config system interface

Configure interfaces.

config system interface

Description: Configure interfaces.

edit <name>

set vdom {string}

set vrf {integer}

set cli-conn-status {integer}

set fortilink [enable|disable]

set mode [static|dhcp|...]

set distance {integer}

set priority {integer}

set dhcp-relay-interface-select-method [auto|sdwan|...]

set dhcp-relay-interface {string}

set dhcp-relay-service [disable|enable]

set dhcp-relay-ip {user}

set dhcp-relay-type [regular|ipsec]

set dhcp-relay-agent-option [enable|disable]

set management-ip {ipv4-classnet-host}

set ip {ipv4-classnet-host}

set allowaccess {option1}, {option2}, ...

set gwdetect [enable|disable]

set ping-serv-status {integer}

set detectserver {user}

set detectprotocol {option1}, {option2}, ...

set ha-priority {integer}

set fail-detect [enable|disable]

set fail-detect-option {option1}, {option2}, ...

set fail-alert-method [link-failed-signal|link-down]

set fail-action-on-extender [soft-restart|hard-restart|...]

set fail-alert-interfaces <name1>, <name2>, ...

set dhcp-client-identifier {string}

set dhcp-renew-time {integer}

set ipunnumbered {ipv4-address}

set username {string}

set pppoe-unnumbered-negotiate [enable|disable]

set password {password}

set idle-timeout {integer}

set detected-peer-mtu {integer}

set disc-retry-timeout {integer}

set padt-retry-timeout {integer}

set service-name {string}

set ac-name {string}

set lcp-echo-interval {integer}

set lcp-max-echo-fails {integer}

set defaultgw [enable|disable]

set dns-server-override [enable|disable]

set auth-type [auto|pap|...]

set pptp-client [enable|disable]

set pptp-user {string}

set pptp-password {password}

set pptp-server-ip {ipv4-address}

set pptp-auth-type [auto|pap|...]

set pptp-timeout {integer}

set arpforward [enable|disable]

set ndiscforward [enable|disable]

set broadcast-forward [enable|disable]

set bfd [global|enable|...]

set bfd-desired-min-tx {integer}

set bfd-detect-mult {integer}

set bfd-required-min-rx {integer}

set l2forward [enable|disable]

set icmp-send-redirect [enable|disable]

set icmp-accept-redirect [enable|disable]

set vlanforward [enable|disable]

set stpforward [enable|disable]

set stpforward-mode [rpl-all-ext-id|rpl-bridge-ext-id|...]

set ips-sniffer-mode [enable|disable]

set ident-accept [enable|disable]

set ipmac [enable|disable]

set subst [enable|disable]

set macaddr {mac-address}

set substitute-dst-mac {mac-address}

set speed [auto|10full|...]

set status [up|down]

set netbios-forward [disable|enable]

set wins-ip {ipv4-address}

set type [physical|vlan|...]

set dedicated-to [none|management]

set trust-ip-1 {ipv4-classnet-any}

set trust-ip-2 {ipv4-classnet-any}

set trust-ip-3 {ipv4-classnet-any}

set trust-ip6-1 {ipv6-prefix}

set trust-ip6-2 {ipv6-prefix}

set trust-ip6-3 {ipv6-prefix}

set mtu-override [enable|disable]

set mtu {integer}

set wccp [enable|disable]

set netflow-sampler [disable|tx|...]

set sflow-sampler [enable|disable]

set drop-overlapped-fragment [enable|disable]

set drop-fragment [enable|disable]

set src-check [enable|disable]

set sample-rate {integer}

set polling-interval {integer}

set sample-direction [tx|rx|...]

set explicit-web-proxy [enable|disable]

set explicit-ftp-proxy [enable|disable]

set proxy-captive-portal [enable|disable]

set tcp-mss {integer}

set inbandwidth {integer}

set outbandwidth {integer}

set egress-shaping-profile {string}

set ingress-shaping-profile {string}

set disconnect-threshold {integer}

set spillover-threshold {integer}

set ingress-spillover-threshold {integer}

set weight {integer}

set interface {string}

set external [enable|disable]

set vlanid {integer}

set forward-domain {integer}

set remote-ip {ipv4-classnet-host}

set member <interface-name1>, <interface-name2>, ...

set lacp-mode [static|passive|...]

set lacp-ha-slave [enable|disable]

set lacp-speed [slow|fast]

set min-links {integer}

set min-links-down [operational|administrative]

set algorithm [L2|L3|...]

set link-up-delay {integer}

set priority-override [enable|disable]

set aggregate {string}

set redundant-interface {string}

set devindex {integer}

set vindex {integer}

set switch {string}

set description {var-string}

set alias {string}

set security-mode [none|captive-portal|...]

set security-mac-auth-bypass [mac-auth-only|enable|...]

set security-external-web {string}

set security-external-logout {string}

set replacemsg-override-group {string}

set security-redirect-url {string}

set security-exempt-list {string}

set security-groups <name1>, <name2>, ...

set device-identification [enable|disable]

set device-user-identification [enable|disable]

set lldp-reception [enable|disable|...]

set lldp-transmission [enable|disable|...]

set lldp-network-policy {string}

set broadcast-forticlient-discovery [enable|disable]

set estimated-upstream-bandwidth {integer}

set estimated-downstream-bandwidth {integer}

set vrrp-virtual-mac [enable|disable]

config vrrp

Description: VRRP configuration.

edit <vrid>

set version [2|3]

set vrgrp {integer}

set vrip {ipv4-address-any}

set priority {integer}

set adv-interval {integer}

set start-time {integer}

set preempt [enable|disable]

set accept-mode [enable|disable]

set vrdst {ipv4-address-any}

set vrdst-priority {integer}

set ignore-default-route [enable|disable]

set status [enable|disable]

config proxy-arp

Description: VRRP Proxy ARP configuration.

edit <id>

set ip {user}

next

end

next

end

set role [lan|wan|...]

set snmp-index {integer}

set secondary-IP [enable|disable]

config secondaryip

Description: Second IP address of interface.

edit <id>

set ip {ipv4-classnet-host}

set allowaccess {option1}, {option2}, ...

set gwdetect [enable|disable]

set ping-serv-status {integer}

set detectserver {user}

set detectprotocol {option1}, {option2}, ...

set ha-priority {integer}

next

end

set preserve-session-route [enable|disable]

set auto-auth-extension-device [enable|disable]

set ap-discover [enable|disable]

set fortilink-stacking [enable|disable]

set fortilink-neighbor-detect [lldp|fortilink]

set fortilink-split-interface [enable|disable]

set internal {integer}

set fortilink-backup-link {integer}

set switch-controller-access-vlan [enable|disable]

set switch-controller-traffic-policy {string}

set switch-controller-rspan-mode [disable|enable]

set switch-controller-igmp-snooping [enable|disable]

set switch-controller-igmp-snooping-proxy [enable|disable]

set switch-controller-igmp-snooping-fast-leave [enable|disable]

set switch-controller-dhcp-snooping [enable|disable]

set switch-controller-dhcp-snooping-verify-mac [enable|disable]

set switch-controller-dhcp-snooping-option82 [enable|disable]

set switch-controller-arp-inspection [enable|disable]

set switch-controller-learning-limit {integer}

set color {integer}

config tagging

Description: Config object tagging.

edit <name>

set category {string}

set tags <name1>, <name2>, ...

next

end

config egress-queues

Description: Configure queues of NP port on egress path.

set cos0 {string}

set cos1 {string}

set cos2 {string}

set cos3 {string}

set cos4 {string}

set cos5 {string}

set cos6 {string}

set cos7 {string}

end

set ingress-cos [disable|cos0|...]

set egress-cos [disable|cos0|...]

config ipv6

Description: IPv6 of interface.

set ip6-mode [static|dhcp|...]

set nd-mode [basic|SEND-compatible]

set nd-cert {string}

set nd-security-level {integer}

set nd-timestamp-delta {integer}

set nd-timestamp-fuzz {integer}

set nd-cga-modifier {user}

set ip6-dns-server-override [enable|disable]

set ip6-address {ipv6-prefix}

config ip6-extra-addr

Description: Extra IPv6 address prefixes of interface.

edit <prefix>

next

end

set ip6-allowaccess {option1}, {option2}, ...

set ip6-send-adv [enable|disable]

set ip6-manage-flag [enable|disable]

set ip6-other-flag [enable|disable]

set ip6-max-interval {integer}

set ip6-min-interval {integer}

set ip6-link-mtu {integer}

set ip6-reachable-time {integer}

set ip6-retrans-time {integer}

set ip6-default-life {integer}

set ip6-hop-limit {integer}

set autoconf [enable|disable]

set ip6-upstream-interface {string}

set ip6-subnet {ipv6-prefix}

config ip6-prefix-list

Description: Advertised prefix list.

edit <prefix>

set autonomous-flag [enable|disable]

set onlink-flag [enable|disable]

set valid-life-time {integer}

set preferred-life-time {integer}

set rdnss {user}

set dnssl <domain1>, <domain2>, ...

next

end

config ip6-delegated-prefix-list

Description: Advertised IPv6 delegated prefix list.

edit <prefix-id>

set upstream-interface {string}

set autonomous-flag [enable|disable]

set onlink-flag [enable|disable]

set subnet {ipv6-network}

set rdnss-service [delegated|default|...]

set rdnss {user}

next

end

set dhcp6-relay-service [disable|enable]

set dhcp6-relay-type {option}

set dhcp6-relay-ip {user}

set dhcp6-client-options {option1}, {option2}, ...

set dhcp6-prefix-delegation [enable|disable]

set dhcp6-information-request [enable|disable]

set dhcp6-prefix-hint {ipv6-network}

set dhcp6-prefix-hint-plt {integer}

set dhcp6-prefix-hint-vlt {integer}

set vrrp-virtual-mac6 [enable|disable]

set vrip6_link_local {ipv6-address}

config vrrp6

Description: IPv6 VRRP configuration.

edit <vrid>

set vrgrp {integer}

set vrip6 {ipv6-address}

set priority {integer}

set adv-interval {integer}

set start-time {integer}

set preempt [enable|disable]

set accept-mode [enable|disable]

set vrdst6 {ipv6-address}

set status [enable|disable]

next

end

end

next

end

config system interface

Parameter name

Description

Type

Size

vdom

Interface is in this virtual domain (VDOM).

string

Maximum length: 31

vrf

Virtual Routing Forwarding ID.

integer

Minimum value: 0 Maximum value: 31

cli-conn-status

CLI connection status.

integer

Minimum value: 0 Maximum value: 4294967295

fortilink

Enable FortiLink to dedicate this interface to manage other Fortinet devices.

option

-

 

Option

Description

enable

Enable FortiLink to dedicate this interface to managing FortiSwitch devices.

disable

Do not dedicate this interface to managing FortiSwitch devices through FortiLink.

mode

Addressing mode (static, DHCP, PPPoE).

option

-

 

Option

Description

static

Static setting.

dhcp

External DHCP client mode.

pppoe

External PPPoE mode.

distance

Distance for routes learned through PPPoE or DHCP, lower distance indicates preferred route.

integer

Minimum value: 1 Maximum value: 255

priority

Priority of learned routes.

integer

Minimum value: 0 Maximum value: 4294967295

dhcp-relay-interface-select-method

Specify how to select outgoing interface to reach server.

option

-

 

Option

Description

auto

Set outgoing interface automatically.

sdwan

Set outgoing interface by SD-WAN or policy routing rules.

specify

Set outgoing interface manually.

dhcp-relay-interface

Specify outgoing interface to reach server.

string

Maximum length: 15

dhcp-relay-service

Enable/disable allowing this interface to act as a DHCP relay.

option

-

 

Option

Description

disable

None.

enable

DHCP relay agent.

dhcp-relay-ip

DHCP relay IP address.

user

Not Specified

dhcp-relay-type

DHCP relay type (regular or IPsec).

option

-

 

Option

Description

regular

Regular DHCP relay.

ipsec

DHCP relay for IPsec.

dhcp-relay-agent-option

Enable/disable DHCP relay agent option.

option

-

 

Option

Description

enable

Enable DHCP relay agent option.

disable

Disable DHCP relay agent option.

management-ip

High Availability in-band management IP address of this interface.

ipv4-classnet-host

Not Specified

ip

Interface IPv4 address and subnet mask, syntax: X.X.X.X/24.

ipv4-classnet-host

Not Specified

allowaccess

Permitted types of management access to this interface.

option

-

 

Option

Description

ping

PING access.

https

HTTPS access.

ssh

SSH access.

snmp

SNMP access.

http

HTTP access (unencrypted; prefer HTTPS for management).

telnet

TELNET access (unencrypted; prefer SSH for management).

fgfm

FortiManager access.

radius-acct

RADIUS accounting access.

probe-response

Probe access.

fabric

Security Fabric access.

ftm

FTM access.

gwdetect

Enable/disable detect gateway alive for first.

option

-

 

Option

Description

enable

Enable detect gateway alive for first.

disable

Disable detect gateway alive for first.

ping-serv-status

PING server status.

integer

Minimum value: 0 Maximum value: 255

detectserver

Gateway's ping server for this IP.

user

Not Specified

detectprotocol

Protocols used to detect the server.

option

-

 

Option

Description

ping

PING.

tcp-echo

TCP echo.

udp-echo

UDP echo.

ha-priority

HA election priority for the PING server.

integer

Minimum value: 1 Maximum value: 50

fail-detect

Enable/disable fail detection features for this interface.

option

-

 

Option

Description

enable

Enable interface failed option status.

disable

Disable interface failed option status.

fail-detect-option

Options for detecting that this interface has failed.

option

-

 

Option

Description

detectserver

Use a ping server to determine if the interface has failed.

link-down

Use port detection to determine if the interface has failed.

fail-alert-method

Select link-failed-signal or link-down method to alert about a failed link.

option

-

 

Option

Description

link-failed-signal

Link-failed-signal.

link-down

Link-down.

fail-action-on-extender

Action on extender when the interface fails.

option

-

 

Option

Description

soft-restart

Soft-restart-on-extender.

hard-restart

Hard-restart-on-extender.

reboot

Reboot-on-extender.

fail-alert-interfaces <name>

Names of the FortiGate interfaces to which the link failure alert is sent.

Names of the non-virtual interface.

string

Maximum length: 79

dhcp-client-identifier

DHCP client identifier.

string

Maximum length: 48

dhcp-renew-time

DHCP renew time in seconds (300-604800), 0 means use the renew time provided by the server.

integer

Minimum value: 300 Maximum value: 604800

ipunnumbered

Unnumbered IP used for PPPoE interfaces for which no unique local address is provided.

ipv4-address

Not Specified

username

Username of the PPPoE account, provided by your ISP.

string

Maximum length: 64

pppoe-unnumbered-negotiate

Enable/disable PPPoE unnumbered negotiation.

option

-

 

Option

Description

enable

Enable IP address negotiating for unnumbered.

disable

Disable IP address negotiating for unnumbered.

password

PPPoE account's password.

password

Not Specified

idle-timeout

PPPoE auto disconnect after idle timeout seconds, 0 means no timeout.

integer

Minimum value: 0 Maximum value: 32767

detected-peer-mtu

MTU of detected peer (0 - 4294967295).

integer

Minimum value: 0 Maximum value: 4294967295

disc-retry-timeout

Time in seconds to wait before retrying to start a PPPoE discovery, 0 means no timeout.

integer

Minimum value: 0 Maximum value: 4294967295

padt-retry-timeout

PPPoE Active Discovery Terminate (PADT) used to terminate sessions after an idle time.

integer

Minimum value: 0 Maximum value: 4294967295

service-name

PPPoE service name.

string

Maximum length: 63

ac-name

PPPoE server name.

string

Maximum length: 63

lcp-echo-interval

Time in seconds between PPPoE Link Control Protocol (LCP) echo requests.

integer

Minimum value: 0 Maximum value: 32767

lcp-max-echo-fails

Maximum missed LCP echo messages before disconnect.

integer

Minimum value: 0 Maximum value: 32767

defaultgw

Enable to get the gateway IP from the DHCP or PPPoE server.

option

-

 

Option

Description

enable

Enable default gateway.

disable

Disable default gateway.

dns-server-override

Enable/disable use of DNS acquired by DHCP or PPPoE.

option

-

 

Option

Description

enable

Use DNS acquired by DHCP or PPPoE.

disable

Do not use DNS acquired by DHCP or PPPoE.

auth-type

PPP authentication type to use.

option

-

 

Option

Description

auto

Automatically choose authentication.

pap

PAP authentication (the password is sent in cleartext).

chap

CHAP authentication.

mschapv1

MS-CHAPv1 authentication.

mschapv2

MS-CHAPv2 authentication.

pptp-client

Enable/disable PPTP client.

option

-

 

Option

Description

enable

Enable PPTP client.

disable

Disable PPTP client.

pptp-user

PPTP user name.

string

Maximum length: 64

pptp-password

PPTP password.

password

Not Specified

pptp-server-ip

PPTP server IP address.

ipv4-address

Not Specified

pptp-auth-type

PPTP authentication type.

option

-

 

Option

Description

auto

Automatically choose authentication.

pap

PAP authentication (the password is sent in cleartext).

chap

CHAP authentication.

mschapv1

MS-CHAPv1 authentication.

mschapv2

MS-CHAPv2 authentication.

pptp-timeout

Idle timer in minutes (0 for disabled).

integer

Minimum value: 0 Maximum value: 65535

arpforward

Enable/disable ARP forwarding.

option

-

 

Option

Description

enable

Enable ARP forwarding.

disable

Disable ARP forwarding.

ndiscforward

Enable/disable NDISC forwarding.

option

-

 

Option

Description

enable

Enable NDISC forwarding.

disable

Disable NDISC forwarding.

broadcast-forward

Enable/disable broadcast forwarding.

option

-

 

Option

Description

enable

Enable broadcast forwarding.

disable

Disable broadcast forwarding.

bfd

Bidirectional Forwarding Detection (BFD) settings.

option

-

 

Option

Description

global

BFD behavior of this interface will be based on global configuration.

enable

Enable BFD on this interface and ignore global configuration.

disable

Disable BFD on this interface and ignore global configuration.

bfd-desired-min-tx

BFD desired minimal transmit interval.

integer

Minimum value: 1 Maximum value: 100000

bfd-detect-mult

BFD detection multiplier.

integer

Minimum value: 1 Maximum value: 50

bfd-required-min-rx

BFD required minimal receive interval.

integer

Minimum value: 1 Maximum value: 100000

l2forward

Enable/disable L2 forwarding.

option

-

 

Option

Description

enable

Enable L2 forwarding.

disable

Disable L2 forwarding.

icmp-send-redirect

Enable/disable ICMP send redirect.

option

-

 

Option

Description

enable

Enable ICMP send redirect.

disable

Disable ICMP send redirect.

icmp-accept-redirect

Enable/disable ICMP accept redirect.

option

-

 

Option

Description

enable

Enable ICMP accept redirect.

disable

Disable ICMP accept redirect.

vlanforward

Enable/disable traffic forwarding between VLANs on this interface.

option

-

 

Option

Description

enable

Enable traffic forwarding.

disable

Disable traffic forwarding.

stpforward

Enable/disable STP forwarding.

option

-

 

Option

Description

enable

Enable STP forwarding.

disable

Disable STP forwarding.

stpforward-mode

Configure STP forwarding mode.

option

-

 

Option

Description

rpl-all-ext-id

Replace all extension IDs (root, bridge).

rpl-bridge-ext-id

Replace the bridge extension ID only.

rpl-nothing

Replace nothing.

ips-sniffer-mode

Enable/disable the use of this interface as a one-armed sniffer.

option

-

 

Option

Description

enable

Enable IPS sniffer mode.

disable

Disable IPS sniffer mode.

ident-accept

Enable/disable authentication for this interface.

option

-

 

Option

Description

enable

Enable determining a user's identity from packet identification.

disable

Disable determining a user's identity from packet identification.

ipmac

Enable/disable IP/MAC binding.

option

-

 

Option

Description

enable

Enable IP/MAC binding.

disable

Disable IP/MAC binding.

subst

Enable to always send packets from this interface to a destination MAC address.

option

-

 

Option

Description

enable

Send packets from this interface.

disable

Do not send packets from this interface.

macaddr

Change the interface's MAC address.

mac-address

Not Specified

substitute-dst-mac

Destination MAC address that all packets are sent to from this interface.

mac-address

Not Specified

speed

Interface speed. The default setting and the options available depend on the interface hardware.

option

-

 

Option

Description

auto

Automatically adjust speed.

10full

10M full-duplex.

10half

10M half-duplex.

100full

100M full-duplex.

100half

100M half-duplex.

1000full

1000M full-duplex.

1000half

1000M half-duplex.

1000auto

1000M auto adjust.

10000full

10G full-duplex.

status

Bring the interface up or shut the interface down.

option

-

 

Option

Description

up

Bring the interface up.

down

Shut the interface down.

netbios-forward

Enable/disable NETBIOS forwarding.

option

-

 

Option

Description

disable

Disable NETBIOS forwarding.

enable

Enable NETBIOS forwarding.

wins-ip

WINS server IP.

ipv4-address

Not Specified

type

Interface type.

option

-

 

Option

Description

physical

Physical interface.

vlan

VLAN interface.

aggregate

Aggregate interface.

redundant

Redundant interface.

tunnel

Tunnel interface.

vdom-link

VDOM link interface.

loopback

Loopback interface.

switch

Software switch interface.

vap-switch

VAP interface.

wl-mesh

WLAN mesh interface.

fext-wan

FortiExtender interface.

vxlan

VXLAN interface.

geneve

GENEVE interface.

hdlc

T1/E1 interface.

switch-vlan

Switch VLAN interface.

emac-vlan

EMAC VLAN interface.

dedicated-to

Configure interface for single purpose.

option

-

 

Option

Description

none

Interface not dedicated for any purpose.

management

Dedicate this interface for management purposes only.

trust-ip-1

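Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts). Limiting this to the specific administrative hosts or subnets restricts which sources can reach the management interface.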

ipv4-classnet-any

Not Specified

trust-ip-2

Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts).

ipv4-classnet-any

Not Specified

trust-ip-3

Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts).

ipv4-classnet-any

Not Specified

trust-ip6-1

Trusted IPv6 host for dedicated management traffic (::/0 for all hosts).

ipv6-prefix

Not Specified

trust-ip6-2

Trusted IPv6 host for dedicated management traffic (::/0 for all hosts).

ipv6-prefix

Not Specified

trust-ip6-3

Trusted IPv6 host for dedicated management traffic (::/0 for all hosts).

ipv6-prefix

Not Specified

mtu-override

Enable to set a custom MTU for this interface.

option

-

 

Option

Description

enable

Override default MTU.

disable

Use default MTU (1500).

mtu

MTU value for this interface.

integer

Minimum value: 0 Maximum value: 4294967295

wccp

Enable/disable WCCP on this interface. Used for encapsulated WCCP communication between WCCP clients and servers.

option

-

 

Option

Description

enable

Enable WCCP protocol on this interface.

disable

Disable WCCP protocol on this interface.

netflow-sampler

Enable/disable NetFlow on this interface and set the data that NetFlow collects (rx, tx, or both).

option

-

 

Option

Description

disable

Disable NetFlow protocol on this interface.

tx

Monitor transmitted traffic on this interface.

rx

Monitor received traffic on this interface.

both

Monitor transmitted/received traffic on this interface.

sflow-sampler

Enable/disable sFlow on this interface.

option

-

 

Option

Description

enable

Enable sFlow protocol on this interface.

disable

Disable sFlow protocol on this interface.

drop-overlapped-fragment

Enable/disable dropping of overlapped fragment packets.

option

-

 

Option

Description