Configuring device interfaces
You can view and configure device interface settings.
To configure a device interface:
- Go to Security > Network.
- Select Interface from the System dropdown.
- Click Create or select an existing interface from the list and click Edit.
- Configure the following settings:
Setting
Guidelines
Name
Required. Enter a name for the interface.
Alias Name
Optional. Enter an alias for this interface. This alias is used in forms but does not appear in logs.
Type
Required. Select the appropriate interface type.
Only the options available for the interface are selectable. Disabled (grayed-out) types are not supported.
Select from the following types:
- 802.3ad Aggregate: Bind two or more physical interfaces together to form an aggregated (combined) link. This new link has the bandwidth of all the links combined. If a link in the group fails, traffic is transferred automatically to the remaining interfaces. The only noticeable effect is reduced bandwidth.
- Redundant Interface: Bind two or more interfaces to form a redundant interface. In a redundant interface, only one interface is in use at any time. If the active interface fails, one of the other interfaces becomes active.
- VLAN: Virtual local area networks (VLANs) multiply the capabilities of your firewall device and can also provide added network security. VLANs use ID tags to logically separate devices on a network into smaller broadcast domains. These smaller domains forward packets only to devices that are part of that VLAN domain.
VLAN Protocol
Required. Select the appropriate protocol from the following options:
- 802.1Q: The most common VLAN tagging protocol. 802.1Q inserts a 4-byte tag within the Ethernet frame.
- 802.1AD: Extends 802.1Q by allowing nested VLAN tags.
Note: This field is only displayed if Type is set to VLAN.
Interface
Required. Select the device interface to which this VLAN interface is attached.
Note: This field is only displayed if Type is set to VLAN.
VLAN ID
Required. Specify an identifier for this VLAN.
Note: This field is only displayed if Type is set to VLAN.
VRF ID
Optional. Enter a Virtual Routing and Forwarding (VRF) identifier for this interface.
VRF allows multiple routing table instances to coexist on the same router. One or more interfaces can have a VRF, and packets are only forwarded between interfaces with the same VRF.
Interface Members
Optional. If applicable, select the interfaces to be joined in this interface.
Note: This field is only displayed if Type is 802.3ad Aggregate or Redundant Interface.
Address
Addressing Mode
Required. Select the IPv4 addressing mode for the interface from the following:
- Manual: Add an IP address and netmask for the interface.
- DHCP: Get the interface IP address and other network settings from a DHCP server.
The following options are not supported:
- IPAM: Assign subnets to prevent duplicate IP addresses from overlapping within the same Security Fabric. See Configure IPAM locally on the FortiGate.
- PPPoE: Get the interface IP address and other network settings from a PPPoE server.
- PPPoA: Get the interface IP address and other network settings from a PPPoA server.
- One-Arm Sniffer: Set the interface as a sniffer port so it can be used to detect attacks. See One-arm sniffer.
IP/Netmask
Optional. Specify the IPv4 address and netmask for this interface.
Note: This field is only displayed when Addressing Mode is Manual.
Retrieve default gateway from server
Optional. Enable or disable setting the default gateway using the server-provided value.
Note: This field is only displayed when Addressing Mode is DHCP.
Distance
Optional. Enter the administrative distance for the default gateway retrieved from the DHCP server.
The administrative distance is an integer from 1 to 255 that specifies the relative priority of a route when there are multiple routes to the same destination. A lower administrative distance indicates a more preferred route.
Note: This field is only displayed when Addressing Mode is DHCP.
Override internal DNS
Optional. Enable or disable using the DNS addresses retrieved from the DHCP server.
Note: This field is only displayed when Addressing Mode is DHCP.
IPv6 Addressing Mode
Optional. Select the IPv6 addressing mode for the interface from the following:
- Manual: Add an IPv6 address and netmask for the interface.
- DHCP: Get the interface IPv6 address and other network settings from a DHCP server.
The following option is not supported:
- Delegated
Note: This field is only displayed when IPv6 Addressing Mode is Manual.
IPv6 Address/Prefix
Optional. Specify the IPv6 address and prefix.
Note: This field is only displayed when IPv6 Addressing Mode is Manual.
Auto Configure IPv6 Address
Optional. Enable or disable automatically configuring an IPv6 address using Stateless Address Auto-configuration (SLAAC).
Administrative access
Optional. Enable or disable the types of administrative access permitted for connections to this interface.
Note: Only IPv4 administrative access is supported.
Network
Device Detection
Optional. Enable or disable passively gathering device identity information about the devices on the network that are connected to this interface.
Security Mode
Optional. Enable or disable captive portal authentication for this interface.
After enabling captive portal authentication, you can configure the authentication portal, user and group access, custom portal messages, exempt sources and destinations and services, and redirect after captive portal.
Authentication Portal
Optional. Select the location of the portal from the following:
- Local: The portal is hosted on the firewall device.
- External: The portal is hosted on an external server. Enter the FQDN or IP address.
Note: This field is only displayed when Security Mode is enabled and set to Captive Portal.
User Access
Optional. Specify whether the portal applies to all users or selected user groups:
- Restricted to Groups: Restrict access to the user groups selected in User group. Users are redirected to the captive portal login page when they access the captive portal.
- Allow all: All users can log in, but access is defined by relevant policies. The disclaimer page is shown when a user tries to log in to the captive portal.
Note: This field is only displayed when Security Mode is enabled and set to Captive Portal.
Exempt Sources
Optional. Select sources exempt from the captive portal.
Note: This field is only displayed when Security Mode is enabled and set to Captive Portal.
Exempt Destinations
Optional. Select destinations exempt from the captive portal.
Note: This field is only displayed when Security Mode is enabled and set to Captive Portal.
Exempt Service
Optional. Select services exempt from the captive portal.
Note: This field is only displayed when Security Mode is enabled and set to Captive Portal.
Redirect after Captive Portal
Optional. Select from the following options:
- Original Request: Redirect to the original request URL.
- Specify URL: Redirect to the specified URL.
Note: This field is only displayed when Security Mode is enabled and set to Captive Portal.
Miscellaneous
Comments
Optional. Enter comments as needed.
Status
Required. Enable or disable this interface.
- Click Save.
The interface is saved. As with other device settings, you must install it to the device before it can take effect. See Installing updates to devices.
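The conditional-field rules in the settings table above can be checked before an interface definition is installed. The following is an added example, not vendor code: the dictionary keys are hypothetical names that mirror the form labels, and the 1 to 4094 VLAN ID range is the usable 802.1Q range rather than a value stated on this page.

```python
# Added example: keys are hypothetical and mirror the form labels on this page;
# they are not a vendor API or export format.
VLAN_ONLY = ("vlan_protocol", "interface", "vlan_id")
MEMBER_TYPES = ("802.3ad Aggregate", "Redundant Interface")
UNSUPPORTED_MODES = ("IPAM", "PPPoE", "PPPoA", "One-Arm Sniffer")
DHCP_ONLY = ("retrieve_default_gateway", "distance", "override_internal_dns")
PORTAL_ONLY = ("authentication_portal", "user_access", "exempt_sources",
               "exempt_destinations", "exempt_service", "redirect_after")

def lint_interface(cfg):
    """Return a list of problems found in one interface definition."""
    errs = []
    itype = cfg.get("type")
    mode = cfg.get("addressing_mode")
    for field in ("name", "type", "addressing_mode", "status"):
        if cfg.get(field) in (None, ""):
            errs.append(f"{field}: required")
    if itype == "VLAN":
        errs += [f"{f}: required when Type is VLAN" for f in VLAN_ONLY if f not in cfg]
        vid = cfg.get("vlan_id")
        # Assumption: 1-4094 is the usable 802.1Q range; the page gives no range.
        if vid is not None and not (isinstance(vid, int) and 1 <= vid <= 4094):
            errs.append("vlan_id: must be an integer from 1 to 4094")
    else:
        errs += [f"{f}: only applies when Type is VLAN" for f in VLAN_ONLY if f in cfg]
    if "interface_members" in cfg and itype not in MEMBER_TYPES:
        errs.append("interface_members: only applies to aggregate or redundant types")
    if mode in UNSUPPORTED_MODES:
        errs.append(f"addressing_mode: {mode} is not supported")
    if mode != "DHCP":
        errs += [f"{f}: only applies when Addressing Mode is DHCP" for f in DHCP_ONLY if f in cfg]
    if mode != "Manual" and "ip_netmask" in cfg:
        errs.append("ip_netmask: only applies when Addressing Mode is Manual")
    dist = cfg.get("distance")
    if dist is not None and not (isinstance(dist, int) and 1 <= dist <= 255):
        errs.append("distance: must be an integer from 1 to 255")
    if cfg.get("security_mode") != "Captive Portal":
        errs += [f"{f}: only applies when Security Mode is Captive Portal"
                 for f in PORTAL_ONLY if f in cfg]
    return errs

# Constructed sample definitions.
GOOD = {"name": "vlan100", "type": "VLAN", "vlan_protocol": "802.1Q",
        "interface": "port1", "vlan_id": 100, "addressing_mode": "Manual",
        "ip_netmask": "10.0.100.1/24", "status": "enable"}
BAD = {"name": "uplink", "type": "802.3ad Aggregate", "vlan_id": 5000,
       "addressing_mode": "PPPoE", "distance": 300, "user_access": "Allow all",
       "status": "enable"}
```

`lint_interface(GOOD)` returns an empty list, while `lint_interface(BAD)` reports the stray VLAN ID, the unsupported addressing mode, the DHCP-only distance and its out-of-range value, and the captive portal field set without Security Mode.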