode.

fail-alert-method {link-failed-signal | link-down}

Select link-failed-signal or link-down method to alert about a failed link.

fail-alert-interfaces {port1 | port2 | ...}

The names of the FortiGate interfaces from which the link failure alert is sent for this interface.

ipunnumbered <ip>

The unnumbered IP used for PPPoE interfaces for which no unique local address is provided. If you have been assigned a block of IP addresses by your ISP, you can add any of these IP addresses.

username <string>

The username of the PPPoE account, provided by your ISP.

password <passwd>

The PPPoE account's password.

idle-timeout <integer>

Idle time in seconds after which the PPPoE session is disconnected, 0 for no timeout.

disc-retry-timeout <integer>

The time in seconds to wait before retrying to start a PPPoE discovery, 0 to disable this feature.

padt-retry-timeout <integer>

PPPoE Active Discovery Terminate (PADT) timeout in seconds used to shut down the PPPoE session if it is idle for this number of seconds. PADT must be supported by your ISP.

service-name <string>

Set a name for this PPPoE service.

ac-name <string>

Set the PPPoE server name.

lcp-echo-interval <integer>

The time in seconds between PPPoE Link Control Protocol (LCP) echo requests, default is 5.

lcp-max-echo-fails <integer>

Maximum number of missed LCP echoes before the PPPoE link is disconnected, default is 3.

defaultgw {enable | disable}

Enable to get the gateway IP from the DHCP or PPPoE server, default is enable.

dns-server-override {enable | disable}

Disable to prevent this interface from using a DNS server acquired via DHCP or PPPoE, default is enable.

pptp-client {enable | disable}

Enable or disable the use of point-to-point tunneling protocol (PPTP) client, available in static mode only, default is disable.

pptp-user <string>

PPTP end user name.

pptp-password <passwd>

PPTP end user password.

pptp-server-ip <ip>

PPTP server's IP address.

pptp-auth-type {auto | pap | chap | mschapv1 | mschapv2}

The server authentication type, default is auto.

pptp-timeout <integer>

Idle timeout in minutes to shut down the PPTP session, values between 0 to 65534 (65534 minutes is 45 days), 0 for disabled, default is 0.

arpforward {enable | disable}

Enable or disable ARP packets forwarding on this interface, default is enable.

broadcast-forward {enable | disable}

Enable or disable automatic forwarding of broadcast packets, default is disable.

priority-override {enable | disable}

Enable or disable fail back to higher priority port once recovered. Once enabled, priority-override on redundant interfaces gives greater priority to interfaces that are higher in the member list.

bfd {global | enable | disable}

Use the global setting, enable, or disable Bidirectional Forwarding Detection (BFD) on this interface; the global BFD settings are in config system settings, default is global.

l2forward {enable | disable}

Enable or disable layer-2 forwarding for this interface, default is disable.

icmp-accept-redirect {enable | disable}

Enable or disable accepting ICMP redirect messages on this interface. This can be useful if you need to disable accepting ICMP redirects while still permitting the sending of ICMP redirects.

icmp-send-redirect {enable | disable}

Enable or disable sending ICMP redirect messages from this interface. The FortiGate sends ICMP redirect messages to notify the original sender of packets if there is a better route available, default is enable.

vlanforward {enable | disable}

Enable or disable traffic forwarding between VLANs on this interface, default is disable. This option is only effective in transparent mode.

stpforward {enable | disable}

Enable or disable forwarding of Spanning Tree Protocol (STP) packets. STP creates a spanning tree within a network of connected layer-2 bridges while disabling all other links, leaving a single active path between any two network nodes to prevent loops which would flood the network.

stpforward-mode {rpl-all-ext-id | rpl-bridge-ext-id | ...}

Set the STP forward mode:

  • rpl-all-ext-id: Replace all root and bridge extension IDs, the default mode.
  • rpl-bridge-ext-id: Replace the bridge extension ID only.
  • rpl-nothing: Do not replace anything.

ips-sniffer-mode {enable | disable}

Enable or disable the use of this interface as a one-armed sniffer, as part of configuring a FortiGate unit to operate as an IDS appliance that sniffs packets for attacks without processing them. When enabled, you cannot use the interface for other traffic, default is disable.

ident-accept {enable | disable}

Enable or disable passing identification packets on TCP port 113 to the firewall policy, used to determine a user's identity on a particular TCP connection, default is disable.

switch-controller-access-vlan {enable | disable}

Note: This setting's definition has been modified from a previous release.

VLAN access status:

  • enable: Block FortiSwitch port-to-port traffic on the VLAN, only permitting traffic to and from the FortiGate.
  • disable: Allow normal VLAN traffic.

switch-controller-arp-inspection {enable | disable}

Enable or disable ARP inspection for FortiSwitch devices.

Dynamic ARP Inspection (DAI) enables FortiSwitch to intercept and examine all ARP request and response packets in a subnet and discard those packets with invalid IP to MAC address bindings. DAI can prevent common man-in-the-middle (MiM) attacks such as ARP cache poisoning and disallow mis-configuration of client IP addresses.

ipmac {enable | disable}

Enable or disable IP/MAC binding for the specified interface, default is disable. More information available in config firewall ipmacbinding setting command.

subst {enable | disable}

Enable to always send packets from this interface to the same destination MAC address. Use substitute-dst-mac to set the destination MAC address. Disabled by default.

macaddr <mac>

Override the factory MAC address of this interface by specifying a new MAC address.

substitute-dst-mac <mac>

The destination MAC address that all packets are sent to from this interface if subst is enabled.

speed {auto | 10full | 10half | etc }

The interface speed. The default setting and the speeds available depend on the interface hardware. Most often speed is set to auto and the interface negotiates with connected equipment to select the best speed. You can set specific speeds if the connected equipment doesn't support negotiation. Some FortiGate interface hardware does not support auto, in which case set the interface speed to match the connected network equipment speed.

Enter a space and a “?” after the speed field to display a list of speeds available for your model and interface.

status {up | down}

Start or stop the interface, when stopped, it does not accept or send packets.

If you stop a physical interface, associated virtual interfaces such as VLAN interfaces will also stop.

netbios-forward {disable | enable}

Enable to forward Network Basic Input Output System (NetBIOS) broadcasts to a Windows Internet Name Service (WINS) server.

wins-ip <ip>

The IP address of the WINS server to which NetBIOS broadcasts are forwarded.

type <interface-type>

Enter set type ? to see a list of the interface types that can be created.

mtu-override {enable | disable}

Select enable to use a custom MTU size instead of the default 1500.

mtu <integer>

Set a new MTU value.

wccp {enable | disable}

Enable or disable Web Cache Communication Protocol (WCCP) on this interface, default is disable.

netflow-sampler {disable | tx | rx | both}

Disable or choose how to use netflow on this interface:

  • tx: Monitor transmitted traffic.
  • rx: Monitor received traffic.
  • both: Monitor traffic in both directions.

sflow-sampler {enable | disable}

Enable or disable sflow protocol on this interface, default is disable. More information on sflow in config system sflow command.

drop-overlapped-fragment {enable | disable}

Enable or disable dropping overlapped packet fragments, default is disable.

drop-fragment {enable | disable}

Enable to drop fragmented packets, default is disable.

scan-botnet-connections {disable | block | monitor}

Disable or choose how to handle connections to botnet servers:

  • block: Terminate connections
  • monitor: Log connections.

sample-rate <integer>

The average number of packets that the sFlow Agent lets pass before taking a sample. The range is 10 to 99999. The default is 2000.

For example, if you set this to 1000, the sFlow Agent samples 1 out of every 1000 packets.

If you set a lower rate, the sFlow Agent samples a higher number of packets, which increases the accuracy of the sampling data. However, this also increases the amount of CPU resources and network bandwidth that sFlow uses.

In most cases, the default sample rate of 2000 provides enough accuracy.

polling-interval <integer>

The amount of time, in seconds, that the sFlow Agent waits between sending sFlow Datagrams to the sFlow Collector. The range is 1 to 255 seconds. The default is 20 seconds.

If you set a higher polling interval, the sFlow Agent sends less data across your network, but the sFlow Collector’s view of your network won’t be as up-to-date as it would if you set a lower polling interval.

sample-direction {tx | rx | both}

The direction of the traffic that the sFlow Agent samples:

  • tx: Samples the traffic that the interface sends
  • rx: Samples the traffic that the interface receives
  • both: Samples the traffic that the interface sends and receives


explicit-web-proxy {enable | disable}

Enable or disable explicit Web proxy on this interface, default is disable.

explicit-ftp-proxy {enable | disable}

Enable or disable explicit FTP proxy on this interface, default is disable.

tcp-mss <integer>

The Maximum Segment Size (MSS) for TCP connections; it is used when there is an MTU mismatch or the DF (Don't Fragment) bit is set.

inbandwidth <integer>

The limit of ingress traffic, in Kbit/sec, on this interface, default is 0 which indicates unlimited.

outbandwidth <integer>

The limit of egress traffic, in Kbit/sec, on this interface, default is 0 which indicates unlimited.

spillover-threshold <integer>

Egress Spillover threshold in kbps used for load balancing traffic between interfaces, range from 0 to 16776000, default is 0.

ingress-spillover-threshold <integer>

Ingress Spillover threshold in kbps, range from 0 to 16776000, default is 0.

weight <integer>

Set the default weight for static routes on this interface. This applies when the route has no weight configured.

external {enable | disable}

Enable or disable identifying if this interface is connected to external side.

config managed-device

Available when fortilink is enabled, used for managed devices through fortilink interface.

edit <name>

The identifier of the managed device.

description <string>

Optionally describe this interface.

alias <string>

Optionally set an alias which will be displayed with the interface name to make it easier to distinguish.

l2tp-client {enable | disable}

Enable or disable this interface as a Layer 2 Tunneling Protocol (L2TP) client.

You may need to enable l2forward on this interface, default is disable.

security-mode {none | captive-portal}

Available when fortilink is disabled; captive-portal allows access through this interface to authenticated members only.

security-mac-auth-bypass {enable | disable}

Enable or disable MAC address authentication bypass.

security-external-web <string>

The URL of an external authentication web server, available when security-mode is set to captive-portal.

security-external-logout <string>

The URL of an external authentication logout server, available when security-mode is set to captive-portal.

replacemsg-override-group <group-name>

Specify replacement message override group name, this is for captive portal messages when security-mode is set to captive-portal.

security-redirect-url <string>

Specify URL redirection after captive portal authentication or disclaimer.

security-groups <user-group>

Optionally, enter the groups that are allowed access to this interface.

security-exempt-list <name>

Optionally specify the members that will bypass the captive portal authentication.

device-identification {enable | disable}

Enable or disable passive gathering of identity information about source hosts on this interface.

device-user-identification {enable | disable}

Enable or disable passive gathering of user identity information about source hosts on this interface.

device-identification-active-scan {enable | disable}

Enable or disable active gathering of identity information about source hosts on this interface.

device-access-list <name>

Specify the device access list to use which is configured in config user device-access-list.

lldp-transmission {enable | disable | vdom}

Enable, disable, or apply to vdom-level the Link Layer Discovery Protocol (LLDP) transmission for this interface, default is vdom.

fortiheartbeat {enable | disable}

Enable or disable FortiHeartBeat (FortiTelemetry in the GUI), which is used to listen for connections from devices with FortiClient installed, default is disable.

broadcast-forticlient-discovery {enable | disable}

Enable or disable broadcast FortiClient discovery messages, default is disable.

endpoint-compliance {enable | disable}

Enable or disable endpoint compliance enforcement, default is disabled.

estimated-upstream-bandwidth <integer>

Estimated maximum upstream bandwidth in kbps, used to estimate link utilization.

estimated-downstream-bandwidth <integer>

Estimated maximum downstream bandwidth in kbps, used to estimate link utilization.

vrrp-virtual-mac {enable | disable}

Enable or disable the VRRP virtual MAC address feature for the IPv4 VRRP routers added to this interface, default is disable. See RFC 3768 for more information about VRRP.

config vrrp

Configure IPv4 VRRP for this interface.

vrgrp <integer>

VRRP group id.

vrip <ip>

IPv4 address of the virtual router.

priority <integer>

The IPv4 VRRP virtual router's priority, value between 1 and 255, default is 100.

adv-interval <integer>

VRRP advertisement interval in seconds, value between 1 and 255.

start-time <integer>

VRRP startup time in seconds, value between 1 and 255, default is 3.

preempt {enable | disable}

Enable or disable VRRP preempt mode, default is enable.

ignore-default-route {disable | enable}

Enable to configure VRRP to ignore the default route when looking for the vrdst IP address. Disabled by default.

vrdst <ip> [<ip>]

Monitor the route to one or more destination IP addresses. A failure is registered only if none of the configured destination addresses can be reached.

status {enable | disable}

Enable or disable this VRRP virtual router. Enabled by default.

role {lan | wan | dmz | undefined}

Optionally choose the interface role:

  • lan: Connected to local network of endpoints.
  • wan: Connected to Internet.
  • dmz: Connected to server zone.
  • undefined: Interface has no specific role.

snmp-index <integer>

Optionally set a permanent SNMP Index of this interface.

secondary-IP {enable | disable}

Enable or disable the use of a secondary address on this interface.

config secondaryip

ip <ip & netmask>

The interface's secondary IP and subnet mask, syntax: X.X.X.X/24.

allowaccess {ping | https | ssh | snmp | http | telnet | ...}

Permitted access type on this secondary IP:

  • fgfm: FortiManager access.
  • radius-acct: RADIUS accounting access.
  • probe-response: Probe access.
  • capwap: CAPWAP access.

auto-auth-extension-device {enable | disable}

Enable or disable automatic authorization of dedicated Fortinet extension devices on this interface, default is disabled.

ap-discover {enable | disable}

Enable or disable automatic registration of unknown FortiAP devices, default is disable.

fortilink {enable | disable}

Enable or disable FortiLink on this interface to manage other Fortinet devices such as FortiSwitch.

fortilink-stacking {enable | disable}

Enable or disable FortiLink switch-stacking on this interface.

config ipv6

ip6-mode {static | dhcp | delegated}

The addressing mode:

  • static: Static setting, default mode.
  • dhcp: DHCPv6 client.
  • delegated: IPv6 address with delegated prefix.

ip6-dns-server-override {enable | disable}

Enable or disable using DNS acquired by DHCP.

ip6-address <ipv6>

Primary IPv6 address prefix of this interface.

config ip6-extra-addr

edit <prefix>

IPv6 address prefix.

ip6-allowaccess {ping | https | ssh | snmp | http | ...}

Allow management access to the interface:

  • fgfm: FortiManager access.
  • capwap: CAPWAP access.
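As a defender's check on the management-access and ICMP-redirect options described above (allowaccess, ip6-allowaccess and icmp-accept-redirect), the following is an added Python example, not part of Fortinet's documentation or product: it parses a `config system interface` dump in the config/edit/set/next/end form used throughout this reference and flags interfaces that permit cleartext management protocols or accept ICMP redirects. The interface names, addresses and settings in the embedded sample are constructed for illustration.

```python
"""Audit a FortiOS 'config system interface' dump for risky settings.

Added example (not Fortinet code). It parses the config/edit/set/next/end
nesting shown in the CLI reference and reports interfaces that expose
cleartext management protocols (http, telnet) via allowaccess or
ip6-allowaccess, or that have icmp-accept-redirect enabled.
"""

# Constructed sample dump; names and addresses are illustrative only.
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set icmp-accept-redirect enable
        set role wan
    next
    edit "port2"
        set vdom "root"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh http telnet
        set icmp-accept-redirect disable
        config ipv6
            set ip6-address 2001:db8:2::1/64
            set ip6-allowaccess ping https telnet
        end
        set role lan
    next
end
"""

# Management protocols that carry credentials in cleartext.
RISKY_MGMT = {"http", "telnet"}


def parse_interfaces(text):
    """Return {interface_name: {key: value}} for each 'edit' entry.

    Keys inside nested 'config <block>' sections are flattened as
    '<block>.<key>', e.g. 'ipv6.ip6-allowaccess'. Values keep their
    original spacing (e.g. 'ping https ssh') with surrounding quotes removed.
    """
    interfaces = {}
    current = None   # name of the 'edit' entry being filled
    stack = []       # names of nested 'config' blocks inside that entry
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        keyword, _, rest = line.partition(" ")
        if keyword == "edit":
            current = rest.strip('"')
            interfaces[current] = {}
        elif keyword == "config" and current is not None:
            stack.append(rest.split()[-1])      # e.g. 'config ipv6' -> 'ipv6'
        elif keyword == "end" and stack:
            stack.pop()                         # closes the nested block
        elif keyword == "next":
            current = None                      # closes the 'edit' entry
        elif keyword == "set" and current is not None:
            key, _, value = rest.partition(" ")
            if stack:
                key = ".".join(stack + [key])
            interfaces[current][key] = value.strip('"')
    return interfaces


def audit(interfaces):
    """Return a sorted list of (interface, finding) tuples."""
    findings = []
    for name, cfg in sorted(interfaces.items()):
        for key in ("allowaccess", "ipv6.ip6-allowaccess"):
            exposed = RISKY_MGMT & set(cfg.get(key, "").split())
            for proto in sorted(exposed):
                findings.append((name, f"{key} permits cleartext {proto}"))
        if cfg.get("icmp-accept-redirect") == "enable":
            findings.append((name, "icmp-accept-redirect is enabled"))
    return findings


if __name__ == "__main__":
    for iface, finding in audit(parse_interfaces(SAMPLE_CONFIG)):
        print(f"{iface}: {finding}")
```

Feed it the output of `show system interface` (or `show full-configuration` trimmed to that section) to run the same check against a real unit.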

ip6-send-adv {enable | disable}

Enable or disable the flag indicating whether or not to send periodic router advertisements and to respond to router solicitations. When enabled, this interface's address will be added to the all-routers group (FF02::02) and be included in a Multicast Listener Discovery (MLD) report. If no interfaces on the FortiGate unit have ip6-send-adv enabled, the FortiGate unit will only listen to the all-hosts group (FF02::01), which is explicitly excluded from MLD reports according to RFC 2710 section 5.

When disabled (by default), and autoconf is enabled, the FortiGate unit acts as a stateless address auto-configuration client (SLAAC).

ip6-manage-flag {enable | disable}

Enable or disable the managed address configuration flag in router advertisements, default is enable.

ip6-other-flag {enable | disable}

Enable or disable the other stateful configuration flag in router advertisements, default is enable.

ip6-max-interval <integer>

The maximum time interval, in seconds, between sending unsolicited multicast router advertisements from the interface, value between 4 and 1800, default is 600.

ip6-min-interval <integer>

The minimum time interval, in seconds, between sending unsolicited multicast router advertisements from the interface, value between 3 and 1350, default is 198.

ip6-link-mtu <integer>

The link MTU to be added to the router advertisements options field, 0 means that no MTU options are sent.

ip6-reachable-time <integer>

The time, in milliseconds, to be added to the Reachable Time field in the router advertisements, value between 0 and 3600000, default is 0 which means no reachable time is specified.

ip6-retrans-time <integer>

The number, in milliseconds, to be added to the Retrans Timer field in the router advertisements, default is 0 which means that the Retrans Timer is not specified.

ip6-default-life <integer>

The time, in seconds, to be added to the Router Lifetime field of router advertisements sent from the interface, default is 1800.

vrrp-virtual-mac6 {enable | disable}

Enable or disable the VRRP virtual MAC address feature for the IPv6 VRRP routers added to this interface, default is disable. See RFC 3768 for more information about VRRP.

config ip6-prefix-list

edit <prefix>

Enter the IPv6 prefix you want to configure.

autonomous-flag {enable | disable}

Set the state of the autonomous flag for this IPv6 prefix, default is disable.

onlink-flag {enable | disable}

Set the state of the on-link flag in this IPv6 prefix, default is disable.

valid-life-time <integer>

The valid lifetime in seconds for this IPv6 prefix, default is 2592000 (30 days).

preferred-life-time <integer>

The preferred lifetime in seconds, default is 604800 (7 days).

config ip6-delegated-prefix-list

edit <prefix-id>

An ID (integer) for this ip6 delegated prefix.

upstream-interface <interface>

The interface name from where delegated information is provided.

autonomous-flag {enable | disable}

Set the state of the autonomous flag for this IPv6 delegated prefix, default is disable.

onlink-flag {enable | disable}

Set the state of the on-link flag in this IPv6 delegated prefix, default is disable.

subnet <ipv6_net>

Subnet to routing prefix, syntax: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx

ip6-hop-limit <integer>

The number to be added to the Cur Hop Limit field in the router advertisements sent out this interface, default is 0 which means no hop limit is specified.

nd-mode {basic | SEND-compatible}

Neighbor discovery mode, default is basic.

dhcp6-relay-service {disable | enable}

Enable or disable DHCP relay service for IPv6.

dhcp6-relay-type {regular}

Regular DHCP relay.

dhcp6-relay-ip <ipv6>

The IPv6 address of one or more DHCP relays.

dhcp6-prefix-delegation {disable | enable}

Enable or disable DHCPv6 prefix delegation, default is disable.

dhcp6-prefix-hint <ipv6_net>

DHCPv6 prefix that will be used as a hint to the upstream DHCPv6 server.

dhcp6-prefix-hint-plt <integer>

DHCPv6 prefix hint preferred life time in seconds, default is 604800 (7 days).

dhcp6-prefix-hint-vlt <integer>

DHCPv6 prefix hint valid life time in seconds, default is 2592000 (30 days).

config vrrp6

Configure IPv6 VRRP.

vrgrp <integer>

IPv6 VRRP group id.

vrip <ipv6-ip>

IPv6 address of the virtual router.

priority <integer>

The IPv6 VRRP virtual router's priority, value between 1 and 255, default is 100.

adv-interval <integer>

IPv6 VRRP advertisement interval in seconds, value between 1 and 255.

start-time <integer>

VRRP startup time in seconds, value between 1 and 255, default is 3.

preempt {enable | disable}

Enable or disable VRRP preempt mode, default is enable.

vrdst <ipv6-ip> [<ipv6-ip>]

Monitor the route to one or more destination IPv6 addresses. A failure is registered only if none of the configured destination addresses can be reached.

status {enable | disable}

Enable or disable this IPv6 VRRP virtual router. Enabled by default.

config l2tp-client-settings

user <string>

L2TP user name.

password <passwd>

L2TP password.

peer-host <string>

The host name.

peer-mask <netmask>

The netmask.

peer-port <integer>

The port used to connect to L2TP peers, default is 1701.

auth-type {auto | pap | chap | mschapv1 | mschapv2}

Type of authentication used with this client:

  • auto — automatically choose type of authentication (default).
  • pap — use Password Authentication Protocol.
  • chap — use Challenge-Handshake Authentication Protocol.
  • mschapv1 — use Microsoft version of CHAP version 1.
  • mschapv2 — use Microsoft version of CHAP version 2.

mtu <integer>

The Maximum Transmission Unit (MTU), value between 40 and 65535, default is 1460.

distance <integer>

The administrative distance of learned routes, value between 1 and 255, default is 2.

priority <integer>

The priority of routes learned through L2TP.

defaultgw {enable | disable}

Enable or disable the use of the default gateway, default is disable.

wifi-ap-band {any | 5g-preferred | 5g-only}

For a FortiWiFi WiFi interface operating in client mode, you can configure the WiFi band that the interface can connect to. You can configure the interface to connect to any band, only to the 5G band, or to prefer the 5G band.

Aggregate and redundant interface options

Options for aggregate and redundant interfaces (some FortiGate models). These options are available only when type is aggregate or redundant.

algorithm {L2 | L3 | L4}

Enter the algorithm used to control how frames are distributed across links in an aggregated interface (also called a Link Aggregation Group (LAG)). The algorithm must match that used by connected switches. Enter one of:

L2 — use source and destination MAC addresses.

L3 — use source and destination IP addresses, fall back to L2 algorithm if IP information is not available.

L4 — (default) use TCP, UDP or ESP header information.

lacp-ha-slave {enable | disable}

This option affects how the aggregate interface participates in Link Aggregation Control Protocol (LACP) negotiation when HA is enabled for the VDOM. It takes effect only if Active-Passive HA is enabled and lacp-mode is not static. Enter enable to participate in LACP negotiation as a slave or disable to not participate. Enabled by default.

lacp-mode {active | passive | static}

Enter one of active, passive, or static.

active — (default) send LACP PDU packets to negotiate link aggregation connections.

passive — respond to LACP PDU packets and negotiate link aggregation connections.

static — link aggregation is configured statically.

lacp-speed {fast | slow}

slow — (default) sends LACP PDU packets every 30 seconds to negotiate link aggregation connections.

fast — sends LACP PDU packets every second, as recommended in the IEEE 802.3ad standard.

Available only when type is aggregate.

member <if_name1> <if_name2> ...

Specify a list of physical interfaces that are part of an aggregate or redundant group. To modify a list, enter the complete revised list.

If VDOMs are enabled, then vdom must be set the same for each interface before you enter the member list.

An interface is available to be part of an aggregate or redundant group only if:

  • it is a physical interface, not a VLAN interface
  • it is not already part of an aggregated or redundant interface
  • it is in the same VDOM as the aggregated interface
  • it has no defined IP address and is not configured for DHCP or PPPoE
  • it has no DHCP server or relay configured on it
  • it does not have any VLAN subinterfaces
  • it is not referenced in any firewall policy, VIP or multicast policy
  • it is not an HA heartbeat device or monitored by HA
In a redundant group, failover to the next member interface happens when the active interface fails or is disconnected.

The order in which you specify the interfaces in the member list is the order in which they become active in the redundant group. For example, if you enter set member port5 port1, then port5 is active at the start, and when it fails or is disconnected, port1 becomes active.

This is only available when type is aggregate or redundant.

min-links <int>

When type is aggregate, set the minimum number of member interfaces that must be working. The default is 1.

min-links-down {operational | administrative}

When type is aggregate and the interface is down because of the min-links limit, choose whether the interface is down operationally or only administratively. The default is operational.
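An added configuration example, not taken from the Fortinet reference, that puts the aggregate and redundant options above together. It assumes physical ports port5 to port8 in the root VDOM and the interface names lag1 and red1; addresses are constructed for illustration.

```fortios
config system interface
    # Members must be in the same VDOM as the group before the member list is set (assumed: root)
    edit port5
        set vdom root
    next
    edit port6
        set vdom root
    next
    # LACP aggregate (assumed name lag1); lacp-speed and min-links apply only when type is aggregate
    edit lag1
        set vdom root
        set type aggregate
        set member port5 port6
        set algorithm L4
        set lacp-mode active
        set lacp-speed fast
        set min-links 2
        set min-links-down administrative
        set ip 10.0.0.1 255.255.255.0
    next
    # Redundant pair (assumed name red1): port7 is active first, port8 takes over if it fails
    edit port7
        set vdom root
    next
    edit port8
        set vdom root
    next
    edit red1
        set vdom root
        set type redundant
        set member port7 port8
        set ip 10.0.1.1 255.255.255.0
    next
end
```

The algorithm, LACP mode and speed must match what the connected switches are configured for; with min-links 2 and min-links-down administrative, lag1 is brought down administratively as soon as fewer than two members are working.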
