Fortinet white logo
Fortinet white logo

CLI Reference

system interface

system interface

Use this command to configure:

  • The network interfaces associated with the physical network ports of the FortiWeb appliance
  • VLAN subinterfaces or 802.3ad link aggregates associated with physical network interfaces

Both the network interfaces and VLAN subinterfaces can include administrative access.

You can restrict which IP addresses are permitted to log in as a FortiWeb administrator through the network interfaces and VLAN subinterfaces. For details, see system admin.

When the FortiWeb appliance is operating in either of the transparent modes, VLANs do not support Cisco discovery protocol (CDP).

The Link Aggregation Control Protocol (LACP) Interface and Redundant Interface are currently supported only when FortiWeb is deployed in Reverse Proxy or True Transparent Proxy mode. It can be applied to VLAN subinterfaces. It cannot be applied to ports that are used for the HA heartbeat, but it can be applied to monitor ports in an HA cluster. It is not supported in FortiWeb-VM.

You can use SNMP traps to notify you when a network interface’s configuration changes, or when a link is brought down or brought up. For details, see system snmp community.

To use this command, your administrator account’s access control profile must have either rw permission to the netgrp area. For details, see Permissions.

Syntax

config system interface

edit "<interface_name>"

set status {up | down}

set type {aggregate | physical | vlan | redundant}

set algorithm {layer2 | layer2_3 | layer3_4}

set allowaccess {HTTP HTTPs ping snmp ssh FortiWeb-manager}

set ip6-allowaccess {HTTP HTTPs ping snmp ssh FortiWeb-manager}

set wccp {enable | disable}

set description "<comment_str>"

set interface "<interface_name>"

set intf {"<port_name>" ...}

set ip "<interface_ipv4mask>"

set ip6 "<interface_ipv6mask>"

set mode {static | dhcp}

set ip6-mode {static | dhcp}

set vlanid <vlan-id_int>

set vlanproto {8021q | 8021ad}

set lacp-speed {fast | slow}

set mtu <mtu_int>

set system interface

set system interface

set system interface

set system interface

config secondaryip

edit <entry_index>

set ip {"<interface_ipv4mask>" | "<interface_ipv6mask>"}

next

end

next

end

Variable Description Default

"<interface_name>"

Enter the name of a network interface. The maximum length is 15 characters. No default.

status {up | down}

Enable (select up) to bring up the network interface so that it is permitted to receive and/or transmit traffic.

Note: This administrative status from this command is not the same as its detected physical link status.

For example, even though you have used config system interface to configure port1 with set status up, if the cable is physically unplugged, diagnose hardware nic list port1 may indicate correctly that the link is down (Link detected: no).

up

algorithm {layer2 | layer2_3 | layer3_4}

Select the connectivity layers that will be considered when distributing frames among the aggregated physical ports.

  • layer2—Consider only the MAC address. This results in the most even distribution of frames, but may be disruptive to TCP if packets frequently arrive out of order.

  • layer2_3—Consider both the MAC address and IP session. Queue frames involving the same session to the same port. This results in slightly less even distribution, and still does not guarantee perfectly ordered TCP sessions, but does result in less jitter within the session.

  • layer3_4—Consider both the IP session and TCP connection. Queue frames involving the same session and connection to the same port. Distribution is not even, but this does prevent TCP retransmissions associated with link aggregation.

layer2

allowaccess {HTTP HTTPs ping snmp ssh FortiWeb-manager}

Enter the IPv4 protocols that will be permitted for administrative connections to the network interface or VLAN sub-interface.

Separate each protocol with a space. To remove from or add to the list of permitted administrative access protocols, retype the entire list.

  • ping—Allow ICMP ping responses from this network interface.

  • HTTP—Allow HTTP access to the web UI.

    The HTTP access to FortiWeb's GUI will be automatically redirected to HTTPS, so you can't enable HTTP alone, it should be enabled along with HTTPS.

  • HTTPs—Allow secure HTTP (HTTPS) access to the web UI.

  • snmp—Allow SNMP access. For details, see system snmp community.

    Note: This setting only configures which network interface will receive SNMP queries. To configure which network interface will send traffic, see system snmp community.

  • ssh—Allow SSH access to the CLI.

  • FortiWeb-manager — Allow FortiWeb Manager to use this interface to administer this appliance.

Caution: Enable administrative access only on network interfaces or VLAN subinterfaces that are connected to trusted private networks or directly to your management computer. If possible, enable only secure administrative access protocols such as HTTPS or SSH. Failure to restrict administrative access could compromise the security of your FortiWeb appliance. Consider allowing ping only when troubleshooting.

ping HTTPs ssh

ip6-allowaccess {HTTP HTTPs ping snmp ssh FortiWeb-manager}

Enter the IPv6 protocols that will be permitted for administrative connections to the network interface or VLAN subinterface.

Separate each protocol with a space. To remove from or add to the list of permitted administrative access protocols, retype the entire list.

  • ping—Allow ICMP ping responses from this network interface.

  • HTTP—Allow HTTP access to the web UI.
    The HTTP access to FortiWeb's GUI will be automatically redirected to HTTPS, so you can't enable HTTP alone, it should be enabled along with HTTPS.

  • HTTPs—Allow secure HTTP (HTTPS) access to the web UI.

  • snmp—Allow SNMP access. For details, see system snmp community.

    Note: This setting only configures which network interface will receive SNMP queries. To configure which network interface will send traffic, see system snmp community.

  • ssh—Allow SSH access to the CLI.

  • FortiWeb-manager — Allow FortiWeb Manager to use this interface to administer this appliance.

Caution: Enable administrative access only on network interfaces or VLAN subinterfaces connected to trusted private networks or directly to your management computer. If possible, enable only secure administrative access protocols such as HTTPS or SSH. Failure to restrict administrative access could compromise the security of your FortiWeb appliance. Consider allowing ping only when troubleshooting.

ping

wccp {enable | disable}

Specify whether FortiWeb uses the interface to communicate with a FortiGate unit configured as a WCCP server.

Available only when the operation mode is WCCP.

disable

description "<comment_str>"

Enter a description or other comment. If the comment is more than one word or contains an apostrophe, surround the comment with double quotes ( " ). The maximum length is 63 characters. No default.

interface "<interface_name>"

Enter the name of the network interface with which the VLAN subinterface will be associated. The maximum length is 15 characters.

This field is available only if type {aggregate | physical | vlan | redundant} is vlan.

No default.

intf {"<port_name>" ...}

Enter the names of 2 physical network interfaces or more that will be combined into the aggregate link. Only physical network interfaces may be aggregated. The maximum length is 15 characters each.

This field is available only if type {aggregate | physical | vlan | redundant} is vlan.

No default.

ip "<interface_ipv4mask>"

Enter the IPv4 address and netmask of the network interface, if any. The IP address must be on the same subnet as the network to which the interface connects. Two network interfaces cannot have IP addresses on the same subnet. The default setting for port1 is 192.168.1.99 with a netmask of 256.256.256.0. Other ports have no default. Varies by the interface.

ip6 "<interface_ipv6mask>"

Enter the IPv6 address and netmask of the network interface, if any. The IP address must be on the same subnet as the network to which the interface connects. Two network interfaces cannot have IP addresses on the same subnet. ::/0

lacp-speed {fast | slow}

Select the rate of transmission for the LACP frames (LACPUs) between FortiWeb and the peer device at the other end of the trunking cables, either:

  • SLOW—Every 30 seconds.
  • FAST—Every 1 second.

Note: This must match the setting on the other device. If the rates do not match, FortiWeb or the other device could mistakenly believe that the other’s ports have failed, effectively disabling ports in the trunk.

slow

type {aggregate | physical | vlan | redundant}

Indicates whether the interface is directly associated with a single physical network port, a group of redundant interfaces, or is instead a VLAN subinterface or link aggregate.

The default varies by whether you are editing a network interface associated with a physical port (physical) or creating a new subinterface/aggregate (vlan or aggregate).

Varies by the interface.

mode {static | dhcp}

Specify whether the interface obtains its IPv4 address and netmask using DHCP.

static

ip6-mode {static | dhcp}

Specify whether the interface obtains its IPv6 address and netmask using DHCP.

static

vlanid <vlan-id_int>

Enter the VLAN ID of packets that belong to this VLAN subinterface.

  • If one physical network port (that is, a VLAN trunk) will handle multiple VLANs, create multiple VLAN subinterfaces on that port, one for each VLAN ID that will be received.
  • If multiple, different physical network ports will handle the same VLANs, on each of the ports, create VLAN subinterfaces that have the same VLAN IDs.

The VLAN ID is part of the tag that is inserted into each Ethernet frame in order to identify traffic for a specific VLAN. VLAN header addition is handled automatically, and does not require that you adjust the maximum transmission appliance (MTU). Depending on whether the device receiving a packet operates at Layer 2 or Layer 3 of the network, this tag may be added, removed or rewritten before forwarding to other nodes on the network.

For example, a Layer 2 switch or FortiWeb appliance operating in either of the transparent modes would typically add or remove a tag when forwarding traffic among members of the VLAN, but would not route tagged traffic to a different VLAN ID. In contrast, a FortiWeb appliance operating in Reverse Proxy mode, inspecting the traffic to make routing decisions based upon higher-level layers/protocols, might route traffic between different VLAN IDs (also known as inter-VLAN routing) if indicated by its policy, such as if it has been configured to do WSDL-based routing.

For the maximum number of interfaces, including VLAN subinterfaces, see the FortiWeb Administration Guide:

HTTPs://docs.fortinet.com/fortiweb/admin-guides

This field is available only when type {aggregate | physical | vlan | redundant} is vlan. The valid range is between 1 and 4094 and must match the VLAN ID added by the IEEE 802.1q-compliant router or switch connected to the VLAN subinterface.

0

vlanproto {8021q | 8021ad}

Select either the VLAN type 802.1Q or 802.1ad. 802.1Q

<entry_index>

Enter the index number of the individual entry in the table. No default.

ip {"<interface_ipv4mask>" | "<interface_ipv6mask>"}

Type an additional IPv4 or IPv6 address and netmask for the network interface.

Available only when ip-src-balance or ip6-src-balance is enabled. For details, see system network-option.

No default.

mtu <mtu_int>

Enter the maximum transmission unit (MTU) that the interface supports.

Valid values are 512–9216 (for IPv4) or 1280–9216 (for IPv6).

You cannot specify an MTU for a VLAN interface that is larger than the MTU of the corresponding physical interface.

1500

Example

This example configures the network interface named port1, associated with the first physical network port, with the IP address and subnet mask 192.0.2.1/24. It also enables ICMP ECHO (ping) and HTTPS administrative access to that network interface, and enables it.

config system interface

edit "port1"

set ip "192.0.2.1 256.256.256.0"

set allowaccess ping HTTPs

set status up

next

end

Example

This example configures the network subinterface named vlan_100, associated with the physical network interface port1, with the IP address and subnet mask 192.0.2.1/24. It does not allow administrative access.

config system interface

edit "vlan_100"

set type vlan

set ip "192.0.2.1 256.256.256.0"

set status up

set vlanid 100

set interface "port1"

next

end

Related topics

system interface

system interface

Use this command to configure:

  • The network interfaces associated with the physical network ports of the FortiWeb appliance
  • VLAN subinterfaces or 802.3ad link aggregates associated with physical network interfaces

Both the network interfaces and VLAN subinterfaces can include administrative access.

You can restrict which IP addresses are permitted to log in as a FortiWeb administrator through the network interfaces and VLAN subinterfaces. For details, see system admin.

When the FortiWeb appliance is operating in either of the transparent modes, VLANs do not support Cisco discovery protocol (CDP).

The Link Aggregation Control Protocol (LACP) Interface and Redundant Interface are currently supported only when FortiWeb is deployed in Reverse Proxy or True Transparent Proxy mode. It can be applied to VLAN subinterfaces. It cannot be applied to ports that are used for the HA heartbeat, but it can be applied to monitor ports in an HA cluster. It is not supported in FortiWeb-VM.

You can use SNMP traps to notify you when a network interface’s configuration changes, or when a link is brought down or brought up. For details, see system snmp community.

To use this command, your administrator account’s access control profile must have either rw permission to the netgrp area. For details, see Permissions.

Syntax

config system interface

edit "<interface_name>"

set status {up | down}

set type {aggregate | physical | vlan | redundant}

set algorithm {layer2 | layer2_3 | layer3_4}

set allowaccess {HTTP HTTPs ping snmp ssh FortiWeb-manager}

set ip6-allowaccess {HTTP HTTPs ping snmp ssh FortiWeb-manager}

set wccp {enable | disable}

set description "<comment_str>"

set interface "<interface_name>"

set intf {"<port_name>" ...}

set ip "<interface_ipv4mask>"

set ip6 "<interface_ipv6mask>"

set mode {static | dhcp}

set ip6-mode {static | dhcp}

set vlanid <vlan-id_int>

set vlanproto {8021q | 8021ad}

set lacp-speed {fast | slow}

set mtu <mtu_int>

set system interface

set system interface

set system interface

set system interface

config secondaryip

edit <entry_index>

set ip {"<interface_ipv4mask>" | "<interface_ipv6mask>"}

next

end

next

end

Variable Description Default

"<interface_name>"

Enter the name of a network interface. The maximum length is 15 characters. No default.

status {up | down}

Enable (select up) to bring up the network interface so that it is permitted to receive and/or transmit traffic.

Note: This administrative status from this command is not the same as its detected physical link status.

For example, even though you have used config system interface to configure port1 with set status up, if the cable is physically unplugged, diagnose hardware nic list port1 may indicate correctly that the link is down (Link detected: no).

up

algorithm {layer2 | layer2_3 | layer3_4}

Select the connectivity layers that will be considered when distributing frames among the aggregated physical ports.

  • layer2—Consider only the MAC address. This results in the most even distribution of frames, but may be disruptive to TCP if packets frequently arrive out of order.

  • layer2_3—Consider both the MAC address and IP session. Queue frames involving the same session to the same port. This results in slightly less even distribution, and still does not guarantee perfectly ordered TCP sessions, but does result in less jitter within the session.

  • layer3_4—Consider both the IP session and TCP connection. Queue frames involving the same session and connection to the same port. Distribution is not even, but this does prevent TCP retransmissions associated with link aggregation.

layer2

allowaccess {HTTP HTTPs ping snmp ssh FortiWeb-manager}

Enter the IPv4 protocols that will be permitted for administrative connections to the network interface or VLAN sub-interface.

Separate each protocol with a space. To remove from or add to the list of permitted administrative access protocols, retype the entire list.

  • ping—Allow ICMP ping responses from this network interface.

  • HTTP—Allow HTTP access to the web UI.

    The HTTP access to FortiWeb's GUI will be automatically redirected to HTTPS, so you can't enable HTTP alone, it should be enabled along with HTTPS.

  • HTTPs—Allow secure HTTP (HTTPS) access to the web UI.

  • snmp—Allow SNMP access. For details, see system snmp community.

    Note: This setting only configures which network interface will receive SNMP queries. To configure which network interface will send traffic, see system snmp community.

  • ssh—Allow SSH access to the CLI.

  • FortiWeb-manager — Allow FortiWeb Manager to use this interface to administer this appliance.

Caution: Enable administrative access only on network interfaces or VLAN subinterfaces that are connected to trusted private networks or directly to your management computer. If possible, enable only secure administrative access protocols such as HTTPS or SSH. Failure to restrict administrative access could compromise the security of your FortiWeb appliance. Consider allowing ping only when troubleshooting.

ping HTTPs ssh

ip6-allowaccess {HTTP HTTPs ping snmp ssh FortiWeb-manager}

Enter the IPv6 protocols that will be permitted for administrative connections to the network interface or VLAN subinterface.

Separate each protocol with a space. To remove from or add to the list of permitted administrative access protocols, retype the entire list.

  • ping—Allow ICMP ping responses from this network interface.

  • HTTP—Allow HTTP access to the web UI.
    The HTTP access to FortiWeb's GUI will be automatically redirected to HTTPS, so you can't enable HTTP alone, it should be enabled along with HTTPS.

  • HTTPs—Allow secure HTTP (HTTPS) access to the web UI.

  • snmp—Allow SNMP access. For details, see system snmp community.

    Note: This setting only configures which network interface will receive SNMP queries. To configure which network interface will send traffic, see system snmp community.

  • ssh—Allow SSH access to the CLI.

  • FortiWeb-manager — Allow FortiWeb Manager to use this interface to administer this appliance.

Caution: Enable administrative access only on network interfaces or VLAN subinterfaces connected to trusted private networks or directly to your management computer. If possible, enable only secure administrative access protocols such as HTTPS or SSH. Failure to restrict administrative access could compromise the security of your FortiWeb appliance. Consider allowing ping only when troubleshooting.

ping

wccp {enable | disable}

Specify whether FortiWeb uses the interface to communicate with a FortiGate unit configured as a WCCP server.

Available only when the operation mode is WCCP.

disable

description "<comment_str>"

Enter a description or other comment. If the comment is more than one word or contains an apostrophe, surround the comment with double quotes ( " ). The maximum length is 63 characters. No default.

interface "<interface_name>"

Enter the name of the network interface with which the VLAN subinterface will be associated. The maximum length is 15 characters.

This field is available only if type {aggregate | physical | vlan | redundant} is vlan.

No default.

intf {"<port_name>" ...}

Enter the names of 2 physical network interfaces or more that will be combined into the aggregate link. Only physical network interfaces may be aggregated. The maximum length is 15 characters each.

This field is available only if type {aggregate | physical | vlan | redundant} is vlan.

No default.

ip "<interface_ipv4mask>"

Enter the IPv4 address and netmask of the network interface, if any. The IP address must be on the same subnet as the network to which the interface connects. Two network interfaces cannot have IP addresses on the same subnet. The default setting for port1 is 192.168.1.99 with a netmask of 256.256.256.0. Other ports have no default. Varies by the interface.

ip6 "<interface_ipv6mask>"

Enter the IPv6 address and netmask of the network interface, if any. The IP address must be on the same subnet as the network to which the interface connects. Two network interfaces cannot have IP addresses on the same subnet. ::/0

lacp-speed {fast | slow}

Select the rate of transmission for the LACP frames (LACPUs) between FortiWeb and the peer device at the other end of the trunking cables, either:

  • SLOW—Every 30 seconds.
  • FAST—Every 1 second.

Note: This must match the setting on the other device. If the rates do not match, FortiWeb or the other device could mistakenly believe that the other’s ports have failed, effectively disabling ports in the trunk.

slow

type {aggregate | physical | vlan | redundant}

Indicates whether the interface is directly associated with a single physical network port, a group of redundant interfaces, or is instead a VLAN subinterface or link aggregate.

The default varies by whether you are editing a network interface associated with a physical port (physical) or creating a new subinterface/aggregate (vlan or aggregate).

Varies by the interface.

mode {static | dhcp}

Specify whether the interface obtains its IPv4 address and netmask using DHCP.

static

ip6-mode {static | dhcp}

Specify whether the interface obtains its IPv6 address and netmask using DHCP.

static

vlanid <vlan-id_int>

Enter the VLAN ID of packets that belong to this VLAN subinterface.

  • If one physical network port (that is, a VLAN trunk) will handle multiple VLANs, create multiple VLAN subinterfaces on that port, one for each VLAN ID that will be received.
  • If multiple, different physical network ports will handle the same VLANs, on each of the ports, create VLAN subinterfaces that have the same VLAN IDs.

The VLAN ID is part of the tag that is inserted into each Ethernet frame in order to identify traffic for a specific VLAN. VLAN header addition is handled automatically, and does not require that you adjust the maximum transmission appliance (MTU). Depending on whether the device receiving a packet operates at Layer 2 or Layer 3 of the network, this tag may be added, removed or rewritten before forwarding to other nodes on the network.

For example, a Layer 2 switch or FortiWeb appliance operating in either of the transparent modes would typically add or remove a tag when forwarding traffic among members of the VLAN, but would not route tagged traffic to a different VLAN ID. In contrast, a FortiWeb appliance operating in Reverse Proxy mode, inspecting the traffic to make routing decisions based upon higher-level layers/protocols, might route traffic between different VLAN IDs (also known as inter-VLAN routing) if indicated by its policy, such as if it has been configured to do WSDL-based routing.

For the maximum number of interfaces, including VLAN subinterfaces, see the FortiWeb Administration Guide:

HTTPs://docs.fortinet.com/fortiweb/admin-guides

This field is available only when type {aggregate | physical | vlan | redundant} is vlan. The valid range is between 1 and 4094 and must match the VLAN ID added by the IEEE 802.1q-compliant router or switch connected to the VLAN subinterface.

0

vlanproto {8021q | 8021ad}

Select either the VLAN type 802.1Q or 802.1ad. 802.1Q

<entry_index>

Enter the index number of the individual entry in the table. No default.

ip {"<interface_ipv4mask>" | "<interface_ipv6mask>"}

Type an additional IPv4 or IPv6 address and netmask for the network interface.

Available only when ip-src-balance or ip6-src-balance is enabled. For details, see system network-option.

No default.

mtu <mtu_int>

Enter the maximum transmission unit (MTU) that the interface supports.

Valid values are 512–9216 (for IPv4) or 1280–9216 (for IPv6).

You cannot specify an MTU for a VLAN interface that is larger than the MTU of the corresponding physical interface.

1500

Example

This example configures the network interface named port1, associated with the first physical network port, with the IP address and subnet mask 192.0.2.1/24. It also enables ICMP ECHO (ping) and HTTPS administrative access to that network interface, and enables it.

config system interface

edit "port1"

set ip "192.0.2.1 256.256.256.0"

set allowaccess ping HTTPs

set status up

next

end

Example

This example configures the network subinterface named vlan_100, associated with the physical network interface port1, with the IP address and subnet mask 192.0.2.1/24. It does not allow administrative access.

config system interface

edit "vlan_100"

set type vlan

set ip "192.0.2.1 256.256.256.0"

set status up

set vlanid 100

set interface "port1"

next

end

Related topics