system interface
Use this command to configure allowed and denied administrative access protocols, maximum transmission unit (MTU) size, SMTP proxy behavior, and up or down administrative status for the network interfaces of a FortiMail unit.
Proxy and built-in MTA behaviors are configured separately based upon whether the SMTP connection is considered to be incoming or outgoing. Because the FortiMail unit decides whether to intercept a connection at the network layer rather than the application layer, the concept of incoming and outgoing connections is based upon slightly different things than that of incoming and outgoing email messages: directionality is determined by the IP addresses of the connecting clients and servers, rather than by the email addresses of the recipients.
Incoming connections consist of those destined for the SMTP servers of the protected domains of the FortiMail unit. For example, if the FortiMail unit is configured to protect the SMTP server whose IP address is 10.1.1.1, the FortiMail unit treats all SMTP connections destined for 10.1.1.1 as incoming. For information about configuring protected domains, see domain-setting.
Outgoing connections consist of those destined for SMTP servers that the FortiMail unit has not been configured to protect. For example, if the FortiMail unit is not configured to protect the SMTP server whose IP address is 192.168.1.1, all SMTP connections destined for 192.168.1.1 are treated as outgoing, regardless of their origin.
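The directionality rule above, and how it selects between proxy-smtp-in-mode, proxy-smtp-out-mode and proxy-smtp-local, as an added Python illustration that is not part of the FortiMail documentation or product; the server addresses, interface names and per-interface modes are constructed for the example.

```python
import ipaddress

# Constructed sample (not from the documentation): SMTP servers of the
# protected domains and the FortiMail unit's own interface addresses.
PROTECTED_SERVERS = {"10.1.1.1", "10.1.1.2"}
OWN_INTERFACE_IPS = {"10.1.1.254", "192.168.1.254"}

# Hypothetical per-interface values of proxy-smtp-in-mode,
# proxy-smtp-out-mode and proxy-smtp-local for the example.
INTERFACE_MODES = {
    "port1": {"in": "proxy", "out": "pass-through", "local": False},
    "port2": {"in": "proxy", "out": "proxy", "local": True},
}


def classify(dst_ip: str) -> str:
    """Direction is decided by the destination IP of the SMTP connection,
    never by the recipient email address (network layer, not application
    layer)."""
    ipaddress.ip_address(dst_ip)  # raises ValueError on malformed input
    if dst_ip in OWN_INTERFACE_IPS:
        return "local"        # destined for the FortiMail unit itself
    if dst_ip in PROTECTED_SERVERS:
        return "incoming"     # destined for a protected domain's server
    return "outgoing"         # any other destination, whatever the source


def handling(interface: str, dst_ip: str) -> str:
    """Return the configured treatment: pass-through, drop or proxy for
    incoming/outgoing connections, or accepted/refused for connections to
    the unit itself depending on proxy-smtp-local."""
    modes = INTERFACE_MODES[interface]
    direction = classify(dst_ip)
    if direction == "local":
        return "accepted" if modes["local"] else "refused"
    return modes["in"] if direction == "incoming" else modes["out"]
```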
Syntax
    config system interface
        edit {<physical_interface_str> | <logical_interface_str> | loopback}
            set allowaccess {ping http https snmp ssh telnet}
            set connection {enable | disable}
            set defaultgw {enable | disable}
            set bridge-member {enable | disable}
            set ip <ipv4mask>
            set ip6 <ipv6mask>
            set mac-addr <xx:xx:xx:xx:xx:xx>
            set mailaccess {imap | imaps | pop3 | pop3s | smtp | smtps}
            set mode {static | dhcp}
            set mtu <mtu_int>
            set proxy-smtp-in-mode {pass-through | drop | proxy}
            set proxy-smtp-local status {enable | disable}
            set proxy-smtp-out-mode {pass-through | drop | proxy}
            set speed {auto | 10full | 10half | 100full | 100half | 1000full}
            set vlanid <int>
            set webaccess
            set redundant-link-monitor {mii-link | arp-link}
            set redundant-arp-ip <ip_addr>
            set redundant-member <member_interface_str>
            set status {up | down}
    end
| Variable | Description | Default |
|---|---|---|
| `<physical_interface_str>` | Enter the name of the physical network interface, such as port1. | |
| `<logical_interface_str>` | Enter a name for the VLAN or redundant interface. Then set the interface type (see the vlan and redundant rows below). | |
| `loopback` | A loopback interface is a logical interface that is always up (no physical link dependency), and its attached subnet is always present in the routing table. The FortiMail unit's loopback IP address does not depend on one specific external port, and can therefore be reached through several physical or VLAN interfaces. In the current release, you can add only one loopback interface on the FortiMail unit. The loopback interface is useful when you use a layer 2 load balancer in front of several FortiMail units: set the FortiMail loopback interface's IP address to the same address as the load balancer's, and the FortiMail unit can pick up the traffic forwarded to it by the load balancer. | |
| `allowaccess {ping http https snmp ssh telnet}` | Enter one or more of the following protocols to add them to the list of protocols permitted to administratively access the FortiMail unit through this network interface: ping, http, https, snmp, ssh, telnet. To control SMTP access, configure access control rules and session profiles instead. For details, see cloud-api, profile antivirus and profile session. Caution: Telnet connections are not secure and can be intercepted by a third party. To reduce risk to the security of your FortiMail unit, enable this option only on network interfaces connected directly to your management computer. | Varies by network interface. |
| `connection {enable \| disable}` | Note: This command is only available when the interface is configured for DHCP. Enable for the FortiMail unit to attempt to obtain DHCP addressing information from the DHCP server. Disable this option if you are configuring the network interface offline and do not want the unit to attempt to obtain addressing information at this time. | disable |
| `defaultgw {enable \| disable}` | Note: This command is only available when the interface is configured for DHCP. Enable to retrieve both the default gateway and DNS addresses from the DHCP server, replacing any manually configured values. | disable |
| `bridge-member {enable \| disable}` | Note: This command is only available when the FortiMail unit is operating in transparent mode, and only for non-management ports. Enable to bridge the port to the management IP. See Editing network interfaces for information on bridged networks in transparent mode. Bridging is the default configuration for network interfaces when the FortiMail unit operates in transparent mode, and the FortiMail unit bridges all connections passing through it from the network to the protected email servers. In cases where the email servers protected by the FortiMail unit are located on different subnets, you must connect those email servers through separate physical ports on the FortiMail unit, and configure the network interfaces associated with those ports by assigning IP addresses and removing them from the bridge. | enable |
| `ip <ipv4mask>` | Enter the IP address and netmask of the network interface. If the FortiMail unit is in transparent mode, IP/Netmask may alternatively display bridging, meaning that the network interface is acting as a Layer 2 bridge. If high availability (HA) is also enabled, IP/Netmask may alternatively display bridged (isolated) while the effective operating mode is secondary and the network interface is therefore currently disconnected from the network, or bridging (waiting for recovery) while the effective operating mode is failed and the network interface is currently disconnected from the network but a failover may soon occur, restoring connectivity. | |
| `ip6 <ipv6mask>` | Enter the IPv6 address and netmask of the network interface. In transparent mode, and when HA is also enabled, the same bridging, bridged (isolated) and bridging (waiting for recovery) values may be displayed as described for ip <ipv4mask>. | |
| `mac-addr <xx:xx:xx:xx:xx:xx>` | Override the factory-set MAC address of this interface by specifying a new MAC address in the form xx:xx:xx:xx:xx:xx. | Factory set |
| `mailaccess {imap \| imaps \| pop3 \| pop3s \| smtp \| smtps}` | Allow mail client access (imap, imaps, pop3, pop3s, smtp, smtps) through the interface. | |
| `mode {static \| dhcp}` | Enter the interface addressing mode, static or DHCP. DHCP mode applies only if the FortiMail unit is operating in gateway mode or server mode. | static |
| `mtu <mtu_int>` | Enter the maximum packet or Ethernet frame size in bytes. If network devices between the FortiMail unit and its traffic destinations require smaller or larger frames, packets must be fragmented or reassembled at each such node in the network, reducing network performance. Adjusting the MTU to match your network can improve network performance. The valid range is from 576 to 1500 bytes. | 1500 |
| `proxy-smtp-in-mode {pass-through \| drop \| proxy}` | Enter how the proxy or built-in MTA handles SMTP connections on this network interface that are incoming, that is, destined for the IP addresses of email servers belonging to a protected domain: pass-through, drop or proxy. Note: Depending on your network topology, you may want to verify that email is not being scanned twice. This could result if, due to mail routing, an email travels through the FortiMail unit multiple times in order to reach its final destination, and you have entered. This option is only available in transparent mode. | proxy |
| `proxy-smtp-local status {enable \| disable}` | Enable to allow connections destined for the FortiMail unit itself. This option is only available in transparent mode. | disable |
| `proxy-smtp-out-mode {pass-through \| drop \| proxy}` | Enter how the proxy or built-in MTA handles SMTP connections on this network interface that are outgoing, that is, destined for SMTP servers that do not belong to a protected domain: pass-through, drop or proxy. Note: Depending on your network topology, you may want to verify that email is not being scanned twice. This could result if, due to mail routing, an email travels through the FortiMail unit multiple times in order to reach its final destination, and you have entered. This option is only available in transparent mode. | pass-through |
| `redundant-arp-ip <ip_addr>` | Enter the IP address that the redundant interface monitors with ARP. This option is only available when you choose arp-link for redundant-link-monitor. | |
| vlan (interface type) | Virtual LANs (VLANs) use ID tags to logically separate devices on a network into smaller broadcast domains. These smaller domains forward packets only to devices that are part of that VLAN domain. This reduces traffic and increases network security. One example of an application of VLANs is a company's accounting department. Accounting computers may be located at both main and branch offices. However, accounting computers need to communicate with each other frequently and require increased security. VLANs allow the accounting network traffic to be sent only to accounting computers and connect accounting computers in different locations as if they were on the same physical subnet. Also configure vlanid <int>. | |
| redundant (interface type) | In a redundant interface, traffic goes over only one interface at any time. This differs from an aggregated interface, where traffic goes over all interfaces for increased bandwidth. This difference means redundant interfaces can have more robust configurations with fewer possible points of failure, which is important in a fully meshed HA configuration. Also configure redundant-link-monitor {mii-link \| arp-link} and redundant-member <member_interface_str>. | |
| `redundant-link-monitor {mii-link \| arp-link}` | Configure how the connections of the redundant interface members are monitored: by the MII link state (mii-link) or by ARP (arp-link). This option is only available when you choose the redundant interface type. | mii-link |
| `redundant-member <member_interface_str>` | Enter the member interfaces for the failover configuration. This option is only available when you choose the redundant interface type. | |
| `vlanid <int>` | Enter the VLAN ID for logically separating devices on a network into smaller broadcast domains. This option is only available when you choose the VLAN interface type. | |
| `webaccess` | Allow web access through the interface. | |
| `speed {auto \| 10full \| 10half \| 100full \| 100half \| 1000full}` | Enter the speed of the network interface. Note: Some network interfaces may not support all speeds. | auto |
| `status {up \| down}` | Enter either up or down to set the administrative status of the network interface. | up |
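As an added example (not FortiMail code or any Fortinet tool), a small Python checker that parses a `config system interface` block in the syntax above and reports settings a reviewer would question: telnet or http in allowaccess (unencrypted administrative access, which the reference warns about for telnet) and an MTU outside the documented 576 to 1500 range. The sample configuration, interface names and addresses are constructed for the example; the `next` keyword between edit blocks is assumed.

```python
# Constructed sample configuration (not captured from a real unit).
SAMPLE_CONFIG = """\
config system interface
    edit port1
        set allowaccess ping https ssh
        set ip 10.1.1.254 255.255.255.0
        set mtu 1500
        set status up
    next
    edit port2
        set allowaccess ping http telnet
        set ip 192.168.1.254 255.255.255.0
        set mtu 9000
        set status up
    next
end
"""

MTU_MIN, MTU_MAX = 576, 1500          # valid range stated in the reference
CLEARTEXT_ADMIN = {"telnet", "http"}  # administrative protocols without encryption


def parse_interfaces(text: str) -> dict:
    """Return {interface_name: {setting: [values]}} for each edit block."""
    interfaces, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = line.split(None, 1)[1].strip('"')
            interfaces[current] = {}
        elif line.startswith("set ") and current is not None:
            _, key, *values = line.split()
            interfaces[current][key] = values
        elif line in ("next", "end"):
            current = None
    return interfaces


def audit(text: str) -> list:
    """Return one finding string per questionable setting; [] means clean."""
    findings = []
    for name, settings in parse_interfaces(text).items():
        allow = set(settings.get("allowaccess", []))
        for proto in sorted(allow & CLEARTEXT_ADMIN):
            findings.append(f"{name}: cleartext admin protocol '{proto}' enabled")
        mtu = settings.get("mtu")
        if mtu and not MTU_MIN <= int(mtu[0]) <= MTU_MAX:
            findings.append(f"{name}: mtu {mtu[0]} outside {MTU_MIN}-{MTU_MAX}")
    return findings
```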