system interface
Use this command to configure:
- The network interfaces associated with the physical network ports of the FortiWeb appliance
- VLAN subinterfaces or 802.3ad link aggregates associated with physical network interfaces
Both the network interfaces and VLAN subinterfaces can include administrative access.
You can restrict which IP addresses are permitted to log in as a FortiWeb administrator through the network interfaces and VLAN subinterfaces. For details, see system admin.
When the FortiWeb appliance is operating in either of the transparent modes, VLANs do not support Cisco discovery protocol (CDP). |
The Link Aggregation Control Protocol (LACP) Interface and Redundant Interface are currently supported only when FortiWeb is deployed in Reverse Proxy or True Transparent Proxy mode. It can be applied to VLAN subinterfaces. It cannot be applied to ports that are used for the HA heartbeat, but it can be applied to monitor ports in an HA cluster. It is not supported in FortiWeb-VM. |
You can use SNMP traps to notify you when a network interface’s configuration changes, or when a link is brought down or brought up. For details, see system snmp community.
To use this command, your administrator account’s access control profile must have either rw
permission to the netgrp
area. For details, see Permissions.
Syntax
edit "<interface_name>"
set type {aggregate | physical | vlan | redundant}
set algorithm {layer2 | layer2_3 | layer3_4}
set allowaccess {HTTP HTTPs ping snmp ssh FortiWeb-manager}
set ip6-allowaccess {HTTP HTTPs ping snmp ssh FortiWeb-manager}
set description "<comment_str>"
set interface "<interface_name>"
set ip6 "<interface_ipv6mask>"
set vlanproto {8021q | 8021ad}
set mtu <mtu_int>
set system interface
set system interface
set system interface
set system interface
config secondaryip
edit <entry_index>
set ip {"<interface_ipv4mask>" | "<interface_ipv6mask>"}
next
end
next
end
Variable | Description | Default |
Enter the name of a network interface. The maximum length is 15 characters. | No default. | |
Enable (select Note: This administrative status from this command is not the same as its detected physical link status. For example, even though you have used |
up
|
|
Select the connectivity layers that will be considered when distributing frames among the aggregated physical ports.
|
layer2
|
|
Enter the IPv4 protocols that will be permitted for administrative connections to the network interface or VLAN sub-interface. Separate each protocol with a space. To remove from or add to the list of permitted administrative access protocols, retype the entire list.
Caution: Enable administrative access only on network interfaces or VLAN subinterfaces that are connected to trusted private networks or directly to your management computer. If possible, enable only secure administrative access protocols such as HTTPS or SSH. Failure to restrict administrative access could compromise the security of your FortiWeb appliance. Consider allowing ping only when troubleshooting. |
ping HTTPs ssh
|
|
Enter the IPv6 protocols that will be permitted for administrative connections to the network interface or VLAN subinterface. Separate each protocol with a space. To remove from or add to the list of permitted administrative access protocols, retype the entire list.
Caution: Enable administrative access only on network interfaces or VLAN subinterfaces connected to trusted private networks or directly to your management computer. If possible, enable only secure administrative access protocols such as HTTPS or SSH. Failure to restrict administrative access could compromise the security of your FortiWeb appliance. Consider allowing ping only when troubleshooting. |
ping
|
|
Specify whether FortiWeb uses the interface to communicate with a FortiGate unit configured as a WCCP server. Available only when the operation mode is WCCP. |
disable
|
|
Enter a description or other comment. If the comment is more than one word or contains an apostrophe, surround the comment with double quotes ( " ). The maximum length is 63 characters. |
No default. | |
Enter the name of the network interface with which the VLAN subinterface will be associated. The maximum length is 15 characters. This field is available only if type {aggregate | physical | vlan | redundant} is |
No default. | |
Enter the names of 2 physical network interfaces or more that will be combined into the aggregate link. Only physical network interfaces may be aggregated. The maximum length is 15 characters each. This field is available only if type {aggregate | physical | vlan | redundant} is |
No default. | |
Enter the IPv4 address and netmask of the network interface, if any. The IP address must be on the same subnet as the network to which the interface connects. Two network interfaces cannot have IP addresses on the same subnet. The default setting for port1 is 192.168.1.99 with a netmask of 256.256.256.0 . Other ports have no default. |
Varies by the interface. | |
Enter the IPv6 address and netmask of the network interface, if any. The IP address must be on the same subnet as the network to which the interface connects. Two network interfaces cannot have IP addresses on the same subnet. |
::/0
|
|
Select the rate of transmission for the LACP frames (LACPUs) between FortiWeb and the peer device at the other end of the trunking cables, either:
Note: This must match the setting on the other device. If the rates do not match, FortiWeb or the other device could mistakenly believe that the other’s ports have failed, effectively disabling ports in the trunk. |
slow
|
|
Indicates whether the interface is directly associated with a single physical network port, a group of redundant interfaces, or is instead a VLAN subinterface or link aggregate. The default varies by whether you are editing a network interface associated with a physical port ( |
Varies by the interface. | |
Specify whether the interface obtains its IPv4 address and netmask using DHCP. |
static
|
|
Specify whether the interface obtains its IPv6 address and netmask using DHCP. |
static
|
|
Enter the VLAN ID of packets that belong to this VLAN subinterface.
The VLAN ID is part of the tag that is inserted into each Ethernet frame in order to identify traffic for a specific VLAN. VLAN header addition is handled automatically, and does not require that you adjust the maximum transmission appliance (MTU). Depending on whether the device receiving a packet operates at Layer 2 or Layer 3 of the network, this tag may be added, removed or rewritten before forwarding to other nodes on the network. For example, a Layer 2 switch or FortiWeb appliance operating in either of the transparent modes would typically add or remove a tag when forwarding traffic among members of the VLAN, but would not route tagged traffic to a different VLAN ID. In contrast, a FortiWeb appliance operating in Reverse Proxy mode, inspecting the traffic to make routing decisions based upon higher-level layers/protocols, might route traffic between different VLAN IDs (also known as inter-VLAN routing) if indicated by its policy, such as if it has been configured to do WSDL-based routing. For the maximum number of interfaces, including VLAN subinterfaces, see the FortiWeb Administration Guide: HTTPs://docs.fortinet.com/fortiweb/admin-guides This field is available only when type {aggregate | physical | vlan | redundant} is |
0
|
|
Select either the VLAN type 802.1Q or 802.1ad. |
802.1Q
|
|
Enter the index number of the individual entry in the table. | No default. | |
Type an additional IPv4 or IPv6 address and netmask for the network interface. Available only when |
No default. | |
Enter the maximum transmission unit (MTU) that the interface supports. Valid values are 512–9216 (for IPv4) or 1280–9216 (for IPv6). You cannot specify an MTU for a VLAN interface that is larger than the MTU of the corresponding physical interface. |
1500
|
Example
This example configures the network interface named port1, associated with the first physical network port, with the IP address and subnet mask 192.0.2.1/24
. It also enables ICMP ECHO
(ping) and HTTPS administrative access to that network interface, and enables it.
config system interface
edit "port1"
set ip "192.0.2.1 256.256.256.0"
set allowaccess ping HTTPs
set status up
next
end
Example
This example configures the network subinterface named vlan_100, associated with the physical network interface port1, with the IP address and subnet mask 192.0.2.1/24
. It does not allow administrative access.
config system interface
edit "vlan_100"
set type vlan
set ip "192.0.2.1 256.256.256.0"
set status up
set vlanid 100
set interface "port1"
next
end