config system interface

Configure interfaces.

config system interface

Description: Configure interfaces.

edit <name>

set vdom {string}

set vrf {integer}

set cli-conn-status {integer}

set fortilink [enable|disable]

set switch-controller-source-ip [outbound|fixed]

set mode [static|dhcp|...]

config client-options

Description: DHCP client options.

edit <id>

set code {integer}

set type [hex|string|...]

set value {string}

set ip {user}

next

end

set distance {integer}

set priority {integer}

set dhcp-relay-interface-select-method [auto|sdwan|...]

set dhcp-relay-interface {string}

set dhcp-relay-service [disable|enable]

set dhcp-relay-ip {user}

set dhcp-relay-link-selection {ipv4-address}

set dhcp-relay-request-all-server [disable|enable]

set dhcp-relay-type [regular|ipsec]

set dhcp-relay-agent-option [enable|disable]

set dhcp-classless-route-addition [enable|disable]

set management-ip {ipv4-classnet-host}

set ip {ipv4-classnet-host}

set allowaccess {option1}, {option2}, ...

set gwdetect [enable|disable]

set ping-serv-status {integer}

set detectserver {user}

set detectprotocol {option1}, {option2}, ...

set ha-priority {integer}

set fail-detect [enable|disable]

set fail-detect-option {option1}, {option2}, ...

set fail-alert-method [link-failed-signal|link-down]

set fail-action-on-extender [soft-restart|hard-restart|...]

set fail-alert-interfaces <name1>, <name2>, ...

set dhcp-client-identifier {string}

set dhcp-renew-time {integer}

set ipunnumbered {ipv4-address}

set username {string}

set pppoe-unnumbered-negotiate [enable|disable]

set password {password}

set idle-timeout {integer}

set detected-peer-mtu {integer}

set disc-retry-timeout {integer}

set padt-retry-timeout {integer}

set service-name {string}

set ac-name {string}

set lcp-echo-interval {integer}

set lcp-max-echo-fails {integer}

set defaultgw [enable|disable]

set dns-server-override [enable|disable]

set dns-server-protocol {option1}, {option2}, ...

set auth-type [auto|pap|...]

set pptp-client [enable|disable]

set pptp-user {string}

set pptp-password {password}

set pptp-server-ip {ipv4-address}

set pptp-auth-type [auto|pap|...]

set pptp-timeout {integer}

set arpforward [enable|disable]

set ndiscforward [enable|disable]

set broadcast-forward [enable|disable]

set bfd [global|enable|...]

set bfd-desired-min-tx {integer}

set bfd-detect-mult {integer}

set bfd-required-min-rx {integer}

set l2forward [enable|disable]

set icmp-send-redirect [enable|disable]

set icmp-accept-redirect [enable|disable]

set reachable-time {integer}

set vlanforward [enable|disable]

set stpforward [enable|disable]

set stpforward-mode [rpl-all-ext-id|rpl-bridge-ext-id|...]

set ips-sniffer-mode [enable|disable]

set ident-accept [enable|disable]

set ipmac [enable|disable]

set subst [enable|disable]

set macaddr {mac-address}

set substitute-dst-mac {mac-address}

set poe [enable|disable]

set speed [auto|10full|...]

set status [up|down]

set netbios-forward [disable|enable]

set wins-ip {ipv4-address}

set type [physical|vlan|...]

set dedicated-to [none|management]

set trust-ip-1 {ipv4-classnet-any}

set trust-ip-2 {ipv4-classnet-any}

set trust-ip-3 {ipv4-classnet-any}

set trust-ip6-1 {ipv6-prefix}

set trust-ip6-2 {ipv6-prefix}

set trust-ip6-3 {ipv6-prefix}

set mtu-override [enable|disable]

set mtu {integer}

set wccp [enable|disable]

set netflow-sampler [disable|tx|...]

set sflow-sampler [enable|disable]

set drop-overlapped-fragment [enable|disable]

set drop-fragment [enable|disable]

set src-check [enable|disable]

set sample-rate {integer}

set polling-interval {integer}

set sample-direction [tx|rx|...]

set explicit-web-proxy [enable|disable]

set explicit-ftp-proxy [enable|disable]

set proxy-captive-portal [enable|disable]

set tcp-mss {integer}

set inbandwidth {integer}

set outbandwidth {integer}

set egress-shaping-profile {string}

set ingress-shaping-profile {string}

set disconnect-threshold {integer}

set spillover-threshold {integer}

set ingress-spillover-threshold {integer}

set weight {integer}

set interface {string}

set external [enable|disable]

set vlan-protocol [8021q|8021ad]

set vlanid {integer}

set trunk [enable|disable]

set forward-domain {integer}

set remote-ip {ipv4-classnet-host}

set member <interface-name1>, <interface-name2>, ...

set lacp-mode [static|passive|...]

set lacp-ha-slave [enable|disable]

set system-id-type [auto|user]

set system-id {mac-address}

set lacp-speed [slow|fast]

set min-links {integer}

set min-links-down [operational|administrative]

set algorithm [L2|L3|...]

set link-up-delay {integer}

set priority-override [enable|disable]

set aggregate {string}

set redundant-interface {string}

set devindex {integer}

set vindex {integer}

set switch {string}

set description {var-string}

set alias {string}

set l2tp-client [enable|disable]

config l2tp-client-settings

Description: L2TP client settings.

set user {string}

set password {password}

set peer-host {string}

set peer-mask {ipv4-netmask}

set peer-port {integer}

set auth-type [auto|pap|...]

set mtu {integer}

set distance {integer}

set priority {integer}

set defaultgw [enable|disable]

set ip {ipv4-classnet-host}

set hello-interval {integer}

end

set security-mode [none|captive-portal|...]

set security-mac-auth-bypass [mac-auth-only|enable|...]

set security-8021x-mode [default|dynamic-vlan|...]

set security-8021x-master {string}

set security-8021x-dynamic-vlan-id {integer}

set security-external-web {var-string}

set security-external-logout {string}

set replacemsg-override-group {string}

set security-redirect-url {var-string}

set auth-cert {string}

set auth-portal-addr {string}

set security-exempt-list {string}

set security-groups <name1>, <name2>, ...

set ike-saml-server {string}

set stp [disable|enable]

set stp-ha-secondary [disable|enable|...]

set device-identification [enable|disable]

set device-user-identification [enable|disable]

set lldp-reception [enable|disable|...]

set lldp-transmission [enable|disable|...]

set lldp-network-policy {string}

set estimated-upstream-bandwidth {integer}

set estimated-downstream-bandwidth {integer}

set measured-upstream-bandwidth {integer}

set measured-downstream-bandwidth {integer}

set bandwidth-measure-time {integer}

set monitor-bandwidth [enable|disable]

set vrrp-virtual-mac [enable|disable]

config vrrp

Description: VRRP configuration.

edit <vrid>

set version [2|3]

set vrgrp {integer}

set vrip {ipv4-address-any}

set priority {integer}

set adv-interval {integer}

set start-time {integer}

set preempt [enable|disable]

set accept-mode [enable|disable]

set vrdst {ipv4-address-any}

set vrdst-priority {integer}

set ignore-default-route [enable|disable]

set status [enable|disable]

config proxy-arp

Description: VRRP Proxy ARP configuration.

edit <id>

set ip {user}

next

end

next

end

set role [lan|wan|...]

set snmp-index {integer}

set secondary-IP [enable|disable]

config secondaryip

Description: Second IP address of interface.

edit <id>

set ip {ipv4-classnet-host}

set allowaccess {option1}, {option2}, ...

set gwdetect [enable|disable]

set ping-serv-status {integer}

set detectserver {user}

set detectprotocol {option1}, {option2}, ...

set ha-priority {integer}

next

end

set preserve-session-route [enable|disable]

set auto-auth-extension-device [enable|disable]

set ap-discover [enable|disable]

set fortilink-neighbor-detect [lldp|fortilink]

set ip-managed-by-fortiipam [enable|disable]

set managed-subnetwork-size [32|64|...]

set fortilink-split-interface [enable|disable]

set internal {integer}

set fortilink-backup-link {integer}

set switch-controller-access-vlan [enable|disable]

set switch-controller-traffic-policy {string}

set switch-controller-rspan-mode [disable|enable]

set switch-controller-mgmt-vlan {integer}

set switch-controller-igmp-snooping [enable|disable]

set switch-controller-igmp-snooping-proxy [enable|disable]

set switch-controller-igmp-snooping-fast-leave [enable|disable]

set switch-controller-dhcp-snooping [enable|disable]

set switch-controller-dhcp-snooping-verify-mac [enable|disable]

set switch-controller-dhcp-snooping-option82 [enable|disable]

config dhcp-snooping-server-list

Description: Configure DHCP server access list.

edit <name>

set server-ip {ipv4-address}

next

end

set switch-controller-arp-inspection [enable|disable]

set switch-controller-learning-limit {integer}

set switch-controller-nac {string}

set switch-controller-dynamic {string}

set switch-controller-feature [none|default-vlan|...]

set switch-controller-iot-scanning [enable|disable]

set swc-vlan {integer}

set swc-first-create {integer}

set color {integer}

config tagging

Description: Config object tagging.

edit <name>

set category {string}

set tags <name1>, <name2>, ...

next

end

set eap-supplicant [enable|disable]

set eap-method [tls|peap]

set eap-identity {string}

set eap-password {password}

set eap-ca-cert {string}

set eap-user-cert {string}

config ipv6

Description: IPv6 of interface.

set ip6-mode [static|dhcp|...]

set nd-mode [basic|SEND-compatible]

set nd-cert {string}

set nd-security-level {integer}

set nd-timestamp-delta {integer}

set nd-timestamp-fuzz {integer}

set nd-cga-modifier {user}

set ip6-dns-server-override [enable|disable]

set ip6-address {ipv6-prefix}

config ip6-extra-addr

Description: Extra IPv6 address prefixes of interface.

edit <prefix>

next

end

set ip6-allowaccess {option1}, {option2}, ...

set ip6-send-adv [enable|disable]

set icmp6-send-redirect [enable|disable]

set ip6-manage-flag [enable|disable]

set ip6-other-flag [enable|disable]

set ip6-max-interval {integer}

set ip6-min-interval {integer}

set ip6-link-mtu {integer}

set ra-send-mtu [enable|disable]

set ip6-reachable-time {integer}

set ip6-retrans-time {integer}

set ip6-default-life {integer}

set ip6-hop-limit {integer}

set autoconf [enable|disable]

set unique-autoconf-addr [enable|disable]

set interface-identifier {ipv6-address}

set ip6-prefix-mode [dhcp6|ra]

set ip6-upstream-interface {string}

set ip6-delegated-prefix-iaid {integer}

set ip6-subnet {ipv6-prefix}

config ip6-prefix-list

Description: Advertised prefix list.

edit <prefix>

set autonomous-flag [enable|disable]

set onlink-flag [enable|disable]

set valid-life-time {integer}

set preferred-life-time {integer}

set rdnss {user}

set dnssl <domain1>, <domain2>, ...

next

end

config ip6-delegated-prefix-list

Description: Advertised IPv6 delegated prefix list.

edit <prefix-id>

set upstream-interface {string}

set delegated-prefix-iaid {integer}

set autonomous-flag [enable|disable]

set onlink-flag [enable|disable]

set subnet {ipv6-network}

set rdnss-service [delegated|default|...]

set rdnss {user}

next

end

set dhcp6-relay-service [disable|enable]

set dhcp6-relay-type {option}

set dhcp6-relay-ip {user}

set dhcp6-client-options {option1}, {option2}, ...

set dhcp6-prefix-delegation [enable|disable]

set dhcp6-information-request [enable|disable]

config dhcp6-iapd-list

Description: DHCPv6 IA-PD list.

edit <iaid>

set prefix-hint {ipv6-network}

set prefix-hint-plt {integer}

set prefix-hint-vlt {integer}

next

end

set cli-conn6-status {integer}

set vrrp-virtual-mac6 [enable|disable]

set vrip6_link_local {ipv6-address}

config vrrp6

Description: IPv6 VRRP configuration.

edit <vrid>

set vrgrp {integer}

set vrip6 {ipv6-address}

set priority {integer}

set adv-interval {integer}

set start-time {integer}

set preempt [enable|disable]

set accept-mode [enable|disable]

set vrdst6 {ipv6-address}

set status [enable|disable]

next

end

end

next

end

config system interface

Parameter

Description

Type

Size

Default

vdom

Interface is in this virtual domain (VDOM).

string

Maximum length: 31

vrf

Virtual Routing Forwarding ID.

integer

Minimum value: 0 Maximum value: 63

0

cli-conn-status

CLI connection status.

integer

Minimum value: 0 Maximum value: 4294967295

0

fortilink

Enable FortiLink to dedicate this interface to manage other Fortinet devices.

option

-

disable

Option

Description

enable

Enable FortiLink to dedicate this interface to managing FortiSwitch devices.

disable

Disable FortiLink; do not dedicate this interface to managing FortiSwitch devices.

switch-controller-source-ip

Source IP address used in FortiLink over L3 connections.

option

-

outbound

Option

Description

outbound

Source IP address is that of the outbound interface.

fixed

Source IP address is that of the FortiLink interface.

mode

Addressing mode (static, DHCP, PPPoE).

option

-

static

Option

Description

static

Static setting.

dhcp

External DHCP client mode.

pppoe

External PPPoE mode.

distance

Distance for routes learned through PPPoE or DHCP; a lower distance indicates a preferred route.

integer

Minimum value: 1 Maximum value: 255

5

priority

Priority of learned routes.

integer

Minimum value: 1 Maximum value: 65535

1

dhcp-relay-interface-select-method

Specify how to select outgoing interface to reach server.

option

-

auto

Option

Description

auto

Set outgoing interface automatically.

sdwan

Set outgoing interface by SD-WAN or policy routing rules.

specify

Set outgoing interface manually.

dhcp-relay-interface

Specify outgoing interface to reach server.

string

Maximum length: 15

dhcp-relay-service

Enable/disable allowing this interface to act as a DHCP relay.

option

-

disable

Option

Description

disable

None.

enable

DHCP relay agent.

dhcp-relay-ip

DHCP relay IP address.

user

Not Specified

dhcp-relay-link-selection

DHCP relay link selection.

ipv4-address

Not Specified

0.0.0.0

dhcp-relay-request-all-server

Enable/disable sending of DHCP requests to all servers.

option

-

disable

Option

Description

disable

Send DHCP requests only to a matching server.

enable

Send DHCP requests to all servers.

dhcp-relay-type

DHCP relay type (regular or IPsec).

option

-

regular

Option

Description

regular

Regular DHCP relay.

ipsec

DHCP relay for IPsec.

dhcp-relay-agent-option

Enable/disable DHCP relay agent option.

option

-

enable

Option

Description

enable

Enable DHCP relay agent option.

disable

Disable DHCP relay agent option.

dhcp-classless-route-addition

Enable/disable addition of classless static routes retrieved from DHCP server.

option

-

disable **

Option

Description

enable

Enable addition of classless static routes retrieved from DHCP server.

disable

Disable addition of classless static routes retrieved from DHCP server.

management-ip

High Availability in-band management IP address of this interface.

ipv4-classnet-host

Not Specified

0.0.0.0 0.0.0.0

ip

Interface IPv4 address and subnet mask, syntax: X.X.X.X/24.

ipv4-classnet-host

Not Specified

0.0.0.0 0.0.0.0

allowaccess

Permitted types of management access to this interface.

option

-

Option

Description

ping

PING access.

https

HTTPS access.

ssh

SSH access.

snmp

SNMP access.

http

HTTP access (unencrypted transport; prefer HTTPS for administration).

telnet

TELNET access (cleartext protocol; prefer SSH for administration).

fgfm

FortiManager access.

radius-acct

RADIUS accounting access.

probe-response

Probe access.

fabric

Security Fabric access.

ftm

FTM access.

speed-test

Speed test access.

gwdetect

Enable/disable detect gateway alive for first.

option

-

disable

Option

Description

enable

Enable detect gateway alive for first.

disable

Disable detect gateway alive for first.

ping-serv-status

PING server status.

integer

Minimum value: 0 Maximum value: 255

0

detectserver

Gateway's ping server for this IP.

user

Not Specified

detectprotocol

Protocols used to detect the server.

option

-

ping

Option

Description

ping

PING.

tcp-echo

TCP echo.

udp-echo

UDP echo.

ha-priority

HA election priority for the PING server.

integer

Minimum value: 1 Maximum value: 50

1

fail-detect

Enable/disable fail detection features for this interface.

option

-

disable

Option

Description

enable

Enable interface failed option status.

disable

Disable interface failed option status.

fail-detect-option

Options for detecting that this interface has failed.

option

-

link-down

Option

Description

detectserver

Use a ping server to determine if the interface has failed.

link-down

Use port detection to determine if the interface has failed.

fail-alert-method

Select link-failed-signal or link-down method to alert about a failed link.

option

-

link-down

Option

Description

link-failed-signal

Link-failed-signal.

link-down

Link-down.

fail-action-on-extender

Action on FortiExtender when the interface fails.

option

-

soft-restart

Option

Description

soft-restart

Soft-restart-on-extender.

hard-restart

Hard-restart-on-extender.

reboot

Reboot-on-extender.

fail-alert-interfaces <name>

Names of the FortiGate interfaces to which the link failure alert is sent.

Names of the non-virtual interface.

string

Maximum length: 79

dhcp-client-identifier

DHCP client identifier.

string

Maximum length: 48

dhcp-renew-time

DHCP renew time in seconds; 0 means use the renew time provided by the server.

integer

Minimum value: 300 Maximum value: 604800

0

ipunnumbered

Unnumbered IP used for PPPoE interfaces for which no unique local address is provided.

ipv4-address

Not Specified

0.0.0.0

username

Username of the PPPoE account, provided by your ISP.

string

Maximum length: 64

pppoe-unnumbered-negotiate

Enable/disable PPPoE unnumbered negotiation.

option

-

enable

Option

Description

enable

Enable IP address negotiating for unnumbered.

disable

Disable IP address negotiating for unnumbered.

password

PPPoE account's password.

password

Not Specified

idle-timeout

Automatically disconnect PPPoE after this many seconds of idle time; 0 means no timeout.

integer

Minimum value: 0 Maximum value: 32767

0

detected-peer-mtu

MTU of detected peer.

integer

Minimum value: 0 Maximum value: 4294967295

0

disc-retry-timeout

Time in seconds to wait before retrying to start a PPPoE discovery, 0 means no timeout.

integer

Minimum value: 0 Maximum value: 4294967295

1

padt-retry-timeout

PPPoE Active Discovery Terminate (PADT) used to terminate sessions after an idle time.

integer

Minimum value: 0 Maximum value: 4294967295

1

service-name

PPPoE service name.

string

Maximum length: 63

ac-name

PPPoE server name.

string

Maximum length: 63

lcp-echo-interval

Time in seconds between PPPoE Link Control Protocol (LCP) echo requests.

integer

Minimum value: 0 Maximum value: 32767

5

lcp-max-echo-fails

Maximum missed LCP echo messages before disconnect.

integer

Minimum value: 0 Maximum value: 32767

3

defaultgw

Enable to get the gateway IP from the DHCP or PPPoE server.

option

-

enable

Option

Description

enable

Enable default gateway.

disable

Disable default gateway.

dns-server-override

Enable/disable use of DNS acquired by DHCP or PPPoE.

option

-

enable

Option

Description

enable

Use DNS acquired by DHCP or PPPoE.

disable

Do not use DNS acquired by DHCP or PPPoE.

dns-server-protocol

DNS transport protocols.

option

-

cleartext

Option

Description

cleartext

DNS over UDP/53, DNS over TCP/53.

dot

DNS over TLS/853.

doh

DNS over HTTPS/443.

auth-type

PPP authentication type to use.

option

-

auto

Option

Description

auto

Automatically choose authentication.

pap

PAP authentication (the password is sent to the peer unencrypted).

chap

CHAP authentication.

mschapv1

MS-CHAPv1 authentication (legacy; cryptographically weak).

mschapv2

MS-CHAPv2 authentication.

pptp-client

Enable/disable PPTP client. PPTP is a legacy tunneling protocol with known cryptographic weaknesses.

option

-

disable

Option

Description

enable

Enable PPTP client.

disable

Disable PPTP client.

pptp-user

PPTP user name.

string

Maximum length: 64

pptp-password

PPTP password.

password

Not Specified

pptp-server-ip

PPTP server IP address.

ipv4-address

Not Specified

0.0.0.0