CLI Reference

system v-zone

Use this command to configure bridged network interfaces, also called v-zones.

Bridges allow network connections to travel through the FortiWeb appliance’s physical network ports without explicitly connecting to one of its IP addresses.

For FortiWeb-VM, you must create vSwitches before you can configure a bridge. For details, see the FortiWeb-VM Install Guide:

https://docs.fortinet.com/fortiweb/hardware

To use this command, your administrator account’s access control profile must have either w or rw permission to the netgrp area. For details, see Permissions.

Syntax

    config system v-zone
      edit "<bridge_name>"
        set interfaces {"<interface_name>" "<interface_name>" ...}
        set monitor {enable | disable}
        set mtu <mtu_int>
        set use-interface-macs {"<interface_name>" "<interface_name>" ...}
        set multicast-snooping {enable | disable}
      next
    end

Variables

"<bridge_name>"

    Type the name of the bridge. The maximum length is 15 characters.

    To display the list of existing bridges, type:

        edit ?

    Default: No default.

interfaces {"<interface_name>" "<interface_name>" ...}

    Type the names of two or more network interfaces that currently have no IP address of their own, nor are members of another bridge, and therefore could be members of this bridge. Separate each name with a space. The maximum length is 63 characters.

    Default: No default.

mtu <mtu_int>

    Enter the maximum transmission unit (MTU) that the bridge supports.

    When you specify the MTU for a bridge, FortiWeb automatically sets the MTU for the v-zone members to the same value.

    Valid values are 512–9216 (for IPv4) or 1280–9216 (for IPv6).

    Default: 1500

multicast-snooping {enable | disable}

    Enable/disable multicast snooping.

    Default: No default.

monitor {enable | disable}

    Specifies whether FortiWeb automatically brings down all members of this v-zone if one member goes down.

    Default: disable

use-interface-macs {"<interface_name>" "<interface_name>" ...}

    Enter the names of network interfaces that are members of the bridge and send and transmit traffic using the MAC address of their corresponding FortiWeb network interface.

    When the operation mode is True Transparent Proxy, by default, traffic to the back-end servers preserves the MAC address of the source. If you are using FortiWeb with front-end load balancers that are in a high availability cluster that uses multiple bridges, this mechanism can cause switching problems on failover. When the v-zone uses the MAC address of the FortiWeb network interface instead, a failover does not interrupt the flow of traffic.

    Available only when the operation mode is True Transparent Proxy.

    Default: No default.

Example

This example configures a true bridge between port3 and port4. The bridge has no virtual network interface, and so it cannot respond to pings.

    config system v-zone
      edit bridge1
        set interfaces port3 port4
      next
    end
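A pre-deployment check of a v-zone stanza against the limits documented above, as an added example that is not Fortinet code. The function names, the family parameter and the sample configuration are assumptions made for illustration. Whether a member interface has its own IP address cannot be determined from this stanza alone and is not checked.

```python
import shlex

NAME_MAX, MTU_MAX = 15, 9216            # limits stated in the reference above
MTU_MIN = {"ipv4": 512, "ipv6": 1280}
# Constructed sample: bridge2 has one member, reuses port4 and names a non-member port.
SAMPLE = ("config system v-zone\nedit bridge1\nset interfaces port3 port4\nnext\n"
          "edit bridge2\nset interfaces port4\nset mtu 1000\nset use-interface-macs port5\nnext\nend\n")

def parse_vzones(text):
    """Parse a 'config system v-zone' block into {bridge_name: {option: [values]}}."""
    zones, current, inside = {}, None, False
    for raw in text.splitlines():
        tok = shlex.split(raw)          # also strips the optional double quotes
        if not tok:
            continue
        if tok[:3] == ["config", "system", "v-zone"]:
            inside = True
        elif inside and tok[0] == "edit" and len(tok) == 2:
            current = zones.setdefault(tok[1], {})
        elif inside and tok[0] == "set" and current is not None and len(tok) >= 2:
            current[tok[1]] = tok[2:]
        elif tok[0] == "next":
            current = None
        elif tok[0] == "end":
            inside = False
    return zones

def lint_vzones(zones, family="ipv4"):
    """Return findings for settings that fall outside the documented constraints."""
    findings, owner = [], {}
    for name, opts in zones.items():
        members = opts.get("interfaces", [])
        if len(name) > NAME_MAX:
            findings.append(f"{name}: name longer than {NAME_MAX} characters")
        if len(members) < 2:
            findings.append(f"{name}: a bridge needs two or more interfaces")
        for port in members:
            if port in owner:
                findings.append(f"{name}: {port} is already a member of {owner[port]}")
            owner.setdefault(port, name)
        mtu = opts.get("mtu", ["1500"])[0]          # documented default is 1500
        if not (mtu.isdigit() and MTU_MIN[family] <= int(mtu) <= MTU_MAX):
            findings.append(f"{name}: mtu {mtu} outside {MTU_MIN[family]}-{MTU_MAX}")
        for port in opts.get("use-interface-macs", []):
            if port not in members:
                findings.append(f"{name}: use-interface-macs {port} is not a bridge member")
    return findings
```

Calling lint_vzones(parse_vzones(SAMPLE), family="ipv6") reports four findings for bridge2 and none for bridge1.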
