interface

Use this command to edit the configuration of a FortiManager network interface.

Syntax

To configure a physical interface:

config system interface

edit <interface name>

set status {enable | disable}

set ip <ipv4_mask>

set allowaccess {http https ping snmp soc-fabric ssh webservice}

set serviceaccess {fclupdates fgtupdates webfilter-antispam}

set update-service-ip <ip&netmask>

set rating-service-ip <ip&netmask>

set lldp {enable | disable}

set speed {1000full | 100full | 100half | 10full | 10half | auto}

set description <string>

set alias <string>

set mtu <integer>

set type {aggregate | physical | vlan}

config ipv6

set ip6-address <ipv6 prefix>

set ip6-allowaccess {http https https-logging ping snmp ssh webservice}

set ip6-autoconf {enable | disable}

end

To configure an aggregate interface:

config system interface

edit <interface name>

set status {enable | disable}

set ip <ipv4_mask>

set allowaccess {http https ping snmp soc-fabric ssh webservice}

set serviceaccess {fclupdates fgtupdates webfilter-antispam}

set update-service-ip <ip&netmask>

set rating-service-ip <ip&netmask>

set speed {1000full | 100full | 100half | 10full | 10half | auto}

set description <string>

set alias <string>

set mtu <integer>

set type {aggregate | physical | vlan}

set lacp-speed {fast | slow}

set min-links <integer>

set min-links-down {administrative | operational}

set link-up-delay <integer>

config member

edit <interface-name>

end

config ipv6

set ip6-address <ipv6 prefix>

set ip6-allowaccess {http https https-logging ping snmp ssh webservice}

set ip6-autoconf {enable | disable}

end

To configure a VLAN interface:

config system interface

edit <interface name>

set status {enable | disable}

set ip <ipv4_mask>

set allowaccess {http https ping snmp soc-fabric ssh webservice}

set serviceaccess {fclupdates fgtupdates webfilter-antispam}

set update-service-ip <ip&netmask>

set rating-service-ip <ip&netmask>

set speed {1000full | 100full | 100half | 10full | 10half | auto}

set description <string>

set alias <string>

set mtu <integer>

set type {aggregate | physical | vlan}

set interface <string>

set vlanid <integer>

set vlan-protocol {8021ad | 8021q}

config ipv6

set ip6-address <ipv6 prefix>

set ip6-allowaccess {http https https-logging ping snmp ssh webservice}

set ip6-autoconf {enable | disable}

end

Variable	Description
<interface name>	The interface name. The port can be set to a port number such as `port1`, `port2`, `port3`, or `port4`. Different FortiManager models have different numbers of ports.
status {enable \| disable}	Enable/disable the interface (default = enable). If the interface is disabled it does not accept or send packets. If you disable a physical interface, VLAN interfaces associated with it are also disabled.
ip <ipv4_mask>	Enter the interface IPv4 address and netmask. The IPv4 address cannot be on the same subnet as any other interface.
allowaccess {http https ping snmp soc-fabric ssh webservice}	Enter the types of management access permitted on this interface. Separate multiple selected types with spaces. If you want to add or remove an option from the list, retype the list as required.
serviceaccess {fclupdates fgtupdates webfilter-antispam}	Enter the types of service access permitted on this interface. Separate multiple selected types with spaces. If you want to add or remove an option from the list, retype the list as required. `fclupdates`: FortiClient updates access. `fgtupdates`: FortiGate updates access. `webfilter-antispam`: Web filtering and antispam access.
update-service-ip <ip&netmask>	The IP address for the FortiGate update service. It must be on the same subnet as the interface IP address. This variable is only available when `serviceaccess` is `fgtupdates`.
rating-service-ip <ip&netmask>	The IP address for the FortiGate rating service. It must be on the same subnet as the interface IP address. This variable is only available when `serviceaccess` is `webfilter-antispam`.
lldp {enable \| disable}	Enable or disable the link layer discovery protocol (LLDP) (default = disable). This variable is only available when the `type` is `physical`.
speed {1000full \| 100full \| 100half \| 10full \| 10half \| auto}	Enter the speed and duplexing the network port uses: `100full`: 100M full-duplex `100half`: 100M half-duplex `10full`: 10M full-duplex `10half`: 10M half-duplex `auto`: Automatically negotiate the fastest common speed (default)
description <string>	Enter a description of the interface (character limit = 63).
alias <string>	Enter an alias for the interface.
mtu <integer>	Set the maximum transportation unit (68 - 9000, default = 1500).
type {aggregate \| physical \| vlan}	Set the type of interface (default = aggregate).
lacp-speed {fast \| slow}	Set how often the interface sends LACP messages: `fast`: Send LACP message every second. `slow`: Send LACP message every 30 seconds (default). This variable is only available when the `type` is `aggregate`.
min-links <integer>	Set the minimum number of aggregated ports that must be up (default = 1). This variable is only available when the `type` is `aggregate`.
min-links-down {administrative \| operational}	Action to take when less than the configured minimum number of links are active: `administrative`: Set the aggregate administratively down. `operational`: Set the aggregate operationally down (default). This variable is only available when the `type` is `aggregate`.
link-up-delay <integer>	Set the number of milliseconds to wait before considering a link is up (default = 50). This variable is only available when the `type` is `aggregate`.
interface <string>	Set the underlying interface name for the VLAN interface. This variable is only available when the `type` is `vlan`.
vlanid <integer>	Set the VLAN ID (1 - 4094, default = 0). This variable is only available when the `type` is `vlan`.
vlan-protocol {8021ad \| 8021q}	Set the ethernet protocol of the VLAN (IEEE 802.1AD or IEEE 802.1Q, default = IEEE 802.1Q). This variable is only available when the `type` is `vlan`.
Variables for `config member` subcommand: This subcommand is only available when the `type` is `aggregate`.
<interface-name>	Enter the interface name that belongs to the aggregate or the redundant interface.
Variables for `config ipv6` subcommand:
ip6-address <ipv6 prefix>	IPv6 address/prefix of interface.
ip6-allowaccess {http https https-logging ping snmp ssh webservice}	Allow management access to the interface.
ip6-autoconf {enable \| disable}	Enable/disable address automatic configuration (SLAAC) (default = enable).

Example

This example shows how to set the FortiManager port1 interface IPv4 address and network mask to 192.168.100.159 and 255.255.255.0, and the management access to ping, https, and ssh.

config system interface

edit port1

set allowaccess ping https ssh

set ip 192.168.110.26 255.255.255.0

set status enable

end

interface

Use this command to edit the configuration of a FortiManager network interface.

Syntax

To configure a physical interface:

config system interface

edit <interface name>

set status {enable | disable}

set ip <ipv4_mask>

set allowaccess {http https ping snmp soc-fabric ssh webservice}

set serviceaccess {fclupdates fgtupdates webfilter-antispam}

set update-service-ip <ip&netmask>

set rating-service-ip <ip&netmask>

set lldp {enable | disable}

set speed {1000full | 100full | 100half | 10full | 10half | auto}

set description <string>

set alias <string>

set mtu <integer>

set type {aggregate | physical | vlan}

config ipv6

set ip6-address <ipv6 prefix>

set ip6-allowaccess {http https https-logging ping snmp ssh webservice}

set ip6-autoconf {enable | disable}

end

To configure an aggregate interface:

config system interface

edit <interface name>

set status {enable | disable}

set ip <ipv4_mask>

set allowaccess {http https ping snmp soc-fabric ssh webservice}

set serviceaccess {fclupdates fgtupdates webfilter-antispam}

set update-service-ip <ip&netmask>

set rating-service-ip <ip&netmask>

set speed {1000full | 100full | 100half | 10full | 10half | auto}

set description <string>

set alias <string>

set mtu <integer>

set type {aggregate | physical | vlan}

set lacp-speed {fast | slow}

set min-links <integer>

set min-links-down {administrative | operational}

set link-up-delay <integer>

config member

edit <interface-name>

end

config ipv6

set ip6-address <ipv6 prefix>

set ip6-allowaccess {http https https-logging ping snmp ssh webservice}

set ip6-autoconf {enable | disable}

end

To configure a VLAN interface:

config system interface

edit <interface name>

set status {enable | disable}

set ip <ipv4_mask>

set allowaccess {http https ping snmp soc-fabric ssh webservice}

set serviceaccess {fclupdates fgtupdates webfilter-antispam}

set update-service-ip <ip&netmask>

set rating-service-ip <ip&netmask>

set speed {1000full | 100full | 100half | 10full | 10half | auto}

set description <string>

set alias <string>

set mtu <integer>

set type {aggregate | physical | vlan}

set interface <string>

set vlanid <integer>

set vlan-protocol {8021ad | 8021q}

config ipv6

set ip6-address <ipv6 prefix>

set ip6-allowaccess {http https https-logging ping snmp ssh webservice}

set ip6-autoconf {enable | disable}

end

Variable	Description
<interface name>	The interface name. The port can be set to a port number such as `port1`, `port2`, `port3`, or `port4`. Different FortiManager models have different numbers of ports.
status {enable \| disable}	Enable/disable the interface (default = enable). If the interface is disabled it does not accept or send packets. If you disable a physical interface, VLAN interfaces associated with it are also disabled.
ip <ipv4_mask>	Enter the interface IPv4 address and netmask. The IPv4 address cannot be on the same subnet as any other interface.
allowaccess {http https ping snmp soc-fabric ssh webservice}	Enter the types of management access permitted on this interface. Separate multiple selected types with spaces. If you want to add or remove an option from the list, retype the list as required.
serviceaccess {fclupdates fgtupdates webfilter-antispam}	Enter the types of service access permitted on this interface. Separate multiple selected types with spaces. If you want to add or remove an option from the list, retype the list as required. `fclupdates`: FortiClient updates access. `fgtupdates`: FortiGate updates access. `webfilter-antispam`: Web filtering and antispam access.
update-service-ip <ip&netmask>	The IP address for the FortiGate update service. It must be on the same subnet as the interface IP address. This variable is only available when `serviceaccess` is `fgtupdates`.
rating-service-ip <ip&netmask>	The IP address for the FortiGate rating service. It must be on the same subnet as the interface IP address. This variable is only available when `serviceaccess` is `webfilter-antispam`.
lldp {enable \| disable}	Enable or disable the link layer discovery protocol (LLDP) (default = disable). This variable is only available when the `type` is `physical`.
speed {1000full \| 100full \| 100half \| 10full \| 10half \| auto}	Enter the speed and duplexing the network port uses: `100full`: 100M full-duplex `100half`: 100M half-duplex `10full`: 10M full-duplex `10half`: 10M half-duplex `auto`: Automatically negotiate the fastest common speed (default)
description <string>	Enter a description of the interface (character limit = 63).
alias <string>	Enter an alias for the interface.
mtu <integer>	Set the maximum transportation unit (68 - 9000, default = 1500).
type {aggregate \| physical \| vlan}	Set the type of interface (default = aggregate).
lacp-speed {fast \| slow}	Set how often the interface sends LACP messages: `fast`: Send LACP message every second. `slow`: Send LACP message every 30 seconds (default). This variable is only available when the `type` is `aggregate`.
min-links <integer>	Set the minimum number of aggregated ports that must be up (default = 1). This variable is only available when the `type` is `aggregate`.
min-links-down {administrative \| operational}	Action to take when less than the configured minimum number of links are active: `administrative`: Set the aggregate administratively down. `operational`: Set the aggregate operationally down (default). This variable is only available when the `type` is `aggregate`.
link-up-delay <integer>	Set the number of milliseconds to wait before considering a link is up (default = 50). This variable is only available when the `type` is `aggregate`.
interface <string>	Set the underlying interface name for the VLAN interface. This variable is only available when the `type` is `vlan`.
vlanid <integer>	Set the VLAN ID (1 - 4094, default = 0). This variable is only available when the `type` is `vlan`.
vlan-protocol {8021ad \| 8021q}	Set the ethernet protocol of the VLAN (IEEE 802.1AD or IEEE 802.1Q, default = IEEE 802.1Q). This variable is only available when the `type` is `vlan`.
Variables for `config member` subcommand: This subcommand is only available when the `type` is `aggregate`.
<interface-name>	Enter the interface name that belongs to the aggregate or the redundant interface.
Variables for `config ipv6` subcommand:
ip6-address <ipv6 prefix>	IPv6 address/prefix of interface.
ip6-allowaccess {http https https-logging ping snmp ssh webservice}	Allow management access to the interface.
ip6-autoconf {enable \| disable}	Enable/disable address automatic configuration (SLAAC) (default = enable).

Example

This example shows how to set the FortiManager port1 interface IPv4 address and network mask to 192.168.100.159 and 255.255.255.0, and the management access to ping, https, and ssh.

config system interface

edit port1

set allowaccess ping https ssh

set ip 192.168.110.26 255.255.255.0

set status enable

end

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

CLI Reference

interface

interface

Syntax

To configure a physical interface:

To configure an aggregate interface:

To configure a VLAN interface:

Example

interface

interface

Syntax

To configure a physical interface:

To configure an aggregate interface:

To configure a VLAN interface: