Fortinet Document Library

Version:

Version:


Table of Contents

Administration Guide

Download PDF
Copy Link

Interface settings

Administrators can configure both physical and virtual FortiGate interfaces in Network > Interfaces. There are different options for configuring interfaces when FortiGate is in NAT mode or transparent mode.

To configure an interface in the GUI:
  1. Go to Network > Interfaces.
  2. Click Create New > Interface.
  3. Configure the interface fields:

    Interface Name

    Physical interface names cannot be changed.

    Alias

    Enter an alternate name for a physical interface on the FortiGate unit. This field appears when you edit an existing physical interface. The alias does not appear in logs.

    The maximum length of the alias is 25 characters.

    Type

    The configuration type for the interface, such as VLAN or Software Switch.

    Link Status

    Indicates whether the interface is connected to a network or not (link status is up or down). This field is available when you edit an existing physical interface.

    Interface

    This field is available when Type is set to VLAN.

    Select the name of the physical interface that you want to add a VLAN interface to. Once created, the VLAN interface is listed below its physical interface in the Interface list.

    You cannot change the physical interface of a VLAN interface except when you add a new VLAN interface.

    VLAN ID

    This field is available when Type is set to VLAN.

    Enter the VLAN ID. The VLAN ID can be any number between 1 and 4094 and must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch that is connected to the VLAN subinterface.

    The VLAN ID cannot be edited after the interface is added.

    Virtual Domain

    Select the virtual domain to add the interface to.

    Only administrator accounts with the super_admin profile can change the Virtual Domain.

    Role

    Set the role setting for the interface. Different settings will be shown or hidden when editing an interface depending on the role.

    • LAN: Used to connected to a local network of endpoints. It is default role for new interfaces.
    • WAN: Used to connected to the internet. When WAN is selected, the Estimated bandwidth setting is available, and the following settings are not: DHCP server, Create address object matching subnet, Device detection, Security mode, One-arm sniffer, Dedicate to extension/fortiap modes, and Admission Control.and will show Estimated Bandwidth settings.
    • DMZ: Used to connected to the DMZ. When selected, DHCP server and Security mode are not available.
    • Undefined: The interface has no specific role. When selected, Create address object matching subnet is not available.

    Interface Members

    This section can has different formats depending on the Type:

    Software Switch: This field is read-only, and shows the interfaces that belong to the virtual interface of the software switch.

    802.3ad Aggregate or Redundant Interface: This field includes the available and selected interface lists.

    Addressing mode

    Select the addressing mode for the interface.

    • Manual: Add an IP address and netmask for the interface. If IPv6 configuration is enabled,you can add both an IPv4 and an IPv6 address.
    • DHCP: Get the interface IP address and other network settings from a DHCP server.
    • PPPoE: Get the interface IP address and other network settings from a PPPoE server. This option is only available on the low-end FortiGate models.
    • Auto-managed by FortiIPAM: Assign subnets to prevent duplicate IP addresses from overlapping within the same Security Fabric. See Assign a subnet with the FortiIPAM service.
    • One-Arm Sniffer: Set the interface as a sniffer port so it can be used to detect attacks.

    IP/Netmask

    If Addressing Mode is set to Manual, enter an IPv4 address and subnet mask for the interface. FortiGate interfaces cannot have multiple IP addresses on the same subnet.

    IPv6 Address/Prefix

    If Addressing Mode is set to Manual and IPv6 support is enabled, enter an IPv6 address and subnet mask for the interface. A single interface can have an IPv4 address, IPv6 address, or both.

    Create address object matching subnet

    This option is available when Role is set to LAN or DMZ.

    Enable this option to automatically create an address object that matches the interface subnet.

    Secondary IP Address

    Add additional IPv4 addresses to this interface.

    IPv4 Administrative Access

    Select the types of administrative access permitted for IPv4 connections to this interface. See Configure administrative access to interfaces.

    IPv6 Administrative Access

    Select the types of administrative access permitted for IPv6 connections to this interface. See Configure administrative access to interfaces.

    DHCP Server

    Select to enable a DHCP server for the interface.

    Device Detection Enable/disable passively gathering device identity information about the devices on the network that are connected to this interface.
    Security Mode

    Enable/disable captive portal authentication for this interface. After enabling captive portal authentication, you can configure the authentication portal, user and group access, custom portal messages, exempt sources and destinations/services, and redirect after captive portal.

    Outbound shaping profile Enable/disable traffic shaping on the interface. This allows you to enforce bandwidth limits on individual interfaces.

    Comments

    Enter a description of the interface of up to 255 characters.

    Status

    Enable/disable the interface.

    • Enabled: The interface is active and can accept network traffic.
    • Disabled: The interface is not active and cannot accept traffic.
  4. Click OK.
To configure an interface in the CLI:
config system interface
    edit "<Interface_Name>"
        set vdom "<VDOM_Name>"
        set mode static/dhcp/pppoe
        set ip <IP_address> <netmask>
        set security-mode {none | captive-portal}
        set egress-shaping-profile <Profile_name>
        set device-identification {enable | disable}
        set allowaccess ping https ssh http
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 9.1.1.2 255.255.255.0
                set allowaccess ping https ssh snmp http
            next
        end
    next
end

Configure administrative access to interfaces

You can configure the protocols that administrators can use to access interfaces on the FortiGate. This helps secure access to the FortiGate by restricting access to a limited number of protocols. It helps prevent users from accessing interfaces that you don't want them to access, such as public-facing ports.

As a best practice, you should configure administrative access when you're setting the IP address for a port.

To configure administrative access to interfaces in the GUI:
  1. Go to Network > Interfaces.
  2. Create or edit an interface.
  3. In the Administrative Access section, select which protocols to enable for IPv4 and IPv6 Administrative Access.

    HTTPS

    Allow secure HTTPS connections to the FortiGate GUI through this interface. If configured, this option is enabled automatically.

    HTTP

    Allow HTTP connections to the FortiGate GUI through this interface. This option can only be enabled if HTTPS is already enabled.

    PING

    The interface responds to pings. Use this setting to verify your installation and for testing.

    FMG-Access

    Allow FortiManager authorization automatically during the communication exchanges between FortiManager and FortiGate devices.

    SSH

    Allow SSH connections to the CLI through this interface.

    SNMP

    Allow a remote SNMP manager to request SNMP information by connecting to this interface.

    FTM

    Allow FortiToken Mobile Push (FTM) access.

    RADIUS Accounting

    Allow RADIUS accounting information on this interface.

    Security Fabric Connection

    Allow Security Fabric access. This enables FortiTelemetry and CAPWAP.

Interface settings

Administrators can configure both physical and virtual FortiGate interfaces in Network > Interfaces. There are different options for configuring interfaces when FortiGate is in NAT mode or transparent mode.

To configure an interface in the GUI:
  1. Go to Network > Interfaces.
  2. Click Create New > Interface.
  3. Configure the interface fields:

    Interface Name

    Physical interface names cannot be changed.

    Alias

    Enter an alternate name for a physical interface on the FortiGate unit. This field appears when you edit an existing physical interface. The alias does not appear in logs.

    The maximum length of the alias is 25 characters.

    Type

    The configuration type for the interface, such as VLAN or Software Switch.

    Link Status

    Indicates whether the interface is connected to a network or not (link status is up or down). This field is available when you edit an existing physical interface.

    Interface

    This field is available when Type is set to VLAN.

    Select the name of the physical interface that you want to add a VLAN interface to. Once created, the VLAN interface is listed below its physical interface in the Interface list.

    You cannot change the physical interface of a VLAN interface except when you add a new VLAN interface.

    VLAN ID

    This field is available when Type is set to VLAN.

    Enter the VLAN ID. The VLAN ID can be any number between 1 and 4094 and must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch that is connected to the VLAN subinterface.

    The VLAN ID cannot be edited after the interface is added.

    Virtual Domain

    Select the virtual domain to add the interface to.

    Only administrator accounts with the super_admin profile can change the Virtual Domain.

    Role

    Set the role setting for the interface. Different settings will be shown or hidden when editing an interface depending on the role.

    • LAN: Used to connected to a local network of endpoints. It is default role for new interfaces.
    • WAN: Used to connected to the internet. When WAN is selected, the Estimated bandwidth setting is available, and the following settings are not: DHCP server, Create address object matching subnet, Device detection, Security mode, One-arm sniffer, Dedicate to extension/fortiap modes, and Admission Control.and will show Estimated Bandwidth settings.
    • DMZ: Used to connected to the DMZ. When selected, DHCP server and Security mode are not available.
    • Undefined: The interface has no specific role. When selected, Create address object matching subnet is not available.

    Interface Members

    This section can has different formats depending on the Type:

    Software Switch: This field is read-only, and shows the interfaces that belong to the virtual interface of the software switch.

    802.3ad Aggregate or Redundant Interface: This field includes the available and selected interface lists.

    Addressing mode

    Select the addressing mode for the interface.

    • Manual: Add an IP address and netmask for the interface. If IPv6 configuration is enabled,you can add both an IPv4 and an IPv6 address.
    • DHCP: Get the interface IP address and other network settings from a DHCP server.
    • PPPoE: Get the interface IP address and other network settings from a PPPoE server. This option is only available on the low-end FortiGate models.
    • Auto-managed by FortiIPAM: Assign subnets to prevent duplicate IP addresses from overlapping within the same Security Fabric. See Assign a subnet with the FortiIPAM service.
    • One-Arm Sniffer: Set the interface as a sniffer port so it can be used to detect attacks.

    IP/Netmask

    If Addressing Mode is set to Manual, enter an IPv4 address and subnet mask for the interface. FortiGate interfaces cannot have multiple IP addresses on the same subnet.

    IPv6 Address/Prefix

    If Addressing Mode is set to Manual and IPv6 support is enabled, enter an IPv6 address and subnet mask for the interface. A single interface can have an IPv4 address, IPv6 address, or both.

    Create address object matching subnet

    This option is available when Role is set to LAN or DMZ.

    Enable this option to automatically create an address object that matches the interface subnet.

    Secondary IP Address

    Add additional IPv4 addresses to this interface.

    IPv4 Administrative Access

    Select the types of administrative access permitted for IPv4 connections to this interface. See Configure administrative access to interfaces.

    IPv6 Administrative Access

    Select the types of administrative access permitted for IPv6 connections to this interface. See Configure administrative access to interfaces.

    DHCP Server

    Select to enable a DHCP server for the interface.

    Device Detection Enable/disable passively gathering device identity information about the devices on the network that are connected to this interface.
    Security Mode

    Enable/disable captive portal authentication for this interface. After enabling captive portal authentication, you can configure the authentication portal, user and group access, custom portal messages, exempt sources and destinations/services, and redirect after captive portal.

    Outbound shaping profile Enable/disable traffic shaping on the interface. This allows you to enforce bandwidth limits on individual interfaces.

    Comments

    Enter a description of the interface of up to 255 characters.

    Status

    Enable/disable the interface.

    • Enabled: The interface is active and can accept network traffic.
    • Disabled: The interface is not active and cannot accept traffic.
  4. Click OK.
To configure an interface in the CLI:
config system interface
    edit "<Interface_Name>"
        set vdom "<VDOM_Name>"
        set mode static/dhcp/pppoe
        set ip <IP_address> <netmask>
        set security-mode {none | captive-portal}
        set egress-shaping-profile <Profile_name>
        set device-identification {enable | disable}
        set allowaccess ping https ssh http
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 9.1.1.2 255.255.255.0
                set allowaccess ping https ssh snmp http
            next
        end
    next
end

Configure administrative access to interfaces

You can configure the protocols that administrators can use to access interfaces on the FortiGate. This helps secure access to the FortiGate by restricting access to a limited number of protocols. It helps prevent users from accessing interfaces that you don't want them to access, such as public-facing ports.

As a best practice, you should configure administrative access when you're setting the IP address for a port.

To configure administrative access to interfaces in the GUI:
  1. Go to Network > Interfaces.
  2. Create or edit an interface.
  3. In the Administrative Access section, select which protocols to enable for IPv4 and IPv6 Administrative Access.

    HTTPS

    Allow secure HTTPS connections to the FortiGate GUI through this interface. If configured, this option is enabled automatically.

    HTTP

    Allow HTTP connections to the FortiGate GUI through this interface. This option can only be enabled if HTTPS is already enabled.

    PING

    The interface responds to pings. Use this setting to verify your installation and for testing.

    FMG-Access

    Allow FortiManager authorization automatically during the communication exchanges between FortiManager and FortiGate devices.

    SSH

    Allow SSH connections to the CLI through this interface.

    SNMP

    Allow a remote SNMP manager to request SNMP information by connecting to this interface.

    FTM

    Allow FortiToken Mobile Push (FTM) access.

    RADIUS Accounting

    Allow RADIUS accounting information on this interface.

    Security Fabric Connection

    Allow Security Fabric access. This enables FortiTelemetry and CAPWAP.