config system interface

Configure interfaces.

config system interface
    Description: Configure interfaces.
    edit <name>
        set ac-name {string}
        set aggregate {string}
        set aggregate-type [physical|vxlan]
        set algorithm [L2|L3|...]
        set alias {string}
        set allowaccess {option1}, {option2}, ...
        set ap-discover [enable|disable]
        set arpforward [enable|disable]
        set atm-protocol [none|ipoa]
        set auth-cert {string}
        set auth-portal-addr {string}
        set auth-type [auto|pap|...]
        set auto-auth-extension-device [enable|disable]
        set bandwidth-measure-time {integer}
        set bfd [global|enable|...]
        set bfd-desired-min-tx {integer}
        set bfd-detect-mult {integer}
        set bfd-required-min-rx {integer}
        set broadcast-forward [enable|disable]
        set cli-conn-status {integer}
        config client-options
            Description: DHCP client options.
            edit <id>
                set code {integer}
                set type [hex|string|...]
                set value {string}
                set ip {user}
            next
        end
        set color {integer}
        set dedicated-to [none|management]
        set default-purdue-level [1|1.5|...]
        set defaultgw [enable|disable]
        set description {var-string}
        set detected-peer-mtu {integer}
        set detectprotocol {option1}, {option2}, ...
        set detectserver {user}
        set device-identification [enable|disable]
        set device-user-identification [enable|disable]
        set devindex {integer}
        set dhcp-broadcast-flag [disable|enable]
        set dhcp-classless-route-addition [enable|disable]
        set dhcp-client-identifier {string}
        set dhcp-relay-agent-option [enable|disable]
        set dhcp-relay-circuit-id {string}
        set dhcp-relay-interface {string}
        set dhcp-relay-interface-select-method [auto|sdwan|...]
        set dhcp-relay-ip {user}
        set dhcp-relay-link-selection {ipv4-address}
        set dhcp-relay-request-all-server [disable|enable]
        set dhcp-relay-service [disable|enable]
        set dhcp-relay-source-ip {ipv4-address}
        set dhcp-relay-type [regular|ipsec]
        set dhcp-renew-time {integer}
        set dhcp-smart-relay [disable|enable]
        config dhcp-snooping-server-list
            Description: Configure DHCP server access list.
            edit <name>
                set server-ip {ipv4-address}
            next
        end
        set disc-retry-timeout {integer}
        set distance {integer}
        set dns-server-override [enable|disable]
        set dns-server-protocol {option1}, {option2}, ...
        set drop-fragment [enable|disable]
        set drop-overlapped-fragment [enable|disable]
        set eap-ca-cert {string}
        set eap-identity {string}
        set eap-method [tls|peap]
        set eap-password {password}
        set eap-supplicant [enable|disable]
        set eap-user-cert {string}
        set egress-cos [disable|cos0|...]
        config egress-queues
            Description: Configure queues of NP port on egress path.
            set cos0 {string}
            set cos1 {string}
            set cos2 {string}
            set cos3 {string}
            set cos4 {string}
            set cos5 {string}
            set cos6 {string}
            set cos7 {string}
        end
        set egress-shaping-profile {string}
        set estimated-downstream-bandwidth {integer}
        set estimated-upstream-bandwidth {integer}
        set explicit-ftp-proxy [enable|disable]
        set explicit-web-proxy [enable|disable]
        set external [enable|disable]
        set fail-action-on-extender [soft-restart|hard-restart|...]
        set fail-alert-interfaces <name1>, <name2>, ...
        set fail-alert-method [link-failed-signal|link-down]
        set fail-detect [enable|disable]
        set fail-detect-option {option1}, {option2}, ...
        set fortilink [enable|disable]
        set fortilink-backup-link {integer}
        set fortilink-neighbor-detect [lldp|fortilink]
        set fortilink-split-interface [enable|disable]
        set forward-domain {integer}
        set forward-error-correction [none|disable|...]
        set gateway-address {ipv4-address}
        set gi-gk [enable|disable]
        set gwaddr {ipv4-address}
        set gwdetect [enable|disable]
        set ha-priority {integer}
        set icmp-accept-redirect [enable|disable]
        set icmp-send-redirect [enable|disable]
        set ident-accept [enable|disable]
        set idle-timeout {integer}
        set ike-saml-server {string}
        set inbandwidth {integer}
        set ingress-cos [disable|cos0|...]
        set ingress-shaping-profile {string}
        set ingress-spillover-threshold {integer}
        set interconnect-profile [default|profile1|...]
        set interface {string}
        set internal {integer}
        set ip {ipv4-classnet-host}
        set ip-managed-by-fortiipam [inherit-global|enable|...]
        set ipmac [enable|disable]
        set ips-sniffer-mode [enable|disable]
        set ipunnumbered {ipv4-address}
        config ipv6
            Description: IPv6 of interface.
            set ip6-mode [static|dhcp|...]
            set nd-mode [basic|SEND-compatible]
            set nd-cert {string}
            set nd-security-level {integer}
            set nd-timestamp-delta {integer}
            set nd-timestamp-fuzz {integer}
            set nd-cga-modifier {user}
            set ip6-dns-server-override [enable|disable]
            set ip6-address {ipv6-prefix}
            config ip6-extra-addr
                Description: Extra IPv6 address prefixes of interface.
                edit <prefix>
                next
            end
            set ip6-allowaccess {option1}, {option2}, ...
            set ip6-send-adv [enable|disable]
            set icmp6-send-redirect [enable|disable]
            set ip6-manage-flag [enable|disable]
            set ip6-other-flag [enable|disable]
            set ip6-max-interval {integer}
            set ip6-min-interval {integer}
            set ip6-link-mtu {integer}
            set ra-send-mtu [enable|disable]
            set ip6-reachable-time {integer}
            set ip6-retrans-time {integer}
            set ip6-default-life {integer}
            set ip6-hop-limit {integer}
            set autoconf [enable|disable]
            set unique-autoconf-addr [enable|disable]
            set interface-identifier {ipv6-address}
            set ip6-prefix-mode [dhcp6|ra]
            set ip6-delegated-prefix-iaid {integer}
            set ip6-upstream-interface {string}
            set ip6-subnet {ipv6-prefix}
            config ip6-prefix-list
                Description: Advertised prefix list.
                edit <prefix>
                    set autonomous-flag [enable|disable]
                    set onlink-flag [enable|disable]
                    set valid-life-time {integer}
                    set preferred-life-time {integer}
                    set rdnss {user}
                    set dnssl <domain1>, <domain2>, ...
                next
            end
            config ip6-delegated-prefix-list
                Description: Advertised IPv6 delegated prefix list.
                edit <prefix-id>
                    set upstream-interface {string}
                    set delegated-prefix-iaid {integer}
                    set autonomous-flag [enable|disable]
                    set onlink-flag [enable|disable]
                    set subnet {ipv6-network}
                    set rdnss-service [delegated|default|...]
                    set rdnss {user}
                next
            end
            set dhcp6-relay-service [disable|enable]
            set dhcp6-relay-type {option}
            set dhcp6-relay-source-interface [disable|enable]
            set dhcp6-relay-ip {user}
            set dhcp6-relay-source-ip {ipv6-address}
            set dhcp6-relay-interface-id {string}
            set dhcp6-client-options {option1}, {option2}, ...
            set dhcp6-prefix-delegation [enable|disable]
            set dhcp6-information-request [enable|disable]
            config dhcp6-iapd-list
                Description: DHCPv6 IA-PD list.
                edit <iaid>
                    set prefix-hint {ipv6-network}
                    set prefix-hint-plt {integer}
                    set prefix-hint-vlt {integer}
                next
            end
            set cli-conn6-status {integer}
            set vrrp-virtual-mac6 [enable|disable]
            set vrip6_link_local {ipv6-address}
            config vrrp6
                Description: IPv6 VRRP configuration.
                edit <vrid>
                    set vrgrp {integer}
                    set vrip6 {ipv6-address}
                    set priority {integer}
                    set adv-interval {integer}
                    set start-time {integer}
                    set preempt [enable|disable]
                    set accept-mode [enable|disable]
                    set vrdst6 {ipv6-address}
                    set ignore-default-route [enable|disable]
                    set status [enable|disable]
                next
            end
        end
        set l2forward [enable|disable]
        set l2tp-client [enable|disable]
        config l2tp-client-settings
            Description: L2TP client settings.
            set user {string}
            set password {password}
            set peer-host {string}
            set peer-mask {ipv4-netmask}
            set peer-port {integer}
            set auth-type [auto|pap|...]
            set mtu {integer}
            set distance {integer}
            set priority {integer}
            set defaultgw [enable|disable]
            set ip {ipv4-classnet-host}
            set hello-interval {integer}
        end
        set lacp-ha-secondary [enable|disable]
        set lacp-mode [static|passive|...]
        set lacp-speed [slow|fast]
        set lcp-echo-interval {integer}
        set lcp-max-echo-fails {integer}
        set link-up-delay {integer}
        set lldp-network-policy {string}
        set lldp-reception [enable|disable|...]
        set lldp-transmission [enable|disable|...]
        set macaddr {mac-address}
        set managed-subnetwork-size [32|64|...]
        set management-ip {ipv4-classnet-host}
        set measured-downstream-bandwidth {integer}
        set measured-upstream-bandwidth {integer}
        set mediatype [serdes-sfp|sgmii-sfp|...]
        set member <interface-name1>, <interface-name2>, ...
        set min-links {integer}
        set min-links-down [operational|administrative]
        set mirroring-direction [rx|tx|...]
        config mirroring-filter
            Description: Mirroring filter.
            set filter-srcip {ipv4-classnet-host}
            set filter-dstip {ipv4-classnet-host}
            set filter-sport {integer}
            set filter-dport {integer}
            set filter-protocol {integer}
        end
        set mirroring-port {string}
        set mode [static|dhcp|...]
        set monitor-bandwidth [enable|disable]
        set mtu {integer}
        set mtu-override [enable|disable]
        set mux-type [llc-encaps|vc-encaps]
        set ndiscforward [enable|disable]
        set netbios-forward [disable|enable]
        set netflow-sampler [disable|tx|...]
        set np-qos-profile {integer}
        set outbandwidth {integer}
        set padt-retry-timeout {integer}
        set password {password}
        set phy-mode {option}
        set ping-serv-status {integer}
        set poe [enable|disable]
        set polling-interval {integer}
        set port-mirroring [disable|enable]
        set pppoe-unnumbered-negotiate [enable|disable]
        set pptp-auth-type [auto|pap|...]
        set pptp-client [enable|disable]
        set pptp-password {password}
        set pptp-server-ip {ipv4-address}
        set pptp-timeout {integer}
        set pptp-user {string}
        set preserve-session-route [enable|disable]
        set priority {integer}
        set priority-override [enable|disable]
        set proxy-captive-portal [enable|disable]
        set pvc-atm-qos [cbr|rt-vbr|...]
        set pvc-chan {integer}
        set pvc-crc {integer}
        set pvc-pcr {integer}
        set pvc-scr {integer}
        set pvc-vlan-id {integer}
        set pvc-vlan-rx-id {integer}
        set pvc-vlan-rx-op [pass-through|replace|...]
        set pvc-vlan-tx-id {integer}
        set pvc-vlan-tx-op [pass-through|replace|...]
        set reachable-time {integer}
        set redundant-interface {string}
        set remote-ip {ipv4-classnet-host}
        set replacemsg-override-group {string}
        set retransmission [disable|enable]
        set ring-rx {integer}
        set ring-tx {integer}
        set role [lan|wan|...]
        set sample-direction [tx|rx|...]
        set sample-rate {integer}
        set secondary-IP [enable|disable]
        config secondaryip
            Description: Second IP address of interface.
            edit <id>
                set ip {ipv4-classnet-host}
                set secip-relay-ip {user}
                set allowaccess {option1}, {option2}, ...
                set gwdetect [enable|disable]
                set ping-serv-status {integer}
                set detectserver {user}
                set detectprotocol {option1}, {option2}, ...
                set ha-priority {integer}
            next
        end
        set security-8021x-dynamic-vlan-id {integer}
        set security-8021x-master {string}
        set security-8021x-member-mode [switch|disable]
        set security-8021x-mode [default|dynamic-vlan|...]
        set security-exempt-list {string}
        set security-external-logout {string}
        set security-external-web {var-string}
        set security-groups <name1>, <name2>, ...
        set security-mac-auth-bypass [mac-auth-only|enable|...]
        set security-mode [none|captive-portal|...]
        set security-redirect-url {var-string}
        set service-name {string}
        set sflow-sampler [enable|disable]
        set sfp-dsl [disable|enable]
        set sfp-dsl-adsl-fallback [disable|enable]
        set sfp-dsl-autodetect [disable|enable]
        set sfp-dsl-mac {mac-address}
        set snmp-index {integer}
        set speed [auto|10full|...]
        set spillover-threshold {integer}
        set src-check [enable|disable]
        set status [up|down]
        set stp [disable|enable]
        set stp-edge [disable|enable]
        set stp-ha-secondary [disable|enable|...]
        set stpforward [enable|disable]
        set stpforward-mode [rpl-all-ext-id|rpl-bridge-ext-id|...]
        set subst [enable|disable]
        set substitute-dst-mac {mac-address}
        set sw-algorithm [l2|l3|...]
        set swc-first-create {integer}
        set swc-vlan {integer}
        set switch {string}
        set switch-controller-access-vlan [enable|disable]
        set switch-controller-arp-inspection [enable|disable]
        set switch-controller-dhcp-snooping [enable|disable]
        set switch-controller-dhcp-snooping-option82 [enable|disable]
        set switch-controller-dhcp-snooping-verify-mac [enable|disable]
        set switch-controller-dynamic {string}
        set switch-controller-feature [none|default-vlan|...]
        set switch-controller-igmp-snooping [enable|disable]
        set switch-controller-igmp-snooping-fast-leave [enable|disable]
        set switch-controller-igmp-snooping-proxy [enable|disable]
        set switch-controller-iot-scanning [enable|disable]
        set switch-controller-learning-limit {integer}
        set switch-controller-mgmt-vlan {integer}
        set switch-controller-nac {string}
        set switch-controller-netflow-collect [disable|enable]
        set switch-controller-offload [enable|disable]
        set switch-controller-offload-gw [enable|disable]
        set switch-controller-offload-ip {ipv4-address}
        set switch-controller-rspan-mode [disable|enable]
        set switch-controller-source-ip [outbound|fixed]
        set switch-controller-traffic-policy {string}
        set system-id {mac-address}
        set system-id-type [auto|user]
        config tagging
            Description: Config object tagging.
            edit <name>
                set category {string}
                set tags <name1>, <name2>, ...
            next
        end
        set tc-mode {option}
        set tcp-mss {integer}
        set trunk [enable|disable]
        set trust-ip-1 {ipv4-classnet-any}
        set trust-ip-2 {ipv4-classnet-any}
        set trust-ip-3 {ipv4-classnet-any}
        set trust-ip6-1 {ipv6-prefix}
        set trust-ip6-2 {ipv6-prefix}
        set trust-ip6-3 {ipv6-prefix}
        set type [physical|vlan|...]
        set username {string}
        set vci {integer}
        set vdom {string}
        set vectoring [disable|enable]
        set vindex {integer}
        set vlan-protocol [8021q|8021ad]
        set vlanforward [enable|disable]
        set vlanid {integer}
        set vpi {integer}
        set vrf {integer}
        config vrrp
            Description: VRRP configuration.
            edit <vrid>
                set version [2|3]
                set vrgrp {integer}
                set vrip {ipv4-address-any}
                set priority {integer}
                set adv-interval {integer}
                set start-time {integer}
                set preempt [enable|disable]
                set accept-mode [enable|disable]
                set vrdst {ipv4-address-any}
                set vrdst-priority {integer}
                set ignore-default-route [enable|disable]
                set status [enable|disable]
                config proxy-arp
                    Description: VRRP Proxy ARP configuration.
                    edit <id>
                        set ip {user}
                    next
                end
            next
        end
        set vrrp-virtual-mac [enable|disable]
        set wccp [enable|disable]
        set weight {integer}
        set wifi-5g-threshold {string}
        set wifi-acl [allow|deny]
        set wifi-ap-band [any|5g-preferred|...]
        set wifi-auth [PSK|radius|...]
        set wifi-auto-connect [enable|disable]
        set wifi-auto-save [enable|disable]
        set wifi-broadcast-ssid [enable|disable]
        set wifi-dns-server1 {ipv4-address}
        set wifi-dns-server2 {ipv4-address}
        set wifi-encrypt [TKIP|AES]
        set wifi-fragment-threshold {integer}
        set wifi-gateway {ipv4-address}
        set wifi-key {password}
        set wifi-keyindex {integer}
        set wifi-mac-filter [enable|disable]
        config wifi-mac-list
            Description: MAC filter list.
            edit <id>
                set mac {mac-address}
            next
        end
        config wifi-networks
            Description: WiFi network table.
            edit <id>
                set wifi-ssid {string}
                set wifi-security [open|wep64|...]
                set wifi-encrypt [TKIP|AES]
                set wifi-keyindex {integer}
                set wifi-key {password}
                set wifi-passphrase {password}
                set wifi-eap-type [both|tls|...]
                set wifi-username {string}
                set wifi-client-certificate {string}
                set wifi-private-key {string}
                set wifi-private-key-password {password}
                set wifi-ca-certificate {string}
            next
        end
        set wifi-passphrase {password}
        set wifi-radius-server {string}
        set wifi-rts-threshold {integer}
        set wifi-security [open|wep64|...]
        set wifi-ssid {string}
        set wifi-usergroup {string}
        set wins-ip {ipv4-address}
    next
end

config system interface

Parameter

Description

Type

Size

Default

ac-name

PPPoE server name.

string

Maximum length: 63

aggregate

Aggregate interface.

string

Maximum length: 15

aggregate-type

Type of aggregation.

option

physical

Option	Description
physical	Physical interface aggregation.
vxlan	VXLAN interface aggregation.

algorithm

Frame distribution algorithm.

option

Option	Description
L2	Use layer 2 address for distribution.
L3	Use layer 3 address for distribution.
L4	Use layer 4 information for distribution.
Source-MAC	Use source MAC address for distribution.

alias

Alias will be displayed with the interface name to make it easier to distinguish.

string

Maximum length: 25

allowaccess

Permitted types of management access to this interface.

option

Option	Description
ping	PING access.
https	HTTPS access.
ssh	SSH access.
snmp	SNMP access.
http	HTTP access.
telnet	TELNET access.
fgfm	FortiManager access.
radius-acct	RADIUS accounting access.
probe-response	Probe access.
fabric	Security Fabric access.
ftm	FTM access.
speed-test	Speed test access.

ap-discover

Enable/disable automatic registration of unknown FortiAP devices.

option

enable

Option	Description
enable	Enable automatic registration of unknown FortiAP devices.
disable	Disable automatic registration of unknown FortiAP devices.

arpforward

Enable/disable ARP forwarding.

option

enable

Option	Description
enable	Enable ARP forwarding.
disable	Disable ARP forwarding.

atm-protocol *

ATM protocol.

option

none

Option	Description
none	Not over ATM.
ipoa	IPoA RFC2684.

auth-cert

HTTPS server certificate.

string

Maximum length: 35

auth-portal-addr

Address of captive portal.

string

Maximum length: 63

auth-type

PPP authentication type to use.

option

auto

Option	Description
auto	Automatically choose authentication.
pap	PAP authentication.
chap	CHAP authentication.
mschapv1	MS-CHAPv1 authentication.
mschapv2	MS-CHAPv2 authentication.

auto-auth-extension-device

Enable/disable automatic authorization of dedicated Fortinet extension device on this interface.

option

disable

Option	Description
enable	Enable automatic authorization of dedicated Fortinet extension device on this interface.
disable	Disable automatic authorization of dedicated Fortinet extension device on this interface.

bandwidth-measure-time

Bandwidth measure time.

integer

Minimum value: 0 Maximum value: 4294967295

bfd

Bidirectional Forwarding Detection (BFD) settings.

option

global

Option	Description
global	BFD behavior of this interface will be based on global configuration.
enable	Enable BFD on this interface and ignore global configuration.
disable	Disable BFD on this interface and ignore global configuration.

bfd-desired-min-tx

BFD desired minimal transmit interval.

integer

Minimum value: 1 Maximum value: 100000

250

bfd-detect-mult

BFD detection multiplier.

integer

Minimum value: 1 Maximum value: 50

bfd-required-min-rx

BFD required minimal receive interval.

integer

Minimum value: 1 Maximum value: 100000

250

broadcast-forward

Enable/disable broadcast forwarding.

option

disable

Option	Description
enable	Enable broadcast forwarding.
disable	Disable broadcast forwarding.

cli-conn-status

CLI connection status.

integer

Minimum value: 0 Maximum value: 4294967295

color

Color of icon on the GUI.

integer

Minimum value: 0 Maximum value: 32

dedicated-to

Configure interface for single purpose.

option

none

Option	Description
none	Interface not dedicated for any purpose.
management	Dedicate this interface for management purposes only.

default-purdue-level

default purdue level of device detected on this interface.

option

Option	Description
1	Level 1 - Basic Control
1.5	Level 1.5
2	Level 2 - Area Supervisory Control
2.5	Level 2.5
3	Level 3 - Operations & Control
3.5	Level 3.5
4	Level 4 - Business Planning & Logistics
5	Level 5 - Enterprise Network
5.5	Level 5.5

defaultgw

Enable to get the gateway IP from the DHCP or PPPoE server.

option

enable

Option	Description
enable	Enable default gateway.
disable	Disable default gateway.

description

Description.

var-string

Maximum length: 255

detected-peer-mtu

MTU of detected peer.

integer

Minimum value: 0 Maximum value: 4294967295

detectprotocol

Protocols used to detect the server.

option

ping

Option	Description
ping	PING.
tcp-echo	TCP echo.
udp-echo	UDP echo.

detectserver

Gateway's ping server for this IP.

user

Not Specified

device-identification

Enable/disable passively gathering of device identity information about the devices on the network connected to this interface.

option

disable

Option	Description
enable	Enable passive gathering of identity information about hosts.
disable	Disable passive gathering of identity information about hosts.

device-user-identification

Enable/disable passive gathering of user identity information about users on this interface.

option

enable

Option	Description
enable	Enable passive gathering of user identity information about users.
disable	Disable passive gathering of user identity information about users.

devindex

Device Index.

integer

Minimum value: 0 Maximum value: 4294967295

dhcp-broadcast-flag

Enable/disable setting of the broadcast flag in messages sent by the DHCP client.

option

enable

Option	Description
disable	Disable broadcast flag.
enable	Enable broadcast flag.

dhcp-classless-route-addition

Enable/disable addition of classless static routes retrieved from DHCP server.

option

disable **

Option	Description
enable	Enable addition of classless static routes retrieved from DHCP server.
disable	Disable addition of classless static routes retrieved from DHCP server.

dhcp-client-identifier

DHCP client identifier.

string

Maximum length: 48

dhcp-relay-agent-option

Enable/disable DHCP relay agent option.

option

enable

Option	Description
enable	Enable DHCP relay agent option.
disable	Disable DHCP relay agent option.

dhcp-relay-circuit-id

DHCP relay circuit ID.

string

Maximum length: 64

dhcp-relay-interface

Specify outgoing interface to reach server.

string

Maximum length: 15

dhcp-relay-interface-select-method

Specify how to select outgoing interface to reach server.

option

auto

Option	Description
auto	Set outgoing interface automatically.
sdwan	Set outgoing interface by SD-WAN or policy routing rules.
specify	Set outgoing interface manually.

dhcp-relay-ip

DHCP relay IP address.

user

Not Specified

dhcp-relay-link-selection

DHCP relay link selection.

ipv4-address

Not Specified

0.0.0.0

dhcp-relay-request-all-server

Enable/disable sending of DHCP requests to all servers.

option

disable

Option	Description
disable	Send DHCP requests only to a matching server.
enable	Send DHCP requests to all servers.

dhcp-relay-service

Enable/disable allowing this interface to act as a DHCP relay.

option

disable

Option	Description
disable	None.
enable	DHCP relay agent.

dhcp-relay-source-ip

IP address used by the DHCP relay as its source IP.

ipv4-address

Not Specified

0.0.0.0

dhcp-relay-type

DHCP relay type (regular or IPsec).

option

regular

Option	Description
regular	Regular DHCP relay.
ipsec	DHCP relay for IPsec.

dhcp-renew-time

DHCP renew time in seconds , 0 means use the renew time provided by the server.

integer

Minimum value: 300 Maximum value: 604800

dhcp-smart-relay

Enable/disable DHCP smart relay.

option

disable

Option	Description
disable	Disable DHCP smart relay.
enable	Enable DHCP smart relay.

disc-retry-timeout

Time in seconds to wait before retrying to start a PPPoE discovery, 0 means no timeout.

integer

Minimum value: 0 Maximum value: 4294967295

distance

Distance for routes learned through PPPoE or DHCP, lower distance indicates preferred route.

integer

Minimum value: 1 Maximum value: 255

dns-server-override

Enable/disable use DNS acquired by DHCP or PPPoE.

option

enable

Option	Description
enable	Use DNS acquired by DHCP or PPPoE.
disable	No not use DNS acquired by DHCP or PPPoE.

dns-server-protocol

DNS transport protocols.

option

cleartext

Option	Description
cleartext	DNS over UDP/53, DNS over TCP/53.
dot	DNS over TLS/853.
doh	DNS over HTTPS/443.

drop-fragment

Enable/disable drop fragment packets.

option

disable

Option	Description
enable	Enable/disable drop fragment packets.
disable	Do not drop fragment packets.

drop-overlapped-fragment

Enable/disable drop overlapped fragment packets.

option

disable

Option	Description
enable	Enable drop of overlapped fragment packets.
disable	Disable drop of overlapped fragment packets.

eap-ca-cert

EAP CA certificate name.

string

Maximum length: 79

eap-identity

EAP identity.

string

Maximum length: 35

eap-method

EAP method.

option

Option	Description
tls	TLS.
peap	PEAP.

eap-password

EAP password.

password

Not Specified

eap-supplicant

Enable/disable EAP-Supplicant.

option

disable

Option	Description
enable	Enable EAP Supplicant.
disable	Disable EAP Supplicant.

eap-user-cert

EAP user certificate name.

string

Maximum length: 35

egress-cos *

Override outgoing CoS in user VLAN tag.

option

disable

Option	Description
disable	Disable.
cos0	CoS 0.
cos1	CoS 1.
cos2	CoS 2.
cos3	CoS 3.
cos4	CoS 4.
cos5	CoS 5.
cos6	CoS 6.
cos7	CoS 7.

egress-shaping-profile

Outgoing traffic shaping profile.

string

Maximum length: 35

estimated-downstream-bandwidth

Estimated maximum downstream bandwidth (kbps). Used to estimate link utilization.

integer

Minimum value: 0 Maximum value: 4294967295

estimated-upstream-bandwidth

Estimated maximum upstream bandwidth (kbps). Used to estimate link utilization.

integer

Minimum value: 0 Maximum value: 4294967295

explicit-ftp-proxy

Enable/disable the explicit FTP proxy on this interface.

option

disable

Option	Description
enable	Enable explicit FTP proxy on this interface.
disable	Disable explicit FTP proxy on this interface.

explicit-web-proxy

Enable/disable the explicit web proxy on this interface.

option

disable

Option	Description
enable	Enable explicit Web proxy on this interface.
disable	Disable explicit Web proxy on this interface.

external

Enable/disable identifying the interface as an external interface (which usually means it's connected to the Internet).

option

disable

Option	Description
enable	Enable identifying the interface as an external interface.
disable	Disable identifying the interface as an external interface.

fail-action-on-extender

Action on FortiExtender when interface fail.

option

soft-restart

Option	Description
soft-restart	Soft-restart-on-extender.
hard-restart	Hard-restart-on-extender.
reboot	Reboot-on-extender.

fail-alert-interfaces <name>

Names of the FortiGate interfaces to which the link failure alert is sent.

Names of the non-virtual interface.

string

Maximum length: 15

fail-alert-method

Select link-failed-signal or link-down method to alert about a failed link.

option

link-down

Option	Description
link-failed-signal	Link-failed-signal.
link-down	Link-down.

fail-detect

Enable/disable fail detection features for this interface.

option

disable

Option	Description
enable	Enable interface failed option status.
disable	Disable interface failed option status.

fail-detect-option

Options for detecting that this interface has failed.

option

link-down

Option	Description
detectserver	Use a ping server to determine if the interface has failed.
link-down	Use port detection to determine if the interface has failed.

fortilink *

Enable FortiLink to dedicate this interface to manage other Fortinet devices.

option

disable

Option	Description
enable	Enable FortiLink to dedicated interface for managing FortiSwitch devices.
disable	Disable FortiLink to dedicated interface for managing FortiSwitch devices.

fortilink-backup-link

FortiLink split interface backup link.

integer

Minimum value: 0 Maximum value: 255

fortilink-neighbor-detect

Protocol for FortiGate neighbor discovery.

option

fortilink

Option	Description
lldp	Detect FortiLink neighbors using LLDP protocol.
fortilink	Detect FortiLink neighbors using FortiLink protocol.

fortilink-split-interface

Enable/disable FortiLink split interface to connect member link to different FortiSwitch in stack for uplink redundancy.

option

enable

Option	Description
enable	Enable FortiLink split interface to connect member link to different FortiSwitch in stack for uplink redundancy.
disable	Disable FortiLink split interface.

forward-domain

Transparent mode forward domain.

integer

Minimum value: 0 Maximum value: 2147483647

forward-error-correction *

Configure forward error correction (FEC).

option

none

Option	Description
none	none
disable	Disable forward error correction (FEC).
cl91-rs-fec	Reed-Solomon (FEC CL91).
cl74-fc-fec	Fire-Code (FEC CL74).
auto	Negotaite forward error correction (FEC).

gateway-address *

Gateway address.

ipv4-address

Not Specified

0.0.0.0

gi-gk *

Enable/disable Gi Gatekeeper.

option

disable

Option	Description
enable	enable Gi Gatekeeper
disable	disable Gi Gatekeeper

gwaddr *

Gateway address.

ipv4-address

Not Specified

0.0.0.0

gwdetect

Enable/disable detect gateway alive for first.

option

disable

Option	Description
enable	Enable detect gateway alive for first.
disable	Disable detect gateway alive for first.

ha-priority

HA election priority for the PING server.

integer

Minimum value: 1 Maximum value: 50

icmp-accept-redirect

Enable/disable ICMP accept redirect.

option

enable

Option	Description
enable	Enable ICMP accept redirect.
disable	Disable ICMP accept redirect.

icmp-send-redirect

Enable/disable sending of ICMP redirects.

option

enable

Option	Description
enable	Enable sending of ICMP redirects.
disable	Disable sending of ICMP redirects.

ident-accept

Enable/disable authentication for this interface.

option

disable

Option	Description
enable	Enable determining a user's identity from packet identification.
disable	Disable determining a user's identity from packet identification.

idle-timeout

PPPoE auto disconnect after idle timeout seconds, 0 means no timeout.

integer

Minimum value: 0 Maximum value: 32767

ike-saml-server

Configure IKE authentication SAML server.

string

Maximum length: 35

inbandwidth

Bandwidth limit for incoming traffic , 0 means unlimited.

integer

Minimum value: 0 Maximum value: 80000000 **

ingress-cos *

Override incoming CoS in user VLAN tag on VLAN interface or assign a priority VLAN tag on physical interface.

option

disable

Option	Description
disable	Disable.
cos0	CoS 0.
cos1	CoS 1.
cos2	CoS 2.
cos3	CoS 3.
cos4	CoS 4.
cos5	CoS 5.
cos6	CoS 6.
cos7	CoS 7.

ingress-shaping-profile

Incoming traffic shaping profile.

string

Maximum length: 35

ingress-spillover-threshold

Ingress Spillover threshold , 0 means unlimited.

integer

Minimum value: 0 Maximum value: 16776000

interconnect-profile *

Set interconnect profile.

option

default

Option	Description
default	default interconnect profile
profile1	interconnect profile1 [(10G & IC > 7m/20db-loss) or (25G/27G & IC < 1m)]
profile2	interconnect profile2 [(27G in AP (106G) Auto Profile)]

interface

Interface name.

string

Maximum length: 15

internal

Implicitly created.

integer

Minimum value: 0 Maximum value: 255

Interface IPv4 address and subnet mask, syntax: X.X.X.X/24.

ipv4-classnet-host

Not Specified

0.0.0.0 0.0.0.0

ip-managed-by-fortiipam

Enable/disable automatic IP address assignment of this interface by FortiIPAM.

option

inherit-global

Option	Description
inherit-global	Control automatic IP address assignment status using the central FortiIPAM config.
enable	Enable automatic IP address assignment of this interface by FortiIPAM.
disable	Disable automatic IP address assignment of this interface by FortiIPAM.

ipmac

Enable/disable IP/MAC binding.

option

disable

Option	Description
enable	Enable IP/MAC binding.
disable	Disable IP/MAC binding.

ips-sniffer-mode

Enable/disable the use of this interface as a one-armed sniffer.

option

disable

Option	Description
enable	Enable IPS sniffer mode.
disable	Disable IPS sniffer mode.

ipunnumbered

Unnumbered IP used for PPPoE interfaces for which no unique local address is provided.

ipv4-address

Not Specified

0.0.0.0

l2forward

Enable/disable l2 forwarding.

option

disable

Option	Description
enable	Enable L2 forwarding.
disable	Disable L2 forwarding.

l2tp-client *

Enable/disable this interface as a Layer 2 Tunnelling Protocol (L2TP) client.

option

disable

Option	Description
enable	Enable L2TP client.
disable	Disable L2TP client.

lacp-ha-secondary

LACP HA secondary member.

option

enable

Option	Description
enable	Allow HA secondary member to send/receive LACP messages.
disable	Block HA secondary member from sending/receiving LACP messages.

lacp-mode

LACP mode.

option

active

Option	Description
static	Use static aggregation, do not send and ignore any LACP messages.
passive	Passively use LACP to negotiate 802.3ad aggregation.
active	Actively use LACP to negotiate 802.3ad aggregation.

lacp-speed

How often the interface sends LACP messages.

option

slow

Option	Description
slow	Send LACP message every 30 seconds.
fast	Send LACP message every second.

lcp-echo-interval

Time in seconds between PPPoE Link Control Protocol (LCP) echo requests.

integer

Minimum value: 0 Maximum value: 32767

lcp-max-echo-fails

Maximum missed LCP echo messages before disconnect.

integer

Minimum value: 0 Maximum value: 32767

link-up-delay

Number of milliseconds to wait before considering a link is up.

integer

Minimum value: 50 Maximum value: 3600000

lldp-network-policy

LLDP-MED network policy profile.

string

Maximum length: 35

lldp-reception

Enable/disable Link Layer Discovery Protocol (LLDP) reception.

option

vdom

Option	Description
enable	Enable reception of Link Layer Discovery Protocol (LLDP).
disable	Disable reception of Link Layer Discovery Protocol (LLDP).
vdom	Use VDOM Link Layer Discovery Protocol (LLDP) reception configuration setting.

lldp-transmission

Enable/disable Link Layer Discovery Protocol (LLDP) transmission.

option

vdom

Option	Description
enable	Enable transmission of Link Layer Discovery Protocol (LLDP).
disable	Disable transmission of Link Layer Discovery Protocol (LLDP).
vdom	Use VDOM Link Layer Discovery Protocol (LLDP) transmission configuration setting.

macaddr

Change the interface's MAC address.

mac-address

Not Specified

00:00:00:00:00:00

managed-subnetwork-size

Number of IP addresses to be allocated by FortiIPAM and used by this FortiGate unit's DHCP server settings.

option

256

Option	Description
32	Allocate a subnet with 32 IP addresses.
64	Allocate a subnet with 64 IP addresses.
128	Allocate a subnet with 128 IP addresses.
256	Allocate a subnet with 256 IP addresses.
512	Allocate a subnet with 512 IP addresses.
1024	Allocate a subnet with 1024 IP addresses.
2048	Allocate a subnet with 2048 IP addresses.
4096	Allocate a subnet with 4096 IP addresses.
8192	Allocate a subnet with 8192 IP addresses.
16384	Allocate a subnet with 16384 IP addresses.
32768	Allocate a subnet with 32768 IP addresses.
65536	Allocate a subnet with 65536 IP addresses.

management-ip

High Availability in-band management IP address of this interface.

ipv4-classnet-host

Not Specified

0.0.0.0 0.0.0.0

measured-downstream-bandwidth

Measured downstream bandwidth (kbps).

integer

Minimum value: 0 Maximum value: 4294967295

measured-upstream-bandwidth

Measured upstream bandwidth (kbps).

integer

Minimum value: 0 Maximum value: 4294967295

mediatype *

Select SFP media interface type

option

serdes-sfp **

Option	Description
serdes-sfp	SFP using SerDes Media Interface
sgmii-sfp	SFP using SGMII Media Interface
serdes-copper-sfp	Copper SFP using SerDes media Interface.

member <interface-name>

Physical interfaces that belong to the aggregate or redundant interface.

Physical interface name.

string

Maximum length: 79

min-links

Minimum number of aggregated ports that must be up.

integer

Minimum value: 1 Maximum value: 32

min-links-down

Action to take when less than the configured minimum number of links are active.

option

operational

Option	Description
operational	Set the aggregate operationally down.
administrative	Set the aggregate administratively down.

mirroring-direction *

Port mirroring direction.

option

Option	Description
rx	Port mirroring receive direction only.
tx	Port mirroring transmit direction only.
both	Port mirroring both directions.

mirroring-port *

Mirroring port.

string

Maximum length: 15

mode

Addressing mode (static, DHCP, PPPoE).

option

static

Option	Description
static	Static setting.
dhcp	External DHCP client mode.
pppoe	External PPPoE mode.

monitor-bandwidth

Enable monitoring bandwidth on this interface.

option

disable

Option	Description
enable	Enable monitoring bandwidth on this interface.
disable	Disable monitoring bandwidth on this interface.

mtu

MTU value for this interface.

integer

Minimum value: 0 Maximum value: 4294967295

1500

mtu-override

Enable to set a custom MTU for this interface.

option

disable

Option	Description
enable	Override default MTU.
disable	Use default MTU.

mux-type *

Multiplexer type.

option

llc-encaps

Option	Description
llc-encaps	LLC encapsulation.
vc-encaps	VC encapsulation.

name

Name.

string

Maximum length: 15

ndiscforward

Enable/disable NDISC forwarding.

option

enable

Option	Description
enable	Enable NDISC forwarding.
disable	Disable NDISC forwarding.

netbios-forward

Enable/disable NETBIOS forwarding.

option

disable

Option	Description
disable	Disable NETBIOS forwarding.
enable	Enable NETBIOS forwarding.

netflow-sampler

Enable/disable NetFlow on this interface and set the data that NetFlow collects (rx, tx, or both).

option

disable

Option	Description
disable	Disable NetFlow protocol on this interface.
tx	Monitor transmitted traffic on this interface.
rx	Monitor received traffic on this interface.
both	Monitor transmitted/received traffic on this interface.

np-qos-profile *

NP QoS profile ID.

integer

Minimum value: 0 Maximum value: 15

outbandwidth

Bandwidth limit for outgoing traffic.

integer

Minimum value: 0 Maximum value: 80000000 **

padt-retry-timeout

PPPoE Active Discovery Terminate (PADT) used to terminate sessions after an idle time.

integer

Minimum value: 0 Maximum value: 4294967295

password

PPPoE account's password.

password

Not Specified

phy-mode *

DSL physical mode.

option

vdsl

Option	Description
vdsl	VDSL.

ping-serv-status

PING server status.

integer

Minimum value: 0 Maximum value: 255

poe *

Enable/disable PoE status.

option

enable

Option	Description
enable	Enable PoE status.
disable	Disable PoE status.

polling-interval

sFlow polling interval in seconds.

integer

Minimum value: 1 Maximum value: 255

port-mirroring *

Enable/disable NP port mirroring.

option

disable

Option	Description
disable	Disable NP port mirroring.
enable	Enable NP port mirroring.

pppoe-unnumbered-negotiate

Enable/disable PPPoE unnumbered negotiation.

option

enable

Option	Description
enable	Enable IP address negotiating for unnumbered.
disable	Disable IP address negotiating for unnumbered.

pptp-auth-type

PPTP authentication type.

option

auto

Option	Description
auto	Automatically choose authentication.
pap	PAP authentication.
chap	CHAP authentication.
mschapv1	MS-CHAPv1 authentication.
mschapv2	MS-CHAPv2 authentication.

pptp-client

Enable/disable PPTP client.

option

disable

Option	Description
enable	Enable PPTP client.
disable	Disable PPTP client.

pptp-password

PPTP password.

password

Not Specified

pptp-server-ip

PPTP server IP address.

ipv4-address

Not Specified

0.0.0.0

pptp-timeout

Idle timer in minutes (0 for disabled).

integer

Minimum value: 0 Maximum value: 65535

pptp-user

PPTP user name.

string

Maximum length: 64

preserve-session-route

Enable/disable preservation of session route when dirty.

option

disable

Option	Description
enable	Enable preservation of session route when dirty.
disable	Disable preservation of session route when dirty.

priority

Priority of learned routes.

integer

Minimum value: 1 Maximum value: 65535

priority-override

Enable/disable fail back to higher priority port once recovered.

option

enable

Option	Description
enable	Enable fail back to higher priority port once recovered.
disable	Disable fail back to higher priority port once recovered.

proxy-captive-portal

Enable/disable proxy captive portal on this interface.

option

disable

Option	Description
enable	Enable proxy captive portal on this interface.
disable	Disable proxy captive portal on this interface.

pvc-atm-qos *

SFP-DSL ADSL Fallback PVC ATM QoS.

option

cbr

Option	Description
cbr	ATM QoS CBR.
rt-vbr	ATM QoS rt-VBR.
nrt-vbr	ATM QoS nrt-VBR.
cbr	ATM QoS CCBR.

pvc-chan *

SFP-DSL ADSL Fallback PVC Channel.

integer

Minimum value: 0 Maximum value: 7

pvc-crc *

SFP-DSL ADSL Fallback PVC CRC Option: bit0: sar LLC preserve, bit1: ream LLC preserve, bit2: ream VC-MUX has crc.

integer

Minimum value: 0 Maximum value: 7

pvc-pcr *

SFP-DSL ADSL Fallback PVC Packet Cell Rate in cells.

integer

Minimum value: 0 Maximum value: 5500

pvc-scr *

SFP-DSL ADSL Fallback PVC Sustainable Cell Rate in cells.

integer

Minimum value: 0 Maximum value: 5500

pvc-vlan-id *

SFP-DSL ADSL Fallback PVC VLAN ID.

integer

Minimum value: 1 Maximum value: 4094

pvc-vlan-rx-id *

SFP-DSL ADSL Fallback PVC VLANID RX.

integer

Minimum value: 1 Maximum value: 4094

pvc-vlan-rx-op *

SFP-DSL ADSL Fallback PVC VLAN RX op.

option

pass-through

Option	Description
pass-through	PVC VLAN Tag Passthrough.
replace	PVC VLAN Tag Replace.
remove	PVC VLAN Tag Remove.

pvc-vlan-tx-id *

SFP-DSL ADSL Fallback PVC VLAN ID TX.

integer

Minimum value: 1 Maximum value: 4094

pvc-vlan-tx-op *

SFP-DSL ADSL Fallback PVC VLAN TX op.

option

remove

Option	Description
pass-through	PVC VLAN Tag Passthrough.
replace	PVC VLAN Tag Replace.
remove	PVC VLAN Tag Remove.

reachable-time

IPv4 reachable time in milliseconds.

integer

Minimum value: 30000 Maximum value: 3600000

30000

redundant-interface

Redundant interface.

string

Maximum length: 15

remote-ip

Remote IP address of tunnel.

ipv4-classnet-host

Not Specified

0.0.0.0 0.0.0.0

replacemsg-override-group

Replacement message override group.

string

Maximum length: 35

retransmission *

Enable/disable DSL retransmission.

option

enable

Option	Description
disable	Disable retransmission.
enable	Enable retransmission.

ring-rx *

RX ring size.

integer

Minimum value: 0 Maximum value: 4294967295

ring-tx *

TX ring size.

integer

Minimum value: 0 Maximum value: 4294967295

role

Interface role.

option

undefined

Option	Description
lan	Connected to local network of endpoints.
wan	Connected to Internet.
dmz	Connected to server zone.
undefined	Interface has no specific role.

sample-direction

Data that NetFlow collects (rx, tx, or both).

option

both

Option	Description
tx	Monitor transmitted traffic on this interface.
rx	Monitor received traffic on this interface.
both	Monitor transmitted/received traffic on this interface.

sample-rate

sFlow sample rate.

integer

Minimum value: 10 Maximum value: 99999

2000

secondary-IP

Enable/disable adding a secondary IP to this interface.

option

disable

Option	Description
enable	Enable secondary IP.
disable	Disable secondary IP.

security-8021x-dynamic-vlan-id *

VLAN ID for virtual switch.

integer

Minimum value: 0 Maximum value: 4094

security-8021x-master *

802.1X master virtual-switch.

string

Maximum length: 15

security-8021x-member-mode *

802.1X member mode.

option

switch

Option	Description
switch	This member will use switch 802.1X configuration.
disable	This member will disable 802.1X configuration.

security-8021x-mode *

802.1X mode.

option

default

Option	Description
default	802.1X default mode.
dynamic-vlan	802.1X dynamic VLAN (master) mode.
fallback	802.1X fallback (master) mode.
slave	802.1X slave mode.

security-exempt-list

Name of security-exempt-list.

string

Maximum length: 35

security-external-logout

URL of external authentication logout server.

string

Maximum length: 127

security-external-web

URL of external authentication web server.

var-string

Maximum length: 1023

security-groups <name>

User groups that can authenticate with the captive portal.

Names of user groups that can authenticate with the captive portal.

string

Maximum length: 79

security-mac-auth-bypass

Enable/disable MAC authentication bypass.

option

disable

Option	Description
mac-auth-only	Enable MAC authentication bypass without EAP.
enable	Enable MAC authentication bypass.
disable	Disable MAC authentication bypass.

security-mode

Turn on captive portal authentication for this interface.

option

none

Option	Description
none	No security option.
captive-portal	Captive portal authentication.
802.1X	802.1X port-based authentication.

security-redirect-url

URL redirection after disclaimer/authentication.

var-string

Maximum length: 1023

service-name

PPPoE service name.

string

Maximum length: 63

sflow-sampler

Enable/disable sFlow on this interface.

option

disable

Option	Description
enable	Enable sFlow protocol on this interface.
disable	Disable sFlow protocol on this interface.

sfp-dsl *

Enable/disable SFP DSL.

option

disable

Option	Description
disable	Disable SFP DSL.
enable	Enable SFP DSL.

sfp-dsl-adsl-fallback *

Enable/disable SFP DSL ADSL fallback.

option

disable

Option	Description
disable	Disable SFP DSL ADSL fallback.
enable	Enable SFP DSL ADSL fallback.

sfp-dsl-autodetect *

Enable/disable SFP DSL MAC address autodetect.

option

enable

Option	Description
disable	Disable SFP DSL MAC address autodetect.
enable	Enable SFP DSL MAC address autodetect.

sfp-dsl-mac *

SFP DSL MAC address.

mac-address

Not Specified

00:00:00:00:00:00

snmp-index

Permanent SNMP Index of the interface.

integer

Minimum value: 1 Maximum value: 2147483647

speed

Interface speed. The default setting and the options available depend on the interface hardware.

option

auto

Option	Description
auto	Automatically adjust speed.
10full	10M full-duplex.
10half	10M half-duplex.
100full	100M full-duplex.
100half	100M half-duplex.
1000full	1000M full-duplex.
1000auto	1000M auto adjust.
10000full	10G full-duplex.
10000auto	10G auto.

spillover-threshold

Egress Spillover threshold , 0 means unlimited.

integer

Minimum value: 0 Maximum value: 16776000

src-check

Enable/disable source IP check.

option

enable

Option	Description
enable	Enable source IP check.
disable	Disable source IP check.

status

Bring the interface up or shut the interface down.

option

Option	Description
up	Bring the interface up.
down	Shut the interface down.

stp *

Enable/disable STP.

option

disable

Option	Description
disable	Disable STP.
enable	Enable STP.

stp-edge *

Enable/disable as STP edge port.

option

disable

Option	Description
disable	Disable STP edge port.
enable	Enable STP edge port.

stp-ha-secondary *

Control STP behavior on HA secondary.

option

priority-adjust

Option	Description
disable	Disable STP negotiation on HA secondary.
enable	Enable STP negotiation on HA secondary.
priority-adjust	Enable STP negotiation on HA secondary and make priority lower than HA primary.

stpforward

Enable/disable STP forwarding.

option

disable

Option	Description
enable	Enable STP forwarding.
disable	Disable STP forwarding.

stpforward-mode

Configure STP forwarding mode.

option

rpl-all-ext-id

Option	Description
rpl-all-ext-id	Replace all extension IDs (root, bridge).
rpl-bridge-ext-id	Replace the bridge extension ID only.
rpl-nothing	Replace nothing.

subst

Enable to always send packets from this interface to a destination MAC address.

option

disable

Option	Description
enable	Send packets from this interface.
disable	Do not send packets from this interface.

substitute-dst-mac

Destination MAC address that all packets are sent to from this interface.

mac-address

Not Specified

00:00:00:00:00:00

sw-algorithm *

Frame distribution algorithm for switch.

option

Option	Description
l2	Use layer 2 address for distribution.
l3	Use layer 3 address for distribution.
eh	Use enhanced hashing for distribution.

swc-first-create *

Initial create for switch-controller VLANs.

integer

Minimum value: 0 Maximum value: 4294967295

swc-vlan *

Creation status for switch-controller VLANs.

integer

Minimum value: 0 Maximum value: 4294967295

switch

Contained in switch.

string

Maximum length: 15

switch-controller-access-vlan *

Block FortiSwitch port-to-port traffic.

option

disable

Option	Description
enable	Block FortiSwitch port-to-port traffic on the VLAN, only permitting traffic to and from the FortiGate.
disable	Allow normal VLAN traffic.

switch-controller-arp-inspection *

Enable/disable FortiSwitch ARP inspection.

option

disable

Option	Description
enable	Enable ARP inspection for FortiSwitch devices.
disable	Disable ARP inspection for FortiSwitch devices.

switch-controller-dhcp-snooping *

Switch controller DHCP snooping.

option

disable

Option	Description
enable	Enable DHCP snooping for FortiSwitch devices.
disable	Disable DHCP snooping for FortiSwitch devices.

switch-controller-dhcp-snooping-option82 *

Switch controller DHCP snooping option82.

option

disable

Option	Description
enable	Enable DHCP snooping insert option82 for FortiSwitch devices.
disable	Disable DHCP snooping insert option82 for FortiSwitch devices.

switch-controller-dhcp-snooping-verify-mac *

Switch controller DHCP snooping verify MAC.

option

disable

Option	Description
enable	Enable DHCP snooping verify source MAC for FortiSwitch devices.
disable	Disable DHCP snooping verify source MAC for FortiSwitch devices.

switch-controller-dynamic *

Integrated FortiLink settings for managed FortiSwitch.

string

Maximum length: 35

switch-controller-feature *

Interface's purpose when assigning traffic (read only).

option

none

Option	Description
none	VLAN for generic purpose.
default-vlan	Default VLAN (native) assigned to all switch ports upon discovery.
quarantine	VLAN for quarantined traffic.
rspan	VLAN for RSPAN/ERSPAN mirrored traffic.
voice	VLAN dedicated for voice devices.
video	VLAN dedicated for camera devices.
nac	VLAN dedicated for NAC onboarding devices.
nac-segment	VLAN dedicated for NAC segment devices.

switch-controller-igmp-snooping *

Switch controller IGMP snooping.

option

disable

Option	Description
enable	Enable IGMP snooping.
disable	Disable IGMP snooping.

switch-controller-igmp-snooping-fast-leave *

Switch controller IGMP snooping fast-leave.

option

disable

Option	Description
enable	Enable IGMP snooping fast-leave.
disable	Disable IGMP snooping fast-leave.

switch-controller-igmp-snooping-proxy *

Switch controller IGMP snooping proxy.

option

disable

Option	Description
enable	Enable IGMP snooping proxy.
disable	Disable IGMP snooping proxy.

switch-controller-iot-scanning *

Enable/disable managed FortiSwitch IoT scanning.

option

disable

Option	Description
enable	Enable IoT scanning for managed FortiSwitch devices.
disable	Disable IoT scanning for managed FortiSwitch devices.

switch-controller-learning-limit *

Limit the number of dynamic MAC addresses on this VLAN.

integer

Minimum value: 0 Maximum value: 128

switch-controller-mgmt-vlan *

VLAN to use for FortiLink management purposes.

integer

Minimum value: 1 Maximum value: 4094

4094

switch-controller-nac *

Integrated FortiLink settings for managed FortiSwitch.

string

Maximum length: 35

switch-controller-netflow-collect *

NetFlow collection and processing.

option

disable

Option	Description
disable	Disable NetFlow collection.
enable	Enable NetFlow collection.

switch-controller-offload *

Enable/disable managed FortiSwitch routing offload.

option

disable

Option	Description
enable	Enable routing offload to managed FortiSwitch devices.
disable	Disable routing offload to managed FortiSwitch devices.

switch-controller-offload-gw *

Enable/disable managed FortiSwitch routing offload gateway.

option

disable

Option	Description
enable	Enable routing offload gateway to managed FortiSwitch devices.
disable	Disable routing offload gateway to managed FortiSwitch devices.

switch-controller-offload-ip *

IP for routing offload on FortiSwitch.

ipv4-address

Not Specified

0.0.0.0

switch-controller-rspan-mode *

Stop Layer2 MAC learning and interception of BPDUs and other packets on this interface.

option

disable

Option	Description
disable	Disable RSPAN passthrough mode on this VLAN interface.
enable	Enable RSPAN passthrough mode on this VLAN interface.

switch-controller-source-ip *

Source IP address used in FortiLink over L3 connections.

option

outbound

Option	Description
outbound	Source IP address is that of the outbound interface.
fixed	Source IP address is that of the FortiLink interface.

switch-controller-traffic-policy *

Switch controller traffic policy for the VLAN.

string

Maximum length: 63

system-id

Define a system ID for the aggregate interface.

mac-address

Not Specified

00:00:00:00:00:00

system-id-type

Method in which system ID is generated.

option

auto

Option	Description
auto	Use the MAC address of the first member.
user	User-defined system ID.

tc-mode *

DSL transfer mode.

option

ptm

Option	Description
ptm	Packet transfer mode.

tcp-mss

TCP maximum segment size. 0 means do not change segment size.

integer

Minimum value: 48 Maximum value: 65535

trunk *

Enable/disable VLAN trunk.

option

disable

Option	Description
enable	Enable VLAN trunk on this interface.
disable	Disable VLAN trunk on this interface.

trust-ip-1

Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts).

ipv4-classnet-any

Not Specified

0.0.0.0 0.0.0.0

trust-ip-2

Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts).

ipv4-classnet-any

Not Specified

0.0.0.0 0.0.0.0

trust-ip-3

Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts).

ipv4-classnet-any

Not Specified

0.0.0.0 0.0.0.0

trust-ip6-1

Trusted IPv6 host for dedicated management traffic (::/0 for all hosts).

ipv6-prefix

Not Specified

::/0

trust-ip6-2

Trusted IPv6 host for dedicated management traffic (::/0 for all hosts).

ipv6-prefix

Not Specified

::/0

trust-ip6-3

Trusted IPv6 host for dedicated management traffic (::/0 for all hosts).

ipv6-prefix

Not Specified

::/0

type

Interface type.

option

vlan

Option	Description
physical	Physical interface.
vlan	VLAN interface.
aggregate	Aggregate interface.
redundant	Redundant interface.
tunnel	Tunnel interface.
vdom-link	VDOM link interface.
loopback	Loopback interface.
switch	Software switch interface.
vap-switch	VAP interface.
wl-mesh	WLAN mesh interface.
fext-wan	FortiExtender interface.
vxlan	VXLAN interface.
geneve	GENEVE interface.
hdlc	T1/E1 interface.
switch-vlan	Switch VLAN interface.
emac-vlan	EMAC VLAN interface.
ssl	SSL VPN client interface.
lan-extension	LAN extension interface.

username

Username of the PPPoE account, provided by your ISP.

string

Maximum length: 64

vci *

Virtual Channel ID.

integer

Minimum value: 0 Maximum value: 65535

vdom

Interface is in this virtual domain (VDOM).

string

Maximum length: 31

vectoring *

Enable/disable DSL vectoring.

option

enable

Option	Description
disable	Disable vectoring.
enable	Enable vectoring.

vindex *

Switch control interface VLAN ID.

integer

Minimum value: 0 Maximum value: 65535

vlan-protocol

Ethernet protocol of VLAN.

option

8021q

Option	Description
8021q	IEEE 802.1Q.
8021ad	IEEE 802.1AD.

vlanforward

Enable/disable traffic forwarding between VLANs on this interface.

option

disable

Option	Description
enable	Enable traffic forwarding.
disable	Disable traffic forwarding.

vlanid

VLAN ID.

integer

Minimum value: 1 Maximum value: 4094

vpi *

Virtual Path ID.

integer

Minimum value: 0 Maximum value: 255

vrf

Virtual Routing Forwarding ID.

integer

Minimum value: 0 Maximum value: 251

vrrp-virtual-mac

Enable/disable use of virtual MAC for VRRP.

option

disable

Option	Description
enable	Enable use of virtual MAC for VRRP.
disable	Disable use of virtual MAC for VRRP.

wccp

Enable/disable WCCP on this interface. Used for encapsulated WCCP communication between WCCP clients and servers.

option

disable

Option	Description
enable	Enable WCCP protocol on this interface.
disable	Disable WCCP protocol on this interface.

weight

Default weight for static routes (if route has no weight configured).

integer

Minimum value: 0 Maximum value: 255

wifi-5g-threshold *

Minimal signal strength to be considered as a good 5G AP.

string

Maximum length: 7

-78

wifi-acl *

Access control for MAC addresses in the MAC list.

option

deny

Option	Description
allow	Allow.
deny	Deny.

wifi-ap-band *

How to select the AP to connect.

option

any

Option	Description
any	Connect to the best 2G or 5G AP.
5g-preferred	Connect to the 5G AP if a good 5G AP exists.
5g-only	Only connect to the 5G AP.

wifi-auth *

WiFi authentication.

option

PSK

Option	Description
PSK	PSK.
radius	RADIUS.
usergroup	User group.

wifi-auto-connect *

Enable/disable WiFi network auto connect.

option

enable

Option	Description
enable	Enable WiFi network auto connect.
disable	Disable WiFi network auto connect.

wifi-auto-save *

Enable/disable WiFi network automatic save.

option

disable

Option	Description
enable	Enable WiFi network automatic save.
disable	Disable WiFi network automatic save.

wifi-broadcast-ssid *

Enable/disable SSID broadcast in the beacon.

option

enable

Option	Description
enable	Enable SSID broadcast in the beacon.
disable	Disable SSID broadcast in the beacon.

wifi-dns-server1 *

DNS server 1.

ipv4-address

Not Specified

0.0.0.0

wifi-dns-server2 *

DNS server 2.

ipv4-address

Not Specified

0.0.0.0

wifi-encrypt *

Data encryption.

option

AES

Option	Description
TKIP	TKIP.
AES	AES.

wifi-fragment-threshold *

WiFi fragment threshold.

integer

Minimum value: 800 Maximum value: 2346

2346

wifi-gateway *

IPv4 default gateway IP address.

ipv4-address

Not Specified

0.0.0.0

wifi-key *

WiFi WEP Key.

password

Not Specified

wifi-keyindex *

WEP key index.

integer

Minimum value: 1 Maximum value: 4

wifi-mac-filter *

Enable/disable MAC filter status.

option

disable

Option	Description
enable	Enable MAC filter.
disable	Disable MAC filter.

wifi-passphrase *

WiFi pre-shared key for WPA.

password

Not Specified

wifi-radius-server *

WiFi RADIUS server for WPA.

string

Maximum length: 35

wifi-rts-threshold *

WiFi RTS threshold.

integer

Minimum value: 256 Maximum value: 2346

2346

wifi-security *

Wireless access security of SSID.

option

wpa-personal

Option	Description
open	Open.
wep64	WEP64.
wep128	WEP128.
wpa-personal	WPA personal.
wpa-enterprise	WPA enterprise.
wpa-only-personal	WPA personal only.
wpa-only-enterprise	WPA enterprise only.
wpa2-only-personal	WPA2 personal only.
wpa2-only-enterprise	WPA2 enterprise only.

wifi-ssid *

IEEE 802.11 Service Set Identifier.

string

Maximum length: 32

fortinet

wifi-usergroup *

WiFi user group for WPA.

string

Maximum length: 35

wins-ip

WINS server IP.

ipv4-address

Not Specified

0.0.0.0

* This parameter may not exist in some models.

** Values may differ between models.

config client-options

Parameter

Description

Type

Size

Default

ID.

integer

Minimum value: 0 Maximum value: 4294967295

code

DHCP client option code.

integer

Minimum value: 0 Maximum value: 255

type

DHCP client option type.

option

hex

Option	Description
hex	DHCP option in hex.
string	DHCP option in string.
ip	DHCP option in IP.
fqdn	DHCP option in domain search option format.

value

DHCP client option value.

string

Maximum length: 312

DHCP option IPs.

user

Not Specified

config dhcp-snooping-server-list

Parameter	Description	Type	Size	Default
name	DHCP server name.	string	Maximum length: 35	default
server-ip	IP address for DHCP server.	ipv4-address	Not Specified	0.0.0.0

config egress-queues

Parameter	Description	Type	Size
cos0	CoS profile name for CoS 0.	string	Maximum length: 35
cos1	CoS profile name for CoS 1.	string	Maximum length: 35
cos2	CoS profile name for CoS 2.	string	Maximum length: 35
cos3	CoS profile name for CoS 3.	string	Maximum length: 35
cos4	CoS profile name for CoS 4.	string	Maximum length: 35
cos5	CoS profile name for CoS 5.	string	Maximum length: 35
cos6	CoS profile name for CoS 6.	string	Maximum length: 35
cos7	CoS profile name for CoS 7.	string	Maximum length: 35

config ipv6

Parameter

Description

Type

Size

Default

ip6-mode

Addressing mode (static, DHCP, delegated).

option

static

Option	Description
static	Static setting.
dhcp	DHCPv6 client mode.
pppoe	IPv6 over PPPoE mode.
delegated	IPv6 address with delegated prefix.

nd-mode

Neighbor discovery mode.

option

basic

Option	Description
basic	Do not support SEND.
SEND-compatible	Support SEND.

nd-cert

Neighbor discovery certificate.

string

Maximum length: 35

nd-security-level

Neighbor discovery security level.

integer

Minimum value: 0 Maximum value: 7

nd-timestamp-delta

Neighbor discovery timestamp delta value.

integer

Minimum value: 1 Maximum value: 3600

300

nd-timestamp-fuzz

Neighbor discovery timestamp fuzz factor.

integer

Minimum value: 1 Maximum value: 60

nd-cga-modifier

Neighbor discovery CGA modifier.

user

Not Specified

ip6-dns-server-override

Enable/disable using the DNS server acquired by DHCP.

option

enable

Option	Description
enable	Enable using the DNS server acquired by DHCP.
disable	Disable using the DNS server acquired by DHCP.

ip6-address

Primary IPv6 address prefix. Syntax: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx.

ipv6-prefix

Not Specified

::/0

ip6-allowaccess

Allow management access to the interface.

option

Option	Description
ping	PING access.
https	HTTPS access.
ssh	SSH access.
snmp	SNMP access.
http	HTTP access.
telnet	TELNET access.
fgfm	FortiManager access.
fabric	Fabric access.

ip6-send-adv

Enable/disable sending advertisements about the interface.

option

disable

Option	Description
enable	Enable sending advertisements about this interface.
disable	Disable sending advertisements about this interface.

icmp6-send-redirect

Enable/disable sending of ICMPv6 redirects.

option

enable

Option	Description
enable	Enable sending of ICMPv6 redirects.
disable	Disable sending of ICMPv6 redirects.

ip6-manage-flag

Enable/disable the managed flag.

option

disable

Option	Description
enable	Enable the managed IPv6 flag.
disable	Disable the managed IPv6 flag.

ip6-other-flag

Enable/disable the other IPv6 flag.

option

disable

Option	Description
enable	Enable the other IPv6 flag.
disable	Disable the other IPv6 flag.

ip6-max-interval

IPv6 maximum interval (4 to 1800 sec).

integer

Minimum value: 4 Maximum value: 1800

600

ip6-min-interval

IPv6 minimum interval (3 to 1350 sec).

integer

Minimum value: 3 Maximum value: 1350

198

ip6-link-mtu

IPv6 link MTU.

integer

Minimum value: 1280 Maximum value: 16000

ra-send-mtu

Enable/disable sending link MTU in RA packet.

option

enable

Option	Description
enable	Enable sending link MTU in RA packet.
disable	Disable sending link MTU in RA packet.

ip6-reachable-time

IPv6 reachable time (milliseconds; 0 means unspecified).

integer

Minimum value: 0 Maximum value: 3600000

ip6-retrans-time

IPv6 retransmit time (milliseconds; 0 means unspecified).

integer

Minimum value: 0 Maximum value: 4294967295

ip6-default-life

Default life (sec).

integer

Minimum value: 0 Maximum value: 9000

1800

ip6-hop-limit

Hop limit (0 means unspecified).

integer

Minimum value: 0 Maximum value: 255

autoconf

Enable/disable address auto config.

option

disable

Option	Description
enable	Enable auto-configuration.
disable	Disable auto-configuration.

unique-autoconf-addr

Enable/disable unique auto config address.

option

disable

Option	Description
enable	Enable unique auto-configuration address.
disable	Disable unique auto-configuration address.

interface-identifier

IPv6 interface identifier.

ipv6-address

Not Specified

ip6-prefix-mode

Assigning a prefix from DHCP or RA.

option

dhcp6

Option	Description
dhcp6	Use delegated prefix from a DHCPv6 client to form a delegated IPv6 address.
ra	Use prefix from RA to form a delegated IPv6 address.

ip6-delegated-prefix-iaid

IAID of obtained delegated-prefix from the upstream interface.

integer

Minimum value: 0 Maximum value: 4294967295

ip6-upstream-interface

Interface name providing delegated information.

string

Maximum length: 15

ip6-subnet

Subnet to routing prefix. Syntax: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx.

ipv6-prefix

Not Specified

::/0

dhcp6-relay-service

Enable/disable DHCPv6 relay.

option

disable

Option	Description
disable	Disable DHCPv6 relay
enable	Enable DHCPv6 relay.

dhcp6-relay-type

DHCPv6 relay type.

option

regular

Option	Description
regular	Regular DHCP relay.

dhcp6-relay-source-interface

Enable/disable use of address on this interface as the source address of the relay message.

option

disable

Option	Description
disable	Use address of the egress interface as source address of the relay message.
enable	Use address of this interface as source address of the relay message.

dhcp6-relay-ip

DHCPv6 relay IP address.

user

Not Specified

dhcp6-relay-source-ip

IPv6 address used by the DHCP6 relay as its source IP.

ipv6-address

Not Specified

dhcp6-relay-interface-id

DHCP6 relay interface ID.

string

Maximum length: 64

dhcp6-client-options

DHCPv6 client options.

option

Option	Description
rapid	Send rapid commit option.
iapd	Send including IA-PD option.
iana	Send including IA-NA option.

dhcp6-prefix-delegation

Enable/disable DHCPv6 prefix delegation.

option

disable

Option	Description
enable	Enable DHCPv6 prefix delegation.
disable	Disable DHCPv6 prefix delegation.

dhcp6-information-request

Enable/disable DHCPv6 information request.

option

disable

Option	Description
enable	Enable DHCPv6 information request.
disable	Disable DHCPv6 information request.

cli-conn6-status

CLI IPv6 connection status.

integer

Minimum value: 0 Maximum value: 4294967295

vrrp-virtual-mac6

Enable/disable virtual MAC for VRRP.

option

disable

Option	Description
enable	Enable virtual MAC for VRRP.
disable	Disable virtual MAC for VRRP.

vrip6_link_local

Link-local IPv6 address of virtual router.

ipv6-address

Not Specified

config ip6-extra-addr

Parameter	Description	Type	Size	Default
prefix	IPv6 address prefix.	ipv6-prefix	Not Specified	::/0

config ip6-prefix-list

Parameter

Description

Type

Size

Default

prefix

IPv6 prefix.

ipv6-network

Not Specified

::/0

autonomous-flag

Enable/disable the autonomous flag.

option

enable

Option	Description
enable	Enable the autonomous flag.
disable	Disable the autonomous flag.

onlink-flag

Enable/disable the onlink flag.

option

enable

Option	Description
enable	Enable the onlink flag.
disable	Disable the onlink flag.

valid-life-time

Valid life time (sec).

integer

Minimum value: 0 Maximum value: 4294967295

2592000

preferred-life-time

Preferred life time (sec).

integer

Minimum value: 0 Maximum value: 4294967295

604800

rdnss

Recursive DNS server option.

user

Not Specified

dnssl <domain>

DNS search list option.

Domain name.

string

Maximum length: 79

config ip6-delegated-prefix-list

Parameter

Description

Type

Size

Default

prefix-id

Prefix ID.

integer

Minimum value: 0 Maximum value: 4294967295

upstream-interface

Name of the interface that provides delegated information.

string

Maximum length: 15

delegated-prefix-iaid

IAID of obtained delegated-prefix from the upstream interface.

integer

Minimum value: 0 Maximum value: 4294967295

autonomous-flag

Enable/disable the autonomous flag.

option

enable

Option	Description
enable	Enable the autonomous flag.
disable	Disable the autonomous flag.

onlink-flag

Enable/disable the onlink flag.

option

enable

Option	Description
enable	Enable the onlink flag.
disable	Disable the onlink flag.

subnet

Add subnet ID to routing prefix.

ipv6-network

Not Specified

::/0

rdnss-service

Recursive DNS service option.

option

specify

Option	Description
delegated	Delegated RDNSS settings.
default	System RDNSS settings.
specify	Specify recursive DNS servers.

rdnss

Recursive DNS server option.

user

Not Specified

config dhcp6-iapd-list

Parameter	Description	Type	Size	Default
iaid	Identity association identifier.	integer	Minimum value: 0 Maximum value: 4294967295	0
prefix-hint	DHCPv6 prefix that will be used as a hint to the upstream DHCPv6 server.	ipv6-network	Not Specified	::/0
prefix-hint-plt	DHCPv6 prefix hint preferred life time (sec), 0 means unlimited lease time.	integer	Minimum value: 0 Maximum value: 4294967295	604800
prefix-hint-vlt	DHCPv6 prefix hint valid life time (sec).	integer	Minimum value: 0 Maximum value: 4294967295	2592000

config vrrp6

Parameter

Description

Type

Size

Default

vrid

Virtual router identifier.

integer

Minimum value: 1 Maximum value: 255

vrgrp

VRRP group ID.

integer

Minimum value: 1 Maximum value: 65535

vrip6

IPv6 address of the virtual router.

ipv6-address

Not Specified

priority

Priority of the virtual router.

integer

Minimum value: 1 Maximum value: 255

100

adv-interval

Advertisement interval.

integer

Minimum value: 1 Maximum value: 255

start-time

Startup time.

integer

Minimum value: 1 Maximum value: 255

preempt

Enable/disable preempt mode.

option

enable

Option	Description
enable	Enable preempt mode.
disable	Disable preempt mode.

accept-mode

Enable/disable accept mode.

option

enable

Option	Description
enable	Enable accept mode.
disable	Disable accept mode.

vrdst6

Monitor the route to this destination.

ipv6-address

Not Specified

ignore-default-route

Enable/disable ignoring of default route when checking destination.

option

disable

Option	Description
enable	Ignore default route when checking destination.
disable	Do not ignore default route when checking destination.

status

Enable/disable VRRP.

option

enable

Option	Description
enable	Enable VRRP.
disable	Disable VRRP.

config l2tp-client-settings

Parameter

Description

Type

Size

Default

user

L2TP user name.

string

Maximum length: 127

password

L2TP password.

password

Not Specified

peer-host

L2TP peer host address.

string

Maximum length: 255

peer-mask

L2TP peer mask.

ipv4-netmask

Not Specified

255.255.255.255

peer-port

L2TP peer port number.

integer

Minimum value: 1 Maximum value: 65535

1701

auth-type

L2TP authentication type.

option

auto

Option	Description
auto	Automatically choose authentication.
pap	PAP authentication.
chap	CHAP authentication.
mschapv1	MS-CHAPv1 authentication.
mschapv2	MS-CHAPv2 authentication.

mtu

L2TP MTU.

integer

Minimum value: 40 Maximum value: 65535

1460

distance

Distance of learned routes.

integer

Minimum value: 1 Maximum value: 255

priority

Priority of learned routes.

integer

Minimum value: 1 Maximum value: 65535

defaultgw

Enable/disable default gateway.

option

disable

Option	Description
enable	Enable default gateway.
disable	Disable default gateway.

IP.

ipv4-classnet-host

Not Specified

0.0.0.0 0.0.0.0

hello-interval

L2TP hello message interval in seconds.

integer

Minimum value: 0 Maximum value: 3600

config mirroring-filter

Parameter	Description	Type	Size	Default
filter-srcip	Source IP and mask of mirroring filter.	ipv4-classnet-host	Not Specified	0.0.0.0 0.0.0.0
filter-dstip	Destinatin IP and mask of mirroring filter.	ipv4-classnet-host	Not Specified	0.0.0.0 0.0.0.0
filter-sport	Source port of mirroring filter.	integer	Minimum value: 0 Maximum value: 65535	0
filter-dport	Destinatin port of mirroring filter.	integer	Minimum value: 0 Maximum value: 65535	0
filter-protocol	Protocol of mirroring filter.	integer	Minimum value: 0 Maximum value: 255	0

config secondaryip

Parameter

Description

Type

Size

Default

ID.

integer

Minimum value: 0 Maximum value: 4294967295

Secondary IP address of the interface.

ipv4-classnet-host

Not Specified

0.0.0.0 0.0.0.0

secip-relay-ip

DHCP relay IP address.

user

Not Specified

allowaccess

Management access settings for the secondary IP address.

option

Option	Description
ping	PING access.
https	HTTPS access.
ssh	SSH access.
snmp	SNMP access.
http	HTTP access.
telnet	TELNET access.
fgfm	FortiManager access.
radius-acct	RADIUS accounting access.
probe-response	Probe access.
fabric	Security Fabric access.
ftm	FTM access.
speed-test	Speed test access.

gwdetect

Enable/disable detect gateway alive for first.

option

disable

Option	Description
enable	Enable detect gateway alive for first.
disable	Disable detect gateway alive for first.

ping-serv-status

PING server status.

integer

Minimum value: 0 Maximum value: 255

detectserver

Gateway's ping server for this IP.

user

Not Specified

detectprotocol

Protocols used to detect the server.

option

ping

Option	Description
ping	PING.
tcp-echo	TCP echo.
udp-echo	UDP echo.

ha-priority

HA election priority for the PING server.

integer

Minimum value: 1 Maximum value: 50

config tagging

Parameter

Description

Type

Size

Default

name

Tagging entry name.

string

Maximum length: 63

config vrrp

Parameter

Description

Type

Size

Default

vrid

Virtual router identifier.

integer

Minimum value: 1 Maximum value: 255

version

VRRP version.

option

Option	Description
2	VRRP version 2.
3	VRRP version 3.

vrgrp

VRRP group ID.

integer

Minimum value: 1 Maximum value: 65535

vrip

IP address of the virtual router.

ipv4-address-any

Not Specified

0.0.0.0

priority

Priority of the virtual router.

integer

Minimum value: 1 Maximum value: 255

100

adv-interval

Advertisement interval.

integer

Minimum value: 1 Maximum value: 255

start-time

Startup time.

integer

Minimum value: 1 Maximum value: 255

preempt

Enable/disable preempt mode.

option

enable

Option	Description
enable	Enable preempt mode.
disable	Disable preempt mode.

accept-mode

Enable/disable accept mode.

option

enable

Option	Description
enable	Enable accept mode.
disable	Disable accept mode.

vrdst

Monitor the route to this destination.

ipv4-address-any

Not Specified

vrdst-priority

Priority of the virtual router when the virtual router destination becomes unreachable.

integer

Minimum value: 0 Maximum value: 254

ignore-default-route

Enable/disable ignoring of default route when checking destination.

option

disable

Option	Description
enable	Ignore default route when checking destination.
disable	Do not ignore default route when checking destination.

status

Enable/disable this VRRP configuration.

option

enable

Option	Description
enable	Enable this VRRP configuration.
disable	Disable this VRRP configuration.

config proxy-arp

Parameter	Description	Type	Size	Default
id	ID.	integer	Minimum value: 0 Maximum value: 4294967295	0
ip	Set IP addresses of proxy ARP.	user	Not Specified

config wifi-mac-list

Parameter	Description	Type	Size	Default
id	ID.	integer	Minimum value: 0 Maximum value: 4294967295	0
mac	MAC address.	mac-address	Not Specified	00:00:00:00:00:00

config wifi-networks

Parameter

Description

Type

Size

Default

ID.

integer

Minimum value: 0 Maximum value: 4294967295

wifi-ssid

IEEE 802.11 Service Set Identifier.

string

Maximum length: 32

fortinet

wifi-security

Wireless access security of SSID.

option

wpa-personal

Option	Description
open	Open.
wep64	WEP64.
wep128	WEP128.
wpa-personal	WPA personal.
wpa-only-personal	WPA personal only.
wpa2-only-personal	WPA2 personal only.
wpa3-sae	WPA3 SAE.
owe	OWE.
wpa-enterprise	WPA2/WPA3 ENTERPRISE.

wifi-encrypt

Data encryption.

option

AES

Option	Description
TKIP	TKIP.
AES	AES.

wifi-keyindex

WEP key index.

integer

Minimum value: 1 Maximum value: 4

wifi-key

WiFi WEP Key.

password

Not Specified

wifi-passphrase

WiFi pre-shared key for WPA-PSK or password for WPA3-SAE and WPA2/WPA3-ENTERPRISE.

password

Not Specified

wifi-eap-type

WPA2/WPA3-ENTERPRISE EAP Method.

option

peap

Option	Description
both	EAP PEAP and TLS.
tls	EAP TLS.
peap	EAP PEAP.

wifi-username

Username for WPA2/WPA3-ENTERPRISE.

string

Maximum length: 64

fortinet

wifi-client-certificate

Client certificate for WPA2/WPA3-ENTERPRISE.

string

Maximum length: 35

wifi-private-key

Private key for WPA2/WPA3-ENTERPRISE.

string

Maximum length: 35

wifi-private-key-password

Password for private key file for WPA2/WPA3-ENTERPRISE.

password

Not Specified

wifi-ca-certificate

CA certificate for WPA2/WPA3-ENTERPRISE.

string

Maximum length: 79

config system interface

Configure interfaces.

config system interface
    Description: Configure interfaces.
    edit <name>
        set ac-name {string}
        set aggregate {string}
        set aggregate-type [physical|vxlan]
        set algorithm [L2|L3|...]
        set alias {string}
        set allowaccess {option1}, {option2}, ...
        set ap-discover [enable|disable]
        set arpforward [enable|disable]
        set atm-protocol [none|ipoa]
        set auth-cert {string}
        set auth-portal-addr {string}
        set auth-type [auto|pap|...]
        set auto-auth-extension-device [enable|disable]
        set bandwidth-measure-time {integer}
        set bfd [global|enable|...]
        set bfd-desired-min-tx {integer}
        set bfd-detect-mult {integer}
        set bfd-required-min-rx {integer}
        set broadcast-forward [enable|disable]
        set cli-conn-status {integer}
        config client-options
            Description: DHCP client options.
            edit <id>
                set code {integer}
                set type [hex|string|...]
                set value {string}
                set ip {user}
            next
        end
        set color {integer}
        set dedicated-to [none|management]
        set default-purdue-level [1|1.5|...]
        set defaultgw [enable|disable]
        set description {var-string}
        set detected-peer-mtu {integer}
        set detectprotocol {option1}, {option2}, ...
        set detectserver {user}
        set device-identification [enable|disable]
        set device-user-identification [enable|disable]
        set devindex {integer}
        set dhcp-broadcast-flag [disable|enable]
        set dhcp-classless-route-addition [enable|disable]
        set dhcp-client-identifier {string}
        set dhcp-relay-agent-option [enable|disable]
        set dhcp-relay-circuit-id {string}
        set dhcp-relay-interface {string}
        set dhcp-relay-interface-select-method [auto|sdwan|...]
        set dhcp-relay-ip {user}
        set dhcp-relay-link-selection {ipv4-address}
        set dhcp-relay-request-all-server [disable|enable]
        set dhcp-relay-service [disable|enable]
        set dhcp-relay-source-ip {ipv4-address}
        set dhcp-relay-type [regular|ipsec]
        set dhcp-renew-time {integer}
        set dhcp-smart-relay [disable|enable]
        config dhcp-snooping-server-list
            Description: Configure DHCP server access list.
            edit <name>
                set server-ip {ipv4-address}
            next
        end
        set disc-retry-timeout {integer}
        set distance {integer}
        set dns-server-override [enable|disable]
        set dns-server-protocol {option1}, {option2}, ...
        set drop-fragment [enable|disable]
        set drop-overlapped-fragment [enable|disable]
        set eap-ca-cert {string}
        set eap-identity {string}
        set eap-method [tls|peap]
        set eap-password {password}
        set eap-supplicant [enable|disable]
        set eap-user-cert {string}
        set egress-cos [disable|cos0|...]
        config egress-queues
            Description: Configure queues of NP port on egress path.
            set cos0 {string}
            set cos1 {string}
            set cos2 {string}
            set cos3 {string}
            set cos4 {string}
            set cos5 {string}
            set cos6 {string}
            set cos7 {string}
        end
        set egress-shaping-profile {string}
        set estimated-downstream-bandwidth {integer}
        set estimated-upstream-bandwidth {integer}
        set explicit-ftp-proxy [enable|disable]
        set explicit-web-proxy [enable|disable]
        set external [enable|disable]
        set fail-action-on-extender [soft-restart|hard-restart|...]
        set fail-alert-interfaces <name1>, <name2>, ...
        set fail-alert-method [link-failed-signal|link-down]
        set fail-detect [enable|disable]
        set fail-detect-option {option1}, {option2}, ...
        set fortilink [enable|disable]
        set fortilink-backup-link {integer}
        set fortilink-neighbor-detect [lldp|fortilink]
        set fortilink-split-interface [enable|disable]
        set forward-domain {integer}
        set forward-error-correction [none|disable|...]
        set gateway-address {ipv4-address}
        set gi-gk [enable|disable]
        set gwaddr {ipv4-address}
        set gwdetect [enable|disable]
        set ha-priority {integer}
        set icmp-accept-redirect [enable|disable]
        set icmp-send-redirect [enable|disable]
        set ident-accept [enable|disable]
        set idle-timeout {integer}
        set ike-saml-server {string}
        set inbandwidth {integer}
        set ingress-cos [disable|cos0|...]
        set ingress-shaping-profile {string}
        set ingress-spillover-threshold {integer}
        set interconnect-profile [default|profile1|...]
        set interface {string}
        set internal {integer}
        set ip {ipv4-classnet-host}
        set ip-managed-by-fortiipam [inherit-global|enable|...]
        set ipmac [enable|disable]
        set ips-sniffer-mode [enable|disable]
        set ipunnumbered {ipv4-address}
        config ipv6
            Description: IPv6 of interface.
            set ip6-mode [static|dhcp|...]
            set nd-mode [basic|SEND-compatible]
            set nd-cert {string}
            set nd-security-level {integer}
            set nd-timestamp-delta {integer}
            set nd-timestamp-fuzz {integer}
            set nd-cga-modifier {user}
            set ip6-dns-server-override [enable|disable]
            set ip6-address {ipv6-prefix}
            config ip6-extra-addr
                Description: Extra IPv6 address prefixes of interface.
                edit <prefix>
                next
            end
            set ip6-allowaccess {option1}, {option2}, ...
            set ip6-send-adv [enable|disable]
            set icmp6-send-redirect [enable|disable]
            set ip6-manage-flag [enable|disable]
            set ip6-other-flag [enable|disable]
            set ip6-max-interval {integer}
            set ip6-min-interval {integer}
            set ip6-link-mtu {integer}
            set ra-send-mtu [enable|disable]
            set ip6-reachable-time {integer}
            set ip6-retrans-time {integer}
            set ip6-default-life {integer}
            set ip6-hop-limit {integer}
            set autoconf [enable|disable]
            set unique-autoconf-addr [enable|disable]
            set interface-identifier {ipv6-address}
            set ip6-prefix-mode [dhcp6|ra]
            set ip6-delegated-prefix-iaid {integer}
            set ip6-upstream-interface {string}
            set ip6-subnet {ipv6-prefix}
            config ip6-prefix-list
                Description: Advertised prefix list.
                edit <prefix>
                    set autonomous-flag [enable|disable]
                    set onlink-flag [enable|disable]
                    set valid-life-time {integer}
                    set preferred-life-time {integer}
                    set rdnss {user}
                    set dnssl <domain1>, <domain2>, ...
                next
            end
            config ip6-delegated-prefix-list
                Description: Advertised IPv6 delegated prefix list.
                edit <prefix-id>
                    set upstream-interface {string}
                    set delegated-prefix-iaid {integer}
                    set autonomous-flag [enable|disable]
                    set onlink-flag [enable|disable]
                    set subnet {ipv6-network}
                    set rdnss-service [delegated|default|...]
                    set rdnss {user}
                next
            end
            set dhcp6-relay-service [disable|enable]
            set dhcp6-relay-type {option}
            set dhcp6-relay-source-interface [disable|enable]
            set dhcp6-relay-ip {user}
            set dhcp6-relay-source-ip {ipv6-address}
            set dhcp6-relay-interface-id {string}
            set dhcp6-client-options {option1}, {option2}, ...
            set dhcp6-prefix-delegation [enable|disable]
            set dhcp6-information-request [enable|disable]
            config dhcp6-iapd-list
                Description: DHCPv6 IA-PD list.
                edit <iaid>
                    set prefix-hint {ipv6-network}
                    set prefix-hint-plt {integer}
                    set prefix-hint-vlt {integer}
                next
            end
            set cli-conn6-status {integer}
            set vrrp-virtual-mac6 [enable|disable]
            set vrip6_link_local {ipv6-address}
            config vrrp6
                Description: IPv6 VRRP configuration.
                edit <vrid>
                    set vrgrp {integer}
                    set vrip6 {ipv6-address}
                    set priority {integer}
                    set adv-interval {integer}
                    set start-time {integer}
                    set preempt [enable|disable]
                    set accept-mode [enable|disable]
                    set vrdst6 {ipv6-address}
                    set ignore-default-route [enable|disable]
                    set status [enable|disable]
                next
            end
        end
        set l2forward [enable|disable]
        set l2tp-client [enable|disable]
        config l2tp-client-settings
            Description: L2TP client settings.
            set user {string}
            set password {password}
            set peer-host {string}
            set peer-mask {ipv4-netmask}
            set peer-port {integer}
            set auth-type [auto|pap|...]
            set mtu {integer}
            set distance {integer}
            set priority {integer}
            set defaultgw [enable|disable]
            set ip {ipv4-classnet-host}
            set hello-interval {integer}
        end
        set lacp-ha-secondary [enable|disable]
        set lacp-mode [static|passive|...]
        set lacp-speed [slow|fast]
        set lcp-echo-interval {integer}
        set lcp-max-echo-fails {integer}
        set link-up-delay {integer}
        set lldp-network-policy {string}
        set lldp-reception [enable|disable|...]
        set lldp-transmission [enable|disable|...]
        set macaddr {mac-address}
        set managed-subnetwork-size [32|64|...]
        set management-ip {ipv4-classnet-host}
        set measured-downstream-bandwidth {integer}
        set measured-upstream-bandwidth {integer}
        set mediatype [serdes-sfp|sgmii-sfp|...]
        set member <interface-name1>, <interface-name2>, ...
        set min-links {integer}
        set min-links-down [operational|administrative]
        set mirroring-direction [rx|tx|...]
        config mirroring-filter
            Description: Mirroring filter.
            set filter-srcip {ipv4-classnet-host}
            set filter-dstip {ipv4-classnet-host}
            set filter-sport {integer}
            set filter-dport {integer}
            set filter-protocol {integer}
        end
        set mirroring-port {string}
        set mode [static|dhcp|...]
        set monitor-bandwidth [enable|disable]
        set mtu {integer}
        set mtu-override [enable|disable]
        set mux-type [llc-encaps|vc-encaps]
        set ndiscforward [enable|disable]
        set netbios-forward [disable|enable]
        set netflow-sampler [disable|tx|...]
        set np-qos-profile {integer}
        set outbandwidth {integer}
        set padt-retry-timeout {integer}
        set password {password}
        set phy-mode {option}
        set ping-serv-status {integer}
        set poe [enable|disable]
        set polling-interval {integer}
        set port-mirroring [disable|enable]
        set pppoe-unnumbered-negotiate [enable|disable]
        set pptp-auth-type [auto|pap|...]
        set pptp-client [enable|disable]
        set pptp-password {password}
        set pptp-server-ip {ipv4-address}
        set pptp-timeout {integer}
        set pptp-user {string}
        set preserve-session-route [enable|disable]
        set priority {integer}
        set priority-override [enable|disable]
        set proxy-captive-portal [enable|disable]
        set pvc-atm-qos [cbr|rt-vbr|...]
        set pvc-chan {integer}
        set pvc-crc {integer}
        set pvc-pcr {integer}
        set pvc-scr {integer}
        set pvc-vlan-id {integer}
        set pvc-vlan-rx-id {integer}
        set pvc-vlan-rx-op [pass-through|replace|...]
        set pvc-vlan-tx-id {integer}
        set pvc-vlan-tx-op [pass-through|replace|...]
        set reachable-time {integer}
        set redundant-interface {string}
        set remote-ip {ipv4-classnet-host}
        set replacemsg-override-group {string}
        set retransmission [disable|enable]
        set ring-rx {integer}
        set ring-tx {integer}
        set role [lan|wan|...]
        set sample-direction [tx|rx|...]
        set sample-rate {integer}
        set secondary-IP [enable|disable]
        config secondaryip
            Description: Second IP address of interface.
            edit <id>
                set ip {ipv4-classnet-host}
                set secip-relay-ip {user}
                set allowaccess {option1}, {option2}, ...
                set gwdetect [enable|disable]
                set ping-serv-status {integer}
                set detectserver {user}
                set detectprotocol {option1}, {option2}, ...
                set ha-priority {integer}
            next
        end
        set security-8021x-dynamic-vlan-id {integer}
        set security-8021x-master {string}
        set security-8021x-member-mode [switch|disable]
        set security-8021x-mode [default|dynamic-vlan|...]
        set security-exempt-list {string}
        set security-external-logout {string}
        set security-external-web {var-string}
        set security-groups <name1>, <name2>, ...
        set security-mac-auth-bypass [mac-auth-only|enable|...]
        set security-mode [none|captive-portal|...]
        set security-redirect-url {var-string}
        set service-name {string}
        set sflow-sampler [enable|disable]
        set sfp-dsl [disable|enable]
        set sfp-dsl-adsl-fallback [disable|enable]
        set sfp-dsl-autodetect [disable|enable]
        set sfp-dsl-mac {mac-address}
        set snmp-index {integer}
        set speed [auto|10full|...]
        set spillover-threshold {integer}
        set src-check [enable|disable]
        set status [up|down]
        set stp [disable|enable]
        set stp-edge [disable|enable]
        set stp-ha-secondary [disable|enable|...]
        set stpforward [enable|disable]
        set stpforward-mode [rpl-all-ext-id|rpl-bridge-ext-id|...]
        set subst [enable|disable]
        set substitute-dst-mac {mac-address}
        set sw-algorithm [l2|l3|...]
        set swc-first-create {integer}
        set swc-vlan {integer}
        set switch {string}
        set switch-controller-access-vlan [enable|disable]
        set switch-controller-arp-inspection [enable|disable]
        set switch-controller-dhcp-snooping [enable|disable]
        set switch-controller-dhcp-snooping-option82 [enable|disable]
        set switch-controller-dhcp-snooping-verify-mac [enable|disable]
        set switch-controller-dynamic {string}
        set switch-controller-feature [none|default-vlan|...]
        set switch-controller-igmp-snooping [enable|disable]
        set switch-controller-igmp-snooping-fast-leave [enable|disable]
        set switch-controller-igmp-snooping-proxy [enable|disable]
        set switch-controller-iot-scanning [enable|disable]
        set switch-controller-learning-limit {integer}
        set switch-controller-mgmt-vlan {integer}
        set switch-controller-nac {string}
        set switch-controller-netflow-collect [disable|enable]
        set switch-controller-offload [enable|disable]
        set switch-controller-offload-gw [enable|disable]
        set switch-controller-offload-ip {ipv4-address}
        set switch-controller-rspan-mode [disable|enable]
        set switch-controller-source-ip [outbound|fixed]
        set switch-controller-traffic-policy {string}
        set system-id {mac-address}
        set system-id-type [auto|user]
        config tagging
            Description: Config object tagging.
            edit <name>
                set category {string}
                set tags <name1>, <name2>, ...
            next
        end
        set tc-mode {option}
        set tcp-mss {integer}
        set trunk [enable|disable]
        set trust-ip-1 {ipv4-classnet-any}
        set trust-ip-2 {ipv4-classnet-any}
        set trust-ip-3 {ipv4-classnet-any}
        set trust-ip6-1 {ipv6-prefix}
        set trust-ip6-2 {ipv6-prefix}
        set trust-ip6-3 {ipv6-prefix}
        set type [physical|vlan|...]
        set username {string}
        set vci {integer}
        set vdom {string}
        set vectoring [disable|enable]
        set vindex {integer}
        set vlan-protocol [8021q|8021ad]
        set vlanforward [enable|disable]
        set vlanid {integer}
        set vpi {integer}
        set vrf {integer}
        config vrrp
            Description: VRRP configuration.
            edit <vrid>
                set version [2|3]
                set vrgrp {integer}
                set vrip {ipv4-address-any}
                set priority {integer}
                set adv-interval {integer}
                set start-time {integer}
                set preempt [enable|disable]
                set accept-mode [enable|disable]
                set vrdst {ipv4-address-any}
                set vrdst-priority {integer}
                set ignore-default-route [enable|disable]
                set status [enable|disable]
                config proxy-arp
                    Description: VRRP Proxy ARP configuration.
                    edit <id>
                        set ip {user}
                    next
                end
            next
        end
        set vrrp-virtual-mac [enable|disable]
        set wccp [enable|disable]
        set weight {integer}
        set wifi-5g-threshold {string}
        set wifi-acl [allow|deny]
        set wifi-ap-band [any|5g-preferred|...]
        set wifi-auth [PSK|radius|...]
        set wifi-auto-connect [enable|disable]
        set wifi-auto-save [enable|disable]
        set wifi-broadcast-ssid [enable|disable]
        set wifi-dns-server1 {ipv4-address}
        set wifi-dns-server2 {ipv4-address}
        set wifi-encrypt [TKIP|AES]
        set wifi-fragment-threshold {integer}
        set wifi-gateway {ipv4-address}
        set wifi-key {password}
        set wifi-keyindex {integer}
        set wifi-mac-filter [enable|disable]
        config wifi-mac-list
            Description: MAC filter list.
            edit <id>
                set mac {mac-address}
            next
        end
        config wifi-networks
            Description: WiFi network table.
            edit <id>
                set wifi-ssid {string}
                set wifi-security [open|wep64|...]
                set wifi-encrypt [TKIP|AES]
                set wifi-keyindex {integer}
                set wifi-key {password}
                set wifi-passphrase {password}
                set wifi-eap-type [both|tls|...]
                set wifi-username {string}
                set wifi-client-certificate {string}
                set wifi-private-key {string}
                set wifi-private-key-password {password}
                set wifi-ca-certificate {string}
            next
        end
        set wifi-passphrase {password}
        set wifi-radius-server {string}
        set wifi-rts-threshold {integer}
        set wifi-security [open|wep64|...]
        set wifi-ssid {string}
        set wifi-usergroup {string}
        set wins-ip {ipv4-address}
    next
end

config system interface

Parameter

Description

Type

Size

Default

ac-name

PPPoE server name.

string

Maximum length: 63

aggregate

Aggregate interface.

string

Maximum length: 15

aggregate-type

Type of aggregation.

option

physical

Option	Description
physical	Physical interface aggregation.
vxlan	VXLAN interface aggregation.

algorithm

Frame distribution algorithm.

option

Option	Description
L2	Use layer 2 address for distribution.
L3	Use layer 3 address for distribution.
L4	Use layer 4 information for distribution.
Source-MAC	Use source MAC address for distribution.

alias

Alias will be displayed with the interface name to make it easier to distinguish.

string

Maximum length: 25

allowaccess

Permitted types of management access to this interface.

option

Option	Description
ping	PING access.
https	HTTPS access.
ssh	SSH access.
snmp	SNMP access.
http	HTTP access.
telnet	TELNET access.
fgfm	FortiManager access.
radius-acct	RADIUS accounting access.
probe-response	Probe access.
fabric	Security Fabric access.
ftm	FTM access.
speed-test	Speed test access.

ap-discover

Enable/disable automatic registration of unknown FortiAP devices.

option

enable

Option	Description
enable	Enable automatic registration of unknown FortiAP devices.
disable	Disable automatic registration of unknown FortiAP devices.

arpforward

Enable/disable ARP forwarding.

option

enable

Option	Description
enable	Enable ARP forwarding.
disable	Disable ARP forwarding.

atm-protocol *

ATM protocol.

option

none

Option	Description
none	Not over ATM.
ipoa	IPoA RFC2684.

auth-cert

HTTPS server certificate.

string

Maximum length: 35

auth-portal-addr

Address of captive portal.

string

Maximum length: 63

auth-type

PPP authentication type to use.

option

auto

Option	Description
auto	Automatically choose authentication.
pap	PAP authentication.
chap	CHAP authentication.
mschapv1	MS-CHAPv1 authentication.
mschapv2	MS-CHAPv2 authentication.

auto-auth-extension-device

Enable/disable automatic authorization of dedicated Fortinet extension device on this interface.

option

disable

Option	Description
enable	Enable automatic authorization of dedicated Fortinet extension device on this interface.
disable	Disable automatic authorization of dedicated Fortinet extension device on this interface.

bandwidth-measure-time

Bandwidth measure time.

integer

Minimum value: 0 Maximum value: 4294967295

bfd

Bidirectional Forwarding Detection (BFD) settings.

option

global

Option	Description
global	BFD behavior of this interface will be based on global configuration.
enable	Enable BFD on this interface and ignore global configuration.
disable	Disable BFD on this interface and ignore global configuration.

bfd-desired-min-tx

BFD desired minimal transmit interval.

integer

Minimum value: 1 Maximum value: 100000

250

bfd-detect-mult

BFD detection multiplier.

integer

Minimum value: 1 Maximum value: 50

bfd-required-min-rx

BFD required minimal receive interval.

integer

Minimum value: 1 Maximum value: 100000

250

broadcast-forward

Enable/disable broadcast forwarding.

option

disable

Option	Description
enable	Enable broadcast forwarding.
disable	Disable broadcast forwarding.

cli-conn-status

CLI connection status.

integer

Minimum value: 0 Maximum value: 4294967295

color

Color of icon on the GUI.

integer

Minimum value: 0 Maximum value: 32

dedicated-to

Configure interface for single purpose.

option

none

Option	Description
none	Interface not dedicated for any purpose.
management	Dedicate this interface for management purposes only.

default-purdue-level

default purdue level of device detected on this interface.

option

Option	Description
1	Level 1 - Basic Control
1.5	Level 1.5
2	Level 2 - Area Supervisory Control
2.5	Level 2.5
3	Level 3 - Operations & Control
3.5	Level 3.5
4	Level 4 - Business Planning & Logistics
5	Level 5 - Enterprise Network
5.5	Level 5.5

defaultgw

Enable to get the gateway IP from the DHCP or PPPoE server.

option

enable

Option	Description
enable	Enable default gateway.
disable	Disable default gateway.

description

Description.

var-string

Maximum length: 255

detected-peer-mtu

MTU of detected peer.

integer

Minimum value: 0 Maximum value: 4294967295

detectprotocol

Protocols used to detect the server.

option

ping

Option	Description
ping	PING.
tcp-echo	TCP echo.
udp-echo	UDP echo.

detectserver

Gateway's ping server for this IP.

user

Not Specified

device-identification

Enable/disable passively gathering of device identity information about the devices on the network connected to this interface.

option

disable

Option	Description
enable	Enable passive gathering of identity information about hosts.
disable	Disable passive gathering of identity information about hosts.

device-user-identification

Enable/disable passive gathering of user identity information about users on this interface.

option

enable

Option	Description
enable	Enable passive gathering of user identity information about users.
disable	Disable passive gathering of user identity information about users.

devindex

Device Index.

integer

Minimum value: 0 Maximum value: 4294967295

dhcp-broadcast-flag

Enable/disable setting of the broadcast flag in messages sent by the DHCP client.

option

enable

Option	Description
disable	Disable broadcast flag.
enable	Enable broadcast flag.

dhcp-classless-route-addition

Enable/disable addition of classless static routes retrieved from DHCP server.

option

disable **

Option	Description
enable	Enable addition of classless static routes retrieved from DHCP server.
disable	Disable addition of classless static routes retrieved from DHCP server.

dhcp-client-identifier

DHCP client identifier.

string

Maximum length: 48

dhcp-relay-agent-option

Enable/disable DHCP relay agent option.

option

enable

Option	Description
enable	Enable DHCP relay agent option.
disable	Disable DHCP relay agent option.

dhcp-relay-circuit-id

DHCP relay circuit ID.

string

Maximum length: 64

dhcp-relay-interface

Specify outgoing interface to reach server.

string

Maximum length: 15

dhcp-relay-interface-select-method

Specify how to select outgoing interface to reach server.

option

auto

Option	Description
auto	Set outgoing interface automatically.
sdwan	Set outgoing interface by SD-WAN or policy routing rules.
specify	Set outgoing interface manually.

dhcp-relay-ip

DHCP relay IP address.

user

Not Specified

dhcp-relay-link-selection

DHCP relay link selection.

ipv4-address

Not Specified

0.0.0.0

dhcp-relay-request-all-server

Enable/disable sending of DHCP requests to all servers.

option

disable

Option	Description
disable	Send DHCP requests only to a matching server.
enable	Send DHCP requests to all servers.

dhcp-relay-service

Enable/disable allowing this interface to act as a DHCP relay.

option

disable

Option	Description
disable	None.
enable	DHCP relay agent.

dhcp-relay-source-ip

IP address used by the DHCP relay as its source IP.

ipv4-address

Not Specified

0.0.0.0

dhcp-relay-type

DHCP relay type (regular or IPsec).

option

regular

Option	Description
regular	Regular DHCP relay.
ipsec	DHCP relay for IPsec.

dhcp-renew-time

DHCP renew time in seconds , 0 means use the renew time provided by the server.

integer

Minimum value: 300 Maximum value: 604800

dhcp-smart-relay

Enable/disable DHCP smart relay.

option

disable

Option	Description
disable	Disable DHCP smart relay.
enable	Enable DHCP smart relay.

disc-retry-timeout

Time in seconds to wait before retrying to start a PPPoE discovery, 0 means no timeout.

integer

Minimum value: 0 Maximum value: 4294967295

distance

Distance for routes learned through PPPoE or DHCP, lower distance indicates preferred route.

integer

Minimum value: 1 Maximum value: 255

dns-server-override

Enable/disable use DNS acquired by DHCP or PPPoE.

option

enable

Option	Description
enable	Use DNS acquired by DHCP or PPPoE.
disable	No not use DNS acquired by DHCP or PPPoE.

dns-server-protocol

DNS transport protocols.

option

cleartext

Option	Description
cleartext	DNS over UDP/53, DNS over TCP/53.
dot	DNS over TLS/853.
doh	DNS over HTTPS/443.

drop-fragment

Enable/disable drop fragment packets.

option

disable

Option	Description
enable	Enable/disable drop fragment packets.
disable	Do not drop fragment packets.

drop-overlapped-fragment

Enable/disable drop overlapped fragment packets.

option

disable

Option	Description
enable	Enable drop of overlapped fragment packets.
disable	Disable drop of overlapped fragment packets.

eap-ca-cert

EAP CA certificate name.

string

Maximum length: 79

eap-identity

EAP identity.

string

Maximum length: 35

eap-method

EAP method.

option

Option	Description
tls	TLS.
peap	PEAP.

eap-password

EAP password.

password

Not Specified

eap-supplicant

Enable/disable EAP-Supplicant.

option

disable

Option	Description
enable	Enable EAP Supplicant.
disable	Disable EAP Supplicant.

eap-user-cert

EAP user certificate name.

string

Maximum length: 35

egress-cos *

Override outgoing CoS in user VLAN tag.

option

disable

Option	Description
disable	Disable.
cos0	CoS 0.
cos1	CoS 1.
cos2	CoS 2.
cos3	CoS 3.
cos4	CoS 4.
cos5	CoS 5.
cos6	CoS 6.
cos7	CoS 7.

egress-shaping-profile

Outgoing traffic shaping profile.

string

Maximum length: 35

estimated-downstream-bandwidth

Estimated maximum downstream bandwidth (kbps). Used to estimate link utilization.

integer

Minimum value: 0 Maximum value: 4294967295

estimated-upstream-bandwidth

Estimated maximum upstream bandwidth (kbps). Used to estimate link utilization.

integer

Minimum value: 0 Maximum value: 4294967295

explicit-ftp-proxy

Enable/disable the explicit FTP proxy on this interface.

option

disable

Option	Description
enable	Enable explicit FTP proxy on this interface.
disable	Disable explicit FTP proxy on this interface.

explicit-web-proxy

Enable/disable the explicit web proxy on this interface.

option

disable

Option	Description
enable	Enable explicit Web proxy on this interface.
disable	Disable explicit Web proxy on this interface.

external

Enable/disable identifying the interface as an external interface (which usually means it's connected to the Internet).

option

disable

Option	Description
enable	Enable identifying the interface as an external interface.
disable	Disable identifying the interface as an external interface.

fail-action-on-extender

Action on FortiExtender when interface fail.

option

soft-restart

Option	Description
soft-restart	Soft-restart-on-extender.
hard-restart	Hard-restart-on-extender.
reboot	Reboot-on-extender.

fail-alert-interfaces <name>

Names of the FortiGate interfaces to which the link failure alert is sent.

Names of the non-virtual interface.

string

Maximum length: 15

fail-alert-method

Select link-failed-signal or link-down method to alert about a failed link.

option

link-down

Option	Description
link-failed-signal	Link-failed-signal.
link-down	Link-down.

fail-detect

Enable/disable fail detection features for this interface.

option

disable

Option	Description
enable	Enable interface failed option status.
disable	Disable interface failed option status.

fail-detect-option

Options for detecting that this interface has failed.

option

link-down

Option	Description
detectserver	Use a ping server to determine if the interface has failed.
link-down	Use port detection to determine if the interface has failed.

fortilink *

Enable FortiLink to dedicate this interface to manage other Fortinet devices.

option

disable

Option	Description
enable	Enable FortiLink to dedicated interface for managing FortiSwitch devices.
disable	Disable FortiLink to dedicated interface for managing FortiSwitch devices.

fortilink-backup-link

FortiLink split interface backup link.

integer

Minimum value: 0 Maximum value: 255

fortilink-neighbor-detect

Protocol for FortiGate neighbor discovery.

option

fortilink

Option	Description
lldp	Detect FortiLink neighbors using LLDP protocol.
fortilink	Detect FortiLink neighbors using FortiLink protocol.

fortilink-split-interface

Enable/disable FortiLink split interface to connect member link to different FortiSwitch in stack for uplink redundancy.

option

enable

Option	Description
enable	Enable FortiLink split interface to connect member link to different FortiSwitch in stack for uplink redundancy.
disable	Disable FortiLink split interface.

forward-domain

Transparent mode forward domain.

integer

Minimum value: 0 Maximum value: 2147483647

forward-error-correction *

Configure forward error correction (FEC).

option

none

Option	Description
none	none
disable	Disable forward error correction (FEC).
cl91-rs-fec	Reed-Solomon (FEC CL91).
cl74-fc-fec	Fire-Code (FEC CL74).
auto	Negotaite forward error correction (FEC).

gateway-address *

Gateway address.

ipv4-address

Not Specified

0.0.0.0

gi-gk *

Enable/disable Gi Gatekeeper.

option

disable

Option	Description
enable	enable Gi Gatekeeper
disable	disable Gi Gatekeeper

gwaddr *

Gateway address.

ipv4-address

Not Specified

0.0.0.0

gwdetect

Enable/disable detect gateway alive for first.

option

disable

Option	Description
enable	Enable detect gateway alive for first.
disable	Disable detect gateway alive for first.

ha-priority

HA election priority for the PING server.

integer

Minimum value: 1 Maximum value: 50

icmp-accept-redirect

Enable/disable ICMP accept redirect.

option

enable

Option	Description
enable	Enable ICMP accept redirect.
disable	Disable ICMP accept redirect.

icmp-send-redirect

Enable/disable sending of ICMP redirects.

option

enable

Option	Description
enable	Enable sending of ICMP redirects.
disable	Disable sending of ICMP redirects.

ident-accept

Enable/disable authentication for this interface.

option

disable

Option	Description
enable	Enable determining a user's identity from packet identification.
disable	Disable determining a user's identity from packet identification.

idle-timeout

PPPoE auto disconnect after idle timeout seconds, 0 means no timeout.

integer

Minimum value: 0 Maximum value: 32767

ike-saml-server

Configure IKE authentication SAML server.

string

Maximum length: 35

inbandwidth

Bandwidth limit for incoming traffic , 0 means unlimited.

integer

Minimum value: 0 Maximum value: 80000000 **

ingress-cos *

Override incoming CoS in user VLAN tag on VLAN interface or assign a priority VLAN tag on physical interface.

option

disable

Option	Description
disable	Disable.
cos0	CoS 0.
cos1	CoS 1.
cos2	CoS 2.
cos3	CoS 3.
cos4	CoS 4.
cos5	CoS 5.
cos6	CoS 6.
cos7	CoS 7.

ingress-shaping-profile

Incoming traffic shaping profile.

string

Maximum length: 35

ingress-spillover-threshold

Ingress Spillover threshold , 0 means unlimited.

integer

Minimum value: 0 Maximum value: 16776000

interconnect-profile *

Set interconnect profile.

option

default

Option	Description
default	default interconnect profile
profile1	interconnect profile1 [(10G & IC > 7m/20db-loss) or (25G/27G & IC < 1m)]
profile2	interconnect profile2 [(27G in AP (106G) Auto Profile)]

interface

Interface name.

string

Maximum length: 15

internal

Implicitly created.

integer

Minimum value: 0 Maximum value: 255

Interface IPv4 address and subnet mask, syntax: X.X.X.X/24.

ipv4-classnet-host

Not Specified

0.0.0.0 0.0.0.0

ip-managed-by-fortiipam

Enable/disable automatic IP address assignment of this interface by FortiIPAM.

option

inherit-global

Option	Description
inherit-global	Control automatic IP address assignment status using the central FortiIPAM config.
enable	Enable automatic IP address assignment of this interface by FortiIPAM.
disable	Disable automatic IP address assignment of this interface by FortiIPAM.

ipmac

Enable/disable IP/MAC binding.

option

disable

Option	Description
enable	Enable IP/MAC binding.
disable	Disable IP/MAC binding.

ips-sniffer-mode

Enable/disable the use of this interface as a one-armed sniffer.

option

disable

Option	Description
enable	Enable IPS sniffer mode.
disable	Disable IPS sniffer mode.

ipunnumbered

Unnumbered IP used for PPPoE interfaces for which no unique local address is provided.

ipv4-address

Not Specified

0.0.0.0

l2forward

Enable/disable l2 forwarding.

option

disable

Option	Description
enable	Enable L2 forwarding.
disable	Disable L2 forwarding.

l2tp-client *

Enable/disable this interface as a Layer 2 Tunnelling Protocol (L2TP) client.

option

disable

Option	Description
enable	Enable L2TP client.
disable	Disable L2TP client.

lacp-ha-secondary

LACP HA secondary member.

option

enable

Option	Description
enable	Allow HA secondary member to send/receive LACP messages.
disable	Block HA secondary member from sending/receiving LACP messages.

lacp-mode

LACP mode.

option

active

Option	Description
static	Use static aggregation, do not send and ignore any LACP messages.
passive	Passively use LACP to negotiate 802.3ad aggregation.
active	Actively use LACP to negotiate 802.3ad aggregation.

lacp-speed

How often the interface sends LACP messages.

option

slow

Option	Description
slow	Send LACP message every 30 seconds.
fast	Send LACP message every second.

lcp-echo-interval

Time in seconds between PPPoE Link Control Protocol (LCP) echo requests.

integer

Minimum value: 0 Maximum value: 32767

lcp-max-echo-fails

Maximum missed LCP echo messages before disconnect.

integer

Minimum value: 0 Maximum value: 32767

link-up-delay

Number of milliseconds to wait before considering a link is up.

integer

Minimum value: 50 Maximum value: 3600000

lldp-network-policy

LLDP-MED network policy profile.

string

Maximum length: 35

lldp-reception

Enable/disable Link Layer Discovery Protocol (LLDP) reception.

option

vdom

Option	Description
enable	Enable reception of Link Layer Discovery Protocol (LLDP).
disable	Disable reception of Link Layer Discovery Protocol (LLDP).
vdom	Use VDOM Link Layer Discovery Protocol (LLDP) reception configuration setting.

lldp-transmission

Enable/disable Link Layer Discovery Protocol (LLDP) transmission.

option

vdom

Option	Description
enable	Enable transmission of Link Layer Discovery Protocol (LLDP).
disable	Disable transmission of Link Layer Discovery Protocol (LLDP).
vdom	Use VDOM Link Layer Discovery Protocol (LLDP) transmission configuration setting.

macaddr

Change the interface's MAC address.

mac-address

Not Specified

00:00:00:00:00:00

managed-subnetwork-size

Number of IP addresses to be allocated by FortiIPAM and used by this FortiGate unit's DHCP server settings.

option

256

Option	Description
32	Allocate a subnet with 32 IP addresses.
64	Allocate a subnet with 64 IP addresses.
128	Allocate a subnet with 128 IP addresses.
256	Allocate a subnet with 256 IP addresses.
512	Allocate a subnet with 512 IP addresses.
1024	Allocate a subnet with 1024 IP addresses.
2048	Allocate a subnet with 2048 IP addresses.
4096	Allocate a subnet with 4096 IP addresses.
8192	Allocate a subnet with 8192 IP addresses.
16384	Allocate a subnet with 16384 IP addresses.
32768	Allocate a subnet with 32768 IP addresses.
65536	Allocate a subnet with 65536 IP addresses.

management-ip

High Availability in-band management IP address of this interface.

ipv4-classnet-host

Not Specified

0.0.0.0 0.0.0.0

measured-downstream-bandwidth

Measured downstream bandwidth (kbps).

integer

Minimum value: 0 Maximum value: 4294967295

measured-upstream-bandwidth

Measured upstream bandwidth (kbps).

integer

Minimum value: 0 Maximum value: 4294967295

mediatype *

Select SFP media interface type

option

serdes-sfp **

Option	Description
serdes-sfp	SFP using SerDes Media Interface
sgmii-sfp	SFP using SGMII Media Interface
serdes-copper-sfp	Copper SFP using SerDes media Interface.

member <interface-name>

Physical interfaces that belong to the aggregate or redundant interface.

Physical interface name.

string

Maximum length: 79

min-links

Minimum number of aggregated ports that must be up.

integer

Minimum value: 1 Maximum value: 32

min-links-down

Action to take when less than the configured minimum number of links are active.

option

operational

Option	Description
operational	Set the aggregate operationally down.
administrative	Set the aggregate administratively down.

mirroring-direction *

Port mirroring direction.

option

Option	Description
rx	Port mirroring receive direction only.
tx	Port mirroring transmit direction only.
both	Port mirroring both directions.

mirroring-port *

Mirroring port.

string

Maximum length: 15

mode

Addressing mode (static, DHCP, PPPoE).

option

static

Option	Description
static	Static setting.
dhcp	External DHCP client mode.
pppoe	External PPPoE mode.

monitor-bandwidth

Enable monitoring bandwidth on this interface.

option

disable

Option	Description
enable	Enable monitoring bandwidth on this interface.
disable	Disable monitoring bandwidth on this interface.

mtu

MTU value for this interface.

integer

Minimum value: 0 Maximum value: 4294967295

1500

mtu-override

Enable to set a custom MTU for this interface.

option

disable

Option	Description
enable	Override default MTU.
disable	Use default MTU.

mux-type *

Multiplexer type.

option

llc-encaps

Option	Description
llc-encaps	LLC encapsulation.
vc-encaps	VC encapsulation.

name

Name.

string

Maximum length: 15

ndiscforward

Enable/disable NDISC forwarding.

option

enable

Option	Description
enable	Enable NDISC forwarding.
disable	Disable NDISC forwarding.

netbios-forward

Enable/disable NETBIOS forwarding.

option

disable

Option	Description
disable	Disable NETBIOS forwarding.
enable	Enable NETBIOS forwarding.

netflow-sampler

Enable/disable NetFlow on this interface and set the data that NetFlow collects (rx, tx, or both).

option

disable

Option	Description
disable	Disable NetFlow protocol on this interface.
tx	Monitor transmitted traffic on this interface.
rx	Monitor received traffic on this interface.
both	Monitor transmitted/received traffic on this interface.

np-qos-profile *

NP QoS profile ID.

integer

Minimum value: 0 Maximum value: 15

outbandwidth

Bandwidth limit for outgoing traffic.

integer

Minimum value: 0 Maximum value: 80000000 **

padt-retry-timeout

PPPoE Active Discovery Terminate (PADT) used to terminate sessions after an idle time.

integer

Minimum value: 0 Maximum value: 4294967295

password

PPPoE account's password.

password

Not Specified

phy-mode *

DSL physical mode.

option

vdsl

Option	Description
vdsl	VDSL.

ping-serv-status

PING server status.

integer

Minimum value: 0 Maximum value: 255

poe *

Enable/disable PoE status.

option

enable

Option	Description
enable	Enable PoE status.
disable	Disable PoE status.

polling-interval

sFlow polling interval in seconds.

integer

Minimum value: 1 Maximum value: 255

port-mirroring *

Enable/disable NP port mirroring.

option

disable

Option	Description
disable	Disable NP port mirroring.
enable	Enable NP port mirroring.

pppoe-unnumbered-negotiate

Enable/disable PPPoE unnumbered negotiation.

option

enable

Option	Description
enable	Enable IP address negotiating for unnumbered.
disable	Disable IP address negotiating for unnumbered.

pptp-auth-type

PPTP authentication type.

option

auto

Option	Description
auto	Automatically choose authentication.
pap	PAP authentication.
chap	CHAP authentication.
mschapv1	MS-CHAPv1 authentication.
mschapv2	MS-CHAPv2 authentication.

pptp-client

Enable/disable PPTP client.

option

disable

Option	Description
enable	Enable PPTP client.
disable	Disable PPTP client.

pptp-password

PPTP password.

password

Not Specified

pptp-server-ip

PPTP server IP address.

ipv4-address

Not Specified

0.0.0.0

pptp-timeout

Idle timer in minutes (0 for disabled).

integer

Minimum value: 0 Maximum value: 65535

pptp-user

PPTP user name.

string

Maximum length: 64

preserve-session-route

Enable/disable preservation of session route when dirty.

option

disable

Option	Description
enable	Enable preservation of session route when dirty.
disable	Disable preservation of session route when dirty.

priority

Priority of learned routes.

integer

Minimum value: 1 Maximum value: 65535

priority-override

Enable/disable fail back to higher priority port once recovered.

option

enable

Option	Description
enable	Enable fail back to higher priority port once recovered.
disable	Disable fail back to higher priority port once recovered.

proxy-captive-portal

Enable/disable proxy captive portal on this interface.

option

disable

Option	Description
enable	Enable proxy captive portal on this interface.
disable	Disable proxy captive portal on this interface.

pvc-atm-qos *

SFP-DSL ADSL Fallback PVC ATM QoS.

option

cbr

Option	Description
cbr	ATM QoS CBR.
rt-vbr	ATM QoS rt-VBR.
nrt-vbr	ATM QoS nrt-VBR.
cbr	ATM QoS CCBR.

pvc-chan *

SFP-DSL ADSL Fallback PVC Channel.

integer

Minimum value: 0 Maximum value: 7

pvc-crc *

SFP-DSL ADSL Fallback PVC CRC Option: bit0: sar LLC preserve, bit1: ream LLC preserve, bit2: ream VC-MUX has crc.

integer

Minimum value: 0 Maximum value: 7

pvc-pcr *

SFP-DSL ADSL Fallback PVC Packet Cell Rate in cells.

integer

Minimum value: 0 Maximum value: 5500

pvc-scr *

SFP-DSL ADSL Fallback PVC Sustainable Cell Rate in cells.

integer

Minimum value: 0 Maximum value: 5500

pvc-vlan-id *

SFP-DSL ADSL Fallback PVC VLAN ID.

integer

Minimum value: 1 Maximum value: 4094

pvc-vlan-rx-id *

SFP-DSL ADSL Fallback PVC VLANID RX.

integer

Minimum value: 1 Maximum value: 4094

pvc-vlan-rx-op *

SFP-DSL ADSL Fallback PVC VLAN RX op.

option

pass-through

Option	Description
pass-through	PVC VLAN Tag Passthrough.
replace	PVC VLAN Tag Replace.
remove	PVC VLAN Tag Remove.

pvc-vlan-tx-id *

SFP-DSL ADSL Fallback PVC VLAN ID TX.

integer

Minimum value: 1 Maximum value: 4094

pvc-vlan-tx-op *

SFP-DSL ADSL Fallback PVC VLAN TX op.

option

remove

Option	Description
pass-through	PVC VLAN Tag Passthrough.
replace	PVC VLAN Tag Replace.
remove	PVC VLAN Tag Remove.

reachable-time

IPv4 reachable time in milliseconds.

integer

Minimum value: 30000 Maximum value: 3600000

30000

redundant-interface

Redundant interface.

string

Maximum length: 15

remote-ip

Remote IP address of tunnel.

ipv4-classnet-host

Not Specified

0.0.0.0 0.0.0.0

replacemsg-override-group

Replacement message override group.

string

Maximum length: 35

retransmission *

Enable/disable DSL retransmission.

option

enable

Option	Description
disable	Disable retransmission.
enable	Enable retransmission.

ring-rx *

RX ring size.

integer

Minimum value: 0 Maximum value: 4294967295

ring-tx *

TX ring size.

integer

Minimum value: 0 Maximum value: 4294967295

role

Interface role.

option

undefined

Option	Description
lan	Connected to local network of endpoints.
wan	Connected to Internet.
dmz	Connected to server zone.
undefined	Interface has no specific role.

sample-direction

Data that NetFlow collects (rx, tx, or both).

option

both

Option	Description
tx	Monitor transmitted traffic on this interface.
rx	Monitor received traffic on this interface.
both	Monitor transmitted/received traffic on this interface.

sample-rate

sFlow sample rate.

integer

Minimum value: 10 Maximum value: 99999

2000

secondary-IP

Enable/disable adding a secondary IP to this interface.

option

disable

Option	Description
enable	Enable secondary IP.
disable	Disable secondary IP.

security-8021x-dynamic-vlan-id *

VLAN ID for virtual switch.

integer

Minimum value: 0 Maximum value: 4094

security-8021x-master *

802.1X master virtual-switch.

string

Maximum length: 15

security-8021x-member-mode *

802.1X member mode.

option

switch

Option	Description
switch	This member will use switch 802.1X configuration.
disable	This member will disable 802.1X configuration.

security-8021x-mode *

802.1X mode.

option

default

Option	Description
default	802.1X default mode.
dynamic-vlan	802.1X dynamic VLAN (master) mode.
fallback	802.1X fallback (master) mode.
slave	802.1X slave mode.

security-exempt-list

Name of security-exempt-list.

string

Maximum length: 35

security-external-logout

URL of external authentication logout server.

string

Maximum length: 127

security-external-web

URL of external authentication web server.

var-string

Maximum length: 1023

security-groups <name>

User groups that can authenticate with the captive portal.

Names of user groups that can authenticate with the captive portal.

string

Maximum length: 79

security-mac-auth-bypass

Enable/disable MAC authentication bypass.

option

disable

Option	Description
mac-auth-only	Enable MAC authentication bypass without EAP.
enable	Enable MAC authentication bypass.
disable	Disable MAC authentication bypass.

security-mode

Turn on captive portal authentication for this interface.

option

none

Option	Description
none	No security option.
captive-portal	Captive portal authentication.
802.1X	802.1X port-based authentication.

security-redirect-url

URL redirection after disclaimer/authentication.

var-string

Maximum length: 1023

service-name

PPPoE service name.

string

Maximum length: 63

sflow-sampler

Enable/disable sFlow on this interface.

option

disable

Option	Description
enable	Enable sFlow protocol on this interface.
disable	Disable sFlow protocol on this interface.

sfp-dsl *

Enable/disable SFP DSL.

option

disable

Option	Description
disable	Disable SFP DSL.
enable	Enable SFP DSL.

sfp-dsl-adsl-fallback *

Enable/disable SFP DSL ADSL fallback.

option

disable

Option	Description
disable	Disable SFP DSL ADSL fallback.
enable	Enable SFP DSL ADSL fallback.

sfp-dsl-autodetect *

Enable/disable SFP DSL MAC address autodetect.

option

enable

Option	Description
disable	Disable SFP DSL MAC address autodetect.
enable	Enable SFP DSL MAC address autodetect.

sfp-dsl-mac *

SFP DSL MAC address.

mac-address

Not Specified

00:00:00:00:00:00

snmp-index

Permanent SNMP Index of the interface.

integer

Minimum value: 1 Maximum value: 2147483647

speed

Interface speed. The default setting and the options available depend on the interface hardware.

option

auto

Option	Description
auto	Automatically adjust speed.
10full	10M full-duplex.
10half	10M half-duplex.
100full	100M full-duplex.
100half	100M half-duplex.
1000full	1000M full-duplex.
1000auto	1000M auto adjust.
10000full	10G full-duplex.
10000auto	10G auto.

spillover-threshold

Egress Spillover threshold , 0 means unlimited.

integer

Minimum value: 0 Maximum value: 16776000

src-check

Enable/disable source IP check.

option

enable

Option	Description
enable	Enable source IP check.
disable	Disable source IP check.

status

Bring the interface up or shut the interface down.

option

Option	Description
up	Bring the interface up.
down	Shut the interface down.

stp *

Enable/disable STP.

option

disable

Option	Description
disable	Disable STP.
enable	Enable STP.

stp-edge *

Enable/disable as STP edge port.

option

disable

Option	Description
disable	Disable STP edge port.
enable	Enable STP edge port.

stp-ha-secondary *

Control STP behavior on HA secondary.

option

priority-adjust

Option	Description
disable	Disable STP negotiation on HA secondary.
enable	Enable STP negotiation on HA secondary.
priority-adjust	Enable STP negotiation on HA secondary and make priority lower than HA primary.

stpforward

Enable/disable STP forwarding.

option

disable

Option	Description
enable	Enable STP forwarding.
disable	Disable STP forwarding.

stpforward-mode

Configure STP forwarding mode.

option

rpl-all-ext-id

Option	Description
rpl-all-ext-id	Replace all extension IDs (root, bridge).
rpl-bridge-ext-id	Replace the bridge extension ID only.
rpl-nothing	Replace nothing.

subst

Enable to always send packets from this interface to a destination MAC address.

option

disable

Option	Description
enable	Send packets from this interface.
disable	Do not send packets from this interface.

substitute-dst-mac

Destination MAC address that all packets are sent to from this interface.

mac-address

Not Specified

00:00:00:00:00:00

sw-algorithm *

Frame distribution algorithm for switch.

option

Option	Description
l2	Use layer 2 address for distribution.
l3	Use layer 3 address for distribution.
eh	Use enhanced hashing for distribution.

swc-first-create *

Initial create for switch-controller VLANs.

integer

Minimum value: 0 Maximum value: 4294967295

swc-vlan *

Creation status for switch-controller VLANs.

integer

Minimum value: 0 Maximum value: 4294967295

switch

Contained in switch.

string

Maximum length: 15

switch-controller-access-vlan *

Block FortiSwitch port-to-port traffic.

option

disable

Option	Description
enable	Block FortiSwitch port-to-port traffic on the VLAN, only permitting traffic to and from the FortiGate.
disable	Allow normal VLAN traffic.

switch-controller-arp-inspection *

Enable/disable FortiSwitch ARP inspection.

option

disable

Option	Description
enable	Enable ARP inspection for FortiSwitch devices.
disable	Disable ARP inspection for FortiSwitch devices.

switch-controller-dhcp-snooping *

Switch controller DHCP snooping.

option

disable

Option	Description
enable	Enable DHCP snooping for FortiSwitch devices.
disable	Disable DHCP snooping for FortiSwitch devices.

switch-controller-dhcp-snooping-option82 *

Switch controller DHCP snooping option82.

option

disable

Option	Description
enable	Enable DHCP snooping insert option82 for FortiSwitch devices.
disable	Disable DHCP snooping insert option82 for FortiSwitch devices.

switch-controller-dhcp-snooping-verify-mac *

Switch controller DHCP snooping verify MAC.

option

disable

Option	Description
enable	Enable DHCP snooping verify source MAC for FortiSwitch devices.
disable	Disable DHCP snooping verify source MAC for FortiSwitch devices.

switch-controller-dynamic *

Integrated FortiLink settings for managed FortiSwitch.

string

Maximum length: 35

switch-controller-feature *

Interface's purpose when assigning traffic (read only).

option

none

Option	Description
none	VLAN for generic purpose.
default-vlan	Default VLAN (native) assigned to all switch ports upon discovery.
quarantine	VLAN for quarantined traffic.
rspan	VLAN for RSPAN/ERSPAN mirrored traffic.
voice	VLAN dedicated for voice devices.
video	VLAN dedicated for camera devices.
nac	VLAN dedicated for NAC onboarding devices.
nac-segment	VLAN dedicated for NAC segment devices.

switch-controller-igmp-snooping *

Switch controller IGMP snooping.

option

disable

Option	Description
enable	Enable IGMP snooping.
disable	Disable IGMP snooping.

switch-controller-igmp-snooping-fast-leave *

Switch controller IGMP snooping fast-leave.

option

disable

Option	Description
enable	Enable IGMP snooping fast-leave.
disable	Disable IGMP snooping fast-leave.

switch-controller-igmp-snooping-proxy *

Switch controller IGMP snooping proxy.

option

disable

Option	Description
enable	Enable IGMP snooping proxy.
disable	Disable IGMP snooping proxy.

switch-controller-iot-scanning *

Enable/disable managed FortiSwitch IoT scanning.

option

disable

Option	Description
enable	Enable IoT scanning for managed FortiSwitch devices.
disable	Disable IoT scanning for managed FortiSwitch devices.

switch-controller-learning-limit *

Limit the number of dynamic MAC addresses on this VLAN.

integer

Minimum value: 0 Maximum value: 128

switch-controller-mgmt-vlan *

VLAN to use for FortiLink management purposes.

integer

Minimum value: 1 Maximum value: 4094

4094

switch-controller-nac *

Integrated FortiLink settings for managed FortiSwitch.

string

Maximum length: 35

switch-controller-netflow-collect *

NetFlow collection and processing.

option

disable

Option	Description
disable	Disable NetFlow collection.
enable	Enable NetFlow collection.

switch-controller-offload *

Enable/disable managed FortiSwitch routing offload.

option

disable

Option	Description
enable	Enable routing offload to managed FortiSwitch devices.
disable	Disable routing offload to managed FortiSwitch devices.

switch-controller-offload-gw *

Enable/disable managed FortiSwitch routing offload gateway.

option

disable

Option	Description
enable	Enable routing offload gateway to managed FortiSwitch devices.
disable	Disable routing offload gateway to managed FortiSwitch devices.

switch-controller-offload-ip *

IP for routing offload on FortiSwitch.

ipv4-address

Not Specified

0.0.0.0

switch-controller-rspan-mode *

Stop Layer2 MAC learning and interception of BPDUs and other packets on this interface.

option

disable

Option	Description
disable	Disable RSPAN passthrough mode on this VLAN interface.
enable	Enable RSPAN passthrough mode on this VLAN interface.

switch-controller-source-ip *

Source IP address used in FortiLink over L3 connections.

option

outbound

Option	Description
outbound	Source IP address is that of the outbound interface.
fixed	Source IP address is that of the FortiLink interface.

switch-controller-traffic-policy *

Switch controller traffic policy for the VLAN.

string

Maximum length: 63

system-id

Define a system ID for the aggregate interface.

mac-address

Not Specified

00:00:00:00:00:00

system-id-type

Method in which system ID is generated.

option

auto

Option	Description
auto	Use the MAC address of the first member.
user	User-defined system ID.

tc-mode *

DSL transfer mode.

option

ptm

Option	Description
ptm	Packet transfer mode.

tcp-mss

TCP maximum segment size. 0 means do not change segment size.

integer

Minimum value: 48 Maximum value: 65535

trunk *

Enable/disable VLAN trunk.

option

disable

Option	Description
enable	Enable VLAN trunk on this interface.
disable	Disable VLAN trunk on this interface.

trust-ip-1

Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts).

ipv4-classnet-any

Not Specified

0.0.0.0 0.0.0.0

trust-ip-2

Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts).

ipv4-classnet-any

Not Specified

0.0.0.0 0.0.0.0

trust-ip-3

Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts).

ipv4-classnet-any

Not Specified

0.0.0.0 0.0.0.0

trust-ip6-1

Trusted IPv6 host for dedicated management traffic (::/0 for all hosts).

ipv6-prefix

Not Specified

::/0

trust-ip6-2

Trusted IPv6 host for dedicated management traffic (::/0 for all hosts).

ipv6-prefix

Not Specified

::/0

trust-ip6-3

Trusted IPv6 host for dedicated management traffic (::/0 for all hosts).

ipv6-prefix

Not Specified

::/0

type

Interface type.

option

vlan

Option	Description
physical	Physical interface.
vlan	VLAN interface.
aggregate	Aggregate interface.
redundant	Redundant interface.
tunnel	Tunnel interface.
vdom-link	VDOM link interface.
loopback	Loopback interface.
switch	Software switch interface.
vap-switch	VAP interface.
wl-mesh	WLAN mesh interface.
fext-wan	FortiExtender interface.
vxlan	VXLAN interface.
geneve	GENEVE interface.
hdlc	T1/E1 interface.
switch-vlan	Switch VLAN interface.
emac-vlan	EMAC VLAN interface.
ssl	SSL VPN client interface.
lan-extension	LAN extension interface.

username

Username of the PPPoE account, provided by your ISP.

string

Maximum length: 64

vci *

Virtual Channel ID.

integer

Minimum value: 0 Maximum value: 65535

vdom

Interface is in this virtual domain (VDOM).

string

Maximum length: 31

vectoring *

Enable/disable DSL vectoring.

option

enable

Option	Description
disable	Disable vectoring.
enable	Enable vectoring.

vindex *

Switch control interface VLAN ID.

integer

Minimum value: 0 Maximum value: 65535

vlan-protocol

Ethernet protocol of VLAN.

option

8021q

Option	Description
8021q	IEEE 802.1Q.
8021ad	IEEE 802.1AD.

vlanforward

Enable/disable traffic forwarding between VLANs on this interface.

option

disable

Option	Description
enable	Enable traffic forwarding.
disable	Disable traffic forwarding.

vlanid

VLAN ID.

integer

Minimum value: 1 Maximum value: 4094

vpi *

Virtual Path ID.

integer

Minimum value: 0 Maximum value: 255

vrf

Virtual Routing Forwarding ID.

integer

Minimum value: 0 Maximum value: 251

vrrp-virtual-mac

Enable/disable use of virtual MAC for VRRP.

option

disable

Option	Description
enable	Enable use of virtual MAC for VRRP.
disable	Disable use of virtual MAC for VRRP.

wccp

Enable/disable WCCP on this interface. Used for encapsulated WCCP communication between WCCP clients and servers.

option

disable

Option	Description
enable	Enable WCCP protocol on this interface.
disable	Disable WCCP protocol on this interface.

weight

Default weight for static routes (if route has no weight configured).

integer

Minimum value: 0 Maximum value: 255

wifi-5g-threshold *

Minimal signal strength to be considered as a good 5G AP.

string

Maximum length: 7

-78

wifi-acl *

Access control for MAC addresses in the MAC list.

option

deny

Option	Description
allow	Allow.
deny	Deny.

wifi-ap-band *

How to select the AP to connect.

option

any

Option	Description
any	Connect to the best 2G or 5G AP.
5g-preferred	Connect to the 5G AP if a good 5G AP exists.
5g-only	Only connect to the 5G AP.

wifi-auth *

WiFi authentication.

option

PSK

Option	Description
PSK	PSK.
radius	RADIUS.
usergroup	User group.

wifi-auto-connect *

Enable/disable WiFi network auto connect.

option

enable

Option	Description
enable	Enable WiFi network auto connect.
disable	Disable WiFi network auto connect.

wifi-auto-save *

Enable/disable WiFi network automatic save.

option

disable

Option	Description
enable	Enable WiFi network automatic save.
disable	Disable WiFi network automatic save.

wifi-broadcast-ssid *

Enable/disable SSID broadcast in the beacon.

option

enable

Option	Description
enable	Enable SSID broadcast in the beacon.
disable	Disable SSID broadcast in the beacon.

wifi-dns-server1 *

DNS server 1.

ipv4-address

Not Specified

0.0.0.0

wifi-dns-server2 *

DNS server 2.

ipv4-address

Not Specified

0.0.0.0

wifi-encrypt *

Data encryption.

option

AES

Option	Description
TKIP	TKIP.
AES	AES.

wifi-fragment-threshold *

WiFi fragment threshold.

integer

Minimum value: 800 Maximum value: 2346

2346

wifi-gateway *

IPv4 default gateway IP address.

ipv4-address

Not Specified

0.0.0.0

wifi-key *

WiFi WEP Key.

password

Not Specified

wifi-keyindex *

WEP key index.

integer

Minimum value: 1 Maximum value: 4

wifi-mac-filter *

Enable/disable MAC filter status.

option

disable

Option	Description
enable	Enable MAC filter.
disable	Disable MAC filter.

wifi-passphrase *

WiFi pre-shared key for WPA.

password

Not Specified

wifi-radius-server *

WiFi RADIUS server for WPA.

string

Maximum length: 35

wifi-rts-threshold *

WiFi RTS threshold.

integer

Minimum value: 256 Maximum value: 2346

2346

wifi-security *

Wireless access security of SSID.

option

wpa-personal

Option	Description
open	Open.
wep64	WEP64.
wep128	WEP128.
wpa-personal	WPA personal.
wpa-enterprise	WPA enterprise.
wpa-only-personal	WPA personal only.
wpa-only-enterprise	WPA enterprise only.
wpa2-only-personal	WPA2 personal only.
wpa2-only-enterprise	WPA2 enterprise only.

wifi-ssid *

IEEE 802.11 Service Set Identifier.

string

Maximum length: 32

fortinet

wifi-usergroup *

WiFi user group for WPA.

string

Maximum length: 35

wins-ip

WINS server IP.

ipv4-address

Not Specified

0.0.0.0

* This parameter may not exist in some models.

** Values may differ between models.

config client-options

Parameter

Description

Type

Size

Default

ID.

integer

Minimum value: 0 Maximum value: 4294967295

code

DHCP client option code.

integer

Minimum value: 0 Maximum value: 255

type

DHCP client option type.

option

hex

Option	Description
hex	DHCP option in hex.
string	DHCP option in string.
ip	DHCP option in IP.
fqdn	DHCP option in domain search option format.

value

DHCP client option value.

string

Maximum length: 312

DHCP option IPs.

user

Not Specified

config dhcp-snooping-server-list

Parameter	Description	Type	Size	Default
name	DHCP server name.	string	Maximum length: 35	default
server-ip	IP address for DHCP server.	ipv4-address	Not Specified	0.0.0.0

config egress-queues

Parameter	Description	Type	Size
cos0	CoS profile name for CoS 0.	string	Maximum length: 35
cos1	CoS profile name for CoS 1.	string	Maximum length: 35
cos2	CoS profile name for CoS 2.	string	Maximum length: 35
cos3	CoS profile name for CoS 3.	string	Maximum length: 35
cos4	CoS profile name for CoS 4.	string	Maximum length: 35
cos5	CoS profile name for CoS 5.	string	Maximum length: 35
cos6	CoS profile name for CoS 6.	string	Maximum length: 35
cos7	CoS profile name for CoS 7.	string	Maximum length: 35

config ipv6

Parameter

Description

Type

Size

Default

ip6-mode

Addressing mode (static, DHCP, delegated).

option

static

Option	Description
static	Static setting.
dhcp	DHCPv6 client mode.
pppoe	IPv6 over PPPoE mode.
delegated	IPv6 address with delegated prefix.

nd-mode

Neighbor discovery mode.

option

basic

Option	Description
basic	Do not support SEND.
SEND-compatible	Support SEND.

nd-cert

Neighbor discovery certificate.

string

Maximum length: 35

nd-security-level

Neighbor discovery security level.

integer

Minimum value: 0 Maximum value: 7

nd-timestamp-delta

Neighbor discovery timestamp delta value.

integer

Minimum value: 1 Maximum value: 3600

300

nd-timestamp-fuzz

Neighbor discovery timestamp fuzz factor.

integer

Minimum value: 1 Maximum value: 60

nd-cga-modifier

Neighbor discovery CGA modifier.

user

Not Specified

ip6-dns-server-override

Enable/disable using the DNS server acquired by DHCP.

option

enable

Option	Description
enable	Enable using the DNS server acquired by DHCP.
disable	Disable using the DNS server acquired by DHCP.

ip6-address

Primary IPv6 address prefix. Syntax: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx.

ipv6-prefix

Not Specified

::/0

ip6-allowaccess

Allow management access to the interface.

option

Option	Description
ping	PING access.
https	HTTPS access.
ssh	SSH access.
snmp	SNMP access.
http	HTTP access.
telnet	TELNET access.
fgfm	FortiManager access.
fabric	Fabric access.

ip6-send-adv

Enable/disable sending advertisements about the interface.

option

disable

Option	Description
enable	Enable sending advertisements about this interface.
disable	Disable sending advertisements about this interface.

icmp6-send-redirect

Enable/disable sending of ICMPv6 redirects.

option

enable

Option	Description
enable	Enable sending of ICMPv6 redirects.
disable	Disable sending of ICMPv6 redirects.

ip6-manage-flag

Enable/disable the managed flag.

option

disable

Option	Description
enable	Enable the managed IPv6 flag.
disable	Disable the managed IPv6 flag.

ip6-other-flag

Enable/disable the other IPv6 flag.

option

disable

Option	Description
enable	Enable the other IPv6 flag.
disable	Disable the other IPv6 flag.

ip6-max-interval

IPv6 maximum interval (4 to 1800 sec).

integer

Minimum value: 4 Maximum value: 1800

600

ip6-min-interval

IPv6 minimum interval (3 to 1350 sec).

integer

Minimum value: 3 Maximum value: 1350

198

ip6-link-mtu

IPv6 link MTU.

integer

Minimum value: 1280 Maximum value: 16000

ra-send-mtu

Enable/disable sending link MTU in RA packet.

option

enable

Option	Description
enable	Enable sending link MTU in RA packet.
disable	Disable sending link MTU in RA packet.

ip6-reachable-time

IPv6 reachable time (milliseconds; 0 means unspecified).

integer

Minimum value: 0 Maximum value: 3600000

ip6-retrans-time

IPv6 retransmit time (milliseconds; 0 means unspecified).

integer

Minimum value: 0 Maximum value: 4294967295

ip6-default-life

Default life (sec).

integer

Minimum value: 0 Maximum value: 9000

1800

ip6-hop-limit

Hop limit (0 means unspecified).

integer

Minimum value: 0 Maximum value: 255

autoconf

Enable/disable address auto config.

option

disable

Option	Description
enable	Enable auto-configuration.
disable	Disable auto-configuration.

unique-autoconf-addr

Enable/disable unique auto config address.

option

disable

Option	Description
enable	Enable unique auto-configuration address.
disable	Disable unique auto-configuration address.

interface-identifier

IPv6 interface identifier.

ipv6-address

Not Specified

ip6-prefix-mode

Assigning a prefix from DHCP or RA.

option

dhcp6

Option	Description
dhcp6	Use delegated prefix from a DHCPv6 client to form a delegated IPv6 address.
ra	Use prefix from RA to form a delegated IPv6 address.

ip6-delegated-prefix-iaid

IAID of obtained delegated-prefix from the upstream interface.

integer

Minimum value: 0 Maximum value: 4294967295

ip6-upstream-interface

Interface name providing delegated information.

string

Maximum length: 15

ip6-subnet

Subnet to routing prefix. Syntax: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx.

ipv6-prefix

Not Specified

::/0

dhcp6-relay-service

Enable/disable DHCPv6 relay.

option

disable

Option	Description
disable	Disable DHCPv6 relay
enable	Enable DHCPv6 relay.

dhcp6-relay-type

DHCPv6 relay type.

option

regular

Option	Description
regular	Regular DHCP relay.

dhcp6-relay-source-interface

Enable/disable use of address on this interface as the source address of the relay message.

option

disable

Option	Description
disable	Use address of the egress interface as source address of the relay message.
enable	Use address of this interface as source address of the relay message.

dhcp6-relay-ip

DHCPv6 relay IP address.

user

Not Specified

dhcp6-relay-source-ip

IPv6 address used by the DHCP6 relay as its source IP.

ipv6-address

Not Specified

dhcp6-relay-interface-id

DHCP6 relay interface ID.

string

Maximum length: 64

dhcp6-client-options

DHCPv6 client options.

option

Option	Description
rapid	Send rapid commit option.
iapd	Send including IA-PD option.
iana	Send including IA-NA option.

dhcp6-prefix-delegation

Enable/disable DHCPv6 prefix delegation.

option

disable

Option	Description
enable	Enable DHCPv6 prefix delegation.
disable	Disable DHCPv6 prefix delegation.

dhcp6-information-request

Enable/disable DHCPv6 information request.

option

disable

Option	Description
enable	Enable DHCPv6 information request.
disable	Disable DHCPv6 information request.

cli-conn6-status

CLI IPv6 connection status.

integer

Minimum value: 0 Maximum value: 4294967295

vrrp-virtual-mac6

Enable/disable virtual MAC for VRRP.

option

disable

Option	Description
enable	Enable virtual MAC for VRRP.
disable	Disable virtual MAC for VRRP.

vrip6_link_local

Link-local IPv6 address of virtual router.

ipv6-address

Not Specified

config ip6-extra-addr

Parameter	Description	Type	Size	Default
prefix	IPv6 address prefix.	ipv6-prefix	Not Specified	::/0

config ip6-prefix-list

Parameter

Description

Type

Size

Default

prefix

IPv6 prefix.

ipv6-network

Not Specified

::/0

autonomous-flag

Enable/disable the autonomous flag.

option

enable

Option	Description
enable	Enable the autonomous flag.
disable	Disable the autonomous flag.

onlink-flag

Enable/disable the onlink flag.

option

enable

Option	Description
enable	Enable the onlink flag.
disable	Disable the onlink flag.

valid-life-time

Valid life time (sec).

integer

Minimum value: 0 Maximum value: 4294967295

2592000

preferred-life-time

Preferred life time (sec).

integer

Minimum value: 0 Maximum value: 4294967295

604800

rdnss

Recursive DNS server option.

user

Not Specified

dnssl <domain>

DNS search list option.

Domain name.

string

Maximum length: 79

config ip6-delegated-prefix-list

Parameter

Description

Type

Size

Default

prefix-id

Prefix ID.

integer

Minimum value: 0 Maximum value: 4294967295

upstream-interface

Name of the interface that provides delegated information.

string

Maximum length: 15

delegated-prefix-iaid

IAID of obtained delegated-prefix from the upstream interface.

integer

Minimum value: 0 Maximum value: 4294967295

autonomous-flag

Enable/disable the autonomous flag.

option

enable

Option	Description
enable	Enable the autonomous flag.
disable	Disable the autonomous flag.

onlink-flag

Enable/disable the onlink flag.

option

enable

Option	Description
enable	Enable the onlink flag.
disable	Disable the onlink flag.

subnet

Add subnet ID to routing prefix.

ipv6-network

Not Specified

::/0

rdnss-service

Recursive DNS service option.

option

specify

Option	Description
delegated	Delegated RDNSS settings.
default	System RDNSS settings.
specify	Specify recursive DNS servers.

rdnss

Recursive DNS server option.

user

Not Specified

config dhcp6-iapd-list

Parameter	Description	Type	Size	Default
iaid	Identity association identifier.	integer	Minimum value: 0 Maximum value: 4294967295	0
prefix-hint	DHCPv6 prefix that will be used as a hint to the upstream DHCPv6 server.	ipv6-network	Not Specified	::/0
prefix-hint-plt	DHCPv6 prefix hint preferred life time (sec), 0 means unlimited lease time.	integer	Minimum value: 0 Maximum value: 4294967295	604800
prefix-hint-vlt	DHCPv6 prefix hint valid life time (sec).	integer	Minimum value: 0 Maximum value: 4294967295	2592000

config vrrp6

Parameter

Description

Type

Size

Default

vrid

Virtual router identifier.

integer

Minimum value: 1 Maximum value: 255

vrgrp

VRRP group ID.

integer

Minimum value: 1 Maximum value: 65535

vrip6

IPv6 address of the virtual router.

ipv6-address

Not Specified

priority

Priority of the virtual router.

integer

Minimum value: 1 Maximum value: 255

100

adv-interval

Advertisement interval.

integer

Minimum value: 1 Maximum value: 255

start-time

Startup time.

integer

Minimum value: 1 Maximum value: 255

preempt

Enable/disable preempt mode.

option

enable

Option	Description
enable	Enable preempt mode.
disable	Disable preempt mode.

accept-mode

Enable/disable accept mode.

option

enable

Option	Description
enable	Enable accept mode.
disable	Disable accept mode.

vrdst6

Monitor the route to this destination.

ipv6-address

Not Specified

ignore-default-route

Enable/disable ignoring of default route when checking destination.

option

disable

Option	Description
enable	Ignore default route when checking destination.
disable	Do not ignore default route when checking destination.

status

Enable/disable VRRP.

option

enable

Option	Description
enable	Enable VRRP.
disable	Disable VRRP.

config l2tp-client-settings

Parameter

Description

Type

Size

Default

user

L2TP user name.

string

Maximum length: 127

password

L2TP password.

password

Not Specified

peer-host

L2TP peer host address.

string

Maximum length: 255

peer-mask

L2TP peer mask.

ipv4-netmask

Not Specified

255.255.255.255

peer-port

L2TP peer port number.

integer

Minimum value: 1 Maximum value: 65535

1701

auth-type

L2TP authentication type.

option

auto

Option	Description
auto	Automatically choose authentication.
pap	PAP authentication.
chap	CHAP authentication.
mschapv1	MS-CHAPv1 authentication.
mschapv2	MS-CHAPv2 authentication.

mtu

L2TP MTU.

integer

Minimum value: 40 Maximum value: 65535

1460

distance

Distance of learned routes.

integer

Minimum value: 1 Maximum value: 255

priority

Priority of learned routes.

integer

Minimum value: 1 Maximum value: 65535

defaultgw

Enable/disable default gateway.

option

disable

Option	Description
enable	Enable default gateway.
disable	Disable default gateway.

IP.

ipv4-classnet-host

Not Specified

0.0.0.0 0.0.0.0

hello-interval

L2TP hello message interval in seconds.

integer

Minimum value: 0 Maximum value: 3600

config mirroring-filter

Parameter	Description	Type	Size	Default
filter-srcip	Source IP and mask of mirroring filter.	ipv4-classnet-host	Not Specified	0.0.0.0 0.0.0.0
filter-dstip	Destinatin IP and mask of mirroring filter.	ipv4-classnet-host	Not Specified	0.0.0.0 0.0.0.0
filter-sport	Source port of mirroring filter.	integer	Minimum value: 0 Maximum value: 65535	0
filter-dport	Destinatin port of mirroring filter.	integer	Minimum value: 0 Maximum value: 65535	0
filter-protocol	Protocol of mirroring filter.	integer	Minimum value: 0 Maximum value: 255	0

config secondaryip

Parameter

Description

Type

Size

Default

ID.

integer

Minimum value: 0 Maximum value: 4294967295

Secondary IP address of the interface.

ipv4-classnet-host

Not Specified

0.0.0.0 0.0.0.0

secip-relay-ip

DHCP relay IP address.

user

Not Specified

allowaccess

Management access settings for the secondary IP address.

option

Option	Description
ping	PING access.
https	HTTPS access.
ssh	SSH access.
snmp	SNMP access.
http	HTTP access.
telnet	TELNET access.
fgfm	FortiManager access.
radius-acct	RADIUS accounting access.
probe-response	Probe access.
fabric	Security Fabric access.
ftm	FTM access.
speed-test	Speed test access.

gwdetect

Enable/disable detect gateway alive for first.

option

disable

Option	Description
enable	Enable detect gateway alive for first.
disable	Disable detect gateway alive for first.

ping-serv-status

PING server status.

integer

Minimum value: 0 Maximum value: 255

detectserver

Gateway's ping server for this IP.

user

Not Specified

detectprotocol

Protocols used to detect the server.

option

ping

Option	Description
ping	PING.
tcp-echo	TCP echo.
udp-echo	UDP echo.

ha-priority

HA election priority for the PING server.

integer

Minimum value: 1 Maximum value: 50

config tagging

Parameter

Description

Type

Size

Default

name

Tagging entry name.

string

Maximum length: 63

config vrrp

Parameter

Description

Type

Size

Default

vrid

Virtual router identifier.

integer

Minimum value: 1 Maximum value: 255

version

VRRP version.

option

Option	Description
2	VRRP version 2.
3	VRRP version 3.

vrgrp

VRRP group ID.

integer

Minimum value: 1 Maximum value: 65535

vrip

IP address of the virtual router.

ipv4-address-any

Not Specified

0.0.0.0

priority

Priority of the virtual router.

integer

Minimum value: 1 Maximum value: 255

100

adv-interval

Advertisement interval.

integer

Minimum value: 1 Maximum value: 255

start-time

Startup time.

integer

Minimum value: 1 Maximum value: 255

preempt

Enable/disable preempt mode.

option

enable

Option	Description
enable	Enable preempt mode.
disable	Disable preempt mode.

accept-mode

Enable/disable accept mode.

option

enable

Option	Description
enable	Enable accept mode.
disable	Disable accept mode.

vrdst

Monitor the route to this destination.

ipv4-address-any

Not Specified

vrdst-priority

Priority of the virtual router when the virtual router destination becomes unreachable.

integer

Minimum value: 0 Maximum value: 254

ignore-default-route

Enable/disable ignoring of default route when checking destination.

option

disable

Option	Description
enable	Ignore default route when checking destination.
disable	Do not ignore default route when checking destination.

status

Enable/disable this VRRP configuration.

option

enable

Option	Description
enable	Enable this VRRP configuration.
disable	Disable this VRRP configuration.

config proxy-arp

Parameter	Description	Type	Size	Default
id	ID.	integer	Minimum value: 0 Maximum value: 4294967295	0
ip	Set IP addresses of proxy ARP.	user	Not Specified

config wifi-mac-list

Parameter	Description	Type	Size	Default
id	ID.	integer	Minimum value: 0 Maximum value: 4294967295	0
mac	MAC address.	mac-address	Not Specified	00:00:00:00:00:00

config wifi-networks

Parameter

Description

Type

Size

Default

ID.

integer

Minimum value: 0 Maximum value: 4294967295

wifi-ssid

IEEE 802.11 Service Set Identifier.

string

Maximum length: 32

fortinet

wifi-security

Wireless access security of SSID.

option

wpa-personal

Option	Description
open	Open.
wep64	WEP64.
wep128	WEP128.
wpa-personal	WPA personal.
wpa-only-personal	WPA personal only.
wpa2-only-personal	WPA2 personal only.
wpa3-sae	WPA3 SAE.
owe	OWE.
wpa-enterprise	WPA2/WPA3 ENTERPRISE.

wifi-encrypt

Data encryption.

option

AES

Option	Description
TKIP	TKIP.
AES	AES.

wifi-keyindex

WEP key index.

integer

Minimum value: 1 Maximum value: 4

wifi-key

WiFi WEP Key.

password

Not Specified

wifi-passphrase

WiFi pre-shared key for WPA-PSK or password for WPA3-SAE and WPA2/WPA3-ENTERPRISE.

password

Not Specified

wifi-eap-type

WPA2/WPA3-ENTERPRISE EAP Method.

option

peap

Option	Description
both	EAP PEAP and TLS.
tls	EAP TLS.
peap	EAP PEAP.

wifi-username

Username for WPA2/WPA3-ENTERPRISE.

string

Maximum length: 64

fortinet

wifi-client-certificate

Client certificate for WPA2/WPA3-ENTERPRISE.

string

Maximum length: 35

wifi-private-key

Private key for WPA2/WPA3-ENTERPRISE.

string

Maximum length: 35

wifi-private-key-password

Password for private key file for WPA2/WPA3-ENTERPRISE.

password

Not Specified

wifi-ca-certificate

CA certificate for WPA2/WPA3-ENTERPRISE.

string

Maximum length: 79

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

CLI Reference

config system interface

config system interface

config system interface

config client-options

config dhcp-snooping-server-list

config egress-queues

config ipv6

config ip6-extra-addr

config ip6-prefix-list

config ip6-delegated-prefix-list

config dhcp6-iapd-list

config vrrp6

config l2tp-client-settings