Interface settings
Administrators can configure both physical and virtual FortiGate interfaces in Network > Interfaces. There are different options for configuring interfaces when FortiGate is in NAT mode or transparent mode.
The available options will vary depending on feature visibility, licensing, device model, and other factors. The following list is not comprehensive.
To configure an interface in the GUI:
- Go to Network > Interfaces.
- Click Create New > Interface.
- Configure the interface fields:
Interface Name
Physical interface names cannot be changed.
Alias
Enter an alternate name for a physical interface on the FortiGate unit. This field appears when you edit an existing physical interface. The alias does not appear in logs.
The maximum length of the alias is 25 characters.
Type
The configuration type for the interface, such as VLAN, Software Switch, 802.3ad Aggregate, and others.
Interface
This field is available when Type is set to VLAN.
Select the name of the physical interface that you want to add a VLAN interface to. Once created, the VLAN interface is listed below its physical interface in the Interface list.
You cannot change the physical interface of a VLAN interface.
VLAN ID
This field is available when Type is set to VLAN.
Enter the VLAN ID. The VLAN ID can be any number between 1 and 4094 and must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch that is connected to the VLAN subinterface.
The VLAN ID can be edited after the interface is added.
VRF ID
Virtual Routing and Forwarding (VRF) allows multiple routing table instances to coexist on the same router. One or more interfaces can be assigned to a VRF, and packets are only forwarded between interfaces that belong to the same VRF.
Virtual Domain
Select the virtual domain to add the interface to.
Only administrator accounts with the super_admin profile can change the Virtual Domain.
Interface Members
This section can have different formats depending on the Type.
Members can be selected for some interface types:
- Software Switch or Hardware Switch: Specify the physical and wireless interfaces joined into the switch.
- 802.3ad Aggregate or Redundant Interface: This field includes the available and selected interface lists.
Role
Set the role for the interface. Different settings are shown or hidden when editing an interface, depending on the role:
- LAN: Used to connect to a local network of endpoints. This is the default role for new interfaces.
- WAN: Used to connect to the internet. When WAN is selected, the Estimated bandwidth setting is available, and the following settings are not: DHCP server, Create address object matching subnet, Device detection, Security mode, One-arm sniffer, Dedicate to extension/FortiAP modes, and Admission Control.
- DMZ: Used to connect to the DMZ. When selected, DHCP server and Security mode are not available.
- Undefined: The interface has no specific role. When selected, Create address object matching subnet is not available.
Estimated bandwidth
The estimated WAN bandwidth.
The values can be entered manually, or saved from a speed test executed on the interface. The values can be used in SD-WAN rules that use the Maximize Bandwidth or Best Quality strategy.
Traffic mode
This option is only available when Type is WiFi SSID.
- Tunnel: Tunnel to wireless controller
- Bridge: Local bridge with FortiAP's interface
- Mesh: Mesh downlink
Address
Addressing mode
Select the addressing mode for the interface.
- Manual: Add an IP address and netmask for the interface. If IPv6 configuration is enabled, you can add both an IPv4 and an IPv6 address.
- DHCP: Get the interface IP address and other network settings from a DHCP server.
- Auto-managed by IPAM: Assign subnets to prevent duplicate IP addresses from overlapping within the same Security Fabric. See Configure IPAM locally on the FortiGate.
- PPPoE: Get the interface IP address and other network settings from a PPPoE server. This option is only available on entry-level FortiGate models.
- One-Arm Sniffer: Set the interface as a sniffer port so it can be used to detect attacks. See One-arm sniffer.
IP/Netmask
If Addressing Mode is set to Manual, enter an IPv4 address and subnet mask for the interface. FortiGate interfaces cannot have multiple IP addresses on the same subnet.
IPv6 addressing mode
Select the addressing mode for the interface:
- Manual: Add an IP address and netmask for the interface.
- DHCP: Get the interface IP address and other network settings from a DHCP server.
- Delegated: Select an IPv6 upstream interface that has DHCPv6 prefix delegation enabled, and enter an IPv6 subnet if needed. The interface will get the IPv6 prefix from the upstream DHCPv6 server that is connected to the IPv6 upstream interface, and form the IPv6 address with the subnet configured on the interface.
IPv6 Address/Prefix
If Addressing Mode is set to Manual and IPv6 support is enabled, enter an IPv6 address and subnet mask for the interface. A single interface can have an IPv4 address, IPv6 address, or both.
Auto configure IPv6 address
Automatically configure an IPv6 address using Stateless Address Auto-configuration (SLAAC).
This option is available when IPv6 addressing mode is set to Manual.
DHCPv6 prefix delegation
Enable/disable DHCPv6 prefix delegation, which can be used to delegate IPv6 prefixes from an upstream DHCPv6 server to another interface or downstream device.
When enabled, there is an option to enable a DHCPv6 prefix hint that helps the DHCPv6 server provide the desired prefix.
Create address object matching subnet
This option is available and automatically enabled when Role is set to LAN or DMZ.
This creates an address object that matches the interface subnet and dynamically updates the object when the IP/Netmask changes.
See Interface subnet for more information.
Secondary IP Address
Add additional IPv4 addresses to this interface.
Administrative Access
IPv4 Administrative Access
Select the types of administrative access permitted for IPv4 connections to this interface. See Configure administrative access to interfaces.
IPv6 Administrative Access
Select the types of administrative access permitted for IPv6 connections to this interface. See Configure administrative access to interfaces.
DHCP Server
Enable a DHCP server for the interface. See DHCP servers and relays.
Stateless Address Auto-configuration (SLAAC)
Enable to provide IPv6 addresses to connected devices using SLAAC.
DHCPv6 Server
Select to enable a DHCPv6 server for the interface.
When enabled, you can configure DNS service settings: Delegated (delegate the DNS received from the upstream server), Same as System DNS, or Specify (up to four servers).
You can also enable Stateful server to configure the DHCPv6 server to be stateful. Manually enter the IP range, or use Delegated mode to delegate IP prefixes from an upstream DHCPv6 server connected to the upstream interface.
Network
Device Detection
Enable/disable passively gathering device identity information about the devices on the network that are connected to this interface.
Security Mode
Enable/disable captive portal authentication for this interface. After enabling captive portal authentication, you can configure the authentication portal, user and group access, custom portal messages, exempt sources and destinations/services, and redirect after captive portal.
DSL Settings
Physical mode
Set to ADSL or VDSL.
Transfer mode
Set to PTM or ATM.
If the Transfer mode is set to ATM, the Virtual channel identification, Virtual path identification, ATM protocol, and MUX type can be configured.
Traffic Shaping
Outbound shaping profile
Enable/disable traffic shaping on the interface. This allows you to enforce bandwidth limits on individual interfaces. See Interface-based traffic shaping profile for more information.
Miscellaneous
Comments
Enter a description of the interface of up to 255 characters.
Status
Enable/disable the interface.
- Enabled: The interface is active and can accept network traffic.
- Disabled: The interface is not active and cannot accept traffic.
- Click OK.
To configure an interface in the CLI:
config system interface
    edit <name>
        set vdom <VDOM_name>
        set mode {static | dhcp | pppoe}
        set ip <IP_address/netmask>
        set security-mode {none | captive-portal | 802.1X}
        set egress-shaping-profile <profile>
        set device-identification {enable | disable}
        set allowaccess {ping https ssh http snmp telnet fgfm radius-acct probe-response fabric ftm}
        set eap-supplicant {enable | disable}
        set eap-method {peap | tls}
        set eap-identity <identity>
        set eap-password <password>
        set eap-ca-cert <CA_cert>
        set eap-user-cert <user_cert>
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 9.1.1.2 255.255.255.0
                set allowaccess ping https ssh snmp http
            next
        end
    next
end
Configure administrative access to interfaces
You can configure the protocols that administrators can use to access interfaces on the FortiGate. This helps secure access to the FortiGate by restricting access to a limited number of protocols. It helps prevent users from accessing interfaces that you don't want them to access, such as public-facing ports.
As a best practice, you should configure administrative access when you're setting the IP address for a port.
To configure administrative access to interfaces in the GUI:
- Go to Network > Interfaces.
- Create or edit an interface.
- In the Administrative Access section, select which protocols to enable for IPv4 and IPv6 Administrative Access.
Industrial Connectivity
Allow Industrial Connectivity service access to proxy traffic between serial port and TCP/IP.
Available on FortiGate Rugged models equipped with a serial RS-232 (DB9/RJ45) interface, and only when Role is set to Undefined or WAN. See Industrial Connectivity.
Speed Test
Allow this interface to listen to speed test sender requests.
To allow the FortiGate to be configured as speed test server, configure the following:
config system global
    set speedtest-server {enable | disable}
end
For more detail, see Running speed tests from the hub to the spokes in dial-up IPsec tunnels.
HTTPS
Allow secure HTTPS connections to the FortiGate GUI through this interface. If configured, this option is enabled automatically.
HTTP
Allow HTTP connections to the FortiGate GUI through this interface. This option can only be enabled if HTTPS is already enabled.
PING
The interface responds to pings. Use this setting to verify your installation and for testing.
FMG-Access
Allow FortiManager authorization automatically during the communication exchanges between FortiManager and FortiGate devices.
SSH
Allow SSH connections to the CLI through this interface.
SNMP
Allow a remote SNMP manager to request SNMP information by connecting to this interface.
FTM
Allow FortiToken Mobile Push (FTM) access.
RADIUS Accounting
Allow RADIUS accounting information on this interface.
Security Fabric Connection
Allow Security Fabric access. This enables FortiTelemetry and CAPWAP.
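As an added example (not Fortinet's code and not part of this page), the following Python script audits a configuration export written in the `config system interface` syntax shown in the CLI reference above for the administrative-access weaknesses this section warns about: cleartext HTTP or Telnet on any address, HTTP enabled without HTTPS, and any management protocol on an interface whose role is wan. The sample configuration embedded in the script is constructed for the example; the interface names and addresses are placeholders, and the set of protocols treated as "management" is taken from the allowaccess keywords listed in the CLI reference.

```python
"""Audit FortiGate interface administrative access from a config export.
Added example, not Fortinet code: it parses the `config system interface` block
in the CLI syntax shown on this page and flags cleartext management protocols,
HTTP enabled without HTTPS, and any management protocol on a wan-role interface."""
from dataclasses import dataclass, field

# Constructed sample in the documented syntax (not a real device export).
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set allowaccess ping https ssh http telnet fgfm
        set role wan
    next
    edit "port2"
        set allowaccess ping https ssh
        set role lan
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 192.0.2.129 255.255.255.128
                set allowaccess ping https ssh snmp http
            next
        end
    next
    edit "port3"
        set allowaccess ping http
        set role dmz
    next
end
"""

# allowaccess keywords from the CLI reference above; ping is not a management plane.
MANAGEMENT = {"https", "http", "ssh", "telnet", "snmp", "fgfm",
              "radius-acct", "probe-response", "fabric", "ftm"}
CLEARTEXT = {"http", "telnet"}

@dataclass
class Interface:
    name: str
    role: str = "undefined"
    allowaccess: set = field(default_factory=set)
    secondary: dict = field(default_factory=dict)  # secondaryip index -> allowaccess

def parse_interfaces(text: str) -> dict:
    """Parse top-level entries; a nested config secondaryip is tracked by depth so its own edit/set lines never overwrite the parent."""
    ifaces, current, nested, depth, in_block = {}, None, None, 0, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            in_block = in_block or (depth == 1 and line == "config system interface")
            continue
        if line == "end":
            depth -= 1
            if depth == 0:
                in_block, current = False, None
            continue
        if not in_block:
            continue
        if line.startswith("edit "):
            name = line[5:].strip().strip('"')
            if depth == 1:
                current = ifaces[name] = Interface(name=name)
            else:
                nested = name
            continue
        if line == "next":
            current, nested = (None if depth == 1 else current), None
            continue
        if not line.startswith("set ") or current is None:
            continue
        key, _, value = line[4:].partition(" ")
        value = value.strip().strip('"')
        if depth == 1 and key == "role":
            current.role = value
        elif depth == 1 and key == "allowaccess":
            current.allowaccess = set(value.split())
        elif depth > 1 and key == "allowaccess" and nested is not None:
            current.secondary[nested] = set(value.split())
    return ifaces

def audit(ifaces: dict) -> list:
    """Return (label, code, detail) findings for primary and secondary addresses."""
    findings = []
    for name, i in ifaces.items():
        targets = [(name, i.allowaccess)]
        targets += [(f"{name}/secondaryip {k}", v) for k, v in i.secondary.items()]
        for label, access in targets:
            if access & CLEARTEXT:
                findings.append((label, "cleartext", " ".join(sorted(access & CLEARTEXT))))
            if "http" in access and "https" not in access:  # the GUI requires HTTPS before HTTP
                findings.append((label, "http-without-https", ""))
            if i.role == "wan" and access & MANAGEMENT:
                findings.append((label, "wan-management", " ".join(sorted(access & MANAGEMENT))))
    return findings

if __name__ == "__main__":
    for label, code, detail in audit(parse_interfaces(SAMPLE_CONFIG)):
        print(f"{label:<22} {code:<20} {detail}")
```

Secondary IPs are audited separately because, as the CLI reference shows, each `config secondaryip` entry carries its own allowaccess list and is easy to overlook when only the primary address is reviewed. Replace SAMPLE_CONFIG with the text of `show system interface` from a real device to audit it.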
FEC implementations on 10G, 25G, 40G, and 100G interfaces
Only supported FEC (forward error correction) implementations are allowed to be configured on 10G, 25G, 40G, and 100G interfaces based on the speed that is selected.
- For 1000M, 10G, or 40G interfaces, FEC is not supported and the option is disabled.
- For 25G and 100G interfaces, FEC is automatically set to cl91-rs-fec by default.
To configure an interface for FEC:
config system interface
    edit <name>
        set speed {10000full | 1000full | 100Gauto | 100Gfull | 25000auto | 25000full | 40000full}
        set mediatype {sr4 | lr4 | cr4}
        set forward-error-correction {disable | cl91-rs-fec | cl74-fc-fec}
    next
end
speed {10000full | 1000full | 100Gauto | 100Gfull | 25000auto | 25000full | 40000full}
Set the interface speed.
mediatype {sr4 | lr4 | cr4}
Set the media type to use.
forward-error-correction {disable | cl91-rs-fec | cl74-fc-fec}
Set the forward error correction type.
To change the interface speed from 40G to 100G:
config system interface
    edit port26
        set speed 100Gfull
    next
end
The speed/mediatype/FEC of port26 will be changed from 40000full/sr4/disable to 100Gfull/sr4/cl91-rs-fec. Do you want to continue? (y/n) y
Since the speed changed to 100G, the mediatype setting automatically changes to sr4, and the forward-error-correction setting automatically changes to cl91-rs-fec. When the speed was 40G, the forward-error-correction setting was disabled.