config system interface

Configure interfaces.

config system interface
    Description: Configure interfaces.
    edit <name>
        set ac-name {string}
        set aggregate {string}
        set algorithm [L2|L3|...]
        set alias {string}
        set allowaccess {option1}, {option2}, ...
        set ap-discover [enable|disable]
        set arpforward [enable|disable]
        set atm-protocol [none|ipoa]
        set auth-cert {string}
        set auth-portal-addr {string}
        set auth-type [auto|pap|...]
        set auto-auth-extension-device [enable|disable]
        set bandwidth-measure-time {integer}
        set bfd [global|enable|...]
        set bfd-desired-min-tx {integer}
        set bfd-detect-mult {integer}
        set bfd-required-min-rx {integer}
        set broadcast-forward [enable|disable]
        set cli-conn-status {integer}
        config client-options
            Description: DHCP client options.
            edit <id>
                set code {integer}
                set ip {user}
                set type [hex|string|...]
                set value {string}
            next
        end
        set color {integer}
        set dedicated-to [none|management]
        set defaultgw [enable|disable]
        set description {var-string}
        set detected-peer-mtu {integer}
        set detectprotocol {option1}, {option2}, ...
        set detectserver {user}
        set device-identification [enable|disable]
        set device-user-identification [enable|disable]
        set devindex {integer}
        set dhcp-classless-route-addition [enable|disable]
        set dhcp-client-identifier {string}
        set dhcp-relay-agent-option [enable|disable]
        set dhcp-relay-interface {string}
        set dhcp-relay-interface-select-method [auto|sdwan|...]
        set dhcp-relay-ip {user}
        set dhcp-relay-link-selection {ipv4-address}
        set dhcp-relay-request-all-server [disable|enable]
        set dhcp-relay-service [disable|enable]
        set dhcp-relay-type [regular|ipsec]
        set dhcp-renew-time {integer}
        config dhcp-snooping-server-list
            Description: Configure DHCP server access list.
            edit <name>
                set server-ip {ipv4-address}
            next
        end
        set disc-retry-timeout {integer}
        set disconnect-threshold {integer}
        set distance {integer}
        set dns-server-override [enable|disable]
        set dns-server-protocol {option1}, {option2}, ...
        set drop-fragment [enable|disable]
        set drop-overlapped-fragment [enable|disable]
        set egress-cos [disable|cos0|...]
        config egress-queues
            Description: Configure queues of NP port on egress path.
            set cos0 {string}
            set cos1 {string}
            set cos2 {string}
            set cos3 {string}
            set cos4 {string}
            set cos5 {string}
            set cos6 {string}
            set cos7 {string}
        end
        set egress-shaping-profile {string}
        set eip {ipv4-address-any}
        set estimated-downstream-bandwidth {integer}
        set estimated-upstream-bandwidth {integer}
        set explicit-ftp-proxy [enable|disable]
        set explicit-web-proxy [enable|disable]
        set external [enable|disable]
        set fail-action-on-extender [soft-restart|hard-restart|...]
        set fail-alert-interfaces <name1>, <name2>, ...
        set fail-alert-method [link-failed-signal|link-down]
        set fail-detect [enable|disable]
        set fail-detect-option {option1}, {option2}, ...
        set fortilink [enable|disable]
        set fortilink-backup-link {integer}
        set fortilink-neighbor-detect [lldp|fortilink]
        set fortilink-split-interface [enable|disable]
        set forward-domain {integer}
        set forward-error-correction [none|disable|...]
        set gateway-address {ipv4-address}
        set gi-gk [enable|disable]
        set gwaddr {ipv4-address}
        set gwdetect [enable|disable]
        set ha-priority {integer}
        set icmp-accept-redirect [enable|disable]
        set icmp-send-redirect [enable|disable]
        set ident-accept [enable|disable]
        set idle-timeout {integer}
        set inbandwidth {integer}
        set ingress-cos [disable|cos0|...]
        set ingress-shaping-profile {string}
        set ingress-spillover-threshold {integer}
        set interface {string}
        set internal {integer}
        set ip {ipv4-classnet-host}
        set ip-managed-by-fortiipam [enable|disable]
        set ipmac [enable|disable]
        set ips-sniffer-mode [enable|disable]
        set ipunnumbered {ipv4-address}
        config ipv6
            Description: IPv6 of interface.
            set autoconf [enable|disable]
            set cli-conn6-status {integer}
            set dhcp6-client-options {option1}, {option2}, ...
            config dhcp6-iapd-list
                Description: DHCPv6 IA-PD list.
                edit <iaid>
                    set prefix-hint {ipv6-network}
                    set prefix-hint-plt {integer}
                    set prefix-hint-vlt {integer}
                next
            end
            set dhcp6-information-request [enable|disable]
            set dhcp6-prefix-delegation [enable|disable]
            set dhcp6-relay-ip {user}
            set dhcp6-relay-service [disable|enable]
            set dhcp6-relay-type {option}
            set icmp6-send-redirect [enable|disable]
            set interface-identifier {ipv6-address}
            set ip6-address {ipv6-prefix}
            set ip6-allowaccess {option1}, {option2}, ...
            set ip6-default-life {integer}
            set ip6-delegated-prefix-iaid {integer}
            config ip6-delegated-prefix-list
                Description: Advertised IPv6 delegated prefix list.
                edit <prefix-id>
                    set autonomous-flag [enable|disable]
                    set delegated-prefix-iaid {integer}
                    set onlink-flag [enable|disable]
                    set rdnss {user}
                    set rdnss-service [delegated|default|...]
                    set subnet {ipv6-network}
                    set upstream-interface {string}
                next
            end
            set ip6-dns-server-override [enable|disable]
            config ip6-extra-addr
                Description: Extra IPv6 address prefixes of interface.
                edit <prefix>
                next
            end
            set ip6-hop-limit {integer}
            set ip6-link-mtu {integer}
            set ip6-manage-flag [enable|disable]
            set ip6-max-interval {integer}
            set ip6-min-interval {integer}
            set ip6-mode [static|dhcp|...]
            set ip6-other-flag [enable|disable]
            config ip6-prefix-list
                Description: Advertised prefix list.
                edit <prefix>
                    set autonomous-flag [enable|disable]
                    set dnssl <domain1>, <domain2>, ...
                    set onlink-flag [enable|disable]
                    set preferred-life-time {integer}
                    set rdnss {user}
                    set valid-life-time {integer}
                next
            end
            set ip6-prefix-mode [dhcp6|ra]
            set ip6-reachable-time {integer}
            set ip6-retrans-time {integer}
            set ip6-send-adv [enable|disable]
            set ip6-subnet {ipv6-prefix}
            set ip6-upstream-interface {string}
            set nd-cert {string}
            set nd-cga-modifier {user}
            set nd-mode [basic|SEND-compatible]
            set nd-security-level {integer}
            set nd-timestamp-delta {integer}
            set nd-timestamp-fuzz {integer}
            set ra-send-mtu [enable|disable]
            set unique-autoconf-addr [enable|disable]
            set vrip6_link_local {ipv6-address}
            set vrrp-virtual-mac6 [enable|disable]
            config vrrp6
                Description: IPv6 VRRP configuration.
                edit <vrid>
                    set accept-mode [enable|disable]
                    set adv-interval {integer}
                    set preempt [enable|disable]
                    set priority {integer}
                    set start-time {integer}
                    set status [enable|disable]
                    set vrdst6 {ipv6-address}
                    set vrgrp {integer}
                    set vrip6 {ipv6-address}
                next
            end
        end
        set l2forward [enable|disable]
        set l2tp-client [enable|disable]
        config l2tp-client-settings
            Description: L2TP client settings.
            set auth-type [auto|pap|...]
            set defaultgw [enable|disable]
            set distance {integer}
            set hello-interval {integer}
            set ip {ipv4-classnet-host}
            set mtu {integer}
            set password {password}
            set peer-host {string}
            set peer-mask {ipv4-netmask}
            set peer-port {integer}
            set priority {integer}
            set user {string}
        end
        set lacp-ha-slave [enable|disable]
        set lacp-mode [static|passive|...]
        set lacp-speed [slow|fast]
        set lcp-echo-interval {integer}
        set lcp-max-echo-fails {integer}
        set link-up-delay {integer}
        set lldp-network-policy {string}
        set lldp-reception [enable|disable|...]
        set lldp-transmission [enable|disable|...]
        set macaddr {mac-address}
        set managed-subnetwork-size [32|64|...]
        set management-ip {ipv4-classnet-host}
        set measured-downstream-bandwidth {integer}
        set measured-upstream-bandwidth {integer}
        set mediatype [serdes-sfp|sgmii-sfp|...]
        set member <interface-name1>, <interface-name2>, ...
        set min-links {integer}
        set min-links-down [operational|administrative]
        set mode [static|dhcp|...]
        set monitor-bandwidth [enable|disable]
        set mtu {integer}
        set mtu-override [enable|disable]
        set mux-type [llc-encaps|vc-encaps]
        set ndiscforward [enable|disable]
        set netbios-forward [disable|enable]
        set netflow-sampler [disable|tx|...]
        set np-qos-profile {integer}
        set outbandwidth {integer}
        set padt-retry-timeout {integer}
        set password {password}
        set phy-mode {option}
        set ping-serv-status {integer}
        set poe [enable|disable]
        set polling-interval {integer}
        set pppoe-unnumbered-negotiate [enable|disable]
        set pptp-auth-type [auto|pap|...]
        set pptp-client [enable|disable]
        set pptp-password {password}
        set pptp-server-ip {ipv4-address}
        set pptp-timeout {integer}
        set pptp-user {string}
        set preserve-session-route [enable|disable]
        set priority {integer}
        set priority-override [enable|disable]
        set proxy-captive-portal [enable|disable]
        set pvc-atm-qos [cbr|rt-vbr|...]
        set pvc-chan {integer}
        set pvc-crc {integer}
        set pvc-pcr {integer}
        set pvc-scr {integer}
        set pvc-vlan-id {integer}
        set pvc-vlan-rx-id {integer}
        set pvc-vlan-rx-op [pass-through|replace|...]
        set pvc-vlan-tx-id {integer}
        set pvc-vlan-tx-op [pass-through|replace|...]
        set reachable-time {integer}
        set redundant-interface {string}
        set remote-ip {ipv4-classnet-host}
        set replacemsg-override-group {string}
        set retransmission [disable|enable]
        set ring-rx {integer}
        set ring-tx {integer}
        set role [lan|wan|...]
        set sample-direction [tx|rx|...]
        set sample-rate {integer}
        set secondary-IP [enable|disable]
        config secondaryip
            Description: Second IP address of interface.
            edit <id>
                set allowaccess {option1}, {option2}, ...
                set detectprotocol {option1}, {option2}, ...
                set detectserver {user}
                set gwdetect [enable|disable]
                set ha-priority {integer}
                set ip {ipv4-classnet-host}
                set ping-serv-status {integer}
            next
        end
        set security-8021x-dynamic-vlan-id {integer}
        set security-8021x-master {string}
        set security-8021x-mode [default|dynamic-vlan|...]
        set security-exempt-list {string}
        set security-external-logout {string}
        set security-external-web {var-string}
        set security-groups <name1>, <name2>, ...
        set security-mac-auth-bypass [mac-auth-only|enable|...]
        set security-mode [none|captive-portal|...]
        set security-redirect-url {var-string}
        set service-name {string}
        set sflow-sampler [enable|disable]
        set sfp-dsl [disable|enable]
        set sfp-dsl-adsl-fallback [disable|enable]
        set sfp-dsl-autodetect [disable|enable]
        set sfp-dsl-mac {mac-address}
        set snmp-index {integer}
        set speed [auto|10full|...]
        set spillover-threshold {integer}
        set src-check [enable|disable]
        set status [up|down]
        set stp [disable|enable]
        set stp-ha-secondary [disable|enable|...]
        set stpforward [enable|disable]
        set stpforward-mode [rpl-all-ext-id|rpl-bridge-ext-id|...]
        set subst [enable|disable]
        set substitute-dst-mac {mac-address}
        set sw-algorithm [l2|l3|...]
        set swc-first-create {integer}
        set swc-vlan {integer}
        set switch {string}
        set switch-controller-access-vlan [enable|disable]
        set switch-controller-arp-inspection [enable|disable]
        set switch-controller-dhcp-snooping [enable|disable]
        set switch-controller-dhcp-snooping-option82 [enable|disable]
        set switch-controller-dhcp-snooping-verify-mac [enable|disable]
        set switch-controller-dynamic {string}
        set switch-controller-feature [none|default-vlan|...]
        set switch-controller-igmp-snooping [enable|disable]
        set switch-controller-igmp-snooping-fast-leave [enable|disable]
        set switch-controller-igmp-snooping-proxy [enable|disable]
        set switch-controller-iot-scanning [enable|disable]
        set switch-controller-learning-limit {integer}
        set switch-controller-mgmt-vlan {integer}
        set switch-controller-nac {string}
        set switch-controller-rspan-mode [disable|enable]
        set switch-controller-source-ip [outbound|fixed]
        set switch-controller-traffic-policy {string}
        set system-id {mac-address}
        set system-id-type [auto|user]
        config tagging
            Description: Config object tagging.
            edit <name>
                set category {string}
                set tags <name1>, <name2>, ...
            next
        end
        set tc-mode {option}
        set tcp-mss {integer}
        set trunk [enable|disable]
        set trust-ip-1 {ipv4-classnet-any}
        set trust-ip-2 {ipv4-classnet-any}
        set trust-ip-3 {ipv4-classnet-any}
        set trust-ip6-1 {ipv6-prefix}
        set trust-ip6-2 {ipv6-prefix}
        set trust-ip6-3 {ipv6-prefix}
        set type [physical|vlan|...]
        set username {string}
        set vci {integer}
        set vdom {string}
        set vectoring [disable|enable]
        set vindex {integer}
        set vlan-protocol [8021q|8021ad]
        set vlanforward [enable|disable]
        set vlanid {integer}
        set vpi {integer}
        set vrf {integer}
        config vrrp
            Description: VRRP configuration.
            edit <vrid>
                set accept-mode [enable|disable]
                set adv-interval {integer}
                set ignore-default-route [enable|disable]
                set preempt [enable|disable]
                set priority {integer}
                config proxy-arp
                    Description: VRRP Proxy ARP configuration.
                    edit <id>
                        set ip {user}
                    next
                end
                set start-time {integer}
                set status [enable|disable]
                set version [2|3]
                set vrdst {ipv4-address-any}
                set vrdst-priority {integer}
                set vrgrp {integer}
                set vrip {ipv4-address-any}
            next
        end
        set vrrp-virtual-mac [enable|disable]
        set wccp [enable|disable]
        set weight {integer}
        set wifi-5g-threshold {string}
        set wifi-acl [allow|deny]
        set wifi-ap-band [any|5g-preferred|...]
        set wifi-auth [PSK|radius|...]
        set wifi-auto-connect [enable|disable]
        set wifi-auto-save [enable|disable]
        set wifi-broadcast-ssid [enable|disable]
        set wifi-encrypt [TKIP|AES]
        set wifi-fragment-threshold {integer}
        set wifi-key {password}
        set wifi-keyindex {integer}
        set wifi-mac-filter [enable|disable]
        config wifi-mac-list
            Description: MAC filter list.
            edit <id>
                set mac {mac-address}
            next
        end
        config wifi-networks
            Description: WiFi network table.
            edit <id>
                set wifi-encrypt [TKIP|AES]
                set wifi-key {password}
                set wifi-keyindex {integer}
                set wifi-passphrase {password}
                set wifi-security [open|wep64|...]
                set wifi-ssid {string}
            next
        end
        set wifi-passphrase {password}
        set wifi-radius-server {string}
        set wifi-rts-threshold {integer}
        set wifi-security [open|wep64|...]
        set wifi-ssid {string}
        set wifi-usergroup {string}
        set wins-ip {ipv4-address}
    next
end

config system interface

Parameter

Description

Type

Size

Default

ac-name

PPPoE server name.

string

Maximum length: 63

aggregate

Aggregate interface. Read-only.

string

Maximum length: 15

algorithm

Frame distribution algorithm.

option

Option	Description
L2	Use layer 2 address for distribution.
L3	Use layer 3 address for distribution.
L4	Use layer 4 information for distribution.

alias

Alias will be displayed with the interface name to make it easier to distinguish.

string

Maximum length: 25

allowaccess

Permitted types of management access to this interface.

option

Option	Description
ping	PING access.
https	HTTPS access.
ssh	SSH access.
snmp	SNMP access.
http	HTTP access.
telnet	TELNET access.
fgfm	FortiManager access.
radius-acct	RADIUS accounting access.
probe-response	Probe access.
fabric	Security Fabric access.
ftm	FTM access.
speed-test	Speed test access.

ap-discover

Enable/disable automatic registration of unknown FortiAP devices.

option

enable

Option	Description
enable	Enable automatic registration of unknown FortiAP devices.
disable	Disable automatic registration of unknown FortiAP devices.

arpforward

Enable/disable ARP forwarding.

option

enable

Option	Description
enable	Enable ARP forwarding.
disable	Disable ARP forwarding.

atm-protocol *

ATM protocol.

option

none

Option	Description
none	Not over ATM.
ipoa	IPoA RFC2684.

auth-cert

HTTPS server certificate.

string

Maximum length: 35

auth-portal-addr

Address of captive portal.

string

Maximum length: 63

auth-type

PPP authentication type to use.

option

auto

Option	Description
auto	Automatically choose authentication.
pap	PAP authentication.
chap	CHAP authentication.
mschapv1	MS-CHAPv1 authentication.
mschapv2	MS-CHAPv2 authentication.

auto-auth-extension-device

Enable/disable automatic authorization of dedicated Fortinet extension device on this interface.

option

disable

Option	Description
enable	Enable automatic authorization of dedicated Fortinet extension device on this interface.
disable	Disable automatic authorization of dedicated Fortinet extension device on this interface.

bandwidth-measure-time

Bandwidth measure time.

integer

Minimum value: 0 Maximum value: 4294967295

bfd

Bidirectional Forwarding Detection (BFD) settings.

option

global

Option	Description
global	BFD behavior of this interface will be based on global configuration.
enable	Enable BFD on this interface and ignore global configuration.
disable	Disable BFD on this interface and ignore global configuration.

bfd-desired-min-tx

BFD desired minimal transmit interval.

integer

Minimum value: 1 Maximum value: 100000

250

bfd-detect-mult

BFD detection multiplier.

integer

Minimum value: 1 Maximum value: 50

bfd-required-min-rx

BFD required minimal receive interval.

integer

Minimum value: 1 Maximum value: 100000

250

broadcast-forward

Enable/disable broadcast forwarding.

option

disable

Option	Description
enable	Enable broadcast forwarding.
disable	Disable broadcast forwarding.

cli-conn-status

CLI connection status. Read-only.

integer

Minimum value: 0 Maximum value: 4294967295

color

Color of icon on the GUI.

integer

Minimum value: 0 Maximum value: 32

dedicated-to

Configure interface for single purpose.

option

none

Option	Description
none	Interface not dedicated for any purpose.
management	Dedicate this interface for management purposes only.

defaultgw

Enable to get the gateway IP from the DHCP or PPPoE server.

option

enable

Option	Description
enable	Enable default gateway.
disable	Disable default gateway.

description

Description.

var-string

Maximum length: 255

detected-peer-mtu

MTU of detected peer (0 - 4294967295). Read-only.

integer

Minimum value: 0 Maximum value: 4294967295

detectprotocol

Protocols used to detect the server.

option

ping

Option	Description
ping	PING.
tcp-echo	TCP echo.
udp-echo	UDP echo.

detectserver

Gateway's ping server for this IP.

user

Not Specified

device-identification

Enable/disable passively gathering of device identity information about the devices on the network connected to this interface.

option

disable

Option	Description
enable	Enable passive gathering of identity information about hosts.
disable	Disable passive gathering of identity information about hosts.

device-user-identification

Enable/disable passive gathering of user identity information about users on this interface.

option

enable

Option	Description
enable	Enable passive gathering of user identity information about users.
disable	Disable passive gathering of user identity information about users.

devindex

Device Index. Read-only.

integer

Minimum value: 0 Maximum value: 4294967295

dhcp-classless-route-addition

Enable/disable addition of classless static routes retrieved from DHCP server.

option

disable **

Option	Description
enable	Enable addition of classless static routes retrieved from DHCP server.
disable	Disable addition of classless static routes retrieved from DHCP server.

dhcp-client-identifier

DHCP client identifier.

string

Maximum length: 48

dhcp-relay-agent-option

Enable/disable DHCP relay agent option.

option

enable

Option	Description
enable	Enable DHCP relay agent option.
disable	Disable DHCP relay agent option.

dhcp-relay-interface

Specify outgoing interface to reach server.

string

Maximum length: 15

dhcp-relay-interface-select-method

Specify how to select outgoing interface to reach server.

option

auto

Option	Description
auto	Set outgoing interface automatically.
sdwan	Set outgoing interface by SD-WAN or policy routing rules.
specify	Set outgoing interface manually.

dhcp-relay-ip

DHCP relay IP address.

user

Not Specified

dhcp-relay-link-selection

DHCP relay link selection.

ipv4-address

Not Specified

0.0.0.0

dhcp-relay-request-all-server

Enable/disable sending of DHCP requests to all servers.

option

disable

Option	Description
disable	Send DHCP requests only to a matching server.
enable	Send DHCP requests to all servers.

dhcp-relay-service

Enable/disable allowing this interface to act as a DHCP relay.

option

disable

Option	Description
disable	None.
enable	DHCP relay agent.

dhcp-relay-type

DHCP relay type (regular or IPsec).

option

regular

Option	Description
regular	Regular DHCP relay.
ipsec	DHCP relay for IPsec.

dhcp-renew-time

DHCP renew time in seconds (300-604800), 0 means use the renew time provided by the server.

integer

Minimum value: 300 Maximum value: 604800

disc-retry-timeout

Time in seconds to wait before retrying to start a PPPoE discovery, 0 means no timeout.

integer

Minimum value: 0 Maximum value: 4294967295

disconnect-threshold

Time in milliseconds to wait before sending a notification that this interface is down or disconnected.

integer

Minimum value: 0 Maximum value: 10000

distance

Distance for routes learned through PPPoE or DHCP, lower distance indicates preferred route.

integer

Minimum value: 1 Maximum value: 255

dns-server-override

Enable/disable use DNS acquired by DHCP or PPPoE.

option

enable

Option	Description
enable	Use DNS acquired by DHCP or PPPoE.
disable	No not use DNS acquired by DHCP or PPPoE.

dns-server-protocol

DNS transport protocols.

option

cleartext

Option	Description
cleartext	DNS over UDP/53, DNS over TCP/53.
dot	DNS over TLS/853.
doh	DNS over HTTPS/443.

drop-fragment

Enable/disable drop fragment packets.

option

disable

Option	Description
enable	Enable/disable drop fragment packets.
disable	Do not drop fragment packets.

drop-overlapped-fragment

Enable/disable drop overlapped fragment packets.

option

disable

Option	Description
enable	Enable drop of overlapped fragment packets.
disable	Disable drop of overlapped fragment packets.

egress-cos *

Override outgoing CoS in user VLAN tag.

option

disable

Option	Description
disable	Disable.
cos0	CoS 0.
cos1	CoS 1.
cos2	CoS 2.
cos3	CoS 3.
cos4	CoS 4.
cos5	CoS 5.
cos6	CoS 6.
cos7	CoS 7.

egress-shaping-profile

Outgoing traffic shaping profile.

string

Maximum length: 35

eip *

External IP. Read-only.

ipv4-address-any

Not Specified

0.0.0.0

estimated-downstream-bandwidth

Estimated maximum downstream bandwidth (kbps). Used to estimate link utilization.

integer

Minimum value: 0 Maximum value: 4294967295

estimated-upstream-bandwidth

Estimated maximum upstream bandwidth (kbps). Used to estimate link utilization.

integer

Minimum value: 0 Maximum value: 4294967295

explicit-ftp-proxy

Enable/disable the explicit FTP proxy on this interface.

option

disable

Option	Description
enable	Enable explicit FTP proxy on this interface.
disable	Disable explicit FTP proxy on this interface.

explicit-web-proxy

Enable/disable the explicit web proxy on this interface.

option

disable

Option	Description
enable	Enable explicit Web proxy on this interface.
disable	Disable explicit Web proxy on this interface.

external

Enable/disable identifying the interface as an external interface (which usually means it's connected to the Internet).

option

disable

Option	Description
enable	Enable identifying the interface as an external interface.
disable	Disable identifying the interface as an external interface.

fail-action-on-extender

Action on FortiExtender when interface fail.

option

soft-restart

Option	Description
soft-restart	Soft-restart-on-extender.
hard-restart	Hard-restart-on-extender.
reboot	Reboot-on-extender.

fail-alert-interfaces <name>

Names of the FortiGate interfaces to which the link failure alert is sent.

Names of the non-virtual interface.

string

Maximum length: 79

fail-alert-method

Select link-failed-signal or link-down method to alert about a failed link.

option

link-down

Option	Description
link-failed-signal	Link-failed-signal.
link-down	Link-down.

fail-detect

Enable/disable fail detection features for this interface.

option

disable

Option	Description
enable	Enable interface failed option status.
disable	Disable interface failed option status.

fail-detect-option

Options for detecting that this interface has failed.

option

link-down

Option	Description
detectserver	Use a ping server to determine if the interface has failed.
link-down	Use port detection to determine if the interface has failed.

fortilink *

Enable FortiLink to dedicate this interface to manage other Fortinet devices.

option

disable

Option	Description
enable	Enable FortiLink to dedicated interface for managing FortiSwitch devices.
disable	Disable FortiLink to dedicated interface for managing FortiSwitch devices.

fortilink-backup-link

FortiLink split interface backup link. Read-only.

integer

Minimum value: 0 Maximum value: 255

fortilink-neighbor-detect

Protocol for FortiGate neighbor discovery.

option

fortilink

Option	Description
lldp	Detect FortiLink neighbors using LLDP protocol.
fortilink	Detect FortiLink neighbors using FortiLink protocol.

fortilink-split-interface

Enable/disable FortiLink split interface to connect member link to different FortiSwitch in stack for uplink redundancy.

option

enable

Option	Description
enable	Enable FortiLink split interface to connect member link to different FortiSwitch in stack for uplink redundancy.
disable	Disable FortiLink split interface.

forward-domain

Transparent mode forward domain.

integer

Minimum value: 0 Maximum value: 2147483647

forward-error-correction *

Configure forward error correction (FEC).

option

none

Option	Description
none	none
disable	Disable forward error correction (FEC).
cl91-rs-fec	Reed-Solomon (FEC CL91).
cl74-fc-fec	Fire-Code (FEC CL74).

gateway-address *

Gateway address

ipv4-address

Not Specified

0.0.0.0

gi-gk *

Enable/disable Gi Gatekeeper.

option

disable

Option	Description
enable	enable Gi Gatekeeper
disable	disable Gi Gatekeeper

gwaddr *

Gateway address

ipv4-address

Not Specified

0.0.0.0

gwdetect

Enable/disable detect gateway alive for first.

option

disable

Option	Description
enable	Enable detect gateway alive for first.
disable	Disable detect gateway alive for first.

ha-priority

HA election priority for the PING server.

integer

Minimum value: 1 Maximum value: 50

icmp-accept-redirect

Enable/disable ICMP accept redirect.

option

enable

Option	Description
enable	Enable ICMP accept redirect.
disable	Disable ICMP accept redirect.

icmp-send-redirect

Enable/disable sending of ICMP redirects.

option

enable

Option	Description
enable	Enable sending of ICMP redirects.
disable	Disable sending of ICMP redirects.

ident-accept

Enable/disable authentication for this interface.

option

disable

Option	Description
enable	Enable determining a user's identity from packet identification.
disable	Disable determining a user's identity from packet identification.

idle-timeout

PPPoE auto disconnect after idle timeout seconds, 0 means no timeout.

integer

Minimum value: 0 Maximum value: 32767

inbandwidth

Bandwidth limit for incoming traffic (0 - 80000000 kbps), 0 means unlimited.

integer

Minimum value: 0 Maximum value: 80000000 **

ingress-cos *

Override incoming CoS in user VLAN tag on VLAN interface or assign a priority VLAN tag on physical interface.

option

disable

Option	Description
disable	Disable.
cos0	CoS 0.
cos1	CoS 1.
cos2	CoS 2.
cos3	CoS 3.
cos4	CoS 4.
cos5	CoS 5.
cos6	CoS 6.
cos7	CoS 7.

ingress-shaping-profile

Incoming traffic shaping profile.

string

Maximum length: 35

ingress-spillover-threshold

Ingress Spillover threshold (0 - 16776000 kbps), 0 means unlimited.

integer

Minimum value: 0 Maximum value: 16776000

interface

Interface name.

string

Maximum length: 15

internal

Implicitly created.

integer

Minimum value: 0 Maximum value: 255

Interface IPv4 address and subnet mask, syntax: X.X.X.X/24.

ipv4-classnet-host

Not Specified

0.0.0.0 0.0.0.0

ip-managed-by-fortiipam

Enable/disable automatic IP address assignment of this interface by FortiIPAM.

option

disable

Option	Description
enable	Enable automatic IP address assignment of this interface by FortiIPAM.
disable	Disable automatic IP address assignment of this interface by FortiIPAM.

ipmac

Enable/disable IP/MAC binding.

option

disable

Option	Description
enable	Enable IP/MAC binding.
disable	Disable IP/MAC binding.

ips-sniffer-mode

Enable/disable the use of this interface as a one-armed sniffer.

option

disable

Option	Description
enable	Enable IPS sniffer mode.
disable	Disable IPS sniffer mode.

ipunnumbered

Unnumbered IP used for PPPoE interfaces for which no unique local address is provided.

ipv4-address

Not Specified

0.0.0.0

l2forward

Enable/disable l2 forwarding.

option

disable

Option	Description
enable	Enable L2 forwarding.
disable	Disable L2 forwarding.

l2tp-client *

Enable/disable this interface as a Layer 2 Tunnelling Protocol (L2TP) client.

option

disable

Option	Description
enable	Enable L2TP client.
disable	Disable L2TP client.

lacp-ha-slave

LACP HA slave.

option

enable

Option	Description
enable	Allow HA slave to send/receive LACP messages.
disable	Block HA slave from sending/receiving LACP messages.

lacp-mode

LACP mode.

option

active

Option	Description
static	Use static aggregation, do not send and ignore any LACP messages.
passive	Passively use LACP to negotiate 802.3ad aggregation.
active	Actively use LACP to negotiate 802.3ad aggregation.

lacp-speed

How often the interface sends LACP messages.

option

slow

Option	Description
slow	Send LACP message every 30 seconds.
fast	Send LACP message every second.

lcp-echo-interval

Time in seconds between PPPoE Link Control Protocol (LCP) echo requests.

integer

Minimum value: 0 Maximum value: 32767

lcp-max-echo-fails

Maximum missed LCP echo messages before disconnect.

integer

Minimum value: 0 Maximum value: 32767

link-up-delay

Number of milliseconds to wait before considering a link is up.

integer

Minimum value: 50 Maximum value: 3600000

lldp-network-policy

LLDP-MED network policy profile.

string

Maximum length: 35

lldp-reception

Enable/disable Link Layer Discovery Protocol (LLDP) reception.

option

vdom

Option	Description
enable	Enable reception of Link Layer Discovery Protocol (LLDP).
disable	Disable reception of Link Layer Discovery Protocol (LLDP).
vdom	Use VDOM Link Layer Discovery Protocol (LLDP) reception configuration setting.

lldp-transmission

Enable/disable Link Layer Discovery Protocol (LLDP) transmission.

option

vdom

Option	Description
enable	Enable transmission of Link Layer Discovery Protocol (LLDP).
disable	Disable transmission of Link Layer Discovery Protocol (LLDP).
vdom	Use VDOM Link Layer Discovery Protocol (LLDP) transmission configuration setting.

macaddr

Change the interface's MAC address.

mac-address

Not Specified

00:00:00:00:00:00 **

managed-subnetwork-size

Number of IP addresses to be allocated by FortiIPAM and used by this FortiGate unit's DHCP server settings.

option

256

Option	Description
32	Allocate a subnet with 32 IP addresses.
64	Allocate a subnet with 64 IP addresses.
128	Allocate a subnet with 128 IP addresses.
256	Allocate a subnet with 256 IP addresses.
512	Allocate a subnet with 512 IP addresses.
1024	Allocate a subnet with 1024 IP addresses.
2048	Allocate a subnet with 2048 IP addresses.
4096	Allocate a subnet with 4096 IP addresses.
8192	Allocate a subnet with 8192 IP addresses.
16384	Allocate a subnet with 16384 IP addresses.
32768	Allocate a subnet with 32768 IP addresses.
65536	Allocate a subnet with 65536 IP addresses.

management-ip

High Availability in-band management IP address of this interface.

ipv4-classnet-host

Not Specified

0.0.0.0 0.0.0.0

measured-downstream-bandwidth

Measured downstream bandwidth (kbps).

integer

Minimum value: 0 Maximum value: 4294967295

measured-upstream-bandwidth

Measured upstream bandwidth (kbps).

integer

Minimum value: 0 Maximum value: 4294967295

mediatype *

Select SFP media interface type

option

serdes-sfp

Option	Description
serdes-sfp	SFP using SerDes Media Interface
sgmii-sfp	SFP using SGMII Media Interface
serdes-copper-sfp	Copper SFP using SerDes media Interface.

member <interface-name>

Physical interfaces that belong to the aggregate or redundant interface.

Physical interface name.

string

Maximum length: 79

min-links

Minimum number of aggregated ports that must be up.

integer

Minimum value: 1 Maximum value: 32

min-links-down

Action to take when less than the configured minimum number of links are active.

option

operational

Option	Description
operational	Set the aggregate operationally down.
administrative	Set the aggregate administratively down.

mode

Addressing mode (static, DHCP, PPPoE).

option

static

Option	Description
static	Static setting.
dhcp	External DHCP client mode.
pppoe	External PPPoE mode.

monitor-bandwidth

Enable monitoring bandwidth on this interface.

option

disable

Option	Description
enable	Enable monitoring bandwidth on this interface.
disable	Disable monitoring bandwidth on this interface.

mtu

MTU value for this interface.

integer

Minimum value: 0 Maximum value: 4294967295

1500

mtu-override

Enable to set a custom MTU for this interface.

option

disable

Option	Description
enable	Override default MTU.
disable	Use default MTU.

mux-type *

Multiplexer type

option

llc-encaps

Option	Description
llc-encaps	LLC encapsulation.
vc-encaps	VC encapsulation.

name

Name.

string

Maximum length: 15

ndiscforward

Enable/disable NDISC forwarding.

option

enable

Option	Description
enable	Enable NDISC forwarding.
disable	Disable NDISC forwarding.

netbios-forward

Enable/disable NETBIOS forwarding.

option

disable

Option	Description
disable	Disable NETBIOS forwarding.
enable	Enable NETBIOS forwarding.

netflow-sampler

Enable/disable NetFlow on this interface and set the data that NetFlow collects (rx, tx, or both).

option

disable

Option	Description
disable	Disable NetFlow protocol on this interface.
tx	Monitor transmitted traffic on this interface.
rx	Monitor received traffic on this interface.
both	Monitor transmitted/received traffic on this interface.

np-qos-profile *

NP QoS profile ID.

integer

Minimum value: 0 Maximum value: 15

outbandwidth

Bandwidth limit for outgoing traffic (0 - 80000000 kbps).

integer

Minimum value: 0 Maximum value: 80000000 **

padt-retry-timeout

PPPoE Active Discovery Terminate (PADT) used to terminate sessions after an idle time.

integer

Minimum value: 0 Maximum value: 4294967295

password

PPPoE account's password.

password

Not Specified

phy-mode *

DSL physical mode.

option

vdsl

Option	Description
vdsl	VDSL.

ping-serv-status

PING server status. Read-only.

integer

Minimum value: 0 Maximum value: 255

poe *

Enable/disable PoE status.

option

enable

Option	Description
enable	Enable PoE status.
disable	Disable PoE status.

polling-interval

sFlow polling interval in seconds (1 - 255).

integer

Minimum value: 1 Maximum value: 255

pppoe-unnumbered-negotiate

Enable/disable PPPoE unnumbered negotiation.

option

enable

Option	Description
enable	Enable IP address negotiating for unnumbered.
disable	Disable IP address negotiating for unnumbered.

pptp-auth-type

PPTP authentication type.

option

auto

Option	Description
auto	Automatically choose authentication.
pap	PAP authentication.
chap	CHAP authentication.
mschapv1	MS-CHAPv1 authentication.
mschapv2	MS-CHAPv2 authentication.

pptp-client

Enable/disable PPTP client.

option

disable

Option	Description
enable	Enable PPTP client.
disable	Disable PPTP client.

pptp-password

PPTP password.

password

Not Specified

pptp-server-ip

PPTP server IP address.

ipv4-address

Not Specified

0.0.0.0

pptp-timeout

Idle timer in minutes (0 for disabled).

integer

Minimum value: 0 Maximum value: 65535

pptp-user

PPTP user name.

string

Maximum length: 64

preserve-session-route

Enable/disable preservation of session route when dirty.

option

disable

Option	Description
enable	Enable preservation of session route when dirty.
disable	Disable preservation of session route when dirty.

priority

Priority of learned routes.

integer

Minimum value: 1 Maximum value: 65535

priority-override

Enable/disable fail back to higher priority port once recovered.

option

enable

Option	Description
enable	Enable fail back to higher priority port once recovered.
disable	Disable fail back to higher priority port once recovered.

proxy-captive-portal

Enable/disable proxy captive portal on this interface.

option

disable

Option	Description
enable	Enable proxy captive portal on this interface.
disable	Disable proxy captive portal on this interface.

pvc-atm-qos *

SFP-DSL ADSL Fallback PVC ATM QoS.

option

cbr

Option	Description
cbr	ATM QoS CBR.
rt-vbr	ATM QoS rt-VBR.
nrt-vbr	ATM QoS nrt-VBR.
cbr	ATM QoS CCBR.

pvc-chan *

SFP-DSL ADSL Fallback PVC Channel.

integer

Minimum value: 0 Maximum value: 7

pvc-crc *

SFP-DSL ADSL Fallback PVC CRC Option: bit0: sar LLC preserve, bit1: ream LLC preserve, bit2: ream VC-MUX has crc.

integer

Minimum value: 0 Maximum value: 7

pvc-pcr *

SFP-DSL ADSL Fallback PVC Packet Cell Rate in cells (0 - 5500).

integer

Minimum value: 0 Maximum value: 5500

pvc-scr *

SFP-DSL ADSL Fallback PVC Sustainable Cell Rate in cells (0 - 5500).

integer

Minimum value: 0 Maximum value: 5500

pvc-vlan-id *

SFP-DSL ADSL Fallback PVC VLAN ID.

integer

Minimum value: 1 Maximum value: 4094

pvc-vlan-rx-id *

SFP-DSL ADSL Fallback PVC VLANID RX.

integer

Minimum value: 1 Maximum value: 4094

pvc-vlan-rx-op *

SFP-DSL ADSL Fallback PVC VLAN RX op.

option

pass-through

Option	Description
pass-through	PVC VLAN Tag Passthrough.
replace	PVC VLAN Tag Replace.
remove	PVC VLAN Tag Remove.

pvc-vlan-tx-id *

SFP-DSL ADSL Fallback PVC VLAN ID TX.

integer

Minimum value: 1 Maximum value: 4094

pvc-vlan-tx-op *

SFP-DSL ADSL Fallback PVC VLAN TX op.

option

remove

Option	Description
pass-through	PVC VLAN Tag Passthrough.
replace	PVC VLAN Tag Replace.
remove	PVC VLAN Tag Remove.

reachable-time

IPv4 reachable time in milliseconds (30000 - 3600000, default = 30000).

integer

Minimum value: 30000 Maximum value: 3600000

30000

redundant-interface

Redundant interface. Read-only.

string

Maximum length: 15

remote-ip

Remote IP address of tunnel.

ipv4-classnet-host

Not Specified

0.0.0.0 0.0.0.0

replacemsg-override-group

Replacement message override group.

string

Maximum length: 35

retransmission *

Enable/disable DSL retransmission.

option

enable

Option	Description
disable	Disable retransmission.
enable	Enable retransmission.

ring-rx *

RX ring size.

integer

Minimum value: 0 Maximum value: 4294967295

ring-tx *

TX ring size.

integer

Minimum value: 0 Maximum value: 4294967295

role

Interface role.

option

undefined

Option	Description
lan	Connected to local network of endpoints.
wan	Connected to Internet.
dmz	Connected to server zone.
undefined	Interface has no specific role.

sample-direction

Data that NetFlow collects (rx, tx, or both).

option

both

Option	Description
tx	Monitor transmitted traffic on this interface.
rx	Monitor received traffic on this interface.
both	Monitor transmitted/received traffic on this interface.

sample-rate

sFlow sample rate (10 - 99999).

integer

Minimum value: 10 Maximum value: 99999

2000

secondary-IP

Enable/disable adding a secondary IP to this interface.

option

disable

Option	Description
enable	Enable secondary IP.
disable	Disable secondary IP.

security-8021x-dynamic-vlan-id *

VLAN ID for virtual switch.

integer

Minimum value: 0 Maximum value: 4094

security-8021x-master *

802.1X master virtual-switch.

string

Maximum length: 15

security-8021x-mode *

802.1X mode.

option

default

Option	Description
default	802.1X default mode.
dynamic-vlan	802.1X dynamic VLAN (master) mode.
fallback	802.1X fallback (master) mode.
slave	802.1X slave mode.

security-exempt-list

Name of security-exempt-list.

string

Maximum length: 35

security-external-logout

URL of external authentication logout server.

string

Maximum length: 127

security-external-web

URL of external authentication web server.

var-string

Maximum length: 1023

security-groups <name>

User groups that can authenticate with the captive portal.

Names of user groups that can authenticate with the captive portal.

string

Maximum length: 79

security-mac-auth-bypass

Enable/disable MAC authentication bypass.

option

disable

Option	Description
mac-auth-only	Enable MAC authentication bypass without EAP.
enable	Enable MAC authentication bypass.
disable	Disable MAC authentication bypass.

security-mode

Turn on captive portal authentication for this interface.

option

none

Option	Description
none	No security option.
captive-portal	Captive portal authentication.
802.1X	802.1X port-based authentication.

security-redirect-url

URL redirection after disclaimer/authentication.

var-string

Maximum length: 1023

service-name

PPPoE service name.

string

Maximum length: 63

sflow-sampler

Enable/disable sFlow on this interface.

option

disable

Option	Description
enable	Enable sFlow protocol on this interface.
disable	Disable sFlow protocol on this interface.

sfp-dsl *

Enable/disable SFP DSL.

option

disable

Option	Description
disable	Disable SFP DSL.
enable	Enable SFP DSL.

sfp-dsl-adsl-fallback *

Enable/disable SFP DSL ADSL fallback.

option

disable

Option	Description
disable	Disable SFP DSL ADSL fallback.
enable	Enable SFP DSL ADSL fallback.

sfp-dsl-autodetect *

Enable/disable SFP DSL MAC address autodetect.

option

enable

Option	Description
disable	Disable SFP DSL MAC address autodetect.
enable	Enable SFP DSL MAC address autodetect.

sfp-dsl-mac *

SFP DSL MAC address.

mac-address

Not Specified

00:00:00:00:00:00

snmp-index

Permanent SNMP Index of the interface.

integer

Minimum value: 1 Maximum value: 2147483647

speed

Interface speed. The default setting and the options available depend on the interface hardware.

option

auto

Option	Description
auto	Automatically adjust speed.
10full	10M full-duplex.
10half	10M half-duplex.
100full	100M full-duplex.
100half	100M half-duplex.
1000full	1000M full-duplex.
1000auto	1000M auto adjust.
10000full	10G full-duplex.
10000auto	10G auto.

spillover-threshold

Egress Spillover threshold (0 - 16776000 kbps), 0 means unlimited.

integer

Minimum value: 0 Maximum value: 16776000

src-check

Enable/disable source IP check.

option

enable

Option	Description
enable	Enable source IP check.
disable	Disable source IP check.

status

Bring the interface up or shut the interface down.

option

Option	Description
up	Bring the interface up.
down	Shut the interface down.

stp *

Enable/disable STP.

option

disable

Option	Description
disable	Disable STP.
enable	Enable STP.

stp-ha-secondary *

Control STP behaviour on HA secondary.

option

priority-adjust

Option	Description
disable	Disable STP negotiation on HA secondary.
enable	Enable STP negotiation on HA secondary.
priority-adjust	Enable STP negotiation on HA secondary and make priority lower than HA primary.

stpforward

Enable/disable STP forwarding.

option

disable

Option	Description
enable	Enable STP forwarding.
disable	Disable STP forwarding.

stpforward-mode

Configure STP forwarding mode.

option

rpl-all-ext-id

Option	Description
rpl-all-ext-id	Replace all extension IDs (root, bridge).
rpl-bridge-ext-id	Replace the bridge extension ID only.
rpl-nothing	Replace nothing.

subst

Enable to always send packets from this interface to a destination MAC address.

option

disable

Option	Description
enable	Send packets from this interface.
disable	Do not send packets from this interface.

substitute-dst-mac

Destination MAC address that all packets are sent to from this interface.

mac-address

Not Specified

00:00:00:00:00:00

sw-algorithm *

Frame distribution algorithm for switch.

option

Option	Description
l2	Use layer 2 address for distribution.
l3	Use layer 3 address for distribution.
eh	Use enhanced hashing for distribution.

swc-first-create *

Initial create for switch-controller VLANs.

integer

Minimum value: 0 Maximum value: 4294967295

swc-vlan *

Creation status for switch-controller VLANs. Read-only.

integer

Minimum value: 0 Maximum value: 4294967295

switch

Contained in switch. Read-only.

string

Maximum length: 15

switch-controller-access-vlan *

Block FortiSwitch port-to-port traffic.

option

disable

Option	Description
enable	Block FortiSwitch port-to-port traffic on the VLAN, only permitting traffic to and from the FortiGate.
disable	Allow normal VLAN traffic.

switch-controller-arp-inspection *

Enable/disable FortiSwitch ARP inspection.

option

disable

Option	Description
enable	Enable ARP inspection for FortiSwitch devices.
disable	Disable ARP inspection for FortiSwitch devices.

switch-controller-dhcp-snooping *

Switch controller DHCP snooping.

option

disable

Option	Description
enable	Enable DHCP snooping for FortiSwitch devices.
disable	Disable DHCP snooping for FortiSwitch devices.

switch-controller-dhcp-snooping-option82 *

Switch controller DHCP snooping option82.

option

disable

Option	Description
enable	Enable DHCP snooping insert option82 for FortiSwitch devices.
disable	Disable DHCP snooping insert option82 for FortiSwitch devices.

switch-controller-dhcp-snooping-verify-mac *

Switch controller DHCP snooping verify MAC.

option

disable

Option	Description
enable	Enable DHCP snooping verify source MAC for FortiSwitch devices.
disable	Disable DHCP snooping verify source MAC for FortiSwitch devices.

switch-controller-dynamic *

Integrated FortiLink settings for managed FortiSwitch.

string

Maximum length: 35

switch-controller-feature *

Interface's purpose when assigning traffic (read only).

option

none

Option	Description
none	VLAN for generic purpose.
default-vlan	Default VLAN (native) assigned to all switch ports upon discovery.
quarantine	VLAN for quarantined traffic.
rspan	VLAN for RSPAN/ERSPAN mirrored traffic.
voice	VLAN dedicated for voice devices.
video	VLAN dedicated for camera devices.
nac	VLAN dedicated for NAC onboarding devices.
nac-segment	VLAN dedicated for NAC segment devices.

switch-controller-igmp-snooping *

Switch controller IGMP snooping.

option

disable

Option	Description
enable	Enable IGMP snooping.
disable	Disable IGMP snooping.

switch-controller-igmp-snooping-fast-leave *

Switch controller IGMP snooping fast-leave.

option

disable

Option	Description
enable	Enable IGMP snooping fast-leave.
disable	Disable IGMP snooping fast-leave.

switch-controller-igmp-snooping-proxy *

Switch controller IGMP snooping proxy.

option

disable

Option	Description
enable	Enable IGMP snooping proxy.
disable	Disable IGMP snooping proxy.

switch-controller-iot-scanning *

Enable/disable managed FortiSwitch IoT scanning.

option

disable

Option	Description
enable	Enable IoT scanning for managed FortiSwitch devices.
disable	Disable IoT scanning for managed FortiSwitch devices.

switch-controller-learning-limit *

Limit the number of dynamic MAC addresses on this VLAN (1 - 128, 0 = no limit, default).

integer

Minimum value: 0 Maximum value: 128

switch-controller-mgmt-vlan *

VLAN to use for FortiLink management purposes.

integer

Minimum value: 1 Maximum value: 4094

4094

switch-controller-nac *

Integrated FortiLink settings for managed FortiSwitch.

string

Maximum length: 35

switch-controller-rspan-mode *

Stop Layer2 MAC learning and interception of BPDUs and other packets on this interface.

option

disable

Option	Description
disable	Disable RSPAN passthrough mode on this VLAN interface.
enable	Enable RSPAN passthrough mode on this VLAN interface.

switch-controller-source-ip *

Source IP address used in FortiLink over L3 connections.

option

outbound

Option	Description
outbound	Source IP address is that of the outbound interface.
fixed	Source IP address is that of the FortiLink interface.

switch-controller-traffic-policy *

Switch controller traffic policy for the VLAN.

string

Maximum length: 63

system-id

Define a system ID for the aggregate interface.

mac-address

Not Specified

00:00:00:00:00:00

system-id-type

Method in which system ID is generated.

option

auto

Option	Description
auto	Use the MAC address of the first member.
user	User-defined system ID.

tc-mode *

DSL transfer mode.

option

ptm

Option	Description
ptm	Packet transfer mode.

tcp-mss

TCP maximum segment size. 0 means do not change segment size.

integer

Minimum value: 48 Maximum value: 65535

trunk *

Enable/disable VLAN trunk.

option

disable

Option	Description
enable	Enable VLAN trunk on this interface.
disable	Disable VLAN trunk on this interface.

trust-ip-1

Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts).

ipv4-classnet-any

Not Specified

0.0.0.0 0.0.0.0

trust-ip-2

Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts).

ipv4-classnet-any

Not Specified

0.0.0.0 0.0.0.0

trust-ip-3

Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts).

ipv4-classnet-any

Not Specified

0.0.0.0 0.0.0.0

trust-ip6-1

Trusted IPv6 host for dedicated management traffic (::/0 for all hosts).

ipv6-prefix

Not Specified

::/0

trust-ip6-2

Trusted IPv6 host for dedicated management traffic (::/0 for all hosts).

ipv6-prefix

Not Specified

::/0

trust-ip6-3

Trusted IPv6 host for dedicated management traffic (::/0 for all hosts).

ipv6-prefix

Not Specified

::/0

type

Interface type.

option

vlan

Option	Description
physical	Physical interface.
vlan	VLAN interface.
aggregate	Aggregate interface.
redundant	Redundant interface.
tunnel	Tunnel interface.
vdom-link	VDOM link interface.
loopback	Loopback interface.
switch	Software switch interface.
vap-switch	VAP interface.
wl-mesh	WLAN mesh interface.
fext-wan	FortiExtender interface.
vxlan	VXLAN interface.
geneve	GENEVE interface.
hdlc	T1/E1 interface.
switch-vlan	Switch VLAN interface.
emac-vlan	EMAC VLAN interface.
ssl	SSL VPN client interface.
lan-extension	LAN extension interface.

username

Username of the PPPoE account, provided by your ISP.

string

Maximum length: 64

vci *

Virtual Channel ID

integer

Minimum value: 0 Maximum value: 65535

vdom

Interface is in this virtual domain (VDOM).

string

Maximum length: 31

vectoring *

Enable/disable DSL vectoring.

option

enable

Option	Description
disable	Disable vectoring.
enable	Enable vectoring.

vindex *

Switch control interface VLAN ID. Read-only.

integer

Minimum value: 0 Maximum value: 65535

vlan-protocol

Ethernet protocol of VLAN.

option

8021q

Option	Description
8021q	IEEE 802.1Q.
8021ad	IEEE 802.1AD.

vlanforward

Enable/disable traffic forwarding between VLANs on this interface.

option

disable

Option	Description
enable	Enable traffic forwarding.
disable	Disable traffic forwarding.

vlanid

VLAN ID (1 - 4094).

integer

Minimum value: 1 Maximum value: 4094

vpi *

Virtual Path ID.

integer

Minimum value: 0 Maximum value: 255

vrf

Virtual Routing Forwarding ID.

integer

Minimum value: 0 Maximum value: 31

vrrp-virtual-mac

Enable/disable use of virtual MAC for VRRP.

option

disable

Option	Description
enable	Enable use of virtual MAC for VRRP.
disable	Disable use of virtual MAC for VRRP.

wccp

Enable/disable WCCP on this interface. Used for encapsulated WCCP communication between WCCP clients and servers.

option

disable

Option	Description
enable	Enable WCCP protocol on this interface.
disable	Disable WCCP protocol on this interface.

weight

Default weight for static routes (if route has no weight configured).

integer

Minimum value: 0 Maximum value: 255

wifi-5g-threshold *

Minimal signal strength to be considered as a good 5G AP.

string

Maximum length: 7

-78

wifi-acl *

Access control for MAC addresses in the MAC list.

option

deny

Option	Description
allow	Allow.
deny	Deny.

wifi-ap-band *

How to select the AP to connect.

option

any

Option	Description
any	Connect to the best 2G or 5G AP.
5g-preferred	Connect to the 5G AP if a good 5G AP exists.
5g-only	Only connect to the 5G AP.

wifi-auth *

WiFi authentication.

option

PSK

Option	Description
PSK	PSK.
radius	RADIUS.
usergroup	User group.

wifi-auto-connect *

Enable/disable WiFi network auto connect.

option

enable

Option	Description
enable	Enable WiFi network auto connect.
disable	Disable WiFi network auto connect.

wifi-auto-save *

Enable/disable WiFi network automatic save.

option

disable

Option	Description
enable	Enable WiFi network automatic save.
disable	Disable WiFi network automatic save.

wifi-broadcast-ssid *

Enable/disable SSID broadcast in the beacon.

option

enable

Option	Description
enable	Enable SSID broadcast in the beacon.
disable	Disable SSID broadcast in the beacon.

wifi-encrypt *

Data encryption.

option

AES

Option	Description
TKIP	TKIP.
AES	AES.

wifi-fragment-threshold *

WiFi fragment threshold (800 - 2346).

integer

Minimum value: 800 Maximum value: 2346

2346

wifi-key *

WiFi WEP Key.

password

Not Specified

wifi-keyindex *

WEP key index (1 - 4).

integer

Minimum value: 1 Maximum value: 4

wifi-mac-filter *

Enable/disable MAC filter status.

option

disable

Option	Description
enable	Enable MAC filter.
disable	Disable MAC filter.

wifi-passphrase *

WiFi pre-shared key for WPA.

password

Not Specified

wifi-radius-server *

WiFi RADIUS server for WPA.

string

Maximum length: 35

wifi-rts-threshold *

WiFi RTS threshold (256 - 2346).

integer

Minimum value: 256 Maximum value: 2346

2346

wifi-security *

Wireless access security of SSID.

option

wpa-personal

Option	Description
open	Open.
wep64	WEP64.
wep128	WEP128.
wpa-personal	WPA personal.
wpa-enterprise	WPA enterprise.
wpa-only-personal	WPA personal only.
wpa-only-enterprise	WPA enterprise only.
wpa2-only-personal	WPA2 personal only.
wpa2-only-enterprise	WPA2 enterprise only.

wifi-ssid *

IEEE 802.11 Service Set Identifier.

string

Maximum length: 32

fortinet

wifi-usergroup *

WiFi user group for WPA.

string

Maximum length: 35

wins-ip

WINS server IP.

ipv4-address

Not Specified

0.0.0.0

* This parameter may not exist in some models.

** Values may differ between models.

config client-options

Parameter

Description

Type

Size

Default

code

DHCP client option code.

integer

Minimum value: 0 Maximum value: 255

ID.

integer

Minimum value: 0 Maximum value: 4294967295

DHCP option IPs.

user

Not Specified

type

DHCP client option type.

option

hex

Option	Description
hex	DHCP option in hex.
string	DHCP option in string.
ip	DHCP option in IP.
fqdn	DHCP option in domain search option format.

value

DHCP client option value.

string

Maximum length: 312

config dhcp-snooping-server-list

Parameter	Description	Type	Size	Default
name	DHCP server name.	string	Maximum length: 35	default
server-ip	IP address for DHCP server.	ipv4-address	Not Specified	0.0.0.0

config egress-queues

Parameter	Description	Type	Size
cos0	CoS profile name for CoS 0.	string	Maximum length: 35
cos1	CoS profile name for CoS 1.	string	Maximum length: 35
cos2	CoS profile name for CoS 2.	string	Maximum length: 35
cos3	CoS profile name for CoS 3.	string	Maximum length: 35
cos4	CoS profile name for CoS 4.	string	Maximum length: 35
cos5	CoS profile name for CoS 5.	string	Maximum length: 35
cos6	CoS profile name for CoS 6.	string	Maximum length: 35
cos7	CoS profile name for CoS 7.	string	Maximum length: 35

config ipv6

Parameter

Description

Type

Size

Default

autoconf

Enable/disable address auto config.

option

disable

Option	Description
enable	Enable auto-configuration.
disable	Disable auto-configuration.

cli-conn6-status

CLI IPv6 connection status. Read-only.

integer

Minimum value: 0 Maximum value: 4294967295

dhcp6-client-options

DHCPv6 client options. Read-only.

option

Option	Description
rapid	Send rapid commit option.
iapd	Send including IA-PD option.
iana	Send including IA-NA option.

dhcp6-information-request

Enable/disable DHCPv6 information request.

option

disable

Option	Description
enable	Enable DHCPv6 information request.
disable	Disable DHCPv6 information request.

dhcp6-prefix-delegation

Enable/disable DHCPv6 prefix delegation.

option

disable

Option	Description
enable	Enable DHCPv6 prefix delegation.
disable	Disable DHCPv6 prefix delegation.

dhcp6-relay-ip

DHCPv6 relay IP address.

user

Not Specified

dhcp6-relay-service

Enable/disable DHCPv6 relay.

option

disable

Option	Description
disable	Disable DHCPv6 relay
enable	Enable DHCPv6 relay.

dhcp6-relay-type

DHCPv6 relay type.

option

regular

Option	Description
regular	Regular DHCP relay.

icmp6-send-redirect

Enable/disable sending of ICMPv6 redirects.

option

enable

Option	Description
enable	Enable sending of ICMPv6 redirects.
disable	Disable sending of ICMPv6 redirects.

interface-identifier

IPv6 interface identifier.

ipv6-address

Not Specified

ip6-address

Primary IPv6 address prefix. Syntax: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx.

ipv6-prefix

Not Specified

::/0

ip6-allowaccess

Allow management access to the interface.

option

Option	Description
ping	PING access.
https	HTTPS access.
ssh	SSH access.
snmp	SNMP access.
http	HTTP access.
telnet	TELNET access.
fgfm	FortiManager access.
fabric	Fabric access.

ip6-default-life

Default life (sec).

integer

Minimum value: 0 Maximum value: 9000

1800

ip6-delegated-prefix-iaid

IAID of obtained delegated-prefix from the upstream interface.

integer

Minimum value: 0 Maximum value: 4294967295

ip6-dns-server-override

Enable/disable using the DNS server acquired by DHCP.

option

enable

Option	Description
enable	Enable using the DNS server acquired by DHCP.
disable	Disable using the DNS server acquired by DHCP.

ip6-hop-limit

Hop limit (0 means unspecified).

integer

Minimum value: 0 Maximum value: 255

ip6-link-mtu

IPv6 link MTU.

integer

Minimum value: 1280 Maximum value: 16000

ip6-manage-flag

Enable/disable the managed flag.

option

disable

Option	Description
enable	Enable the managed IPv6 flag.
disable	Disable the managed IPv6 flag.

ip6-max-interval

IPv6 maximum interval (4 to 1800 sec).

integer

Minimum value: 4 Maximum value: 1800

600

ip6-min-interval

IPv6 minimum interval (3 to 1350 sec).

integer

Minimum value: 3 Maximum value: 1350

198

ip6-mode

Addressing mode (static, DHCP, delegated).

option

static

Option	Description
static	Static setting.
dhcp	DHCPv6 client mode.
pppoe	IPv6 over PPPoE mode.
delegated	IPv6 address with delegated prefix.

ip6-other-flag

Enable/disable the other IPv6 flag.

option

disable

Option	Description
enable	Enable the other IPv6 flag.
disable	Disable the other IPv6 flag.

ip6-prefix-mode

Assigning a prefix from DHCP or RA.

option

dhcp6

Option	Description
dhcp6	Use delegated prefix from a DHCPv6 client to form a delegated IPv6 address.
ra	Use prefix from RA to form a delegated IPv6 address.

ip6-reachable-time

IPv6 reachable time (milliseconds; 0 means unspecified).

integer

Minimum value: 0 Maximum value: 3600000

ip6-retrans-time

IPv6 retransmit time (milliseconds; 0 means unspecified).

integer

Minimum value: 0 Maximum value: 4294967295

ip6-send-adv

Enable/disable sending advertisements about the interface.

option

disable

Option	Description
enable	Enable sending advertisements about this interface.
disable	Disable sending advertisements about this interface.

ip6-subnet

Subnet to routing prefix. Syntax: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx.

ipv6-prefix

Not Specified

::/0

ip6-upstream-interface

Interface name providing delegated information.

string

Maximum length: 15

nd-cert

Neighbor discovery certificate.

string

Maximum length: 35

nd-cga-modifier

Neighbor discovery CGA modifier.

user

Not Specified

nd-mode

Neighbor discovery mode.

option

basic

Option	Description
basic	Do not support SEND.
SEND-compatible	Support SEND.

nd-security-level

Neighbor discovery security level (0 - 7; 0 = least secure, default = 0).

integer

Minimum value: 0 Maximum value: 7

nd-timestamp-delta

Neighbor discovery timestamp delta value (1 - 3600 sec; default = 300).

integer

Minimum value: 1 Maximum value: 3600

300

nd-timestamp-fuzz

Neighbor discovery timestamp fuzz factor (1 - 60 sec; default = 1).

integer

Minimum value: 1 Maximum value: 60

ra-send-mtu

Enable/disable sending link MTU in RA packet.

option

enable

Option	Description
enable	Enable sending link MTU in RA packet.
disable	Disable sending link MTU in RA packet.

unique-autoconf-addr

Enable/disable unique auto config address.

option

disable

Option	Description
enable	Enable unique auto-configuration address.
disable	Disable unique auto-configuration address.

vrip6_link_local

Link-local IPv6 address of virtual router.

ipv6-address

Not Specified

vrrp-virtual-mac6

Enable/disable virtual MAC for VRRP.

option

disable

Option	Description
enable	Enable virtual MAC for VRRP.
disable	Disable virtual MAC for VRRP.

config dhcp6-iapd-list

Parameter	Description	Type	Size	Default
iaid	Identity association identifier.	integer	Minimum value: 0 Maximum value: 4294967295	0
prefix-hint	DHCPv6 prefix that will be used as a hint to the upstream DHCPv6 server.	ipv6-network	Not Specified	::/0
prefix-hint-plt	DHCPv6 prefix hint preferred life time (sec), 0 means unlimited lease time.	integer	Minimum value: 0 Maximum value: 4294967295	604800
prefix-hint-vlt	DHCPv6 prefix hint valid life time (sec).	integer	Minimum value: 0 Maximum value: 4294967295	2592000

config ip6-delegated-prefix-list

Parameter

Description

Type

Size

Default

autonomous-flag

Enable/disable the autonomous flag.

option

enable

Option	Description
enable	Enable the autonomous flag.
disable	Disable the autonomous flag.

delegated-prefix-iaid

IAID of obtained delegated-prefix from the upstream interface.

integer

Minimum value: 0 Maximum value: 4294967295

onlink-flag

Enable/disable the onlink flag.

option

enable

Option	Description
enable	Enable the onlink flag.
disable	Disable the onlink flag.

prefix-id

Prefix ID.

integer

Minimum value: 0 Maximum value: 4294967295

rdnss

Recursive DNS server option.

user

Not Specified

rdnss-service

Recursive DNS service option.

option

specify

Option	Description
delegated	Delegated RDNSS settings.
default	System RDNSS settings.
specify	Specify recursive DNS servers.

subnet

Add subnet ID to routing prefix.

ipv6-network

Not Specified

::/0

upstream-interface

Name of the interface that provides delegated information.

string

Maximum length: 15

config ip6-extra-addr

Parameter	Description	Type	Size	Default
prefix	IPv6 address prefix.	ipv6-prefix	Not Specified	::/0

config ip6-prefix-list

Parameter

Description

Type

Size

Default

autonomous-flag

Enable/disable the autonomous flag.

option

enable

Option	Description
enable	Enable the autonomous flag.
disable	Disable the autonomous flag.

dnssl <domain>

DNS search list option.

Domain name.

string

Maximum length: 79

onlink-flag

Enable/disable the onlink flag.

option

enable

Option	Description
enable	Enable the onlink flag.
disable	Disable the onlink flag.

preferred-life-time

Preferred life time (sec).

integer

Minimum value: 0 Maximum value: 4294967295

604800

prefix

IPv6 prefix.

ipv6-network

Not Specified

::/0

rdnss

Recursive DNS server option.

user

Not Specified

valid-life-time

Valid life time (sec).

integer

Minimum value: 0 Maximum value: 4294967295

2592000

config vrrp6

Parameter

Description

Type

Size

Default

accept-mode

Enable/disable accept mode.

option

enable

Option	Description
enable	Enable accept mode.
disable	Disable accept mode.

adv-interval

Advertisement interval (1 - 255 seconds).

integer

Minimum value: 1 Maximum value: 255

preempt

Enable/disable preempt mode.

option

enable

Option	Description
enable	Enable preempt mode.
disable	Disable preempt mode.

priority

Priority of the virtual router (1 - 255).

integer

Minimum value: 1 Maximum value: 255

100

start-time

Startup time (1 - 255 seconds).

integer

Minimum value: 1 Maximum value: 255

status

Enable/disable VRRP.

option

enable

Option	Description
enable	Enable VRRP.
disable	Disable VRRP.

vrdst6

Monitor the route to this destination.

ipv6-address

Not Specified

vrgrp

VRRP group ID (1 - 65535).

integer

Minimum value: 1 Maximum value: 65535

vrid

Virtual router identifier (1 - 255).

integer

Minimum value: 1 Maximum value: 255

vrip6

IPv6 address of the virtual router.

ipv6-address

Not Specified

config l2tp-client-settings

Parameter

Description

Type

Size

Default

auth-type

L2TP authentication type.

option

auto

Option	Description
auto	Automatically choose authentication.
pap	PAP authentication.
chap	CHAP authentication.
mschapv1	MS-CHAPv1 authentication.
mschapv2	MS-CHAPv2 authentication.

defaultgw

Enable/disable default gateway.

option

disable

Option	Description
enable	Enable default gateway.
disable	Disable default gateway.

distance

Distance of learned routes.

integer

Minimum value: 1 Maximum value: 255

hello-interval

L2TP hello message interval in seconds (0 - 3600 sec, default = 60).

integer

Minimum value: 0 Maximum value: 3600

IP. Read-only.

ipv4-classnet-host

Not Specified

0.0.0.0 0.0.0.0

mtu

L2TP MTU.

integer

Minimum value: 40 Maximum value: 65535

1460

password

L2TP password.

password

Not Specified

peer-host

L2TP peer host address.

string

Maximum length: 255

peer-mask

L2TP peer mask.

ipv4-netmask

Not Specified

255.255.255.255

peer-port

L2TP peer port number.

integer

Minimum value: 1 Maximum value: 65535

1701

priority

Priority of learned routes.

integer

Minimum value: 1 Maximum value: 65535

user

L2TP user name.

string

Maximum length: 127

config secondaryip

Parameter

Description

Type

Size

Default

allowaccess

Management access settings for the secondary IP address.

option

Option	Description
ping	PING access.
https	HTTPS access.
ssh	SSH access.
snmp	SNMP access.
http	HTTP access.
telnet	TELNET access.
fgfm	FortiManager access.
radius-acct	RADIUS accounting access.
probe-response	Probe access.
fabric	Security Fabric access.
ftm	FTM access.
speed-test	Speed test access.

detectprotocol

Protocols used to detect the server.

option

ping

Option	Description
ping	PING.
tcp-echo	TCP echo.
udp-echo	UDP echo.

detectserver

Gateway's ping server for this IP.

user

Not Specified

gwdetect

Enable/disable detect gateway alive for first.

option

disable

Option	Description
enable	Enable detect gateway alive for first.
disable	Disable detect gateway alive for first.

ha-priority

HA election priority for the PING server.

integer

Minimum value: 1 Maximum value: 50

ID.

integer

Minimum value: 0 Maximum value: 4294967295

Secondary IP address of the interface.

ipv4-classnet-host

Not Specified

0.0.0.0 0.0.0.0

ping-serv-status

PING server status. Read-only.

integer

Minimum value: 0 Maximum value: 255

config tagging

Parameter

Description

Type

Size

Default

config vrrp

Parameter

Description

Type

Size

Default

accept-mode

Enable/disable accept mode.

option

enable

Option	Description
enable	Enable accept mode.
disable	Disable accept mode.

adv-interval

Advertisement interval (1 - 255 seconds).

integer

Minimum value: 1 Maximum value: 255

ignore-default-route

Enable/disable ignoring of default route when checking destination.

option

disable

Option	Description
enable	Enable ignoring of default route when checking destination.
disable	Disable ignoring of default route when checking destination.

preempt

Enable/disable preempt mode.

option

enable

Option	Description
enable	Enable preempt mode.
disable	Disable preempt mode.

priority

Priority of the virtual router (1 - 255).

integer

Minimum value: 1 Maximum value: 255

100

start-time

Startup time (1 - 255 seconds).

integer

Minimum value: 1 Maximum value: 255

status

Enable/disable this VRRP configuration.

option

enable

Option	Description
enable	Enable this VRRP configuration.
disable	Disable this VRRP configuration.

version

VRRP version.

option

Option	Description
2	VRRP version 2.
3	VRRP version 3.

vrdst

Monitor the route to this destination.

ipv4-address-any

Not Specified

vrdst-priority

Priority of the virtual router when the virtual router destination becomes unreachable (0 - 254).

integer

Minimum value: 0 Maximum value: 254

vrgrp

VRRP group ID (1 - 65535).

integer

Minimum value: 1 Maximum value: 65535

vrid

Virtual router identifier (1 - 255).

integer

Minimum value: 1 Maximum value: 255

vrip

IP address of the virtual router.

ipv4-address-any

Not Specified

0.0.0.0

config proxy-arp

Parameter	Description	Type	Size	Default
id	ID.	integer	Minimum value: 0 Maximum value: 4294967295	0
ip	Set IP addresses of proxy ARP.	user	Not Specified

config wifi-mac-list

Parameter	Description	Type	Size	Default
id	ID.	integer	Minimum value: 0 Maximum value: 4294967295	0
mac	MAC address.	mac-address	Not Specified	00:00:00:00:00:00

config wifi-networks

Parameter

Description

Type

Size

Default

ID.

integer

Minimum value: 0 Maximum value: 4294967295

wifi-encrypt

Data encryption.

option

AES

Option	Description
TKIP	TKIP.
AES	AES.

wifi-key

WiFi WEP Key.

password

Not Specified

wifi-keyindex

WEP key index (1 - 4).

integer

Minimum value: 1 Maximum value: 4

wifi-passphrase

WiFi pre-shared key for WPA.

password

Not Specified

wifi-security

Wireless access security of SSID.

option

wpa-personal

Option	Description
open	Open.
wep64	WEP64.
wep128	WEP128.
wpa-personal	WPA personal.
wpa-only-personal	WPA personal only.
wpa2-only-personal	WPA2 personal only.

wifi-ssid

IEEE 802.11 Service Set Identifier.

string

Maximum length: 32

fortinet

config system interface

Configure interfaces.

config system interface
    Description: Configure interfaces.
    edit <name>
        set ac-name {string}
        set aggregate {string}
        set algorithm [L2|L3|...]
        set alias {string}
        set allowaccess {option1}, {option2}, ...
        set ap-discover [enable|disable]
        set arpforward [enable|disable]
        set atm-protocol [none|ipoa]
        set auth-cert {string}
        set auth-portal-addr {string}
        set auth-type [auto|pap|...]
        set auto-auth-extension-device [enable|disable]
        set bandwidth-measure-time {integer}
        set bfd [global|enable|...]
        set bfd-desired-min-tx {integer}
        set bfd-detect-mult {integer}
        set bfd-required-min-rx {integer}
        set broadcast-forward [enable|disable]
        set cli-conn-status {integer}
        config client-options
            Description: DHCP client options.
            edit <id>
                set code {integer}
                set ip {user}
                set type [hex|string|...]
                set value {string}
            next
        end
        set color {integer}
        set dedicated-to [none|management]
        set defaultgw [enable|disable]
        set description {var-string}
        set detected-peer-mtu {integer}
        set detectprotocol {option1}, {option2}, ...
        set detectserver {user}
        set device-identification [enable|disable]
        set device-user-identification [enable|disable]
        set devindex {integer}
        set dhcp-classless-route-addition [enable|disable]
        set dhcp-client-identifier {string}
        set dhcp-relay-agent-option [enable|disable]
        set dhcp-relay-interface {string}
        set dhcp-relay-interface-select-method [auto|sdwan|...]
        set dhcp-relay-ip {user}
        set dhcp-relay-link-selection {ipv4-address}
        set dhcp-relay-request-all-server [disable|enable]
        set dhcp-relay-service [disable|enable]
        set dhcp-relay-type [regular|ipsec]
        set dhcp-renew-time {integer}
        config dhcp-snooping-server-list
            Description: Configure DHCP server access list.
            edit <name>
                set server-ip {ipv4-address}
            next
        end
        set disc-retry-timeout {integer}
        set disconnect-threshold {integer}
        set distance {integer}
        set dns-server-override [enable|disable]
        set dns-server-protocol {option1}, {option2}, ...
        set drop-fragment [enable|disable]
        set drop-overlapped-fragment [enable|disable]
        set egress-cos [disable|cos0|...]
        config egress-queues
            Description: Configure queues of NP port on egress path.
            set cos0 {string}
            set cos1 {string}
            set cos2 {string}
            set cos3 {string}
            set cos4 {string}
            set cos5 {string}
            set cos6 {string}
            set cos7 {string}
        end
        set egress-shaping-profile {string}
        set eip {ipv4-address-any}
        set estimated-downstream-bandwidth {integer}
        set estimated-upstream-bandwidth {integer}
        set explicit-ftp-proxy [enable|disable]
        set explicit-web-proxy [enable|disable]
        set external [enable|disable]
        set fail-action-on-extender [soft-restart|hard-restart|...]
        set fail-alert-interfaces <name1>, <name2>, ...
        set fail-alert-method [link-failed-signal|link-down]
        set fail-detect [enable|disable]
        set fail-detect-option {option1}, {option2}, ...
        set fortilink [enable|disable]
        set fortilink-backup-link {integer}
        set fortilink-neighbor-detect [lldp|fortilink]
        set fortilink-split-interface [enable|disable]
        set forward-domain {integer}
        set forward-error-correction [none|disable|...]
        set gateway-address {ipv4-address}
        set gi-gk [enable|disable]
        set gwaddr {ipv4-address}
        set gwdetect [enable|disable]
        set ha-priority {integer}
        set icmp-accept-redirect [enable|disable]
        set icmp-send-redirect [enable|disable]
        set ident-accept [enable|disable]
        set idle-timeout {integer}
        set inbandwidth {integer}
        set ingress-cos [disable|cos0|...]
        set ingress-shaping-profile {string}
        set ingress-spillover-threshold {integer}
        set interface {string}
        set internal {integer}
        set ip {ipv4-classnet-host}
        set ip-managed-by-fortiipam [enable|disable]
        set ipmac [enable|disable]
        set ips-sniffer-mode [enable|disable]
        set ipunnumbered {ipv4-address}
        config ipv6
            Description: IPv6 of interface.
            set autoconf [enable|disable]
            set cli-conn6-status {integer}
            set dhcp6-client-options {option1}, {option2}, ...
            config dhcp6-iapd-list
                Description: DHCPv6 IA-PD list.
                edit <iaid>
                    set prefix-hint {ipv6-network}
                    set prefix-hint-plt {integer}
                    set prefix-hint-vlt {integer}
                next
            end
            set dhcp6-information-request [enable|disable]
            set dhcp6-prefix-delegation [enable|disable]
            set dhcp6-relay-ip {user}
            set dhcp6-relay-service [disable|enable]
            set dhcp6-relay-type {option}
            set icmp6-send-redirect [enable|disable]
            set interface-identifier {ipv6-address}
            set ip6-address {ipv6-prefix}
            set ip6-allowaccess {option1}, {option2}, ...
            set ip6-default-life {integer}
            set ip6-delegated-prefix-iaid {integer}
            config ip6-delegated-prefix-list
                Description: Advertised IPv6 delegated prefix list.
                edit <prefix-id>
                    set autonomous-flag [enable|disable]
                    set delegated-prefix-iaid {integer}
                    set onlink-flag [enable|disable]
                    set rdnss {user}
                    set rdnss-service [delegated|default|...]
                    set subnet {ipv6-network}
                    set upstream-interface {string}
                next
            end
            set ip6-dns-server-override [enable|disable]
            config ip6-extra-addr
                Description: Extra IPv6 address prefixes of interface.
                edit <prefix>
                next
            end
            set ip6-hop-limit {integer}
            set ip6-link-mtu {integer}
            set ip6-manage-flag [enable|disable]
            set ip6-max-interval {integer}
            set ip6-min-interval {integer}
            set ip6-mode [static|dhcp|...]
            set ip6-other-flag [enable|disable]
            config ip6-prefix-list
                Description: Advertised prefix list.
                edit <prefix>
                    set autonomous-flag [enable|disable]
                    set dnssl <domain1>, <domain2>, ...
                    set onlink-flag [enable|disable]
                    set preferred-life-time {integer}
                    set rdnss {user}
                    set valid-life-time {integer}
                next
            end
            set ip6-prefix-mode [dhcp6|ra]
            set ip6-reachable-time {integer}
            set ip6-retrans-time {integer}
            set ip6-send-adv [enable|disable]
            set ip6-subnet {ipv6-prefix}
            set ip6-upstream-interface {string}
            set nd-cert {string}
            set nd-cga-modifier {user}
            set nd-mode [basic|SEND-compatible]
            set nd-security-level {integer}
            set nd-timestamp-delta {integer}
            set nd-timestamp-fuzz {integer}
            set ra-send-mtu [enable|disable]
            set unique-autoconf-addr [enable|disable]
            set vrip6_link_local {ipv6-address}
            set vrrp-virtual-mac6 [enable|disable]
            config vrrp6
                Description: IPv6 VRRP configuration.
                edit <vrid>
                    set accept-mode [enable|disable]
                    set adv-interval {integer}
                    set preempt [enable|disable]
                    set priority {integer}
                    set start-time {integer}
                    set status [enable|disable]
                    set vrdst6 {ipv6-address}
                    set vrgrp {integer}
                    set vrip6 {ipv6-address}
                next
            end
        end
        set l2forward [enable|disable]
        set l2tp-client [enable|disable]
        config l2tp-client-settings
            Description: L2TP client settings.
            set auth-type [auto|pap|...]
            set defaultgw [enable|disable]
            set distance {integer}
            set hello-interval {integer}
            set ip {ipv4-classnet-host}
            set mtu {integer}
            set password {password}
            set peer-host {string}
            set peer-mask {ipv4-netmask}
            set peer-port {integer}
            set priority {integer}
            set user {string}
        end
        set lacp-ha-slave [enable|disable]
        set lacp-mode [static|passive|...]
        set lacp-speed [slow|fast]
        set lcp-echo-interval {integer}
        set lcp-max-echo-fails {integer}
        set link-up-delay {integer}
        set lldp-network-policy {string}
        set lldp-reception [enable|disable|...]
        set lldp-transmission [enable|disable|...]
        set macaddr {mac-address}
        set managed-subnetwork-size [32|64|...]
        set management-ip {ipv4-classnet-host}
        set measured-downstream-bandwidth {integer}
        set measured-upstream-bandwidth {integer}
        set mediatype [serdes-sfp|sgmii-sfp|...]
        set member <interface-name1>, <interface-name2>, ...
        set min-links {integer}
        set min-links-down [operational|administrative]
        set mode [static|dhcp|...]
        set monitor-bandwidth [enable|disable]
        set mtu {integer}
        set mtu-override [enable|disable]
        set mux-type [llc-encaps|vc-encaps]
        set ndiscforward [enable|disable]
        set netbios-forward [disable|enable]
        set netflow-sampler [disable|tx|...]
        set np-qos-profile {integer}
        set outbandwidth {integer}
        set padt-retry-timeout {integer}
        set password {password}
        set phy-mode {option}
        set ping-serv-status {integer}
        set poe [enable|disable]
        set polling-interval {integer}
        set pppoe-unnumbered-negotiate [enable|disable]
        set pptp-auth-type [auto|pap|...]
        set pptp-client [enable|disable]
        set pptp-password {password}
        set pptp-server-ip {ipv4-address}
        set pptp-timeout {integer}
        set pptp-user {string}
        set preserve-session-route [enable|disable]
        set priority {integer}
        set priority-override [enable|disable]
        set proxy-captive-portal [enable|disable]
        set pvc-atm-qos [cbr|rt-vbr|...]
        set pvc-chan {integer}
        set pvc-crc {integer}
        set pvc-pcr {integer}
        set pvc-scr {integer}
        set pvc-vlan-id {integer}
        set pvc-vlan-rx-id {integer}
        set pvc-vlan-rx-op [pass-through|replace|...]
        set pvc-vlan-tx-id {integer}
        set pvc-vlan-tx-op [pass-through|replace|...]
        set reachable-time {integer}
        set redundant-interface {string}
        set remote-ip {ipv4-classnet-host}
        set replacemsg-override-group {string}
        set retransmission [disable|enable]
        set ring-rx {integer}
        set ring-tx {integer}
        set role [lan|wan|...]
        set sample-direction [tx|rx|...]
        set sample-rate {integer}
        set secondary-IP [enable|disable]
        config secondaryip
            Description: Second IP address of interface.
            edit <id>
                set allowaccess {option1}, {option2}, ...
                set detectprotocol {option1}, {option2}, ...
                set detectserver {user}
                set gwdetect [enable|disable]
                set ha-priority {integer}
                set ip {ipv4-classnet-host}
                set ping-serv-status {integer}
            next
        end
        set security-8021x-dynamic-vlan-id {integer}
        set security-8021x-master {string}
        set security-8021x-mode [default|dynamic-vlan|...]
        set security-exempt-list {string}
        set security-external-logout {string}
        set security-external-web {var-string}
        set security-groups <name1>, <name2>, ...
        set security-mac-auth-bypass [mac-auth-only|enable|...]
        set security-mode [none|captive-portal|...]
        set security-redirect-url {var-string}
        set service-name {string}
        set sflow-sampler [enable|disable]
        set sfp-dsl [disable|enable]
        set sfp-dsl-adsl-fallback [disable|enable]
        set sfp-dsl-autodetect [disable|enable]
        set sfp-dsl-mac {mac-address}
        set snmp-index {integer}
        set speed [auto|10full|...]
        set spillover-threshold {integer}
        set src-check [enable|disable]
        set status [up|down]
        set stp [disable|enable]
        set stp-ha-secondary [disable|enable|...]
        set stpforward [enable|disable]
        set stpforward-mode [rpl-all-ext-id|rpl-bridge-ext-id|...]
        set subst [enable|disable]
        set substitute-dst-mac {mac-address}
        set sw-algorithm [l2|l3|...]
        set swc-first-create {integer}
        set swc-vlan {integer}
        set switch {string}
        set switch-controller-access-vlan [enable|disable]
        set switch-controller-arp-inspection [enable|disable]
        set switch-controller-dhcp-snooping [enable|disable]
        set switch-controller-dhcp-snooping-option82 [enable|disable]
        set switch-controller-dhcp-snooping-verify-mac [enable|disable]
        set switch-controller-dynamic {string}
        set switch-controller-feature [none|default-vlan|...]
        set switch-controller-igmp-snooping [enable|disable]
        set switch-controller-igmp-snooping-fast-leave [enable|disable]
        set switch-controller-igmp-snooping-proxy [enable|disable]
        set switch-controller-iot-scanning [enable|disable]
        set switch-controller-learning-limit {integer}
        set switch-controller-mgmt-vlan {integer}
        set switch-controller-nac {string}
        set switch-controller-rspan-mode [disable|enable]
        set switch-controller-source-ip [outbound|fixed]
        set switch-controller-traffic-policy {string}
        set system-id {mac-address}
        set system-id-type [auto|user]
        config tagging
            Description: Config object tagging.
            edit <name>
                set category {string}
                set tags <name1>, <name2>, ...
            next
        end
        set tc-mode {option}
        set tcp-mss {integer}
        set trunk [enable|disable]
        set trust-ip-1 {ipv4-classnet-any}
        set trust-ip-2 {ipv4-classnet-any}
        set trust-ip-3 {ipv4-classnet-any}
        set trust-ip6-1 {ipv6-prefix}
        set trust-ip6-2 {ipv6-prefix}
        set trust-ip6-3 {ipv6-prefix}
        set type [physical|vlan|...]
        set username {string}
        set vci {integer}
        set vdom {string}
        set vectoring [disable|enable]
        set vindex {integer}
        set vlan-protocol [8021q|8021ad]
        set vlanforward [enable|disable]
        set vlanid {integer}
        set vpi {integer}
        set vrf {integer}
        config vrrp
            Description: VRRP configuration.
            edit <vrid>
                set accept-mode [enable|disable]
                set adv-interval {integer}
                set ignore-default-route [enable|disable]
                set preempt [enable|disable]
                set priority {integer}
                config proxy-arp
                    Description: VRRP Proxy ARP configuration.
                    edit <id>
                        set ip {user}
                    next
                end
                set start-time {integer}
                set status [enable|disable]
                set version [2|3]
                set vrdst {ipv4-address-any}
                set vrdst-priority {integer}
                set vrgrp {integer}
                set vrip {ipv4-address-any}
            next
        end
        set vrrp-virtual-mac [enable|disable]
        set wccp [enable|disable]
        set weight {integer}
        set wifi-5g-threshold {string}
        set wifi-acl [allow|deny]
        set wifi-ap-band [any|5g-preferred|...]
        set wifi-auth [PSK|radius|...]
        set wifi-auto-connect [enable|disable]
        set wifi-auto-save [enable|disable]
        set wifi-broadcast-ssid [enable|disable]
        set wifi-encrypt [TKIP|AES]
        set wifi-fragment-threshold {integer}
        set wifi-key {password}
        set wifi-keyindex {integer}
        set wifi-mac-filter [enable|disable]
        config wifi-mac-list
            Description: MAC filter list.
            edit <id>
                set mac {mac-address}
            next
        end
        config wifi-networks
            Description: WiFi network table.
            edit <id>
                set wifi-encrypt [TKIP|AES]
                set wifi-key {password}
                set wifi-keyindex {integer}
                set wifi-passphrase {password}
                set wifi-security [open|wep64|...]
                set wifi-ssid {string}
            next
        end
        set wifi-passphrase {password}
        set wifi-radius-server {string}
        set wifi-rts-threshold {integer}
        set wifi-security [open|wep64|...]
        set wifi-ssid {string}
        set wifi-usergroup {string}
        set wins-ip {ipv4-address}
    next
end

config system interface

Parameter

Description

Type

Size

Default

ac-name

PPPoE server name.

string

Maximum length: 63

aggregate

Aggregate interface. Read-only.

string

Maximum length: 15

algorithm

Frame distribution algorithm.

option

Option	Description
L2	Use layer 2 address for distribution.
L3	Use layer 3 address for distribution.
L4	Use layer 4 information for distribution.

alias

Alias will be displayed with the interface name to make it easier to distinguish.

string

Maximum length: 25

allowaccess

Permitted types of management access to this interface.

option

Option	Description
ping	PING access.
https	HTTPS access.
ssh	SSH access.
snmp	SNMP access.
http	HTTP access.
telnet	TELNET access.
fgfm	FortiManager access.
radius-acct	RADIUS accounting access.
probe-response	Probe access.
fabric	Security Fabric access.
ftm	FTM access.
speed-test	Speed test access.

ap-discover

Enable/disable automatic registration of unknown FortiAP devices.

option

enable

Option	Description
enable	Enable automatic registration of unknown FortiAP devices.
disable	Disable automatic registration of unknown FortiAP devices.

arpforward

Enable/disable ARP forwarding.

option

enable

Option	Description
enable	Enable ARP forwarding.
disable	Disable ARP forwarding.

atm-protocol *

ATM protocol.

option

none

Option	Description
none	Not over ATM.
ipoa	IPoA RFC2684.

auth-cert

HTTPS server certificate.

string

Maximum length: 35

auth-portal-addr

Address of captive portal.

string

Maximum length: 63

auth-type

PPP authentication type to use.

option

auto

Option	Description
auto	Automatically choose authentication.
pap	PAP authentication.
chap	CHAP authentication.
mschapv1	MS-CHAPv1 authentication.
mschapv2	MS-CHAPv2 authentication.

auto-auth-extension-device

Enable/disable automatic authorization of dedicated Fortinet extension device on this interface.

option

disable

Option	Description
enable	Enable automatic authorization of dedicated Fortinet extension device on this interface.
disable	Disable automatic authorization of dedicated Fortinet extension device on this interface.

bandwidth-measure-time

Bandwidth measure time.

integer

Minimum value: 0 Maximum value: 4294967295

bfd

Bidirectional Forwarding Detection (BFD) settings.

option

global

Option	Description
global	BFD behavior of this interface will be based on global configuration.
enable	Enable BFD on this interface and ignore global configuration.
disable	Disable BFD on this interface and ignore global configuration.

bfd-desired-min-tx

BFD desired minimal transmit interval.

integer

Minimum value: 1 Maximum value: 100000

250

bfd-detect-mult

BFD detection multiplier.

integer

Minimum value: 1 Maximum value: 50

bfd-required-min-rx

BFD required minimal receive interval.

integer

Minimum value: 1 Maximum value: 100000

250

broadcast-forward

Enable/disable broadcast forwarding.

option

disable

Option	Description
enable	Enable broadcast forwarding.
disable	Disable broadcast forwarding.

cli-conn-status

CLI connection status. Read-only.

integer

Minimum value: 0 Maximum value: 4294967295

color

Color of icon on the GUI.

integer

Minimum value: 0 Maximum value: 32

dedicated-to

Configure interface for single purpose.

option

none

Option	Description
none	Interface not dedicated for any purpose.
management	Dedicate this interface for management purposes only.

defaultgw

Enable to get the gateway IP from the DHCP or PPPoE server.

option

enable

Option	Description
enable	Enable default gateway.
disable	Disable default gateway.

description

Description.

var-string

Maximum length: 255

detected-peer-mtu

MTU of detected peer (0 - 4294967295). Read-only.

integer

Minimum value: 0 Maximum value: 4294967295

detectprotocol

Protocols used to detect the server.

option

ping

Option	Description
ping	PING.
tcp-echo	TCP echo.
udp-echo	UDP echo.

detectserver

Gateway's ping server for this IP.

user

Not Specified

device-identification

Enable/disable passively gathering of device identity information about the devices on the network connected to this interface.

option

disable

Option	Description
enable	Enable passive gathering of identity information about hosts.
disable	Disable passive gathering of identity information about hosts.

device-user-identification

Enable/disable passive gathering of user identity information about users on this interface.

option

enable

Option	Description
enable	Enable passive gathering of user identity information about users.
disable	Disable passive gathering of user identity information about users.

devindex

Device Index. Read-only.

integer

Minimum value: 0 Maximum value: 4294967295

dhcp-classless-route-addition

Enable/disable addition of classless static routes retrieved from DHCP server.

option

disable **

Option	Description
enable	Enable addition of classless static routes retrieved from DHCP server.
disable	Disable addition of classless static routes retrieved from DHCP server.

dhcp-client-identifier

DHCP client identifier.

string

Maximum length: 48

dhcp-relay-agent-option

Enable/disable DHCP relay agent option.

option

enable

Option	Description
enable	Enable DHCP relay agent option.
disable	Disable DHCP relay agent option.

dhcp-relay-interface

Specify outgoing interface to reach server.

string

Maximum length: 15

dhcp-relay-interface-select-method

Specify how to select outgoing interface to reach server.

option

auto

Option	Description
auto	Set outgoing interface automatically.
sdwan	Set outgoing interface by SD-WAN or policy routing rules.
specify	Set outgoing interface manually.

dhcp-relay-ip

DHCP relay IP address.

user

Not Specified

dhcp-relay-link-selection

DHCP relay link selection.

ipv4-address

Not Specified

0.0.0.0

dhcp-relay-request-all-server

Enable/disable sending of DHCP requests to all servers.

option

disable

Option	Description
disable	Send DHCP requests only to a matching server.
enable	Send DHCP requests to all servers.

dhcp-relay-service

Enable/disable allowing this interface to act as a DHCP relay.

option

disable

Option	Description
disable	None.
enable	DHCP relay agent.

dhcp-relay-type

DHCP relay type (regular or IPsec).

option

regular

Option	Description
regular	Regular DHCP relay.
ipsec	DHCP relay for IPsec.

dhcp-renew-time

DHCP renew time in seconds (300-604800), 0 means use the renew time provided by the server.

integer

Minimum value: 300 Maximum value: 604800

disc-retry-timeout

Time in seconds to wait before retrying to start a PPPoE discovery, 0 means no timeout.

integer

Minimum value: 0 Maximum value: 4294967295

disconnect-threshold

Time in milliseconds to wait before sending a notification that this interface is down or disconnected.

integer

Minimum value: 0 Maximum value: 10000

distance

Distance for routes learned through PPPoE or DHCP, lower distance indicates preferred route.

integer

Minimum value: 1 Maximum value: 255

dns-server-override

Enable/disable use DNS acquired by DHCP or PPPoE.

option

enable

Option	Description
enable	Use DNS acquired by DHCP or PPPoE.
disable	No not use DNS acquired by DHCP or PPPoE.

dns-server-protocol

DNS transport protocols.

option

cleartext

Option	Description
cleartext	DNS over UDP/53, DNS over TCP/53.
dot	DNS over TLS/853.
doh	DNS over HTTPS/443.

drop-fragment

Enable/disable drop fragment packets.

option

disable

Option	Description
enable	Enable/disable drop fragment packets.
disable	Do not drop fragment packets.

drop-overlapped-fragment

Enable/disable drop overlapped fragment packets.

option

disable

Option	Description
enable	Enable drop of overlapped fragment packets.
disable	Disable drop of overlapped fragment packets.

egress-cos *

Override outgoing CoS in user VLAN tag.

option

disable

Option	Description
disable	Disable.
cos0	CoS 0.
cos1	CoS 1.
cos2	CoS 2.
cos3	CoS 3.
cos4	CoS 4.
cos5	CoS 5.
cos6	CoS 6.
cos7	CoS 7.

egress-shaping-profile

Outgoing traffic shaping profile.

string

Maximum length: 35

eip *

External IP. Read-only.

ipv4-address-any

Not Specified

0.0.0.0

estimated-downstream-bandwidth

Estimated maximum downstream bandwidth (kbps). Used to estimate link utilization.

integer

Minimum value: 0 Maximum value: 4294967295

estimated-upstream-bandwidth

Estimated maximum upstream bandwidth (kbps). Used to estimate link utilization.

integer

Minimum value: 0 Maximum value: 4294967295

explicit-ftp-proxy

Enable/disable the explicit FTP proxy on this interface.

option

disable

Option	Description
enable	Enable explicit FTP proxy on this interface.
disable	Disable explicit FTP proxy on this interface.

explicit-web-proxy

Enable/disable the explicit web proxy on this interface.

option

disable

Option	Description
enable	Enable explicit Web proxy on this interface.
disable	Disable explicit Web proxy on this interface.

external

Enable/disable identifying the interface as an external interface (which usually means it's connected to the Internet).

option

disable

Option	Description
enable	Enable identifying the interface as an external interface.
disable	Disable identifying the interface as an external interface.

fail-action-on-extender

Action on FortiExtender when interface fail.

option

soft-restart

Option	Description
soft-restart	Soft-restart-on-extender.
hard-restart	Hard-restart-on-extender.
reboot	Reboot-on-extender.

fail-alert-interfaces <name>

Names of the FortiGate interfaces to which the link failure alert is sent.

Names of the non-virtual interface.

string

Maximum length: 79

fail-alert-method

Select link-failed-signal or link-down method to alert about a failed link.

option

link-down

Option	Description
link-failed-signal	Link-failed-signal.
link-down	Link-down.

fail-detect

Enable/disable fail detection features for this interface.

option

disable

Option	Description
enable	Enable interface failed option status.
disable	Disable interface failed option status.

fail-detect-option

Options for detecting that this interface has failed.

option

link-down

Option	Description
detectserver	Use a ping server to determine if the interface has failed.
link-down	Use port detection to determine if the interface has failed.

fortilink *

Enable FortiLink to dedicate this interface to manage other Fortinet devices.

option

disable

Option	Description
enable	Enable FortiLink to dedicated interface for managing FortiSwitch devices.
disable	Disable FortiLink to dedicated interface for managing FortiSwitch devices.

fortilink-backup-link

FortiLink split interface backup link. Read-only.

integer

Minimum value: 0 Maximum value: 255

fortilink-neighbor-detect

Protocol for FortiGate neighbor discovery.

option

fortilink

Option	Description
lldp	Detect FortiLink neighbors using LLDP protocol.
fortilink	Detect FortiLink neighbors using FortiLink protocol.

fortilink-split-interface

Enable/disable FortiLink split interface to connect member link to different FortiSwitch in stack for uplink redundancy.

option

enable

Option	Description
enable	Enable FortiLink split interface to connect member link to different FortiSwitch in stack for uplink redundancy.
disable	Disable FortiLink split interface.

forward-domain

Transparent mode forward domain.

integer

Minimum value: 0 Maximum value: 2147483647

forward-error-correction *

Configure forward error correction (FEC).

option

none

Option	Description
none	none
disable	Disable forward error correction (FEC).
cl91-rs-fec	Reed-Solomon (FEC CL91).
cl74-fc-fec	Fire-Code (FEC CL74).

gateway-address *

Gateway address

ipv4-address

Not Specified

0.0.0.0

gi-gk *

Enable/disable Gi Gatekeeper.

option

disable

Option	Description
enable	enable Gi Gatekeeper
disable	disable Gi Gatekeeper

gwaddr *

Gateway address

ipv4-address

Not Specified

0.0.0.0

gwdetect

Enable/disable detect gateway alive for first.

option

disable

Option	Description
enable	Enable detect gateway alive for first.
disable	Disable detect gateway alive for first.

ha-priority

HA election priority for the PING server.

integer

Minimum value: 1 Maximum value: 50

icmp-accept-redirect

Enable/disable ICMP accept redirect.

option

enable

Option	Description
enable	Enable ICMP accept redirect.
disable	Disable ICMP accept redirect.

icmp-send-redirect

Enable/disable sending of ICMP redirects.

option

enable

Option	Description
enable	Enable sending of ICMP redirects.
disable	Disable sending of ICMP redirects.

ident-accept

Enable/disable authentication for this interface.

option

disable

Option	Description
enable	Enable determining a user's identity from packet identification.
disable	Disable determining a user's identity from packet identification.

idle-timeout

PPPoE auto disconnect after idle timeout seconds, 0 means no timeout.

integer

Minimum value: 0 Maximum value: 32767

inbandwidth

Bandwidth limit for incoming traffic (0 - 80000000 kbps), 0 means unlimited.

integer

Minimum value: 0 Maximum value: 80000000 **

ingress-cos *

Override incoming CoS in user VLAN tag on VLAN interface or assign a priority VLAN tag on physical interface.

option

disable

Option	Description
disable	Disable.
cos0	CoS 0.
cos1	CoS 1.
cos2	CoS 2.
cos3	CoS 3.
cos4	CoS 4.
cos5	CoS 5.
cos6	CoS 6.
cos7	CoS 7.

ingress-shaping-profile

Incoming traffic shaping profile.

string

Maximum length: 35

ingress-spillover-threshold

Ingress Spillover threshold (0 - 16776000 kbps), 0 means unlimited.

integer

Minimum value: 0 Maximum value: 16776000

interface

Interface name.

string

Maximum length: 15

internal

Implicitly created.

integer

Minimum value: 0 Maximum value: 255

Interface IPv4 address and subnet mask, syntax: X.X.X.X/24.

ipv4-classnet-host

Not Specified

0.0.0.0 0.0.0.0

ip-managed-by-fortiipam

Enable/disable automatic IP address assignment of this interface by FortiIPAM.

option

disable

Option	Description
enable	Enable automatic IP address assignment of this interface by FortiIPAM.
disable	Disable automatic IP address assignment of this interface by FortiIPAM.

ipmac

Enable/disable IP/MAC binding.

option

disable

Option	Description
enable	Enable IP/MAC binding.
disable	Disable IP/MAC binding.

ips-sniffer-mode

Enable/disable the use of this interface as a one-armed sniffer.

option

disable

Option	Description
enable	Enable IPS sniffer mode.
disable	Disable IPS sniffer mode.

ipunnumbered

Unnumbered IP used for PPPoE interfaces for which no unique local address is provided.

ipv4-address

Not Specified

0.0.0.0

l2forward

Enable/disable l2 forwarding.

option

disable

Option	Description
enable	Enable L2 forwarding.
disable	Disable L2 forwarding.

l2tp-client *

Enable/disable this interface as a Layer 2 Tunnelling Protocol (L2TP) client.

option

disable

Option	Description
enable	Enable L2TP client.
disable	Disable L2TP client.

lacp-ha-slave

LACP HA slave.

option

enable

Option	Description
enable	Allow HA slave to send/receive LACP messages.
disable	Block HA slave from sending/receiving LACP messages.

lacp-mode

LACP mode.

option

active

Option	Description
static	Use static aggregation, do not send and ignore any LACP messages.
passive	Passively use LACP to negotiate 802.3ad aggregation.
active	Actively use LACP to negotiate 802.3ad aggregation.

lacp-speed

How often the interface sends LACP messages.

option

slow

Option	Description
slow	Send LACP message every 30 seconds.
fast	Send LACP message every second.

lcp-echo-interval

Time in seconds between PPPoE Link Control Protocol (LCP) echo requests.

integer

Minimum value: 0 Maximum value: 32767

lcp-max-echo-fails

Maximum missed LCP echo messages before disconnect.

integer

Minimum value: 0 Maximum value: 32767

link-up-delay

Number of milliseconds to wait before considering a link is up.

integer

Minimum value: 50 Maximum value: 3600000

lldp-network-policy

LLDP-MED network policy profile.

string

Maximum length: 35

lldp-reception

Enable/disable Link Layer Discovery Protocol (LLDP) reception.

option

vdom

Option	Description
enable	Enable reception of Link Layer Discovery Protocol (LLDP).
disable	Disable reception of Link Layer Discovery Protocol (LLDP).
vdom	Use VDOM Link Layer Discovery Protocol (LLDP) reception configuration setting.

lldp-transmission

Enable/disable Link Layer Discovery Protocol (LLDP) transmission.

option

vdom

Option	Description
enable	Enable transmission of Link Layer Discovery Protocol (LLDP).
disable	Disable transmission of Link Layer Discovery Protocol (LLDP).
vdom	Use VDOM Link Layer Discovery Protocol (LLDP) transmission configuration setting.

macaddr

Change the interface's MAC address.

mac-address

Not Specified

00:00:00:00:00:00 **

managed-subnetwork-size

Number of IP addresses to be allocated by FortiIPAM and used by this FortiGate unit's DHCP server settings.

option

256

Option	Description
32	Allocate a subnet with 32 IP addresses.
64	Allocate a subnet with 64 IP addresses.
128	Allocate a subnet with 128 IP addresses.
256	Allocate a subnet with 256 IP addresses.
512	Allocate a subnet with 512 IP addresses.
1024	Allocate a subnet with 1024 IP addresses.
2048	Allocate a subnet with 2048 IP addresses.
4096	Allocate a subnet with 4096 IP addresses.
8192	Allocate a subnet with 8192 IP addresses.
16384	Allocate a subnet with 16384 IP addresses.
32768	Allocate a subnet with 32768 IP addresses.
65536	Allocate a subnet with 65536 IP addresses.

management-ip

High Availability in-band management IP address of this interface.

ipv4-classnet-host

Not Specified

0.0.0.0 0.0.0.0

measured-downstream-bandwidth

Measured downstream bandwidth (kbps).

integer

Minimum value: 0 Maximum value: 4294967295

measured-upstream-bandwidth

Measured upstream bandwidth (kbps).

integer

Minimum value: 0 Maximum value: 4294967295

mediatype *

Select SFP media interface type

option

serdes-sfp

Option	Description
serdes-sfp	SFP using SerDes Media Interface
sgmii-sfp	SFP using SGMII Media Interface
serdes-copper-sfp	Copper SFP using SerDes media Interface.

member <interface-name>

Physical interfaces that belong to the aggregate or redundant interface.

Physical interface name.

string

Maximum length: 79

min-links

Minimum number of aggregated ports that must be up.

integer

Minimum value: 1 Maximum value: 32

min-links-down

Action to take when less than the configured minimum number of links are active.

option

operational

Option	Description
operational	Set the aggregate operationally down.
administrative	Set the aggregate administratively down.

mode

Addressing mode (static, DHCP, PPPoE).

option

static

Option	Description
static	Static setting.
dhcp	External DHCP client mode.
pppoe	External PPPoE mode.

monitor-bandwidth

Enable monitoring bandwidth on this interface.

option

disable

Option	Description
enable	Enable monitoring bandwidth on this interface.
disable	Disable monitoring bandwidth on this interface.

mtu

MTU value for this interface.

integer

Minimum value: 0 Maximum value: 4294967295

1500

mtu-override

Enable to set a custom MTU for this interface.

option

disable

Option	Description
enable	Override default MTU.
disable	Use default MTU.

mux-type *

Multiplexer type

option

llc-encaps

Option	Description
llc-encaps	LLC encapsulation.
vc-encaps	VC encapsulation.

name

Name.

string

Maximum length: 15

ndiscforward

Enable/disable NDISC forwarding.

option

enable

Option	Description
enable	Enable NDISC forwarding.
disable	Disable NDISC forwarding.

netbios-forward

Enable/disable NETBIOS forwarding.

option

disable

Option	Description
disable	Disable NETBIOS forwarding.
enable	Enable NETBIOS forwarding.

netflow-sampler

Enable/disable NetFlow on this interface and set the data that NetFlow collects (rx, tx, or both).

option

disable

Option	Description
disable	Disable NetFlow protocol on this interface.
tx	Monitor transmitted traffic on this interface.
rx	Monitor received traffic on this interface.
both	Monitor transmitted/received traffic on this interface.

np-qos-profile *

NP QoS profile ID.

integer

Minimum value: 0 Maximum value: 15

outbandwidth

Bandwidth limit for outgoing traffic (0 - 80000000 kbps).

integer

Minimum value: 0 Maximum value: 80000000 **

padt-retry-timeout

PPPoE Active Discovery Terminate (PADT) used to terminate sessions after an idle time.

integer

Minimum value: 0 Maximum value: 4294967295

password

PPPoE account's password.

password

Not Specified

phy-mode *

DSL physical mode.

option

vdsl

Option	Description
vdsl	VDSL.

ping-serv-status

PING server status. Read-only.

integer

Minimum value: 0 Maximum value: 255

poe *

Enable/disable PoE status.

option

enable

Option	Description
enable	Enable PoE status.
disable	Disable PoE status.

polling-interval

sFlow polling interval in seconds (1 - 255).

integer

Minimum value: 1 Maximum value: 255

pppoe-unnumbered-negotiate

Enable/disable PPPoE unnumbered negotiation.

option

enable

Option	Description
enable	Enable IP address negotiating for unnumbered.
disable	Disable IP address negotiating for unnumbered.

pptp-auth-type

PPTP authentication type.

option

auto

Option	Description
auto	Automatically choose authentication.
pap	PAP authentication.
chap	CHAP authentication.
mschapv1	MS-CHAPv1 authentication.
mschapv2	MS-CHAPv2 authentication.

pptp-client

Enable/disable PPTP client.

option

disable

Option	Description
enable	Enable PPTP client.
disable	Disable PPTP client.

pptp-password

PPTP password.

password

Not Specified

pptp-server-ip

PPTP server IP address.

ipv4-address

Not Specified

0.0.0.0

pptp-timeout

Idle timer in minutes (0 for disabled).

integer

Minimum value: 0 Maximum value: 65535

pptp-user

PPTP user name.

string

Maximum length: 64

preserve-session-route

Enable/disable preservation of session route when dirty.

option

disable

Option	Description
enable	Enable preservation of session route when dirty.
disable	Disable preservation of session route when dirty.

priority

Priority of learned routes.

integer

Minimum value: 1 Maximum value: 65535

priority-override

Enable/disable fail back to higher priority port once recovered.

option

enable

Option	Description
enable	Enable fail back to higher priority port once recovered.
disable	Disable fail back to higher priority port once recovered.

proxy-captive-portal

Enable/disable proxy captive portal on this interface.

option

disable

Option	Description
enable	Enable proxy captive portal on this interface.
disable	Disable proxy captive portal on this interface.

pvc-atm-qos *

SFP-DSL ADSL Fallback PVC ATM QoS.

option

cbr

Option	Description
cbr	ATM QoS CBR.
rt-vbr	ATM QoS rt-VBR.
nrt-vbr	ATM QoS nrt-VBR.
cbr	ATM QoS CCBR.

pvc-chan *

SFP-DSL ADSL Fallback PVC Channel.

integer

Minimum value: 0 Maximum value: 7

pvc-crc *

SFP-DSL ADSL Fallback PVC CRC Option: bit0: sar LLC preserve, bit1: ream LLC preserve, bit2: ream VC-MUX has crc.

integer

Minimum value: 0 Maximum value: 7

pvc-pcr *

SFP-DSL ADSL Fallback PVC Packet Cell Rate in cells (0 - 5500).

integer

Minimum value: 0 Maximum value: 5500

pvc-scr *

SFP-DSL ADSL Fallback PVC Sustainable Cell Rate in cells (0 - 5500).

integer

Minimum value: 0 Maximum value: 5500

pvc-vlan-id *

SFP-DSL ADSL Fallback PVC VLAN ID.

integer

Minimum value: 1 Maximum value: 4094

pvc-vlan-rx-id *

SFP-DSL ADSL Fallback PVC VLANID RX.

integer

Minimum value: 1 Maximum value: 4094

pvc-vlan-rx-op *

SFP-DSL ADSL Fallback PVC VLAN RX op.

option

pass-through

Option	Description
pass-through	PVC VLAN Tag Passthrough.
replace	PVC VLAN Tag Replace.
remove	PVC VLAN Tag Remove.

pvc-vlan-tx-id *

SFP-DSL ADSL Fallback PVC VLAN ID TX.

integer

Minimum value: 1 Maximum value: 4094

pvc-vlan-tx-op *

SFP-DSL ADSL Fallback PVC VLAN TX op.

option

remove

Option	Description
pass-through	PVC VLAN Tag Passthrough.
replace	PVC VLAN Tag Replace.
remove	PVC VLAN Tag Remove.

reachable-time

IPv4 reachable time in milliseconds (30000 - 3600000, default = 30000).

integer

Minimum value: 30000 Maximum value: 3600000

30000

redundant-interface

Redundant interface. Read-only.

string

Maximum length: 15

remote-ip

Remote IP address of tunnel.

ipv4-classnet-host

Not Specified

0.0.0.0 0.0.0.0

replacemsg-override-group

Replacement message override group.

string

Maximum length: 35

retransmission *

Enable/disable DSL retransmission.

option

enable

Option	Description
disable	Disable retransmission.
enable	Enable retransmission.

ring-rx *

RX ring size.

integer

Minimum value: 0 Maximum value: 4294967295

ring-tx *

TX ring size.

integer

Minimum value: 0 Maximum value: 4294967295

role

Interface role.

option

undefined

Option	Description
lan	Connected to local network of endpoints.
wan	Connected to Internet.
dmz	Connected to server zone.
undefined	Interface has no specific role.

sample-direction

Data that NetFlow collects (rx, tx, or both).

option

both

Option	Description
tx	Monitor transmitted traffic on this interface.
rx	Monitor received traffic on this interface.
both	Monitor transmitted/received traffic on this interface.

sample-rate

sFlow sample rate (10 - 99999).

integer

Minimum value: 10 Maximum value: 99999

2000

secondary-IP

Enable/disable adding a secondary IP to this interface.

option

disable

Option	Description
enable	Enable secondary IP.
disable	Disable secondary IP.

security-8021x-dynamic-vlan-id *

VLAN ID for virtual switch.

integer

Minimum value: 0 Maximum value: 4094

security-8021x-master *

802.1X master virtual-switch.

string

Maximum length: 15

security-8021x-mode *

802.1X mode.

option

default

Option	Description
default	802.1X default mode.
dynamic-vlan	802.1X dynamic VLAN (master) mode.
fallback	802.1X fallback (master) mode.
slave	802.1X slave mode.

security-exempt-list

Name of security-exempt-list.

string

Maximum length: 35

security-external-logout

URL of external authentication logout server.

string

Maximum length: 127

security-external-web

URL of external authentication web server.

var-string

Maximum length: 1023

security-groups <name>

User groups that can authenticate with the captive portal.

Names of user groups that can authenticate with the captive portal.

string

Maximum length: 79

security-mac-auth-bypass

Enable/disable MAC authentication bypass.

option

disable

Option	Description
mac-auth-only	Enable MAC authentication bypass without EAP.
enable	Enable MAC authentication bypass.
disable	Disable MAC authentication bypass.

security-mode

Turn on captive portal authentication for this interface.

option

none

Option	Description
none	No security option.
captive-portal	Captive portal authentication.
802.1X	802.1X port-based authentication.

security-redirect-url

URL redirection after disclaimer/authentication.

var-string

Maximum length: 1023

service-name

PPPoE service name.

string

Maximum length: 63

sflow-sampler

Enable/disable sFlow on this interface.

option

disable

Option	Description
enable	Enable sFlow protocol on this interface.
disable	Disable sFlow protocol on this interface.

sfp-dsl *

Enable/disable SFP DSL.

option

disable

Option	Description
disable	Disable SFP DSL.
enable	Enable SFP DSL.

sfp-dsl-adsl-fallback *

Enable/disable SFP DSL ADSL fallback.

option

disable

Option	Description
disable	Disable SFP DSL ADSL fallback.
enable	Enable SFP DSL ADSL fallback.

sfp-dsl-autodetect *

Enable/disable SFP DSL MAC address autodetect.

option

enable

Option	Description
disable	Disable SFP DSL MAC address autodetect.
enable	Enable SFP DSL MAC address autodetect.

sfp-dsl-mac *

SFP DSL MAC address.

mac-address

Not Specified

00:00:00:00:00:00

snmp-index

Permanent SNMP Index of the interface.

integer

Minimum value: 1 Maximum value: 2147483647

speed

Interface speed. The default setting and the options available depend on the interface hardware.

option

auto

Option	Description
auto	Automatically adjust speed.
10full	10M full-duplex.
10half	10M half-duplex.
100full	100M full-duplex.
100half	100M half-duplex.
1000full	1000M full-duplex.
1000auto	1000M auto adjust.
10000full	10G full-duplex.
10000auto	10G auto.

spillover-threshold

Egress Spillover threshold (0 - 16776000 kbps), 0 means unlimited.

integer

Minimum value: 0 Maximum value: 16776000

src-check

Enable/disable source IP check.

option

enable

Option	Description
enable	Enable source IP check.
disable	Disable source IP check.

status

Bring the interface up or shut the interface down.

option

Option	Description
up	Bring the interface up.
down	Shut the interface down.

stp *

Enable/disable STP.

option

disable

Option	Description
disable	Disable STP.
enable	Enable STP.

stp-ha-secondary *

Control STP behaviour on HA secondary.

option

priority-adjust

Option	Description
disable	Disable STP negotiation on HA secondary.
enable	Enable STP negotiation on HA secondary.
priority-adjust	Enable STP negotiation on HA secondary and make priority lower than HA primary.

stpforward

Enable/disable STP forwarding.

option

disable

Option	Description
enable	Enable STP forwarding.
disable	Disable STP forwarding.

stpforward-mode

Configure STP forwarding mode.

option

rpl-all-ext-id

Option	Description
rpl-all-ext-id	Replace all extension IDs (root, bridge).
rpl-bridge-ext-id	Replace the bridge extension ID only.
rpl-nothing	Replace nothing.

subst

Enable to always send packets from this interface to a destination MAC address.

option

disable

Option	Description
enable	Send packets from this interface.
disable	Do not send packets from this interface.

substitute-dst-mac

Destination MAC address that all packets are sent to from this interface.

mac-address

Not Specified

00:00:00:00:00:00

sw-algorithm *

Frame distribution algorithm for switch.

option

Option	Description
l2	Use layer 2 address for distribution.
l3	Use layer 3 address for distribution.
eh	Use enhanced hashing for distribution.

swc-first-create *

Initial create for switch-controller VLANs.

integer

Minimum value: 0 Maximum value: 4294967295

swc-vlan *

Creation status for switch-controller VLANs. Read-only.

integer

Minimum value: 0 Maximum value: 4294967295

switch

Contained in switch. Read-only.

string

Maximum length: 15

switch-controller-access-vlan *

Block FortiSwitch port-to-port traffic.

option

disable

Option	Description
enable	Block FortiSwitch port-to-port traffic on the VLAN, only permitting traffic to and from the FortiGate.
disable	Allow normal VLAN traffic.

switch-controller-arp-inspection *

Enable/disable FortiSwitch ARP inspection.

option

disable

Option	Description
enable	Enable ARP inspection for FortiSwitch devices.
disable	Disable ARP inspection for FortiSwitch devices.

switch-controller-dhcp-snooping *

Switch controller DHCP snooping.

option

disable

Option	Description
enable	Enable DHCP snooping for FortiSwitch devices.
disable	Disable DHCP snooping for FortiSwitch devices.

switch-controller-dhcp-snooping-option82 *

Switch controller DHCP snooping option82.

option

disable

Option	Description
enable	Enable DHCP snooping insert option82 for FortiSwitch devices.
disable	Disable DHCP snooping insert option82 for FortiSwitch devices.

switch-controller-dhcp-snooping-verify-mac *

Switch controller DHCP snooping verify MAC.

option

disable

Option	Description
enable	Enable DHCP snooping verify source MAC for FortiSwitch devices.
disable	Disable DHCP snooping verify source MAC for FortiSwitch devices.

switch-controller-dynamic *

Integrated FortiLink settings for managed FortiSwitch.

string

Maximum length: 35

switch-controller-feature *

Interface's purpose when assigning traffic (read only).

option

none

Option	Description
none	VLAN for generic purpose.
default-vlan	Default VLAN (native) assigned to all switch ports upon discovery.
quarantine	VLAN for quarantined traffic.
rspan	VLAN for RSPAN/ERSPAN mirrored traffic.
voice	VLAN dedicated for voice devices.
video	VLAN dedicated for camera devices.
nac	VLAN dedicated for NAC onboarding devices.
nac-segment	VLAN dedicated for NAC segment devices.

switch-controller-igmp-snooping *

Switch controller IGMP snooping.

option

disable

Option	Description
enable	Enable IGMP snooping.
disable	Disable IGMP snooping.

switch-controller-igmp-snooping-fast-leave *

Switch controller IGMP snooping fast-leave.

option

disable

Option	Description
enable	Enable IGMP snooping fast-leave.
disable	Disable IGMP snooping fast-leave.

switch-controller-igmp-snooping-proxy *

Switch controller IGMP snooping proxy.

option

disable

Option	Description
enable	Enable IGMP snooping proxy.
disable	Disable IGMP snooping proxy.

switch-controller-iot-scanning *

Enable/disable managed FortiSwitch IoT scanning.

option

disable

Option	Description
enable	Enable IoT scanning for managed FortiSwitch devices.
disable	Disable IoT scanning for managed FortiSwitch devices.

switch-controller-learning-limit *

Limit the number of dynamic MAC addresses on this VLAN (1 - 128, 0 = no limit, default).

integer

Minimum value: 0 Maximum value: 128

switch-controller-mgmt-vlan *

VLAN to use for FortiLink management purposes.

integer

Minimum value: 1 Maximum value: 4094

4094

switch-controller-nac *

Integrated FortiLink settings for managed FortiSwitch.

string

Maximum length: 35

switch-controller-rspan-mode *

Stop Layer2 MAC learning and interception of BPDUs and other packets on this interface.

option

disable

Option	Description
disable	Disable RSPAN passthrough mode on this VLAN interface.
enable	Enable RSPAN passthrough mode on this VLAN interface.

switch-controller-source-ip *

Source IP address used in FortiLink over L3 connections.

option

outbound

Option	Description
outbound	Source IP address is that of the outbound interface.
fixed	Source IP address is that of the FortiLink interface.

switch-controller-traffic-policy *

Switch controller traffic policy for the VLAN.

string

Maximum length: 63

system-id

Define a system ID for the aggregate interface.

mac-address

Not Specified

00:00:00:00:00:00

system-id-type

Method in which system ID is generated.

option

auto

Option	Description
auto	Use the MAC address of the first member.
user	User-defined system ID.

tc-mode *

DSL transfer mode.

option

ptm

Option	Description
ptm	Packet transfer mode.

tcp-mss

TCP maximum segment size. 0 means do not change segment size.

integer

Minimum value: 48 Maximum value: 65535

trunk *

Enable/disable VLAN trunk.

option

disable

Option	Description
enable	Enable VLAN trunk on this interface.
disable	Disable VLAN trunk on this interface.

trust-ip-1

Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts).

ipv4-classnet-any

Not Specified

0.0.0.0 0.0.0.0

trust-ip-2

Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts).

ipv4-classnet-any

Not Specified

0.0.0.0 0.0.0.0

trust-ip-3

Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts).

ipv4-classnet-any

Not Specified

0.0.0.0 0.0.0.0

trust-ip6-1

Trusted IPv6 host for dedicated management traffic (::/0 for all hosts).

ipv6-prefix

Not Specified

::/0

trust-ip6-2

Trusted IPv6 host for dedicated management traffic (::/0 for all hosts).

ipv6-prefix

Not Specified

::/0

trust-ip6-3

Trusted IPv6 host for dedicated management traffic (::/0 for all hosts).

ipv6-prefix

Not Specified

::/0

type

Interface type.

option

vlan

Option	Description
physical	Physical interface.
vlan	VLAN interface.
aggregate	Aggregate interface.
redundant	Redundant interface.
tunnel	Tunnel interface.
vdom-link	VDOM link interface.
loopback	Loopback interface.
switch	Software switch interface.
vap-switch	VAP interface.
wl-mesh	WLAN mesh interface.
fext-wan	FortiExtender interface.
vxlan	VXLAN interface.
geneve	GENEVE interface.
hdlc	T1/E1 interface.
switch-vlan	Switch VLAN interface.
emac-vlan	EMAC VLAN interface.
ssl	SSL VPN client interface.
lan-extension	LAN extension interface.

username

Username of the PPPoE account, provided by your ISP.

string

Maximum length: 64

vci *

Virtual Channel ID

integer

Minimum value: 0 Maximum value: 65535

vdom

Interface is in this virtual domain (VDOM).

string

Maximum length: 31

vectoring *

Enable/disable DSL vectoring.

option

enable

Option	Description
disable	Disable vectoring.
enable	Enable vectoring.

vindex *

Switch control interface VLAN ID. Read-only.

integer

Minimum value: 0 Maximum value: 65535

vlan-protocol

Ethernet protocol of VLAN.

option

8021q

Option	Description
8021q	IEEE 802.1Q.
8021ad	IEEE 802.1AD.

vlanforward

Enable/disable traffic forwarding between VLANs on this interface.

option

disable

Option	Description
enable	Enable traffic forwarding.
disable	Disable traffic forwarding.

vlanid

VLAN ID (1 - 4094).

integer

Minimum value: 1 Maximum value: 4094

vpi *

Virtual Path ID.

integer

Minimum value: 0 Maximum value: 255

vrf

Virtual Routing Forwarding ID.

integer

Minimum value: 0 Maximum value: 31

vrrp-virtual-mac

Enable/disable use of virtual MAC for VRRP.

option

disable

Option	Description
enable	Enable use of virtual MAC for VRRP.
disable	Disable use of virtual MAC for VRRP.

wccp

Enable/disable WCCP on this interface. Used for encapsulated WCCP communication between WCCP clients and servers.

option

disable

Option	Description
enable	Enable WCCP protocol on this interface.
disable	Disable WCCP protocol on this interface.

weight

Default weight for static routes (if route has no weight configured).

integer

Minimum value: 0 Maximum value: 255

wifi-5g-threshold *

Minimal signal strength to be considered as a good 5G AP.

string

Maximum length: 7

-78

wifi-acl *

Access control for MAC addresses in the MAC list.

option

deny

Option	Description
allow	Allow.
deny	Deny.

wifi-ap-band *

How to select the AP to connect.

option

any

Option	Description
any	Connect to the best 2G or 5G AP.
5g-preferred	Connect to the 5G AP if a good 5G AP exists.
5g-only	Only connect to the 5G AP.

wifi-auth *

WiFi authentication.

option

PSK

Option	Description
PSK	PSK.
radius	RADIUS.
usergroup	User group.

wifi-auto-connect *

Enable/disable WiFi network auto connect.

option

enable

Option	Description
enable	Enable WiFi network auto connect.
disable	Disable WiFi network auto connect.

wifi-auto-save *

Enable/disable WiFi network automatic save.

option

disable

Option	Description
enable	Enable WiFi network automatic save.
disable	Disable WiFi network automatic save.

wifi-broadcast-ssid *

Enable/disable SSID broadcast in the beacon.

option

enable

Option	Description
enable	Enable SSID broadcast in the beacon.
disable	Disable SSID broadcast in the beacon.

wifi-encrypt *

Data encryption.

option

AES

Option	Description
TKIP	TKIP.
AES	AES.

wifi-fragment-threshold *

WiFi fragment threshold (800 - 2346).

integer

Minimum value: 800 Maximum value: 2346

2346

wifi-key *

WiFi WEP Key.

password

Not Specified

wifi-keyindex *

WEP key index (1 - 4).

integer

Minimum value: 1 Maximum value: 4

wifi-mac-filter *

Enable/disable MAC filter status.

option

disable

Option	Description
enable	Enable MAC filter.
disable	Disable MAC filter.

wifi-passphrase *

WiFi pre-shared key for WPA.

password

Not Specified

wifi-radius-server *

WiFi RADIUS server for WPA.

string

Maximum length: 35

wifi-rts-threshold *

WiFi RTS threshold (256 - 2346).

integer

Minimum value: 256 Maximum value: 2346

2346

wifi-security *

Wireless access security of SSID.

option

wpa-personal

Option	Description
open	Open.
wep64	WEP64.
wep128	WEP128.
wpa-personal	WPA personal.
wpa-enterprise	WPA enterprise.
wpa-only-personal	WPA personal only.
wpa-only-enterprise	WPA enterprise only.
wpa2-only-personal	WPA2 personal only.
wpa2-only-enterprise	WPA2 enterprise only.

wifi-ssid *

IEEE 802.11 Service Set Identifier.

string

Maximum length: 32

fortinet

wifi-usergroup *

WiFi user group for WPA.

string

Maximum length: 35

wins-ip

WINS server IP.

ipv4-address

Not Specified

0.0.0.0

* This parameter may not exist in some models.

** Values may differ between models.

config client-options

Parameter

Description

Type

Size

Default

code

DHCP client option code.

integer

Minimum value: 0 Maximum value: 255

ID.

integer

Minimum value: 0 Maximum value: 4294967295

DHCP option IPs.

user

Not Specified

type

DHCP client option type.

option

hex

Option	Description
hex	DHCP option in hex.
string	DHCP option in string.
ip	DHCP option in IP.
fqdn	DHCP option in domain search option format.

value

DHCP client option value.

string

Maximum length: 312

config dhcp-snooping-server-list

Parameter	Description	Type	Size	Default
name	DHCP server name.	string	Maximum length: 35	default
server-ip	IP address for DHCP server.	ipv4-address	Not Specified	0.0.0.0

config egress-queues

Parameter	Description	Type	Size
cos0	CoS profile name for CoS 0.	string	Maximum length: 35
cos1	CoS profile name for CoS 1.	string	Maximum length: 35
cos2	CoS profile name for CoS 2.	string	Maximum length: 35
cos3	CoS profile name for CoS 3.	string	Maximum length: 35
cos4	CoS profile name for CoS 4.	string	Maximum length: 35
cos5	CoS profile name for CoS 5.	string	Maximum length: 35
cos6	CoS profile name for CoS 6.	string	Maximum length: 35
cos7	CoS profile name for CoS 7.	string	Maximum length: 35

config ipv6

Parameter

Description

Type

Size

Default

autoconf

Enable/disable address auto config.

option

disable

Option	Description
enable	Enable auto-configuration.
disable	Disable auto-configuration.

cli-conn6-status

CLI IPv6 connection status. Read-only.

integer

Minimum value: 0 Maximum value: 4294967295

dhcp6-client-options

DHCPv6 client options. Read-only.

option

Option	Description
rapid	Send rapid commit option.
iapd	Send including IA-PD option.
iana	Send including IA-NA option.

dhcp6-information-request

Enable/disable DHCPv6 information request.

option

disable

Option	Description
enable	Enable DHCPv6 information request.
disable	Disable DHCPv6 information request.

dhcp6-prefix-delegation

Enable/disable DHCPv6 prefix delegation.

option

disable

Option	Description
enable	Enable DHCPv6 prefix delegation.
disable	Disable DHCPv6 prefix delegation.

dhcp6-relay-ip

DHCPv6 relay IP address.

user

Not Specified

dhcp6-relay-service

Enable/disable DHCPv6 relay.

option

disable

Option	Description
disable	Disable DHCPv6 relay
enable	Enable DHCPv6 relay.

dhcp6-relay-type

DHCPv6 relay type.

option

regular

Option	Description
regular	Regular DHCP relay.

icmp6-send-redirect

Enable/disable sending of ICMPv6 redirects.

option

enable

Option	Description
enable	Enable sending of ICMPv6 redirects.
disable	Disable sending of ICMPv6 redirects.

interface-identifier

IPv6 interface identifier.

ipv6-address

Not Specified

ip6-address

Primary IPv6 address prefix. Syntax: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx.

ipv6-prefix

Not Specified

::/0

ip6-allowaccess

Allow management access to the interface.

option

Option	Description
ping	PING access.
https	HTTPS access.
ssh	SSH access.
snmp	SNMP access.
http	HTTP access.
telnet	TELNET access.
fgfm	FortiManager access.
fabric	Fabric access.

ip6-default-life

Default life (sec).

integer

Minimum value: 0 Maximum value: 9000

1800

ip6-delegated-prefix-iaid

IAID of obtained delegated-prefix from the upstream interface.

integer

Minimum value: 0 Maximum value: 4294967295

ip6-dns-server-override

Enable/disable using the DNS server acquired by DHCP.

option

enable

Option	Description
enable	Enable using the DNS server acquired by DHCP.
disable	Disable using the DNS server acquired by DHCP.

ip6-hop-limit

Hop limit (0 means unspecified).

integer

Minimum value: 0 Maximum value: 255

ip6-link-mtu

IPv6 link MTU.

integer

Minimum value: 1280 Maximum value: 16000

ip6-manage-flag

Enable/disable the managed flag.

option

disable

Option	Description
enable	Enable the managed IPv6 flag.
disable	Disable the managed IPv6 flag.

ip6-max-interval

IPv6 maximum interval (4 to 1800 sec).

integer

Minimum value: 4 Maximum value: 1800

600

ip6-min-interval

IPv6 minimum interval (3 to 1350 sec).

integer

Minimum value: 3 Maximum value: 1350

198

ip6-mode

Addressing mode (static, DHCP, delegated).

option

static

Option	Description
static	Static setting.
dhcp	DHCPv6 client mode.
pppoe	IPv6 over PPPoE mode.
delegated	IPv6 address with delegated prefix.

ip6-other-flag

Enable/disable the other IPv6 flag.

option

disable

Option	Description
enable	Enable the other IPv6 flag.
disable	Disable the other IPv6 flag.

ip6-prefix-mode

Assigning a prefix from DHCP or RA.

option

dhcp6

Option	Description
dhcp6	Use delegated prefix from a DHCPv6 client to form a delegated IPv6 address.
ra	Use prefix from RA to form a delegated IPv6 address.

ip6-reachable-time

IPv6 reachable time (milliseconds; 0 means unspecified).

integer

Minimum value: 0 Maximum value: 3600000

ip6-retrans-time

IPv6 retransmit time (milliseconds; 0 means unspecified).

integer

Minimum value: 0 Maximum value: 4294967295

ip6-send-adv

Enable/disable sending advertisements about the interface.

option

disable

Option	Description
enable	Enable sending advertisements about this interface.
disable	Disable sending advertisements about this interface.

ip6-subnet

Subnet to routing prefix. Syntax: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx.

ipv6-prefix

Not Specified

::/0

ip6-upstream-interface

Interface name providing delegated information.

string

Maximum length: 15

nd-cert

Neighbor discovery certificate.

string

Maximum length: 35

nd-cga-modifier

Neighbor discovery CGA modifier.

user

Not Specified

nd-mode

Neighbor discovery mode.

option

basic

Option	Description
basic	Do not support SEND.
SEND-compatible	Support SEND.

nd-security-level

Neighbor discovery security level (0 - 7; 0 = least secure, default = 0).

integer

Minimum value: 0 Maximum value: 7

nd-timestamp-delta

Neighbor discovery timestamp delta value (1 - 3600 sec; default = 300).

integer

Minimum value: 1 Maximum value: 3600

300

nd-timestamp-fuzz

Neighbor discovery timestamp fuzz factor (1 - 60 sec; default = 1).

integer

Minimum value: 1 Maximum value: 60

ra-send-mtu

Enable/disable sending link MTU in RA packet.

option

enable

Option	Description
enable	Enable sending link MTU in RA packet.
disable	Disable sending link MTU in RA packet.

unique-autoconf-addr

Enable/disable unique auto config address.

option

disable

Option	Description
enable	Enable unique auto-configuration address.
disable	Disable unique auto-configuration address.

vrip6_link_local

Link-local IPv6 address of virtual router.

ipv6-address

Not Specified

vrrp-virtual-mac6

Enable/disable virtual MAC for VRRP.

option

disable

Option	Description
enable	Enable virtual MAC for VRRP.
disable	Disable virtual MAC for VRRP.

config dhcp6-iapd-list

Parameter	Description	Type	Size	Default
iaid	Identity association identifier.	integer	Minimum value: 0 Maximum value: 4294967295	0
prefix-hint	DHCPv6 prefix that will be used as a hint to the upstream DHCPv6 server.	ipv6-network	Not Specified	::/0
prefix-hint-plt	DHCPv6 prefix hint preferred life time (sec), 0 means unlimited lease time.	integer	Minimum value: 0 Maximum value: 4294967295	604800
prefix-hint-vlt	DHCPv6 prefix hint valid life time (sec).	integer	Minimum value: 0 Maximum value: 4294967295	2592000

config ip6-delegated-prefix-list

Parameter

Description

Type

Size

Default

autonomous-flag

Enable/disable the autonomous flag.

option

enable

Option	Description
enable	Enable the autonomous flag.
disable	Disable the autonomous flag.

delegated-prefix-iaid

IAID of obtained delegated-prefix from the upstream interface.

integer

Minimum value: 0 Maximum value: 4294967295

onlink-flag

Enable/disable the onlink flag.

option

enable

Option	Description
enable	Enable the onlink flag.
disable	Disable the onlink flag.

prefix-id

Prefix ID.

integer

Minimum value: 0 Maximum value: 4294967295

rdnss

Recursive DNS server option.

user

Not Specified

rdnss-service

Recursive DNS service option.

option

specify

Option	Description
delegated	Delegated RDNSS settings.
default	System RDNSS settings.
specify	Specify recursive DNS servers.

subnet

Add subnet ID to routing prefix.

ipv6-network

Not Specified

::/0

upstream-interface

Name of the interface that provides delegated information.

string

Maximum length: 15

config ip6-extra-addr

Parameter	Description	Type	Size	Default
prefix	IPv6 address prefix.	ipv6-prefix	Not Specified	::/0

config ip6-prefix-list

Parameter

Description

Type

Size

Default

autonomous-flag

Enable/disable the autonomous flag.

option

enable

Option	Description
enable	Enable the autonomous flag.
disable	Disable the autonomous flag.

dnssl <domain>

DNS search list option.

Domain name.

string

Maximum length: 79

onlink-flag

Enable/disable the onlink flag.

option

enable

Option	Description
enable	Enable the onlink flag.
disable	Disable the onlink flag.

preferred-life-time

Preferred life time (sec).

integer

Minimum value: 0 Maximum value: 4294967295

604800

prefix

IPv6 prefix.

ipv6-network

Not Specified

::/0

rdnss

Recursive DNS server option.

user

Not Specified

valid-life-time

Valid life time (sec).

integer

Minimum value: 0 Maximum value: 4294967295

2592000

config vrrp6

Parameter

Description

Type

Size

Default

accept-mode

Enable/disable accept mode.

option

enable

Option	Description
enable	Enable accept mode.
disable	Disable accept mode.

adv-interval

Advertisement interval (1 - 255 seconds).

integer

Minimum value: 1 Maximum value: 255

preempt

Enable/disable preempt mode.

option

enable

Option	Description
enable	Enable preempt mode.
disable	Disable preempt mode.

priority

Priority of the virtual router (1 - 255).

integer

Minimum value: 1 Maximum value: 255

100

start-time

Startup time (1 - 255 seconds).

integer

Minimum value: 1 Maximum value: 255

status

Enable/disable VRRP.

option

enable

Option	Description
enable	Enable VRRP.
disable	Disable VRRP.

vrdst6

Monitor the route to this destination.

ipv6-address

Not Specified

vrgrp

VRRP group ID (1 - 65535).

integer

Minimum value: 1 Maximum value: 65535

vrid

Virtual router identifier (1 - 255).

integer

Minimum value: 1 Maximum value: 255

vrip6

IPv6 address of the virtual router.

ipv6-address

Not Specified

config l2tp-client-settings

Parameter

Description

Type

Size

Default

auth-type

L2TP authentication type.

option

auto

Option	Description
auto	Automatically choose authentication.
pap	PAP authentication.
chap	CHAP authentication.
mschapv1	MS-CHAPv1 authentication.
mschapv2	MS-CHAPv2 authentication.

defaultgw

Enable/disable default gateway.

option

disable

Option	Description
enable	Enable default gateway.
disable	Disable default gateway.

distance

Distance of learned routes.

integer

Minimum value: 1 Maximum value: 255

hello-interval

L2TP hello message interval in seconds (0 - 3600 sec, default = 60).

integer

Minimum value: 0 Maximum value: 3600

IP. Read-only.

ipv4-classnet-host

Not Specified

0.0.0.0 0.0.0.0

mtu

L2TP MTU.

integer

Minimum value: 40 Maximum value: 65535

1460

password

L2TP password.

password

Not Specified

peer-host

L2TP peer host address.

string

Maximum length: 255

peer-mask

L2TP peer mask.

ipv4-netmask

Not Specified

255.255.255.255

peer-port

L2TP peer port number.

integer

Minimum value: 1 Maximum value: 65535

1701

priority

Priority of learned routes.

integer

Minimum value: 1 Maximum value: 65535

user

L2TP user name.

string

Maximum length: 127

config secondaryip

Parameter

Description

Type

Size

Default

allowaccess

Management access settings for the secondary IP address.

option

Option	Description
ping	PING access.
https	HTTPS access.
ssh	SSH access.
snmp	SNMP access.
http	HTTP access.
telnet	TELNET access.
fgfm	FortiManager access.
radius-acct	RADIUS accounting access.
probe-response	Probe access.
fabric	Security Fabric access.
ftm	FTM access.
speed-test	Speed test access.

detectprotocol

Protocols used to detect the server.

option

ping

Option	Description
ping	PING.
tcp-echo	TCP echo.
udp-echo	UDP echo.

detectserver

Gateway's ping server for this IP.

user

Not Specified

gwdetect

Enable/disable detect gateway alive for first.

option

disable

Option	Description
enable	Enable detect gateway alive for first.
disable	Disable detect gateway alive for first.

ha-priority

HA election priority for the PING server.

integer

Minimum value: 1 Maximum value: 50

ID.

integer

Minimum value: 0 Maximum value: 4294967295

Secondary IP address of the interface.

ipv4-classnet-host

Not Specified

0.0.0.0 0.0.0.0

ping-serv-status

PING server status. Read-only.

integer

Minimum value: 0 Maximum value: 255

config tagging

Parameter

Description

Type

Size

Default

config vrrp

Parameter

Description

Type

Size

Default

accept-mode

Enable/disable accept mode.

option

enable

Option	Description
enable	Enable accept mode.
disable	Disable accept mode.

adv-interval

Advertisement interval (1 - 255 seconds).

integer

Minimum value: 1 Maximum value: 255

ignore-default-route

Enable/disable ignoring of default route when checking destination.

option

disable

Option	Description
enable	Enable ignoring of default route when checking destination.
disable	Disable ignoring of default route when checking destination.

preempt

Enable/disable preempt mode.

option

enable

Option	Description
enable	Enable preempt mode.
disable	Disable preempt mode.

priority

Priority of the virtual router (1 - 255).

integer

Minimum value: 1 Maximum value: 255

100

start-time

Startup time (1 - 255 seconds).

integer

Minimum value: 1 Maximum value: 255

status

Enable/disable this VRRP configuration.

option

enable

Option	Description
enable	Enable this VRRP configuration.
disable	Disable this VRRP configuration.

version

VRRP version.

option

Option	Description
2	VRRP version 2.
3	VRRP version 3.

vrdst

Monitor the route to this destination.

ipv4-address-any

Not Specified

vrdst-priority

Priority of the virtual router when the virtual router destination becomes unreachable (0 - 254).

integer

Minimum value: 0 Maximum value: 254

vrgrp

VRRP group ID (1 - 65535).

integer

Minimum value: 1 Maximum value: 65535

vrid

Virtual router identifier (1 - 255).

integer

Minimum value: 1 Maximum value: 255

vrip

IP address of the virtual router.

ipv4-address-any

Not Specified

0.0.0.0

config proxy-arp

Parameter	Description	Type	Size	Default
id	ID.	integer	Minimum value: 0 Maximum value: 4294967295	0
ip	Set IP addresses of proxy ARP.	user	Not Specified

config wifi-mac-list

Parameter	Description	Type	Size	Default
id	ID.	integer	Minimum value: 0 Maximum value: 4294967295	0
mac	MAC address.	mac-address	Not Specified	00:00:00:00:00:00

config wifi-networks

Parameter

Description

Type

Size

Default

ID.

integer

Minimum value: 0 Maximum value: 4294967295

wifi-encrypt

Data encryption.

option

AES

Option	Description
TKIP	TKIP.
AES	AES.

wifi-key

WiFi WEP Key.

password

Not Specified

wifi-keyindex

WEP key index (1 - 4).

integer

Minimum value: 1 Maximum value: 4

wifi-passphrase

WiFi pre-shared key for WPA.

password

Not Specified

wifi-security

Wireless access security of SSID.

option

wpa-personal

Option	Description
open	Open.
wep64	WEP64.
wep128	WEP128.
wpa-personal	WPA personal.
wpa-only-personal	WPA personal only.
wpa2-only-personal	WPA2 personal only.

wifi-ssid

IEEE 802.11 Service Set Identifier.

string

Maximum length: 32

fortinet

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

Web Application / API Protection

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

All Products

CLI Reference

config system interface

config system interface

config system interface

config client-options

config dhcp-snooping-server-list

config egress-queues

config ipv6

config dhcp6-iapd-list

config ip6-delegated-prefix-list

config ip6-extra-addr

config ip6-prefix-list