<logical_interface_name>

Enter a name for the VLAN or redundant interface. Then set the interface type.

<physical_interface_name>

Enter the name of the physical network interface, such as port1.

allowaccess {ping http https snmp ssh telnet}

Enter one or more of the following protocols to add them to the list of protocols permitted to administratively access the FortiMail unit through this network interface:

• ping: Allow ICMP ping responses from this network interface.

• http: Allow HTTP access to the GUI, webmail, and per-recipient quarantines. See also https-redirect-status {enable | disable}.

  HTTP connections are not secure and can be intercepted by a third party. To reduce risk to the security of your FortiMail unit, enable this option only on network interfaces connected directly to your management computer.

• https: Allow secure HTTP (HTTPS) access to the GUI, webmail, per-recipient quarantines, and REST API. See also system web-service.

• snmp: Allow SNMP v2 access. For more information, see system snmp community, system snmp sysinfo, and system snmp threshold.

• ssh: Allow SSH access to the CLI.

• telnet: Allow Telnet access to the CLI.

  Telnet connections are not secure and can be intercepted by a third party. To reduce risk to the security of your FortiMail unit, enable this option only on network interfaces connected directly to your management computer.

For related settings such as listening port numbers for each service, see also system global.

To control SMTP access, configure access control rules and session profiles. For details, see cloud-api profile antivirus and profile session.

bridge-member {enable | disable}

Enable to bridge the port to the management IP. For more information about bridging networks in transparent mode, see the FortiMail Administration Guide.

Bridging is the default configuration for network interfaces when the FortiMail unit operates in transparent mode, and the FortiMail unit will bridge all connections occurring through it from the network to the protected email servers.

In cases where the email servers that are protected by the FortiMail unit are located on different subnets, you must connect those email servers through separate physical ports on the FortiMail unit, and configure the network interfaces associated with those ports, assigning IP addresses and removing them from the bridge.

This command is only available when operation-mode {gateway | server | transparent} is transparent, and only for non-management ports.

connection {enable | disable}

Enable for the FortiMail unit to attempt to obtain DHCP addressing information from the DHCP server.

Disable this option if you are configuring the network interface offline, and do not want the unit to attempt to obtain addressing information at this time.

This command is only available when mode {static | dhcp} is dhcp.

defaultgw {enable disable}

Enable to retrieve both the default gateway and DNS addresses from the DHCP server, replacing any manually configured values.

This command is only available when mode {static | dhcp} is dhcp.

ip <interface_ipv4mask>

Enter the IP address and netmask of the network interface.

If the FortiMail unit is in transparent mode, interface may alternatively not have an IP address, and instead indicate that it is bridging. This means that the network interface is acting as a Layer 2 bridge. If high availability (HA) is enabled, and the FortiMail is currently a secondary unit, then it may also be normal that a network interface is disconnected (isolated from the network) until a failover occurs and then the secondary becomes the new primary.

ip6 <interface ipv6mask>

Enter the IPv6 address and netmask of the network interface.

If the FortiMail unit is in transparent mode, interface may alternatively not have an IP address, and instead indicate that it is bridging. This means that the network interface is acting as a Layer 2 bridge. If high availability (HA) is enabled, and the FortiMail is currently a secondary unit, then it may also be normal that a network interface is disconnected (isolated from the network) until a failover occurs and then the secondary becomes the new primary.

loopback

A loopback interface is a logical interface that is always up (no physical link dependency) and the attached subnet is always present in the routing table.

The FortiMail unit's loopback IP address does not depend on one specific external port, and is therefore possible to access through several physical or VLAN interfaces. You can only add one loopback interface on the FortiMail unit.

The loopback interface is useful when you use a Layer 2 load balancer in front of several FortiMail units. In this case, you can set the FortiMail loopback interface’s IP address the same as the load balancer's IP address and thus the FortiMail unit can pick up the traffic forwarded to it from the load balancer.

mac-addr <interface_mac>

Enter a media access control (MAC) address to override the factory set Layer 2 address of this interface.

mailaccess {imap | imaps | pop3 | pop3s | smtp | smtps}

Select which types of mail access to allow on the interface.

mode {static | dhcp}

Enter the interface mode.

If configuring for DHCP, see connection {enable | disable} and defaultgw {enable disable}.

DHCP mode applies only if the FortiMail unit is operating in gateway mode or server mode.

mtu <mtu_int>

Enter the maximum packet or Ethernet frame size in bytes.

If network devices between the FortiMail unit and its traffic destinations require smaller or larger units of traffic, packets may require additional processing at each node in the network to fragment or defragment the units, resulting in reduced network performance. Adjusting the MTU to match your network can improve network performance.

The valid range is from 576 to 1500 bytes.

proxy-smtp-in-mode {pass‑through | drop | proxy}

Enter how the proxy or built-in MTA will handle SMTP connections on each network interface that are incoming to the IP addresses of email servers belonging to a protected domain:

• pass-through: Permit but do not proxy or relay. Because traffic is not proxied or relayed, no policies will be applied.

• drop: Drop the connection.

• proxy: Proxy or relay the connection. Once intercepted, policies determine any further scanning or logging actions. For more information, see policy ip, policy recipient, and config policy recipient.

Depending on your network topology, you may want to verify that email is not being scanned twice. This could result if, due to mail routing, an email would travel through the FortiMail unit multiple times in order to reach its final destination, and you have entered proxy more than once for each interface and/or directionality. For an example, see the FortiMail Administration Guide.

This option is only available if operation-mode {gateway | server | transparent} is transparent.

proxy-smtp-local status {enable | disable}

Enable to allow connections destined for the FortiMail unit itself.

This option is only available if operation-mode {gateway | server | transparent} is transparent.

proxy-smtp-out-mode {pass‑through | drop | proxy}

Enter how the proxy or built-in MTA will handle SMTP connections on each network interface that are incoming to the IP addresses of email servers belonging to a protected domain:

• pass-through: Permit but do not proxy or relay. Because traffic is not proxied or relayed, no policies will be applied.
• drop: Drop connections.
• proxy: Proxy or relay connections. Once intercepted, policies determine any further scanning or logging actions. For more information, see policy delivery-control.

Depending on your network topology, you may want to verify that email is not being scanned twice. This could result if, due to mail routing, an email would travel through the FortiMail unit multiple times in order to reach its final destination, and you have entered proxy more than once for each interface and/or directionality. For an example, see the FortiMail Administration Guide.

This option is only available if operation-mode {gateway | server | transparent} is transparent.

redundant-arp-ip <destination_ipv4>

Enter the redundant interface ARP monitoring IP target.

This option is only available when redundant-link-monitor {mii-link | arp-link} is arp-link.

redundant-link-monitor {mii-link | arp-link}

Select the parameters to monitor the connections of the redundant interfaces.

• mii-link: Media Independent Interface is an abstract layer between the operating system and the NIC which detects whether the failover link is running.

• arp-link: Address Resolution Protocol (ARP) periodically checks whether the remote interface is reachable. Also configure redundant-arp-ip <destination_ipv4>.

This option is only available when type {vlan | redundant} is redundant.

redundant-member <member-interface_
name>

Enter the redundant member for interface failover.

This option is only available when type {vlan | redundant} is redundant.

speed {auto | 10full | 10half | 100full | 100half | 1000full}

Enter the speed of the network interface.

Some network interfaces may not support all speeds.

status {down | up}

Enter either up to enable the network interface to send and receive traffic, or down to disable the network interface.

type {vlan | redundant}

• vlan: A virtual LAN (VLAN) subinterface, is a virtual interface on a physical interface. The subinterface allows routing of VLAN tagged packets using that physical interface, but it is separate from any other traffic on the physical interface.

  Virtual LANs (VLANs) use ID tags to logically separate devices on a network into smaller broadcast domains. These smaller domains forward packets only to devices that are part of that VLAN domain. This reduces traffic and increases network security.

  One example of an application of VLANs is a company’s accounting department. Accounting computers may be located at both main and branch offices. However, accounting computers need to communicate with each other frequently and require increased security. VLANs allow the accounting network traffic to be sent only to accounting computers and to connect accounting computers in different locations as if they were on the same physical subnet.

  Also configure vlanid <vlan_int>.

• redundant: On the FortiMail unit, you can combine two or more physical interfaces to provide link redundancy. This feature allows you to connect to two or more switches to ensure connectivity in the event one physical interface or the equipment on that interface fails.

  In a redundant interface, traffic is only going over one interface at any time. This differs from an aggregated interface where traffic is going over all interfaces for increased bandwidth. This difference means redundant interfaces can have more robust configurations with fewer possible points of failure. This is important in a fully-meshed HA configuration.

  Also configure redundant-member <member-interface_name> and redundant-link-monitor {mii-link | arp-link}.

vlanid <vlan_int>

Enter the VLAN ID for logically separating devices on a network into smaller broadcast domains.

This option is only available when type {vlan | redundant} is vlan.