Administration Guide

Configuring network interfaces

Each of the FortiRecorder appliance's physical network adapter ports (or, for FortiRecorder-VM, vNICs) corresponds to a logical network interface. By default, the network interfaces have these IP addresses and netmasks:

Network Interface*    Default IP Address    Netmask
port1                 192.168.1.99          255.255.255.0
port2                 192.168.2.99          255.255.255.0
port3                 192.168.3.99          255.255.255.0
port4                 192.168.4.99          255.255.255.0

*The number of network interfaces varies by model.

If these IP addresses and subnets are not compatible with the design of your unique network, then you must configure them before you plug in port1, etc.

At least one network interface (usually port1) must be connected and configured so that you can connect to the FortiRecorder GUI and CLI.

Note

Best practice is to connect cameras and other services (GUI/CLI, external file storage, etc.) on different network interfaces. For example, you could connect:

  • port1 for administrator access
  • port2 for cameras and ACS devices
  • port3 for external file storage
  • port4 for Internet access (time synchronization, FortiRecorder Mobile, etc.)

Isolate cameras and ACS devices from the Internet, or use a VPN, so that only FortiRecorder can control them. Live video streams may be lower quality or have choppy motion if cameras do not have constantly available bandwidth. A dedicated network connection only for cameras has many advantages:

  • better security by preventing unauthorized access to cameras and video surveillance
  • consistent quality of service for live video streams
  • simpler bandwidth management

To configure a network interface's IP address

  1. Log in to the admin administrator account.
  2. Go to System > Network > Interface.
  3. Double-click the row to select the physical network interface that you want to modify.
  4. Expand the Addressing Mode section, and then select either:

    Setting Name Description

    Manual

    Manually assign an IP address and subnet mask to this network interface. Enter the IP address and netmask in IP/Netmask.

    IPv4 and IPv6 subnet masks should be provided in CIDR format. (For example, enter /24, not 255.255.255.0.) The IP address must be on the same subnet as the network to which the interface connects. Two network interfaces cannot have IP addresses on the same subnet.

    DHCP

    Automatically retrieve network settings from a DHCP server. Enable Connect to server to retrieve a DHCP lease when you save this configuration. If you want to also retrieve DNS and default route (gateway) settings, also enable Retrieve default gateway and DNS from server.

    Caution

    If an interface uses DHCP, and there are cameras connected to the interface, then you must configure an IP address reservation on the DHCP server so that the IP address will not change. FortiRecorder needs an IP address that does not change so that cameras can communicate with it reliably.

    Caution

    Retrieve default gateway and DNS from server will overwrite the existing DNS and default route, if any.

  5. Expand the Advanced Setting section, and then configure the following settings:

    Setting Name Description

    Discover cameras on this port

    Enable to send multicast camera discovery traffic from this network interface. You can also discover cameras on other subnets. See Discovering cameras in remote networks.

    Access

    Enable the types of administrative access that you want to permit to this interface.

    Caution

    Enable administrative access only on network interfaces connected to trusted private networks or directly to your management computer. If possible, enable only secure administrative access protocols such as HTTPS or SSH. Failure to restrict administrative access could compromise the security of your FortiRecorder appliance.

    Access: HTTPS

    Enable to allow secure HTTPS connections to the GUI through this network interface. To configure the listening port number, see Configuring the public port numbers and domain name. To upload a certificate, see Replacing the default certificate for the GUI.

    Access: PING

    Enable to allow:

    • ICMP type 8 (ECHO_REQUEST) or type 30
    • UDP ports 33434 to 33534

    for ping and traceroute to be received on this network interface. When it receives an ECHO_REQUEST, FortiRecorder will reply with ICMP type 0 (ECHO_RESPONSE).

    Caution

    Disabling PING only prevents FortiRecorder from receiving ICMP type 8 (ECHO_REQUEST) or type 30 and traceroute-related UDP. It does not disable FortiRecorder CLI commands such as execute ping or execute traceroute that send such traffic.

    Access: HTTP

    Enable to allow HTTP connections to the GUI through this network interface. To configure the listening port number, see Configuring the public port numbers and domain name.

    Caution

    HTTP connections are not secure, and can be intercepted by a third party. If possible, enable this option only for network interfaces connected to a trusted private network, or directly to your management computer. Failure to restrict administrative access through this protocol could compromise the security of your FortiRecorder appliance.

    Access: SSH

    Enable to allow SSH connections to the CLI through this network interface.

    Access: SNMP

    Enable to allow SNMP queries to this network interface, if queries have been configured and the sender is a configured SNMP manager. To configure the listening port number and configure queries and traps, see Configuring SNMP traps and queries.

    Access: TELNET

    Enable to allow Telnet connections to the CLI through this network interface.

    Caution

    Telnet connections are not secure, and can be intercepted by a third party. If possible, enable this option only for network interfaces connected to a trusted private network, or directly to your management computer. Failure to restrict administrative access through this protocol could compromise the security of your FortiRecorder appliance.

    Access: FRC-Central

    Enable to allow access from FortiCentral installations. See also the FortiCentral User Guide.

    Access: RTSP

    Enable to allow live video streams from cameras.

    MTU

    Enable to change the maximum transmission unit (MTU) value, then enter the maximum packet or Ethernet frame size in bytes.

    If network devices between the FortiRecorder unit and its traffic destinations require smaller or larger units of traffic, packets may require additional processing at each node in the network to fragment or defragment the units, resulting in reduced network performance. Adjusting the MTU to match your network can improve network performance.

    The default value is 1500 bytes. The MTU size must be between 576 and 1500 bytes. Change this if you need a lower value. For example, RFC 2516 prescribes a value of 1492 for PPPoE.

    This option is available only for network interfaces that are directly associated with a physical link.

    Administrative Status

    Select either:

    • Up — Enable (that is, bring up) the network interface so that it can send and receive traffic.
    • Down — Disable (that is, bring down) the network interface so that it cannot send or receive traffic.
  6. Click OK.

    If you were connected to the GUI through this network interface, you are now disconnected from it.

  7. To access the GUI again, in your web browser, modify the URL to match the new IP address of the network interface. For details, see Connecting to the FortiRecorder GUI.
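The constraints in this procedure (CIDR notation, no two interfaces on the same subnet, administrative access only on trusted networks, HTTP and Telnet flagged as not secure, MTU between 576 and 1500) can be checked against a planned layout before it is applied. The following is an added example, not Fortinet code; the dictionary schema, the `trusted` flag, and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Values taken from this page: the two protocols the guide calls "not
# secure", the GUI/CLI access options, and the permitted MTU range.
INSECURE = {"HTTP", "TELNET"}
ADMIN = {"HTTPS", "HTTP", "SSH", "TELNET"}
MTU_MIN, MTU_MAX = 576, 1500


def audit_interfaces(interfaces):
    """Check planned interface settings; return (port, finding) tuples.

    `interfaces` maps a port name to a dict with keys "ip" (CIDR string),
    "access" (set of Access options), "trusted" (bool) and optional "mtu".
    This schema is an assumption of the example, not a FortiRecorder format.
    """
    findings, seen = [], {}
    for name, cfg in interfaces.items():
        net = None
        # The guide asks for CIDR notation (/24), not a dotted netmask.
        if not cfg["ip"].partition("/")[2].isdigit():
            findings.append((name, "netmask not in CIDR format"))
        else:
            try:
                net = ipaddress.ip_interface(cfg["ip"]).network
            except ValueError:
                findings.append((name, "invalid IP address or prefix"))
        if net is not None:
            # Two interfaces cannot have addresses on the same subnet.
            for other, other_net in seen.items():
                if net.version == other_net.version and net.overlaps(other_net):
                    findings.append((name, f"same subnet as {other}"))
            seen[name] = net

        access = {a.upper() for a in cfg.get("access", ())}
        admin = sorted(access & ADMIN)
        if admin and not cfg.get("trusted", False):
            findings.append(
                (name, "admin access on untrusted network: " + ", ".join(admin)))
        for proto in sorted(access & INSECURE):
            findings.append((name, f"{proto} is not secure"))

        mtu = cfg.get("mtu")
        if mtu is not None and not MTU_MIN <= mtu <= MTU_MAX:
            findings.append((name, f"MTU {mtu} outside {MTU_MIN}-{MTU_MAX}"))
    return findings


# Constructed sample plan (addresses and trust labels are made up).
SAMPLE = {
    "port1": {"ip": "192.168.1.99/24", "access": {"HTTPS", "SSH"}, "trusted": True},
    "port2": {"ip": "192.168.2.99/24", "access": {"RTSP", "PING"}, "trusted": True},
    "port3": {"ip": "192.168.2.150/24", "access": set(), "trusted": True, "mtu": 9000},
    "port4": {"ip": "203.0.113.10/255.255.255.0",
              "access": {"HTTP", "TELNET"}, "trusted": False},
}

if __name__ == "__main__":
    for port, finding in audit_interfaces(SAMPLE):
        print(f"{port}: {finding}")
```
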

Creating FortiRecorder logical interfaces

If you have a more complex network, then in addition to the physical network interfaces, you can create logical interfaces on FortiRecorder. Go to System > Network > Interface and click New.

VLAN subinterfaces

A virtual LAN (VLAN) subinterface, also called a VLAN, is a virtual interface on a physical interface. The subinterface allows routing of VLAN tagged packets using that physical interface, but it is separate from any other traffic on the physical interface.

Virtual LANs (VLANs) use ID tags to logically separate devices on a network into smaller broadcast domains. These smaller domains forward packets only to devices that are part of that VLAN domain. This reduces traffic and increases network security.

One example of an application of VLANs is a company's accounting department. Accounting computers may be located at both main and branch offices. However, accounting computers need to communicate with each other frequently and require increased security. VLANs allow the accounting network traffic to be sent only to accounting computers and to connect accounting computers in different locations as if they were on the same physical subnet.

Redundant interfaces

On a FortiRecorder, you can combine two or more physical interfaces to provide link redundancy. This feature allows you to connect to two or more switches to provide connectivity in the event one physical interface or the equipment on that interface fails.

In a redundant interface, traffic is only going over one interface at any time. This differs from an aggregated interface where traffic is going over all interfaces for increased bandwidth. This difference means redundant interfaces can have more robust configurations with fewer possible points of failure.

A physical interface can be added to a redundant interface if it:

  • is a physical interface, not a VLAN interface
  • is not already part of a redundant interface
  • has no defined IP address and is not configured for DHCP
  • does not have any VLAN sub-interfaces

When a physical interface is included in a redundant interface, it is not listed on System > Network > Interface. You cannot configure the interface anymore.

Aggregate interfaces

An aggregate interface is a logical interface which uses the Link Aggregation Control Protocol (LACP) (802.3ad) and combines several interfaces to increase throughput. It also provides redundancy in case one interface in the aggregation is down.

Loopback interfaces

A loopback interface is a logical interface that is always up (no physical link dependency) and the attached subnet is always present in the routing table.

The loopback IP address does not depend on one specific external port, so it can be accessed through several physical or VLAN interfaces. In the current release, you can only add one loopback interface on the FortiRecorder.

The loopback interface is useful when you use an OSI Layer 2 load balancer in front of several FortiRecorder devices. In this case, you can set the FortiRecorder loopback interface's IP address to the same address as the load balancer's IP address, so that the FortiRecorder unit can pick up the traffic forwarded to it from the load balancer.
