Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

CLI Reference

system interface

Use this command to configure allowed and denied administrative access protocols, maximum transportation unit (MTU) size, SMTP proxy, and up or down administrative status for the network interfaces of a FortiMail unit.

Proxy and built-in MTA behaviors are configured separately based upon whether the SMTP connection is considered to be incoming or outgoing. Because a network connection considers the network layer rather than the application layer when deciding whether to intercept a connection, the concept of incoming and outgoing connections is based upon slightly different things than that of incoming and outgoing email messages: directionality is determined by IP addresses of connecting clients and servers, rather than the email addresses of recipients.

Incoming connections consist of those destined for the SMTP servers that are protected domains of the FortiMail unit. For example, if the FortiMail unit is configured to protect the SMTP server whose IP address is 10.1.1.1, the FortiMail unit treats all SMTP connections destined for 10.1.1.1 as incoming. For information about configuring protected domains, see config domain-setting.

Outgoing connections consist of those destined for SMTP servers that the FortiMail unit has not been configured to protect. For example, if the FortiMail unit is not configured to protect the SMTP server whose IP address is 192.168.1.1, all SMTP connections destined for 192.168.1.1 will be treated as outgoing, regardless of their origin.

Syntax

config system interface

edit <physical_interface_str>, <logical_interface_str>, or loopback

set allowaccess {ping http https snmp ssh telnet}

set ip <ipv4mask>

set ip6 <ipv6mask>

set mac-addr <xx.xx.xx.xx.xx.xx>

set mailaccess {imap | imaps | pop3 | pop3s | smtp | smtps}

set mode {static | dhcp}

set mtu <mtu_int>

set proxy-smtp-in-mode {pass‑through | drop | proxy}

set proxy-smtp-local status {enable | disable}

set proxy-smtp-out-mode {pass‑through | drop | proxy}

set speed {auto | 10full | 10half | 100full | 100half | 1000full}

set status {down | up}

set type {vlan | redundant}

set vlanid <int>

set webaccess

set redundant-link-monitor {mii-link | arp-link}

set redundant-arp-ip <ip_addr>

set redundant-member <member_interface_str>

end

Variable

Description

Default

<physical_interface_str>

Enter the name of the physical network interface, such as port1.

 

<logical_interface_str>

Enter a name for the VLAN or redundant interface. Then set the interface type.

 

loopback

A loopback interface is a logical interface that is always up (no physical link dependency) and the attached subnet is always present in the routing table.

The FortiMail's loopback IP address does not depend on one specific external port, and is therefore possible to access it through several physical or VLAN interfaces. In the current release, you can only add one loopback interface on the FortiMail unit.

The loopback interface is useful when you use a layer 2 load balancer in front of several FortiMail units. In this case, you can set the FortiMail loopback interface’s IP address the same as the load balancer’s IP address and thus the FortiMail unit can pick up the traffic forwarded to it from the load balancer.

 

allowaccess {ping http https snmp ssh telnet}

Enter one or more of the following protocols to add them to the list of protocols permitted to administratively access the FortiMail unit through this network interface:

ping: Allow ICMP ping responses from this network interface.

http: Allow HTTP access to the web-based manager, webmail, and per-recipient quarantines.
Caution: HTTP connections are not secure and can be intercepted by a third party. To reduce risk to the security of your FortiMail unit, enable this option only on network interfaces connected directly to your management computer.

https: Allow secure HTTP (HTTPS) access to the web-based manager, webmail, and per-recipient quarantines.

snmp: Allow SNMP v2 access. For more information, see system snmp community, system snmp sysinfo, and system snmp threshold.

ssh: Allow SSH access to the CLI.

telnet: Allow Telnet access to the CLI.

To control SMTP access, configure access control rules and session profiles. For details, see ms365 profile antivirus and profile session.

Caution:Telnet connections are not secure and can be intercepted by a third party. To reduce risk to the security of your FortiMail unit, enable this option only on network interfaces connected directly to your management computer.

Varies by the network interface.

ip <ipv4mask>

Enter the IP address and netmask of the network interface.

If the FortiMail unit is in transparent mode, IP/Netmask may alternatively display bridging. This means that the network interface is acting as a Layer 2 bridge. If high availability (HA) is also enabled, IP and Netmask may alternatively display bridged (isolated) while the effective operating mode is secondary and therefore the network interface is currently disconnected from the network, or bridging (waiting for recovery) while the effective operating mode is failed and the network interface is currently disconnected from the network but a failover may soon occur, beginning connectivity.

 

ip6 <ipv6mask>

Enter the IPv6 address and netmask of the network interface.

If the FortiMail unit is in transparent mode, IP/Netmask may alternatively display bridging. This means that the network interface is acting as a Layer 2 bridge. If high availability (HA) is also enabled, IP and Netmask may alternatively display bridged (isolated) while the effective operating mode is secondary and therefore the network interface is currently disconnected from the network, or bridging (waiting for recovery) while the effective operating mode is failed and the network interface is currently disconnected from the network but a failover may soon occur, beginning connectivity.

 

mac-addr <xx.xx.xx.xx.xx.xx>

Override the factory set MAC address of this interface by specifying a new MAC address. Use the form xx:xx:xx:xx:xx:xx.

Factory set

mailaccess {imap | imaps | pop3 | pop3s | smtp | smtps}

Allow mail access with the interface.

 

mode {static | dhcp}

Enter the interface mode.

DHCP mode applies only if the FortiMail unit is operating in gateway mode or server mode.

static

mtu <mtu_int>

Enter the maximum packet or Ethernet frame size in bytes.

If network devices between the FortiMail unit and its traffic destinations require smaller or larger units of traffic, packets may require additional processing at each node in the network to fragment or defragment the units, resulting in reduced network performance. Adjusting the MTU to match your network can improve network performance.

The valid range is from 576 to 1500 bytes.

1500

proxy-smtp-in-mode {pass‑through | drop | proxy}

Enter how the proxy or built-in MTA will handle SMTP connections on each network interface that are incoming to the IP addresses of email servers belonging to a protected domain:

  • pass-through: Permit but do not proxy or relay. Because traffic is not proxied or relayed, no policies will be applied.
  • drop: Drop the connection.
  • proxy: Proxy or relay the connection. Once intercepted, policies determine any further scanning or logging actions. For more information, see config policy delivery-control, policy recipient, and config policy recipient.

Note: Depending on your network topology, you may want to verify that email is not being scanned twice. This could result if, due to mail routing, an email would travel through the FortiMail unit multiple times in order to reach its final destination, and you have entered proxy more than once for each interface and/or directionality. For an example, see the FortiMail Administration Guide.

This option is only available in transparent mode.

proxy

proxy-smtp-local status {enable | disable}

Enable to allow connections destined for the FortiMail unit itself.

This option is only available in transparent mode.

disable

proxy-smtp-out-mode {pass‑through | drop | proxy}

Enter how the proxy or built-in MTA will handle SMTP connections on each network interface that are incoming to the IP addresses of email servers belonging to a protected domain:

  • pass-through: Permit but do not proxy or relay. Because traffic is not proxied or relayed, no policies will be applied.
  • drop: Drop connections.
  • proxy: Proxy or relay connections. Once intercepted, policies determine any further scanning or logging actions. For more information, see config policy delivery-control.

Note: Depending on your network topology, you may want to verify that email is not being scanned twice. This could result if, due to mail routing, an email would travel through the FortiMail unit multiple times in order to reach its final destination, and you have entered proxy more than once for each interface and/or directionality. For an example, see the FortiMail Administration Guide.

This option is only available in transparent mode.

pass‑
through

redundant-arp-ip <ip_addr>

Enter the redundant interface ARP monitoring IP target.

This option is only available when you choose the arp-link monitoring parameter. See redundant-link-monitor {mii-link | arp-link}.

 

type {vlan | redundant}

vlan: A Virtual LAN (VLAN) subinterface, also called a VLAN, is a virtual interface on a physical interface. The subinterface allows routing of VLAN tagged packets using that physical interface, but it is separate from any other traffic on the physical interface.

Virtual LANs (VLANs) use ID tags to logically separate devices on a network into smaller broadcast domains. These smaller domains forward packets only to devices that are part of that VLAN domain. This reduces traffic and increases network security.

One example of an application of VLANs is a company’s accounting department. Accounting computers may be located at both main and branch offices. However, accounting computers need to communicate with each other frequently and require increased security. VLANs allow the accounting network traffic to be sent only to accounting computers and to connect accounting computers in different locations as if they were on the same physical subnet.

Also configure redundant-link-monitor {mii-link | arp-link} and redundant-member <member_interface_str>.

redundant: On the FortiMail unit, you can combine two or more physical interfaces to provide link redundancy. This feature allows you to connect to two or more switches to ensure connectivity in the event one physical interface or the equipment on that interface fails.

In a redundant interface, traffic is only going over one interface at any time. This differs from an aggregated interface where traffic is going over all interfaces for increased bandwidth. This difference means redundant interfaces can have more robust configurations with fewer possible points of failure. This is important in a fully-meshed HA configuration.

Also configure vlanid <int>.

 

redundant-link-monitor {mii-link | arp-link}

Configure the parameters to monitor the connections of the redundant interfaces. This option is only available when you choose the redundant interface type. mii-link: Media Independent Interface is an abstract layer between the operating system and the NIC which detects whether the failover link is running.

arp-link: Address Resolution Protocol periodically checks whether the remote interface is reachable. Also configure redundant-arp-ip <ip_addr>.

mii-link

redundant-member <member_interface_
str>

Enter the redundant member for the failover configuration.

This option is only available when you choose the redundant interface type.

 

vlanid <int>

Enter the Vlan ID for logically separating devices on a network into smaller broadcast domains.

This option is only available when you choose the vlan interface type.

 

webaccess

Allow web access with the interface.

 

speed {auto | 10full | 10half | 100full | 100half | 1000full}

Enter the speed of the network interface.

Note: Some network interfaces may not support all speeds.

auto

status {down | up}

Enter either up to enable the network interface to send and receive traffic, or down to disable the network interface.

up

Related topics

sensitive data

system admin

system interface

Use this command to configure allowed and denied administrative access protocols, maximum transportation unit (MTU) size, SMTP proxy, and up or down administrative status for the network interfaces of a FortiMail unit.

Proxy and built-in MTA behaviors are configured separately based upon whether the SMTP connection is considered to be incoming or outgoing. Because a network connection considers the network layer rather than the application layer when deciding whether to intercept a connection, the concept of incoming and outgoing connections is based upon slightly different things than that of incoming and outgoing email messages: directionality is determined by IP addresses of connecting clients and servers, rather than the email addresses of recipients.

Incoming connections consist of those destined for the SMTP servers that are protected domains of the FortiMail unit. For example, if the FortiMail unit is configured to protect the SMTP server whose IP address is 10.1.1.1, the FortiMail unit treats all SMTP connections destined for 10.1.1.1 as incoming. For information about configuring protected domains, see config domain-setting.

Outgoing connections consist of those destined for SMTP servers that the FortiMail unit has not been configured to protect. For example, if the FortiMail unit is not configured to protect the SMTP server whose IP address is 192.168.1.1, all SMTP connections destined for 192.168.1.1 will be treated as outgoing, regardless of their origin.

Syntax

config system interface

edit <physical_interface_str>, <logical_interface_str>, or loopback

set allowaccess {ping http https snmp ssh telnet}

set ip <ipv4mask>

set ip6 <ipv6mask>

set mac-addr <xx.xx.xx.xx.xx.xx>

set mailaccess {imap | imaps | pop3 | pop3s | smtp | smtps}

set mode {static | dhcp}

set mtu <mtu_int>

set proxy-smtp-in-mode {pass‑through | drop | proxy}

set proxy-smtp-local status {enable | disable}

set proxy-smtp-out-mode {pass‑through | drop | proxy}

set speed {auto | 10full | 10half | 100full | 100half | 1000full}

set status {down | up}

set type {vlan | redundant}

set vlanid <int>

set webaccess

set redundant-link-monitor {mii-link | arp-link}

set redundant-arp-ip <ip_addr>

set redundant-member <member_interface_str>

end

Variable

Description

Default

<physical_interface_str>

Enter the name of the physical network interface, such as port1.

 

<logical_interface_str>

Enter a name for the VLAN or redundant interface. Then set the interface type.

 

loopback

A loopback interface is a logical interface that is always up (no physical link dependency) and the attached subnet is always present in the routing table.

The FortiMail's loopback IP address does not depend on one specific external port, and is therefore possible to access it through several physical or VLAN interfaces. In the current release, you can only add one loopback interface on the FortiMail unit.

The loopback interface is useful when you use a layer 2 load balancer in front of several FortiMail units. In this case, you can set the FortiMail loopback interface’s IP address the same as the load balancer’s IP address and thus the FortiMail unit can pick up the traffic forwarded to it from the load balancer.

 

allowaccess {ping http https snmp ssh telnet}

Enter one or more of the following protocols to add them to the list of protocols permitted to administratively access the FortiMail unit through this network interface:

ping: Allow ICMP ping responses from this network interface.

http: Allow HTTP access to the web-based manager, webmail, and per-recipient quarantines.
Caution: HTTP connections are not secure and can be intercepted by a third party. To reduce risk to the security of your FortiMail unit, enable this option only on network interfaces connected directly to your management computer.

https: Allow secure HTTP (HTTPS) access to the web-based manager, webmail, and per-recipient quarantines.

snmp: Allow SNMP v2 access. For more information, see system snmp community, system snmp sysinfo, and system snmp threshold.

ssh: Allow SSH access to the CLI.

telnet: Allow Telnet access to the CLI.

To control SMTP access, configure access control rules and session profiles. For details, see ms365 profile antivirus and profile session.

Caution:Telnet connections are not secure and can be intercepted by a third party. To reduce risk to the security of your FortiMail unit, enable this option only on network interfaces connected directly to your management computer.

Varies by the network interface.

ip <ipv4mask>

Enter the IP address and netmask of the network interface.

If the FortiMail unit is in transparent mode, IP/Netmask may alternatively display bridging. This means that the network interface is acting as a Layer 2 bridge. If high availability (HA) is also enabled, IP and Netmask may alternatively display bridged (isolated) while the effective operating mode is secondary and therefore the network interface is currently disconnected from the network, or bridging (waiting for recovery) while the effective operating mode is failed and the network interface is currently disconnected from the network but a failover may soon occur, beginning connectivity.

 

ip6 <ipv6mask>

Enter the IPv6 address and netmask of the network interface.

If the FortiMail unit is in transparent mode, IP/Netmask may alternatively display bridging. This means that the network interface is acting as a Layer 2 bridge. If high availability (HA) is also enabled, IP and Netmask may alternatively display bridged (isolated) while the effective operating mode is secondary and therefore the network interface is currently disconnected from the network, or bridging (waiting for recovery) while the effective operating mode is failed and the network interface is currently disconnected from the network but a failover may soon occur, beginning connectivity.

 

mac-addr <xx.xx.xx.xx.xx.xx>

Override the factory set MAC address of this interface by specifying a new MAC address. Use the form xx:xx:xx:xx:xx:xx.

Factory set

mailaccess {imap | imaps | pop3 | pop3s | smtp | smtps}

Allow mail access with the interface.

 

mode {static | dhcp}

Enter the interface mode.

DHCP mode applies only if the FortiMail unit is operating in gateway mode or server mode.

static

mtu <mtu_int>

Enter the maximum packet or Ethernet frame size in bytes.

If network devices between the FortiMail unit and its traffic destinations require smaller or larger units of traffic, packets may require additional processing at each node in the network to fragment or defragment the units, resulting in reduced network performance. Adjusting the MTU to match your network can improve network performance.

The valid range is from 576 to 1500 bytes.

1500

proxy-smtp-in-mode {pass‑through | drop | proxy}

Enter how the proxy or built-in MTA will handle SMTP connections on each network interface that are incoming to the IP addresses of email servers belonging to a protected domain:

  • pass-through: Permit but do not proxy or relay. Because traffic is not proxied or relayed, no policies will be applied.
  • drop: Drop the connection.
  • proxy: Proxy or relay the connection. Once intercepted, policies determine any further scanning or logging actions. For more information, see config policy delivery-control, policy recipient, and config policy recipient.

Note: Depending on your network topology, you may want to verify that email is not being scanned twice. This could result if, due to mail routing, an email would travel through the FortiMail unit multiple times in order to reach its final destination, and you have entered proxy more than once for each interface and/or directionality. For an example, see the FortiMail Administration Guide.

This option is only available in transparent mode.

proxy

proxy-smtp-local status {enable | disable}

Enable to allow connections destined for the FortiMail unit itself.

This option is only available in transparent mode.

disable

proxy-smtp-out-mode {pass‑through | drop | proxy}

Enter how the proxy or built-in MTA will handle SMTP connections on each network interface that are incoming to the IP addresses of email servers belonging to a protected domain:

  • pass-through: Permit but do not proxy or relay. Because traffic is not proxied or relayed, no policies will be applied.
  • drop: Drop connections.
  • proxy: Proxy or relay connections. Once intercepted, policies determine any further scanning or logging actions. For more information, see config policy delivery-control.

Note: Depending on your network topology, you may want to verify that email is not being scanned twice. This could result if, due to mail routing, an email would travel through the FortiMail unit multiple times in order to reach its final destination, and you have entered proxy more than once for each interface and/or directionality. For an example, see the FortiMail Administration Guide.

This option is only available in transparent mode.

pass‑
through

redundant-arp-ip <ip_addr>

Enter the redundant interface ARP monitoring IP target.

This option is only available when you choose the arp-link monitoring parameter. See redundant-link-monitor {mii-link | arp-link}.

 

type {vlan | redundant}

vlan: A Virtual LAN (VLAN) subinterface, also called a VLAN, is a virtual interface on a physical interface. The subinterface allows routing of VLAN tagged packets using that physical interface, but it is separate from any other traffic on the physical interface.

Virtual LANs (VLANs) use ID tags to logically separate devices on a network into smaller broadcast domains. These smaller domains forward packets only to devices that are part of that VLAN domain. This reduces traffic and increases network security.

One example of an application of VLANs is a company’s accounting department. Accounting computers may be located at both main and branch offices. However, accounting computers need to communicate with each other frequently and require increased security. VLANs allow the accounting network traffic to be sent only to accounting computers and to connect accounting computers in different locations as if they were on the same physical subnet.

Also configure redundant-link-monitor {mii-link | arp-link} and redundant-member <member_interface_str>.

redundant: On the FortiMail unit, you can combine two or more physical interfaces to provide link redundancy. This feature allows you to connect to two or more switches to ensure connectivity in the event one physical interface or the equipment on that interface fails.

In a redundant interface, traffic is only going over one interface at any time. This differs from an aggregated interface where traffic is going over all interfaces for increased bandwidth. This difference means redundant interfaces can have more robust configurations with fewer possible points of failure. This is important in a fully-meshed HA configuration.

Also configure vlanid <int>.

 

redundant-link-monitor {mii-link | arp-link}

Configure the parameters to monitor the connections of the redundant interfaces. This option is only available when you choose the redundant interface type. mii-link: Media Independent Interface is an abstract layer between the operating system and the NIC which detects whether the failover link is running.

arp-link: Address Resolution Protocol periodically checks whether the remote interface is reachable. Also configure redundant-arp-ip <ip_addr>.

mii-link

redundant-member <member_interface_
str>

Enter the redundant member for the failover configuration.

This option is only available when you choose the redundant interface type.

 

vlanid <int>

Enter the Vlan ID for logically separating devices on a network into smaller broadcast domains.

This option is only available when you choose the vlan interface type.

 

webaccess

Allow web access with the interface.

 

speed {auto | 10full | 10half | 100full | 100half | 1000full}

Enter the speed of the network interface.

Note: Some network interfaces may not support all speeds.

auto

status {down | up}

Enter either up to enable the network interface to send and receive traffic, or down to disable the network interface.

up

Related topics

sensitive data

system admin