CLI Reference

config system interface

Configure interfaces.

config system interface
    Description: Configure interfaces.
    edit <name>
        set ac-name {string}
        set aggregate {string}
        set aggregate-type [physical|vxlan]
        set algorithm [L2|L3|...]
        set alias {string}
        set allowaccess {option1}, {option2}, ...
        set annex [a|b|...]
        set ap-discover [enable|disable]
        set arpforward [enable|disable]
        set atm-protocol [none|ipoa]
        set auth-cert {string}
        set auth-portal-addr {string}
        set auth-type [auto|pap|...]
        set auto-auth-extension-device [enable|disable]
        set bandwidth-measure-time {integer}
        set bfd [global|enable|...]
        set bfd-desired-min-tx {integer}
        set bfd-detect-mult {integer}
        set bfd-required-min-rx {integer}
        set broadcast-forward [enable|disable]
        set cli-conn-status {integer}
        config client-options
            Description: DHCP client options.
            edit <id>
                set code {integer}
                set ip {user}
                set type [hex|string|...]
                set value {string}
            next
        end
        set color {integer}
        set dedicated-to [none|management]
        set default-purdue-level [1|1.5|...]
        set defaultgw [enable|disable]
        set description {var-string}
        set detected-peer-mtu {integer}
        set detectprotocol {option1}, {option2}, ...
        set detectserver {user}
        set device-identification [enable|disable]
        set device-user-identification [enable|disable]
        set devindex {integer}
        set dhcp-broadcast-flag [disable|enable]
        set dhcp-classless-route-addition [enable|disable]
        set dhcp-client-identifier {string}
        set dhcp-relay-agent-option [enable|disable]
        set dhcp-relay-allow-no-end-option [disable|enable]
        set dhcp-relay-circuit-id {string}
        set dhcp-relay-interface {string}
        set dhcp-relay-interface-select-method [auto|sdwan|...]
        set dhcp-relay-ip {user}
        set dhcp-relay-link-selection {ipv4-address}
        set dhcp-relay-request-all-server [disable|enable]
        set dhcp-relay-service [disable|enable]
        set dhcp-relay-source-ip {ipv4-address}
        set dhcp-relay-type [regular|ipsec]
        set dhcp-relay-vrf-select {integer}
        set dhcp-renew-time {integer}
        set dhcp-smart-relay [disable|enable]
        config dhcp-snooping-server-list
            Description: Configure DHCP server access list.
            edit <name>
                set server-ip {ipv4-address}
            next
        end
        set disc-retry-timeout {integer}
        set distance {integer}
        set dns-server-override [enable|disable]
        set dns-server-protocol {option1}, {option2}, ...
        set drop-fragment [enable|disable]
        set drop-overlapped-fragment [enable|disable]
        set eap-ca-cert {string}
        set eap-identity {string}
        set eap-method [tls|peap]
        set eap-password {password}
        set eap-supplicant [enable|disable]
        set eap-user-cert {string}
        set egress-cos [disable|cos0|...]
        config egress-queues
            Description: Configure queues of NP port on egress path.
            set cos0 {string}
            set cos1 {string}
            set cos2 {string}
            set cos3 {string}
            set cos4 {string}
            set cos5 {string}
            set cos6 {string}
            set cos7 {string}
        end
        set egress-shaping-profile {string}
        set eip {ipv4-address-any}
        set estimated-downstream-bandwidth {integer}
        set estimated-upstream-bandwidth {integer}
        set exclude-signatures {option1}, {option2}, ...
        set explicit-ftp-proxy [enable|disable]
        set explicit-web-proxy [enable|disable]
        set external [enable|disable]
        set fail-action-on-extender [soft-restart|hard-restart|...]
        set fail-alert-interfaces <name1>, <name2>, ...
        set fail-alert-method [link-failed-signal|link-down]
        set fail-detect [enable|disable]
        set fail-detect-option {option1}, {option2}, ...
        set fortilink [enable|disable]
        set fortilink-backup-link {integer}
        set fortilink-neighbor-detect [lldp|fortilink]
        set fortilink-split-interface [enable|disable]
        set forward-domain {integer}
        set forward-error-correction [none|disable|...]
        set gateway-address {ipv4-address}
        set gi-gk [enable|disable]
        set gwaddr {ipv4-address}
        set gwdetect [enable|disable]
        set ha-priority {integer}
        set icmp-accept-redirect [enable|disable]
        set icmp-send-redirect [enable|disable]
        set ident-accept [enable|disable]
        set idle-timeout {integer}
        set ike-saml-server {string}
        set inbandwidth {integer}
        set ingress-cos [disable|cos0|...]
        set ingress-shaping-profile {string}
        set ingress-spillover-threshold {integer}
        set interconnect-profile [default|profile1|...]
        set interface {string}
        set internal {integer}
        set ip {ipv4-classnet-host}
        set ip-managed-by-fortiipam [inherit-global|enable|...]
        set ipmac [enable|disable]
        set ips-sniffer-mode [enable|disable]
        set ipunnumbered {ipv4-address}
        config ipv6
            Description: IPv6 of interface.
            set autoconf [enable|disable]
            set cli-conn6-status {integer}
            config client-options
                Description: DHCP6 client options.
                edit <id>
                    set code {integer}
                    set ip6 {user}
                    set type [hex|string|...]
                    set value {string}
                next
            end
            set dhcp6-client-options {option1}, {option2}, ...
            config dhcp6-iapd-list
                Description: DHCPv6 IA-PD list.
                edit <iaid>
                    set prefix-hint {ipv6-network}
                    set prefix-hint-plt {integer}
                    set prefix-hint-vlt {integer}
                next
            end
            set dhcp6-information-request [enable|disable]
            set dhcp6-prefix-delegation [enable|disable]
            set dhcp6-relay-interface-id {string}
            set dhcp6-relay-ip {user}
            set dhcp6-relay-service [disable|enable]
            set dhcp6-relay-source-interface [disable|enable]
            set dhcp6-relay-source-ip {ipv6-address}
            set dhcp6-relay-type {option}
            set icmp6-send-redirect [enable|disable]
            set interface-identifier {ipv6-address}
            set ip6-address {ipv6-prefix}
            set ip6-adv-rio [enable|disable]
            set ip6-allowaccess {option1}, {option2}, ...
            set ip6-default-life {integer}
            set ip6-delegated-prefix-iaid {integer}
            config ip6-delegated-prefix-list
                Description: Advertised IPv6 delegated prefix list.
                edit <prefix-id>
                    set autonomous-flag [enable|disable]
                    set delegated-prefix-iaid {integer}
                    set onlink-flag [enable|disable]
                    set rdnss {user}
                    set rdnss-service [delegated|default|...]
                    set subnet {ipv6-network}
                    set upstream-interface {string}
                next
            end
            set ip6-dns-server-override [enable|disable]
            config ip6-dnssl-list
                Description: Advertised IPv6 DNSS list.
                edit <domain>
                    set dnssl-life-time {integer}
                next
            end
            config ip6-extra-addr
                Description: Extra IPv6 address prefixes of interface.
                edit <prefix>
                next
            end
            set ip6-hop-limit {integer}
            set ip6-link-mtu {integer}
            set ip6-manage-flag [enable|disable]
            set ip6-max-interval {integer}
            set ip6-min-interval {integer}
            set ip6-mode [static|dhcp|...]
            set ip6-other-flag [enable|disable]
            config ip6-prefix-list
                Description: Advertised prefix list.
                edit <prefix>
                    set autonomous-flag [enable|disable]
                    set onlink-flag [enable|disable]
                    set preferred-life-time {integer}
                    set valid-life-time {integer}
                next
            end
            set ip6-prefix-mode [dhcp6|ra]
            config ip6-rdnss-list
                Description: Advertised IPv6 RDNSS list.
                edit <rdnss>
                    set rdnss-life-time {integer}
                next
            end
            set ip6-reachable-time {integer}
            set ip6-retrans-time {integer}
            config ip6-route-list
                Description: Advertised route list.
                edit <route>
                    set route-life-time {integer}
                    set route-pref [medium|high|...]
                next
            end
            set ip6-route-pref [medium|high|...]
            set ip6-send-adv [enable|disable]
            set ip6-subnet {ipv6-prefix}
            set ip6-upstream-interface {string}
            set nd-cert {string}
            set nd-cga-modifier {user}
            set nd-mode [basic|SEND-compatible]
            set nd-security-level {integer}
            set nd-timestamp-delta {integer}
            set nd-timestamp-fuzz {integer}
            set ra-send-mtu [enable|disable]
            set unique-autoconf-addr [enable|disable]
            set vrip6_link_local {ipv6-address}
            set vrrp-virtual-mac6 [enable|disable]
            config vrrp6
                Description: IPv6 VRRP configuration.
                edit <vrid>
                    set accept-mode [enable|disable]
                    set adv-interval {integer}
                    set ignore-default-route [enable|disable]
                    set preempt [enable|disable]
                    set priority {integer}
                    set start-time {integer}
                    set status [enable|disable]
                    set vrdst-priority {integer}
                    set vrdst6 {ipv6-address}
                    set vrgrp {integer}
                    set vrip6 {ipv6-address}
                next
            end
        end
        set l2forward [enable|disable]
        set l2tp-client [enable|disable]
        config l2tp-client-settings
            Description: L2TP client settings.
            set auth-type [auto|pap|...]
            set defaultgw [enable|disable]
            set distance {integer}
            set hello-interval {integer}
            set ip {ipv4-classnet-host}
            set mtu {integer}
            set password {password}
            set peer-host {string}
            set peer-mask {ipv4-netmask}
            set peer-port {integer}
            set priority {integer}
            set user {string}
        end
        set lacp-ha-secondary [enable|disable]
        set lacp-mode [static|passive|...]
        set lacp-speed [slow|fast]
        set lcp-echo-interval {integer}
        set lcp-max-echo-fails {integer}
        set link-up-delay {integer}
        set lldp-network-policy {string}
        set lldp-reception [enable|disable|...]
        set lldp-transmission [enable|disable|...]
        set macaddr {mac-address}
        set managed-subnetwork-size [32|64|...]
        set management-ip {ipv4-classnet-host}
        set measured-downstream-bandwidth {integer}
        set measured-upstream-bandwidth {integer}
        set mediatype [serdes-sfp|sgmii-sfp|...]
        set member <interface-name1>, <interface-name2>, ...
        set min-links {integer}
        set min-links-down [operational|administrative]
        set mirroring-direction [rx|tx|...]
        config mirroring-filter
            Description: Mirroring filter.
            set filter-dport {integer}
            set filter-dstip {ipv4-classnet-host}
            set filter-protocol {integer}
            set filter-sport {integer}
            set filter-srcip {ipv4-classnet-host}
        end
        set mirroring-port {string}
        set mode [static|dhcp|...]
        set monitor-bandwidth [enable|disable]
        set mtu {integer}
        set mtu-override [enable|disable]
        set mux-type [llc-encaps|vc-encaps]
        set ndiscforward [enable|disable]
        set netbios-forward [disable|enable]
        set netflow-sample-rate {integer}
        set netflow-sampler [disable|tx|...]
        set netflow-sampler-id {integer}
        set np-qos-profile {integer}
        set outbandwidth {integer}
        set padt-retry-timeout {integer}
        set password {password}
        set phy-mode {option}
        set ping-serv-status {integer}
        set poe [enable|disable]
        set polling-interval {integer}
        set port-mirroring [disable|enable]
        set pppoe-egress-cos [cos0|cos1|...]
        set pppoe-unnumbered-negotiate [enable|disable]
        set pptp-auth-type [auto|pap|...]
        set pptp-client [enable|disable]
        set pptp-password {password}
        set pptp-server-ip {ipv4-address}
        set pptp-timeout {integer}
        set pptp-user {string}
        set preserve-session-route [enable|disable]
        set priority {integer}
        set priority-override [enable|disable]
        set proxy-captive-portal [enable|disable]
        set pvc-atm-qos [cbr|rt-vbr|...]
        set pvc-chan {integer}
        set pvc-crc {integer}
        set pvc-pcr {integer}
        set pvc-scr {integer}
        set pvc-vlan-id {integer}
        set pvc-vlan-rx-id {integer}
        set pvc-vlan-rx-op [pass-through|replace|...]
        set pvc-vlan-tx-id {integer}
        set pvc-vlan-tx-op [pass-through|replace|...]
        set reachable-time {integer}
        set redundant-interface {string}
        set remote-ip {ipv4-classnet-host}
        set replacemsg-override-group {string}
        set retransmission [disable|enable]
        set ring-rx {integer}
        set ring-tx {integer}
        set role [lan|wan|...]
        set sample-direction [tx|rx|...]
        set sample-rate {integer}
        set secondary-IP [enable|disable]
        config secondaryip
            Description: Second IP address of interface.
            edit <id>
                set allowaccess {option1}, {option2}, ...
                set detectprotocol {option1}, {option2}, ...
                set detectserver {user}
                set gwdetect [enable|disable]
                set ha-priority {integer}
                set ip {ipv4-classnet-host}
                set ping-serv-status {integer}
                set secip-relay-ip {user}
            next
        end
        set security-8021x-dynamic-vlan-id {integer}
        set security-8021x-master {string}
        set security-8021x-member-mode [switch|disable]
        set security-8021x-mode [default|dynamic-vlan|...]
        set security-exempt-list {string}
        set security-external-logout {string}
        set security-external-web {var-string}
        set security-groups <name1>, <name2>, ...
        set security-ip-auth-bypass [enable|disable]
        set security-mac-auth-bypass [mac-auth-only|enable|...]
        set security-mode [none|captive-portal|...]
        set security-redirect-url {var-string}
        set select-profile-30a-35b [30A|35B]
        set service-name {string}
        set sflow-sampler [enable|disable]
        set sfp-dsl [disable|enable]
        set sfp-dsl-adsl-fallback [disable|enable]
        set sfp-dsl-autodetect [disable|enable]
        set sfp-dsl-mac {mac-address}
        set snmp-index {integer}
        set speed [auto|10full|...]
        set spillover-threshold {integer}
        set src-check [enable|disable]
        set status [up|down]
        set stp [disable|enable]
        set stp-edge [disable|enable]
        set stp-ha-secondary [disable|enable|...]
        set stpforward [enable|disable]
        set stpforward-mode [rpl-all-ext-id|rpl-bridge-ext-id|...]
        set subst [enable|disable]
        set substitute-dst-mac {mac-address}
        set sw-algorithm [l2|l3|...]
        set swc-first-create {integer}
        set swc-vlan {integer}
        set switch {string}
        set switch-controller-access-vlan [enable|disable]
        set switch-controller-arp-inspection [enable|disable|...]
        set switch-controller-dhcp-snooping [enable|disable]
        set switch-controller-dhcp-snooping-option82 [enable|disable]
        set switch-controller-dhcp-snooping-verify-mac [enable|disable]
        set switch-controller-dynamic {string}
        set switch-controller-feature [none|default-vlan|...]
        set switch-controller-igmp-snooping [enable|disable]
        set switch-controller-igmp-snooping-fast-leave [enable|disable]
        set switch-controller-igmp-snooping-proxy [enable|disable]
        set switch-controller-iot-scanning [enable|disable]
        set switch-controller-learning-limit {integer}
        set switch-controller-mgmt-vlan {integer}
        set switch-controller-nac {string}
        set switch-controller-netflow-collect [disable|enable]
        set switch-controller-offload [enable|disable]
        set switch-controller-offload-gw [enable|disable]
        set switch-controller-offload-ip {ipv4-address}
        set switch-controller-rspan-mode [disable|enable]
        set switch-controller-source-ip [outbound|fixed]
        set switch-controller-traffic-policy {string}
        set system-id {mac-address}
        set system-id-type [auto|user]
        config tagging
            Description: Config object tagging.
            edit <name>
                set category {string}
                set tags <name1>, <name2>, ...
            next
        end
        set tc-mode {option}
        set tcp-mss {integer}
        set trunk [enable|disable]
        set trust-ip-1 {ipv4-classnet-any}
        set trust-ip-2 {ipv4-classnet-any}
        set trust-ip-3 {ipv4-classnet-any}
        set trust-ip6-1 {ipv6-prefix}
        set trust-ip6-2 {ipv6-prefix}
        set trust-ip6-3 {ipv6-prefix}
        set type [physical|vlan|...]
        set username {string}
        set vci {integer}
        set vdom {string}
        set vectoring [disable|enable]
        set vindex {integer}
        set virtual-mac {mac-address}
        set vlan-id {integer}
        set vlan-op-mode [tag|untag|...]
        set vlan-protocol [8021q|8021ad]
        set vlanforward [enable|disable]
        set vlanid {integer}
        set vpi {integer}
        set vrf {integer}
        config vrrp
            Description: VRRP configuration.
            edit <vrid>
                set accept-mode [enable|disable]
                set adv-interval {integer}
                set ignore-default-route [enable|disable]
                set preempt [enable|disable]
                set priority {integer}
                config proxy-arp
                    Description: VRRP Proxy ARP configuration.
                    edit <id>
                        set ip {user}
                    next
                end
                set start-time {integer}
                set status [enable|disable]
                set version [2|3]
                set vrdst {ipv4-address-any}
                set vrdst-priority {integer}
                set vrgrp {integer}
                set vrip {ipv4-address-any}
            next
        end
        set vrrp-virtual-mac [enable|disable]
        set wccp [enable|disable]
        set weight {integer}
        set wifi-5g-threshold {string}
        set wifi-acl [allow|deny]
        set wifi-ap-band [any|5g-preferred|...]
        set wifi-auth [PSK|radius|...]
        set wifi-auto-connect [enable|disable]
        set wifi-auto-save [enable|disable]
        set wifi-broadcast-ssid [enable|disable]
        set wifi-dns-server1 {ipv4-address}
        set wifi-dns-server2 {ipv4-address}
        set wifi-encrypt [TKIP|AES]
        set wifi-fragment-threshold {integer}
        set wifi-gateway {ipv4-address}
        set wifi-key {password}
        set wifi-keyindex {integer}
        set wifi-mac-filter [enable|disable]
        config wifi-mac-list
            Description: MAC filter list.
            edit <id>
                set mac {mac-address}
            next
        end
        config wifi-networks
            Description: WiFi network table.
            edit <id>
                set wifi-ca-certificate {string}
                set wifi-client-certificate {string}
                set wifi-eap-type [both|tls|...]
                set wifi-encrypt [TKIP|AES]
                set wifi-key {password}
                set wifi-keyindex {integer}
                set wifi-passphrase {password}
                set wifi-private-key {string}
                set wifi-private-key-password {password}
                set wifi-security [open|wep64|...]
                set wifi-ssid {string}
                set wifi-username {string}
            next
        end
        set wifi-passphrase {password}
        set wifi-radius-server {string}
        set wifi-rts-threshold {integer}
        set wifi-security [open|wep64|...]
        set wifi-ssid {string}
        set wifi-usergroup {string}
        set wins-ip {ipv4-address}
    next
end
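
Added example (not part of the Fortinet reference): in the tree above, management access can be set at three levels, as `allowaccess` on the interface, as `allowaccess` under `config secondaryip`, and as `ip6-allowaccess` under `config ipv6`, so reviewing a saved configuration means tracking the `config`/`edit`/`next`/`end` nesting. The sample configuration is constructed, and the review policy and all function names are assumptions.

```python
import shlex

# Assumed review policy (not from the reference): http and telnet are cleartext
# and flagged anywhere; any admin protocol is flagged on a role-wan interface.
CLEARTEXT = {"http", "telnet"}
ADMIN = {"https", "ssh", "snmp", "http", "telnet"}
ACCESS_SETTINGS = {"allowaccess", "ip6-allowaccess"}

# Constructed sample in saved-configuration form (values space-separated).
SAMPLE_CONFIG = """
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set role wan
        config ipv6
            set ip6-allowaccess ping http
        end
    next
    edit "internal"
        set allowaccess ping https ssh telnet
        set role lan
        config secondaryip
            edit 1
                set ip 192.0.2.1 255.255.255.0
                set allowaccess ping
            next
        end
    next
    edit "mgmt"
        set dedicated-to management
        set allowaccess ping https ssh
        set role lan
    next
end
"""


def iface_frame(stack):
    """Index of the 'edit <name>' frame directly under 'config system interface'."""
    for i, frame in enumerate(stack[:-1]):
        if frame == ("config", "system interface") and stack[i + 1][0] == "edit":
            return i + 1
    return None


def parse_interfaces(text):
    """Return {interface: {"role": str or None, "access": [(scope, setting, values)]}}."""
    interfaces, stack = {}, []
    for raw in text.splitlines():
        try:
            tok = shlex.split(raw)
        except ValueError:  # unbalanced quote (e.g. a multi-line value): skip the line
            continue
        if not tok:
            continue
        kw = tok[0]
        if kw == "config":
            stack.append(("config", " ".join(tok[1:])))
        elif kw == "edit" and len(tok) > 1:
            stack.append(("edit", tok[1]))
        elif kw == "next":
            if stack and stack[-1][0] == "edit":
                stack.pop()
        elif kw == "end":
            while stack and stack[-1][0] == "edit":  # tolerate a missing 'next'
                stack.pop()
            if stack:
                stack.pop()
        elif kw == "set" and len(tok) > 2:
            idx = iface_frame(stack)
            if idx is None:  # a 'set' outside config system interface
                continue
            rec = interfaces.setdefault(stack[idx][1], {"role": None, "access": []})
            # Scope is the nesting below the interface, e.g. "secondaryip/1".
            scope = "/".join(name for _, name in stack[idx + 1:])
            if tok[1] == "role" and not scope:
                rec["role"] = tok[2]
            elif tok[1] in ACCESS_SETTINGS:
                values = [v.strip(",") for v in tok[2:] if v.strip(",")]
                rec["access"].append((scope, tok[1], values))
    return interfaces


def audit(interfaces):
    """Return (location, setting, protocol, reason) tuples under the assumed policy."""
    findings = []
    for name, rec in interfaces.items():
        for scope, setting, values in rec["access"]:
            where = f"{name}/{scope}" if scope else name
            for proto in values:
                if proto in CLEARTEXT:
                    findings.append((where, setting, proto, "cleartext management protocol"))
                elif rec["role"] == "wan" and proto in ADMIN:
                    findings.append((where, setting, proto, "admin access on wan-role interface"))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_interfaces(SAMPLE_CONFIG)):
        print(*finding, sep="  ")
```
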

config system interface

Parameter

Description

Type

Size

Default

ac-name

PPPoE server name.

string

Maximum length: 63

aggregate

Aggregate interface. Read-only.

string

Maximum length: 15

aggregate-type

Type of aggregation.

option

-

physical

Option

Description

physical

Physical interface aggregation.

vxlan

VXLAN interface aggregation.

algorithm

Frame distribution algorithm.

option

-

L4

Option

Description

L2

Use layer 2 address for distribution.

L3

Use layer 3 address for distribution.

L4

Use layer 4 information for distribution.

Source-MAC

Use source MAC address for distribution.

alias

Alias will be displayed with the interface name to make it easier to distinguish.

string

Maximum length: 25

allowaccess

Permitted types of management access to this interface.

option

-

Option

Description

ping

PING access.

https

HTTPS access.

ssh

SSH access.

snmp

SNMP access.

http

HTTP access.

telnet

TELNET access.

fgfm

FortiManager access.

radius-acct

RADIUS accounting access.

probe-response

Probe access.

fabric

Security Fabric access.

ftm

FTM access.

speed-test

Speed test access.

scim

System for Cross-domain Identity Management (SCIM) access.

annex *

Configure xDSL annex type.

option

-

a

Option

Description

a

xDSL Annex A

b

xDSL Annex B

j

xDSL Annex J

bjm

xDSL Annex BJM

i

xDSL Annex I

al

xDSL Annex AL

m

xDSL Annex M

aijlm

xDSL Annex AIJLM

ap-discover

Enable/disable automatic registration of unknown FortiAP devices.

option

-

enable

Option

Description

enable

Enable automatic registration of unknown FortiAP devices.

disable

Disable automatic registration of unknown FortiAP devices.

arpforward

Enable/disable ARP forwarding.

option

-

enable

Option

Description

enable

Enable ARP forwarding.

disable

Disable ARP forwarding.

atm-protocol *

ATM protocol.

option

-

none

Option

Description

none

Not over ATM.

ipoa

IPoA RFC2684.

auth-cert

HTTPS server certificate.

string

Maximum length: 35

auth-portal-addr

Address of captive portal.

string

Maximum length: 63

auth-type

PPP authentication type to use.

option

-

auto

Option

Description

auto

Automatically choose authentication.

pap

PAP authentication.

chap

CHAP authentication.

mschapv1

MS-CHAPv1 authentication.

mschapv2

MS-CHAPv2 authentication.

auto-auth-extension-device

Enable/disable automatic authorization of dedicated Fortinet extension device on this interface.

option

-

disable

Option

Description

enable

Enable automatic authorization of dedicated Fortinet extension device on this interface.

disable

Disable automatic authorization of dedicated Fortinet extension device on this interface.

bandwidth-measure-time

Bandwidth measure time.

integer

Minimum value: 0 Maximum value: 4294967295

0

bfd

Bidirectional Forwarding Detection (BFD) settings.

option

-

global

Option

Description

global

BFD behavior of this interface will be based on global configuration.

enable

Enable BFD on this interface and ignore global configuration.

disable

Disable BFD on this interface and ignore global configuration.

bfd-desired-min-tx

BFD desired minimal transmit interval.

integer

Minimum value: 1 Maximum value: 100000

250

bfd-detect-mult

BFD detection multiplier.

integer

Minimum value: 1 Maximum value: 50

3

bfd-required-min-rx

BFD required minimal receive interval.

integer

Minimum value: 1 Maximum value: 100000

250

broadcast-forward

Enable/disable broadcast forwarding.

option

-

disable

Option

Description

enable

Enable broadcast forwarding.

disable

Disable broadcast forwarding.

cli-conn-status

CLI connection status. Read-only.

integer

Minimum value: 0 Maximum value: 4294967295

0

color

Color of icon on the GUI.

integer

Minimum value: 0 Maximum value: 32

0

dedicated-to

Configure interface for single purpose.

option

-

none

Option

Description

none

Interface not dedicated for any purpose.

management

Dedicate this interface for management purposes only.

default-purdue-level

default purdue level of device detected on this interface.

option

-

3

Option

Description

1

Level 1 - Basic Control

1.5

Level 1.5

2

Level 2 - Area Supervisory Control

2.5

Level 2.5

3

Level 3 - Operations & Control

3.5

Level 3.5

4

Level 4 - Business Planning & Logistics

5

Level 5 - Enterprise Network

5.5

Level 5.5

defaultgw

Enable to get the gateway IP from the DHCP or PPPoE server.

option

-

enable

Option

Description

enable

Enable default gateway.

disable

Disable default gateway.

description

Description.

var-string

Maximum length: 255

detected-peer-mtu

MTU of detected peer. Read-only.

integer

Minimum value: 0 Maximum value: 4294967295

0

detectprotocol

Protocols used to detect the server.

option

-

ping

Option

Description

ping

PING.

tcp-echo

TCP echo.

udp-echo

UDP echo.

detectserver

Gateway's ping server for this IP.

user

Not Specified

device-identification

Enable/disable passively gathering of device identity information about the devices on the network connected to this interface.

option

-

disable

Option

Description

enable

Enable passive gathering of identity information about hosts.

disable

Disable passive gathering of identity information about hosts.

device-user-identification

Enable/disable passive gathering of user identity information about users on this interface.

option

-

enable

Option

Description

enable

Enable passive gathering of user identity information about users.

disable

Disable passive gathering of user identity information about users.

devindex

Device Index. Read-only.

integer

Minimum value: 0 Maximum value: 4294967295

0

dhcp-broadcast-flag

Enable/disable setting of the broadcast flag in messages sent by the DHCP client.

option

-

enable

Option

Description

disable

Disable broadcast flag.

enable

Enable broadcast flag.

dhcp-classless-route-addition

Enable/disable addition of classless static routes retrieved from DHCP server.

option

-

disable **

Option

Description

enable

Enable addition of classless static routes retrieved from DHCP server.

disable

Disable addition of classless static routes retrieved from DHCP server.

dhcp-client-identifier

DHCP client identifier.

string

Maximum length: 48

dhcp-relay-agent-option

Enable/disable DHCP relay agent option.

option

-

enable

Option

Description

enable

Enable DHCP relay agent option.

disable

Disable DHCP relay agent option.

dhcp-relay-allow-no-end-option

Enable/disable relaying DHCP messages with no end option.

option

-

disable

Option

Description

disable

Disable relaying DHCP messages with no end option.

enable

Enable relaying DHCP messages with no end option.

dhcp-relay-circuit-id

DHCP relay circuit ID.

string

Maximum length: 64

dhcp-relay-interface

Specify outgoing interface to reach server.

string

Maximum length: 15

dhcp-relay-interface-select-method

Specify how to select outgoing interface to reach server.

option

-

auto

Option

Description

auto

Set outgoing interface automatically.

sdwan

Set outgoing interface by SD-WAN or policy routing rules.

specify

Set outgoing interface manually.

dhcp-relay-ip

DHCP relay IP address.

user

Not Specified

dhcp-relay-link-selection

DHCP relay link selection.

ipv4-address

Not Specified

0.0.0.0

dhcp-relay-request-all-server

Enable/disable sending of DHCP requests to all servers.

option

-

disable

Option

Description

disable

Send DHCP requests only to a matching server.

enable

Send DHCP requests to all servers.

dhcp-relay-service

Enable/disable allowing this interface to act as a DHCP relay.

option

-

disable

Option

Description

disable

None.

enable

DHCP relay agent.

dhcp-relay-source-ip

IP address used by the DHCP relay as its source IP.

ipv4-address

Not Specified

0.0.0.0

dhcp-relay-type

DHCP relay type (regular or IPsec).

option

-

regular

Option

Description

regular

Regular DHCP relay.

ipsec

DHCP relay for IPsec.

dhcp-relay-vrf-select

VRF ID used for connection to server.

integer

Minimum value: 0 Maximum value: 511

4294967295

dhcp-renew-time

DHCP renew time in seconds , 0 means use the renew time provided by the server.

integer

Minimum value: 300 Maximum value: 604800

0

dhcp-smart-relay

Enable/disable DHCP smart relay.

option

-

disable

Option

Description

disable

Disable DHCP smart relay.

enable

Enable DHCP smart relay.

disc-retry-timeout

Time in seconds to wait before retrying to start a PPPoE discovery, 0 means no timeout.

integer

Minimum value: 0 Maximum value: 4294967295

1

distance

Distance for routes learned through PPPoE or DHCP, lower distance indicates preferred route.

integer

Minimum value: 1 Maximum value: 255

5

dns-server-override

Enable/disable use DNS acquired by DHCP or PPPoE.

option

-

enable

Option

Description

enable

Use DNS acquired by DHCP or PPPoE.

disable

No not use DNS acquired by DHCP or PPPoE.

dns-server-protocol

DNS transport protocols.

option

-

cleartext

Option

Description

cleartext

DNS over UDP/53, DNS over TCP/53.

dot

DNS over TLS/853.

doh

DNS over HTTPS/443.

drop-fragment

Enable/disable drop fragment packets.

option

-

disable

Option

Description

enable

Enable/disable drop fragment packets.

disable

Do not drop fragment packets.

drop-overlapped-fragment

Enable/disable drop overlapped fragment packets.

option

-

disable

Option

Description

enable

Enable drop of overlapped fragment packets.

disable

Disable drop of overlapped fragment packets.

eap-ca-cert

EAP CA certificate name.

string

Maximum length: 79

eap-identity

EAP identity.

string

Maximum length: 35

eap-method

EAP method.

option

-

Option

Description

tls

TLS.

peap

PEAP.

eap-password

EAP password.

password

Not Specified

eap-supplicant

Enable/disable EAP-Supplicant.

option

-

disable

Option

Description

enable

Enable EAP Supplicant.

disable

Disable EAP Supplicant.

eap-user-cert

EAP user certificate name.

string

Maximum length: 35

egress-cos *

Override outgoing CoS in user VLAN tag.

option

-

disable

Option

Description

disable

Disable.

cos0

CoS 0.

cos1

CoS 1.

cos2

CoS 2.

cos3

CoS 3.

cos4

CoS 4.

cos5

CoS 5.

cos6

CoS 6.

cos7

CoS 7.

egress-shaping-profile

Outgoing traffic shaping profile.

string

Maximum length: 35

eip *

External IP. Read-only.

ipv4-address-any

Not Specified

0.0.0.0

estimated-downstream-bandwidth

Estimated maximum downstream bandwidth (kbps). Used to estimate link utilization.

integer

Minimum value: 0 Maximum value: 4294967295

0

estimated-upstream-bandwidth

Estimated maximum upstream bandwidth (kbps). Used to estimate link utilization.

integer

Minimum value: 0 Maximum value: 4294967295

0

exclude-signatures

Exclude IOT or OT application signatures.

option

-

Option

Description

iot

Exclude IOT appctrl signatures.

ot

Exclude OT appctrl signatures.

explicit-ftp-proxy

Enable/disable the explicit FTP proxy on this interface.

option

-

disable

Option

Description

enable

Enable explicit FTP proxy on this interface.

disable

Disable explicit FTP proxy on this interface.

explicit-web-proxy

Enable/disable the explicit web proxy on this interface.

option

-

disable

Option

Description

enable

Enable explicit Web proxy on this interface.

disable

Disable explicit Web proxy on this interface.

external

Enable/disable identifying the interface as an external interface (which usually means it's connected to the Internet).

option

-

disable

Option

Description

enable

Enable identifying the interface as an external interface.

disable

Disable identifying the interface as an external interface.

fail-action-on-extender

Action on FortiExtender when the interface fails.

option

-

soft-restart

Option

Description

soft-restart

Soft-restart-on-extender.

hard-restart

Hard-restart-on-extender.

reboot

Reboot-on-extender.

fail-alert-interfaces <name>

Names of the FortiGate interfaces to which the link failure alert is sent.

Names of the non-virtual interface.

string

Maximum length: 15

fail-alert-method

Select link-failed-signal or link-down method to alert about a failed link.

option

-

link-down

Option

Description

link-failed-signal

Link-failed-signal.

link-down

Link-down.

fail-detect

Enable/disable fail detection features for this interface.

option

-

disable

Option

Description

enable

Enable interface failed option status.

disable

Disable interface failed option status.

fail-detect-option

Options for detecting that this interface has failed.

option

-

link-down

Option

Description

detectserver

Use a ping server to determine if the interface has failed.

link-down

Use port detection to determine if the interface has failed.

fortilink *

Enable FortiLink to dedicate this interface to manage other Fortinet devices.

option

-

disable

Option

Description

enable

Enable FortiLink to dedicate this interface to managing FortiSwitch devices.

disable

Disable FortiLink on this interface; it is not dedicated to managing FortiSwitch devices.

fortilink-backup-link

FortiLink split interface backup link. Read-only.

integer

Minimum value: 0 Maximum value: 255

0

fortilink-neighbor-detect

Protocol for FortiGate neighbor discovery.

option

-

lldp

Option

Description

lldp

Detect FortiLink neighbors using LLDP protocol.

fortilink

Detect FortiLink neighbors using FortiLink protocol.

fortilink-split-interface

Enable/disable FortiLink split interface to connect member link to different FortiSwitch in stack for uplink redundancy.

option

-

enable

Option

Description

enable

Enable FortiLink split interface to connect member link to different FortiSwitch in stack for uplink redundancy.

disable

Disable FortiLink split interface.

forward-domain

Transparent mode forward domain.

integer

Minimum value: 0 Maximum value: 2147483647

0

forward-error-correction *

Enable/disable forward error correction (FEC).

option

-

none

Option

Description

none

none

disable

Disable forward error correction (FEC).

cl91-rs-fec

Reed-Solomon (FEC CL91).

cl74-fc-fec

Fire-Code (FEC CL74).

auto

Negotiate forward error correction (FEC).

gateway-address *

Gateway address.

ipv4-address

Not Specified

0.0.0.0

gi-gk *

Enable/disable Gi Gatekeeper.

option

-

disable

Option

Description

enable

Enable Gi Gatekeeper.

disable

Disable Gi Gatekeeper.

gwaddr *

Gateway address.

ipv4-address

Not Specified

0.0.0.0

gwdetect

Enable/disable detect gateway alive for first.

option

-

disable

Option

Description

enable

Enable detect gateway alive for first.

disable

Disable detect gateway alive for first.

ha-priority

HA election priority for the PING server.

integer

Minimum value: 1 Maximum value: 50

1

icmp-accept-redirect

Enable/disable ICMP accept redirect.

option

-

enable

Option

Description

enable

Enable ICMP accept redirect.

disable

Disable ICMP accept redirect.

icmp-send-redirect

Enable/disable sending of ICMP redirects.

option

-

enable

Option

Description

enable

Enable sending of ICMP redirects.

disable

Disable sending of ICMP redirects.

ident-accept

Enable/disable authentication for this interface.

option

-

disable

Option

Description

enable

Enable determining a user's identity from packet identification.

disable

Disable determining a user's identity from packet identification.

idle-timeout

PPPoE auto disconnect after idle timeout seconds, 0 means no timeout.

integer

Minimum value: 0 Maximum value: 32767

0

ike-saml-server

Configure IKE authentication SAML server.

string

Maximum length: 35

inbandwidth

Bandwidth limit for incoming traffic, 0 means unlimited.

integer

Minimum value: 0 Maximum value: 80000000 **

0

ingress-cos *

Override incoming CoS in user VLAN tag on VLAN interface or assign a priority VLAN tag on physical interface.

option

-

disable

Option

Description

disable

Disable.

cos0

CoS 0.

cos1

CoS 1.

cos2

CoS 2.

cos3

CoS 3.

cos4

CoS 4.

cos5

CoS 5.

cos6

CoS 6.

cos7

CoS 7.

ingress-shaping-profile

Incoming traffic shaping profile.

string

Maximum length: 35

ingress-spillover-threshold

Ingress spillover threshold, 0 means unlimited.

integer

Minimum value: 0 Maximum value: 16776000

0

interconnect-profile *

Set interconnect profile.

option

-

default

Option

Description

default

default interconnect profile

profile1

interconnect profile1 [(10G & IC > 7m/20db-loss) or (25G/27G & IC < 1m)]

profile2

interconnect profile2 [(27G in AP (106G) Auto Profile)]

interface

Interface name.

string

Maximum length: 15

internal

Implicitly created.

integer

Minimum value: 0 Maximum value: 255

0

ip

Interface IPv4 address and subnet mask, syntax: X.X.X.X/24.

ipv4-classnet-host

Not Specified

0.0.0.0 0.0.0.0

ip-managed-by-fortiipam

Enable/disable automatic IP address assignment of this interface by FortiIPAM.

option

-

inherit-global

Option

Description

inherit-global

Control automatic IP address assignment status using the central FortiIPAM config.

enable

Enable automatic IP address assignment of this interface by FortiIPAM.

disable

Disable automatic IP address assignment of this interface by FortiIPAM.

ipmac

Enable/disable IP/MAC binding.

option

-

disable

Option

Description

enable

Enable IP/MAC binding.

disable

Disable IP/MAC binding.

ips-sniffer-mode

Enable/disable the use of this interface as a one-armed sniffer.

option

-

disable

Option

Description

enable

Enable IPS sniffer mode.

disable

Disable IPS sniffer mode.

ipunnumbered

Unnumbered IP used for PPPoE interfaces for which no unique local address is provided.

ipv4-address

Not Specified

0.0.0.0

l2forward

Enable/disable L2 forwarding.

option

-

disable

Option

Description

enable

Enable L2 forwarding.

disable

Disable L2 forwarding.

l2tp-client *

Enable/disable this interface as a Layer 2 Tunnelling Protocol (L2TP) client.

option

-

disable

Option

Description

enable

Enable L2TP client.

disable

Disable L2TP client.

lacp-ha-secondary

LACP HA secondary member.

option

-

enable

Option

Description

enable

Allow HA secondary member to send/receive LACP messages.

disable

Block HA secondary member from sending/receiving LACP messages.

lacp-mode

LACP mode.

option

-

active

Option

Description

static

Use static aggregation, do not send and ignore any LACP messages.

passive

Passively use LACP to negotiate 802.3ad aggregation.

active

Actively use LACP to negotiate 802.3ad aggregation.

lacp-speed

How often the interface sends LACP messages.

option

-

slow

Option

Description

slow

Send LACP message every 30 seconds.

fast

Send LACP message every second.

lcp-echo-interval

Time in seconds between PPPoE Link Control Protocol (LCP) echo requests.

integer

Minimum value: 0 Maximum value: 32767

5

lcp-max-echo-fails

Maximum missed LCP echo messages before disconnect.

integer

Minimum value: 0 Maximum value: 32767

3

link-up-delay

Number of milliseconds to wait before considering a link is up.

integer

Minimum value: 50 Maximum value: 3600000

50

lldp-network-policy

LLDP-MED network policy profile.

string

Maximum length: 35

lldp-reception

Enable/disable Link Layer Discovery Protocol (LLDP) reception.

option

-

vdom

Option

Description

enable

Enable reception of Link Layer Discovery Protocol (LLDP).

disable

Disable reception of Link Layer Discovery Protocol (LLDP).

vdom

Use VDOM Link Layer Discovery Protocol (LLDP) reception configuration setting.

lldp-transmission

Enable/disable Link Layer Discovery Protocol (LLDP) transmission.

option

-

vdom

Option

Description

enable

Enable transmission of Link Layer Discovery Protocol (LLDP).

disable

Disable transmission of Link Layer Discovery Protocol (LLDP).

vdom

Use VDOM Link Layer Discovery Protocol (LLDP) transmission configuration setting.

macaddr

Change the interface's MAC address.

mac-address

Not Specified

00:00:00:00:00:00

managed-subnetwork-size

Number of IP addresses to be allocated by FortiIPAM and used by this FortiGate unit's DHCP server settings.

option

-

256

Option

Description

32

Allocate a subnet with 32 IP addresses.

64

Allocate a subnet with 64 IP addresses.

128

Allocate a subnet with 128 IP addresses.

256

Allocate a subnet with 256 IP addresses.

512

Allocate a subnet with 512 IP addresses.

1024

Allocate a subnet with 1024 IP addresses.

2048

Allocate a subnet with 2048 IP addresses.

4096

Allocate a subnet with 4096 IP addresses.

8192

Allocate a subnet with 8192 IP addresses.

16384

Allocate a subnet with 16384 IP addresses.

32768

Allocate a subnet with 32768 IP addresses.

65536

Allocate a subnet with 65536 IP addresses.

management-ip

High Availability in-band management IP address of this interface.

ipv4-classnet-host

Not Specified

0.0.0.0 0.0.0.0

measured-downstream-bandwidth

Measured downstream bandwidth (kbps).

integer

Minimum value: 0 Maximum value: 4294967295

0

measured-upstream-bandwidth

Measured upstream bandwidth (kbps).

integer

Minimum value: 0 Maximum value: 4294967295

0

mediatype *

Select SFP media interface type.

option

-

serdes-sfp **

Option

Description

serdes-sfp

SFP using SerDes media interface.

sgmii-sfp

SFP using SGMII media interface.

serdes-copper-sfp

Copper SFP using SerDes media interface.

member <interface-name>

Physical interfaces that belong to the aggregate or redundant interface.

Physical interface name.

string

Maximum length: 79

min-links

Minimum number of aggregated ports that must be up.

integer

Minimum value: 1 Maximum value: 32

1

min-links-down

Action to take when fewer than the configured minimum number of links are active.

option

-

operational

Option

Description

operational

Set the aggregate operationally down.

administrative

Set the aggregate administratively down.

mirroring-direction *

Port mirroring direction.

option

-

Option

Description

rx

Port mirroring receive direction only.

tx

Port mirroring transmit direction only.

both

Port mirroring both directions.

mirroring-port *

Mirroring port.

string

Maximum length: 15

mode

Addressing mode (static, DHCP, PPPoE).

option

-

static

Option

Description

static

Static setting.

dhcp

External DHCP client mode.

pppoe

External PPPoE mode.

monitor-bandwidth

Enable monitoring bandwidth on this interface.

option

-

disable

Option

Description

enable

Enable monitoring bandwidth on this interface.

disable

Disable monitoring bandwidth on this interface.

mtu

MTU value for this interface.

integer

Minimum value: 0 Maximum value: 4294967295

1500

mtu-override

Enable to set a custom MTU for this interface.

option

-

disable

Option

Description

enable

Override default MTU.

disable

Use default MTU.

mux-type *

Multiplexer type.

option

-

llc-encaps

Option

Description

llc-encaps

LLC encapsulation.

vc-encaps

VC encapsulation.

name

Name.

string

Maximum length: 15

ndiscforward

Enable/disable NDISC forwarding.

option

-

enable

Option

Description

enable

Enable NDISC forwarding.

disable

Disable NDISC forwarding.

netbios-forward

Enable/disable NETBIOS forwarding.

option

-

disable

Option

Description

disable

Disable NETBIOS forwarding.

enable

Enable NETBIOS forwarding.

netflow-sample-rate

NetFlow sample rate. Sample one packet every configured number of packets.

integer

Minimum value: 1 Maximum value: 65535

1

netflow-sampler

Enable/disable NetFlow on this interface and set the data that NetFlow collects (rx, tx, or both).

option

-

disable

Option

Description

disable

Disable NetFlow protocol on this interface.

tx

Monitor transmitted traffic on this interface.

rx

Monitor received traffic on this interface.

both

Monitor transmitted/received traffic on this interface.

netflow-sampler-id

NetFlow sampler ID.

integer

Minimum value: 1 Maximum value: 254

0

np-qos-profile *

NP QoS profile ID.

integer

Minimum value: 0 Maximum value: 15

0

outbandwidth

Bandwidth limit for outgoing traffic.

integer

Minimum value: 0 Maximum value: 80000000 **

0

padt-retry-timeout

PPPoE Active Discovery Terminate (PADT) used to terminate sessions after an idle time.

integer

Minimum value: 0 Maximum value: 4294967295

1

password

PPPoE account's password.

password

Not Specified

phy-mode *

DSL physical mode.

option

-

vdsl

Option

Description

vdsl

VDSL.

ping-serv-status

PING server status. Read-only.

integer

Minimum value: 0 Maximum value: 255

0

poe *

Enable/disable PoE status.

option

-

enable

Option

Description

enable

Enable PoE status.

disable

Disable PoE status.

polling-interval

sFlow polling interval in seconds.

integer

Minimum value: 1 Maximum value: 255

20

port-mirroring *

Enable/disable NP port mirroring.

option

-

disable

Option

Description

disable

Disable NP port mirroring.

enable

Enable NP port mirroring.

pppoe-egress-cos

CoS in VLAN tag for outgoing PPPoE/PPP packets.

option

-

cos0

Option

Description

cos0

CoS 0.

cos1

CoS 1.

cos2

CoS 2.

cos3

CoS 3.

cos4

CoS 4.

cos5

CoS 5.

cos6

CoS 6.

cos7

CoS 7.

pppoe-unnumbered-negotiate

Enable/disable PPPoE unnumbered negotiation.

option

-

enable

Option

Description

enable

Enable IP address negotiating for unnumbered.

disable

Disable IP address negotiating for unnumbered.

pptp-auth-type

PPTP authentication type.

option

-

auto

Option

Description

auto

Automatically choose authentication.

pap

PAP authentication.

chap

CHAP authentication.

mschapv1

MS-CHAPv1 authentication.

mschapv2

MS-CHAPv2 authentication.

pptp-client

Enable/disable PPTP client.

option

-

disable

Option

Description

enable

Enable PPTP client.

disable

Disable PPTP client.

pptp-password

PPTP password.

password

Not Specified

pptp-server-ip

PPTP server IP address.

ipv4-address

Not Specified

0.0.0.0

pptp-timeout

Idle timer in minutes (0 for disabled).

integer

Minimum value: 0 Maximum value: 65535

0

pptp-user

PPTP user name.

string

Maximum length: 64

preserve-session-route

Enable/disable preservation of session route when dirty.

option

-

disable

Option

Description

enable

Enable preservation of session route when dirty.

disable

Disable preservation of session route when dirty.

priority

Priority of learned routes.

integer

Minimum value: 1 Maximum value: 65535

1

priority-override

Enable/disable fail back to higher priority port once recovered.

option

-

enable

Option

Description

enable

Enable fail back to higher priority port once recovered.

disable

Disable fail back to higher priority port once recovered.

proxy-captive-portal

Enable/disable proxy captive portal on this interface.

option

-

disable

Option

Description

enable

Enable proxy captive portal on this interface.

disable

Disable proxy captive portal on this interface.

pvc-atm-qos *

SFP-DSL ADSL Fallback PVC ATM QoS.

option

-

ubr

Option

Description

cbr

ATM QoS CBR.

rt-vbr

ATM QoS rt-VBR.

nrt-vbr

ATM QoS nrt-VBR.

ubr

ATM QoS CCBR.

pvc-chan *

SFP-DSL ADSL Fallback PVC Channel.

integer

Minimum value: 0 Maximum value: 7

0

pvc-crc *

SFP-DSL ADSL Fallback PVC CRC Option: bit0: sar LLC preserve, bit1: ream LLC preserve, bit2: ream VC-MUX has crc.

integer

Minimum value: 0 Maximum value: 7

2

pvc-pcr *

SFP-DSL ADSL Fallback PVC Packet Cell Rate in cells.

integer

Minimum value: 0 Maximum value: 5500

0

pvc-scr *

SFP-DSL ADSL Fallback PVC Sustainable Cell Rate in cells.

integer

Minimum value: 0 Maximum value: 5500

0

pvc-vlan-id *

SFP-DSL ADSL Fallback PVC VLAN ID.

integer

Minimum value: 1 Maximum value: 4094

7

pvc-vlan-rx-id *

SFP-DSL ADSL Fallback PVC VLAN ID RX.

integer

Minimum value: 1 Maximum value: 4094

7

pvc-vlan-rx-op *

SFP-DSL ADSL Fallback PVC VLAN RX op.

option

-

pass-through

Option

Description

pass-through

PVC VLAN Tag Passthrough.

replace

PVC VLAN Tag Replace.

remove

PVC VLAN Tag Remove.

pvc-vlan-tx-id *

SFP-DSL ADSL Fallback PVC VLAN ID TX.

integer

Minimum value: 1 Maximum value: 4094

7

pvc-vlan-tx-op *

SFP-DSL ADSL Fallback PVC VLAN TX op.

option

-

remove

Option

Description

pass-through

PVC VLAN Tag Passthrough.

replace

PVC VLAN Tag Replace.

remove

PVC VLAN Tag Remove.

reachable-time

IPv4 reachable time in milliseconds.

integer

Minimum value: 30000 Maximum value: 3600000

30000

redundant-interface

Redundant interface. Read-only.

string

Maximum length: 15

remote-ip

Remote IP address of tunnel.

ipv4-classnet-host

Not Specified

0.0.0.0 0.0.0.0

replacemsg-override-group

Replacement message override group.

string

Maximum length: 35

retransmission *

Enable/disable DSL retransmission.

option

-

enable

Option

Description

disable

Disable retransmission.

enable

Enable retransmission.

ring-rx *

RX ring size.

integer

Minimum value: 0 Maximum value: 4294967295

0

ring-tx *

TX ring size.

integer

Minimum value: 0 Maximum value: 4294967295

0

role

Interface role.

option

-

undefined

Option

Description

lan

Connected to local network of endpoints.

wan

Connected to Internet.

dmz

Connected to server zone.

undefined

Interface has no specific role.

sample-direction

Data that NetFlow collects (rx, tx, or both).

option

-

both

Option

Description

tx

Monitor transmitted traffic on this interface.

rx

Monitor received traffic on this interface.

both

Monitor transmitted/received traffic on this interface.

sample-rate

sFlow sample rate.

integer

Minimum value: 10 Maximum value: 99999

2000

secondary-IP

Enable/disable adding a secondary IP to this interface.

option

-

disable

Option

Description

enable

Enable secondary IP.

disable

Disable secondary IP.

security-8021x-dynamic-vlan-id *

VLAN ID for virtual switch.

integer

Minimum value: 0 Maximum value: 4094

0

security-8021x-master *

802.1X master virtual-switch.

string

Maximum length: 15

security-8021x-member-mode *

802.1X member mode.

option

-

switch

Option

Description

switch

This member will use switch 802.1X configuration.

disable

This member will disable 802.1X configuration.

security-8021x-mode *

802.1X mode.

option

-

default

Option

Description

default

802.1X default mode.

dynamic-vlan

802.1X dynamic VLAN (master) mode.

fallback

802.1X fallback (master) mode.

slave

802.1X slave mode.

security-exempt-list

Name of security-exempt-list.

string

Maximum length: 35

security-external-logout

URL of external authentication logout server.

string

Maximum length: 127

security-external-web

URL of external authentication web server.

var-string

Maximum length: 1023

security-groups <name>

User groups that can authenticate with the captive portal.

Names of user groups that can authenticate with the captive portal.

string

Maximum length: 79

security-ip-auth-bypass

Enable/disable IP authentication bypass.

option

-

disable

Option

Description

enable

Enable IP authentication bypass.

disable

Disable IP authentication bypass.

security-mac-auth-bypass

Enable/disable MAC authentication bypass.

option

-

disable

Option

Description

mac-auth-only

Enable MAC authentication bypass without EAP.

enable

Enable MAC authentication bypass.

disable

Disable MAC authentication bypass.

security-mode

Turn on captive portal authentication for this interface.

option

-

none

Option

Description

none

No security option.

captive-portal

Captive portal authentication.

802.1X

802.1X port-based authentication.

security-redirect-url

URL redirection after disclaimer/authentication.

var-string

Maximum length: 1023

select-profile-30a-35b *

Select VDSL Profile 30a or 35b.

option

-

35B

Option

Description

30A

Enable VDSL Profile 30A.

35B

Enable VDSL Profile 35B.

service-name

PPPoE service name.

string

Maximum length: 63

sflow-sampler

Enable/disable sFlow on this interface.

option

-

disable

Option

Description

enable

Enable sFlow protocol on this interface.

disable

Disable sFlow protocol on this interface.

sfp-dsl *

Enable/disable SFP DSL.

option

-

disable

Option

Description

disable

Disable SFP DSL.

enable

Enable SFP DSL.

sfp-dsl-adsl-fallback *

Enable/disable SFP DSL ADSL fallback.

option

-

disable

Option

Description

disable

Disable SFP DSL ADSL fallback.

enable

Enable SFP DSL ADSL fallback.

sfp-dsl-autodetect *

Enable/disable SFP DSL MAC address autodetect.

option

-

enable

Option

Description

disable

Disable SFP DSL MAC address autodetect.

enable

Enable SFP DSL MAC address autodetect.

sfp-dsl-mac *

SFP DSL MAC address.

mac-address

Not Specified

00:00:00:00:00:00

snmp-index

Permanent SNMP Index of the interface.

integer

Minimum value: 0 Maximum value: 2147483647

0

speed

Interface speed. The default setting and the options available depend on the interface hardware.

option

-

auto

Option

Description

auto

Automatically adjust speed.

10full

10M full-duplex.

10half

10M half-duplex.

100full

100M full-duplex.

100half

100M half-duplex.

1000full

1000M full-duplex.

1000auto

1000M auto adjust.

10000full

10G full-duplex.

10000auto

10G auto.

spillover-threshold

Egress spillover threshold, 0 means unlimited.

integer

Minimum value: 0 Maximum value: 16776000

0

src-check

Enable/disable source IP check.

option

-

enable

Option

Description

enable

Enable source IP check.

disable

Disable source IP check.

status

Bring the interface up or shut the interface down.

option

-

up

Option

Description

up

Bring the interface up.

down

Shut the interface down.

stp *

Enable/disable STP.

option

-

disable

Option

Description

disable

Disable STP.

enable

Enable STP.

stp-edge *

Enable/disable as STP edge port.

option

-

disable

Option

Description

disable

Disable STP edge port.

enable

Enable STP edge port.

stp-ha-secondary *

Control STP behavior on HA secondary.

option

-

priority-adjust

Option

Description

disable

Disable STP negotiation on HA secondary.

enable

Enable STP negotiation on HA secondary.

priority-adjust

Enable STP negotiation on HA secondary and make priority lower than HA primary.

stpforward

Enable/disable STP forwarding.

option

-

disable

Option

Description

enable

Enable STP forwarding.

disable

Disable STP forwarding.

stpforward-mode

Configure STP forwarding mode.

option

-

rpl-all-ext-id

Option

Description

rpl-all-ext-id

Replace all extension IDs (root, bridge).

rpl-bridge-ext-id

Replace the bridge extension ID only.

rpl-nothing

Replace nothing.

subst

Enable to always send packets from this interface to a destination MAC address.

option

-

disable

Option

Description

enable

Send packets from this interface.

disable

Do not send packets from this interface.

substitute-dst-mac

Destination MAC address that all packets are sent to from this interface.

mac-address

Not Specified

00:00:00:00:00:00

sw-algorithm *

Frame distribution algorithm for switch.

option

-

default

Option

Description

l2

Use layer 2 address for distribution.

l3

Use layer 3 address for distribution.

eh

Use enhanced hashing for distribution.

default

Use the hashing that the driver selects during initialization for distribution.

swc-first-create *

Initial create for switch-controller VLANs. Read-only.

integer

Minimum value: 0 Maximum value: 4294967295

0

swc-vlan *

Creation status for switch-controller VLANs. Read-only.

integer

Minimum value: 0 Maximum value: 4294967295

0

switch

Contained in switch. Read-only.

string

Maximum length: 15

switch-controller-access-vlan *

Block FortiSwitch port-to-port traffic.

option

-

disable

Option

Description

enable

Block FortiSwitch port-to-port traffic on the VLAN, only permitting traffic to and from the FortiGate.

disable

Allow normal VLAN traffic.

switch-controller-arp-inspection *

Enable/disable/Monitor FortiSwitch ARP inspection.

option

-

disable

Option

Description

enable

Enable ARP inspection for FortiSwitch devices.

disable

Disable ARP inspection for FortiSwitch devices.

monitor

Monitor ARP traffic and update DHCP client database with MAC-VLAN-IP.

switch-controller-dhcp-snooping *

Switch controller DHCP snooping.

option

-

disable

Option

Description

enable

Enable DHCP snooping for FortiSwitch devices.

disable

Disable DHCP snooping for FortiSwitch devices.

switch-controller-dhcp-snooping-option82 *

Switch controller DHCP snooping option82.

option

-

disable

Option

Description

enable

Enable DHCP snooping insert option82 for FortiSwitch devices.

disable

Disable DHCP snooping insert option82 for FortiSwitch devices.

switch-controller-dhcp-snooping-verify-mac *

Switch controller DHCP snooping verify MAC.

option

-

disable

Option

Description

enable

Enable DHCP snooping verify source MAC for FortiSwitch devices.

disable

Disable DHCP snooping verify source MAC for FortiSwitch devices.

switch-controller-dynamic *

Integrated FortiLink settings for managed FortiSwitch.

string

Maximum length: 35

switch-controller-feature *

Interface's purpose when assigning traffic (read only).

option

-

none

Option

Description

none

VLAN for generic purpose.

default-vlan

Default VLAN (native) assigned to all switch ports upon discovery.

quarantine

VLAN for quarantined traffic.

rspan

VLAN for RSPAN/ERSPAN mirrored traffic.

voice

VLAN dedicated for voice devices.

video

VLAN dedicated for camera devices.

nac

VLAN dedicated for NAC onboarding devices.

nac-segment

VLAN dedicated for NAC segment devices.

switch-controller-igmp-snooping *

Switch controller IGMP snooping.

option

-

disable

Option

Description

enable

Enable IGMP snooping.

disable

Disable IGMP snooping.

switch-controller-igmp-snooping-fast-leave *

Switch controller IGMP snooping fast-leave.

option

-

disable

Option

Description

enable

Enable IGMP snooping fast-leave.

disable

Disable IGMP snooping fast-leave.

switch-controller-igmp-snooping-proxy *

Switch controller IGMP snooping proxy.

option

-

disable

Option

Description

enable

Enable IGMP snooping proxy.

disable

Disable IGMP snooping proxy.

switch-controller-iot-scanning *

Enable/disable managed FortiSwitch IoT scanning.

option

-

disable

Option

Description

enable

Enable IoT scanning for managed FortiSwitch devices.

disable

Disable IoT scanning for managed FortiSwitch devices.

switch-controller-learning-limit *

Limit the number of dynamic MAC addresses on this VLAN.

integer

Minimum value: 0 Maximum value: 128

0

switch-controller-mgmt-vlan *

VLAN to use for FortiLink management purposes.

integer

Minimum value: 1 Maximum value: 4094

4094

switch-controller-nac *

Integrated FortiLink settings for managed FortiSwitch.

string

Maximum length: 35

switch-controller-netflow-collect *

NetFlow collection and processing.

option

-

disable

Option

Description

disable

Disable NetFlow collection.

enable

Enable NetFlow collection.

switch-controller-offload *

Enable/disable managed FortiSwitch routing offload.

option

-

disable

Option

Description

enable

Enable routing offload to managed FortiSwitch devices.

disable

Disable routing offload to managed FortiSwitch devices.

switch-controller-offload-gw *

Enable/disable managed FortiSwitch routing offload gateway.

option

-

disable

Option

Description

enable

Enable routing offload gateway to managed FortiSwitch devices.

disable

Disable routing offload gateway to managed FortiSwitch devices.

switch-controller-offload-ip *

IP for routing offload on FortiSwitch.

ipv4-address

Not Specified

0.0.0.0

switch-controller-rspan-mode *

Stop Layer2 MAC learning and interception of BPDUs and other packets on this interface.

option

-

disable

Option

Description

disable

Disable RSPAN passthrough mode on this VLAN interface.

enable

Enable RSPAN passthrough mode on this VLAN interface.

switch-controller-source-ip *

Source IP address used in FortiLink over L3 connections.

option

-

outbound

Option

Description

outbound

Source IP address is that of the outbound interface.

fixed

Source IP address is that of the FortiLink interface.

switch-controller-traffic-policy *

Switch controller traffic policy for the VLAN.

string

Maximum length: 63

system-id

Define a system ID for the aggregate interface.

mac-address

Not Specified

00:00:00:00:00:00

system-id-type

Method in which system ID is generated.

option

-

auto

Option

Description

auto

Use the MAC address of the first member.

user

User-defined system ID.

tc-mode *

DSL transfer mode.

option

-

ptm

Option

Description

ptm

Packet transfer mode.

tcp-mss

TCP maximum segment size. 0 means do not change segment size.

integer

Minimum value: 48 Maximum value: 65535

0

trunk *

Enable/disable VLAN trunk.

option

-

disable

Option

Description

enable

Enable VLAN trunk on this interface.

disable

Disable VLAN trunk on this interface.

trust-ip-1

Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts).

ipv4-classnet-any

Not Specified

0.0.0.0 0.0.0.0

trust-ip-2

Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts).

ipv4-classnet-any

Not Specified

0.0.0.0 0.0.0.0

trust-ip-3

Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts).

ipv4-classnet-any

Not Specified

0.0.0.0 0.0.0.0

trust-ip6-1

Trusted IPv6 host for dedicated management traffic (::/0 for all hosts).

ipv6-prefix

Not Specified

::/0

trust-ip6-2

Trusted IPv6 host for dedicated management traffic (::/0 for all hosts).

ipv6-prefix

Not Specified

::/0

trust-ip6-3

Trusted IPv6 host for dedicated management traffic (::/0 for all hosts).

ipv6-prefix

Not Specified

::/0

type

Interface type.

option

-

vlan

Option

Description

physical

Physical interface.

vlan

VLAN interface.

aggregate

Aggregate interface.

redundant

Redundant interface.

tunnel

Tunnel interface.

vdom-link

VDOM link interface.

loopback

Loopback interface.

switch

Software switch interface.

vap-switch

VAP interface.

wl-mesh

WLAN mesh interface.

fext-wan

FortiExtender interface.

vxlan

VXLAN interface.

geneve

GENEVE interface.

hdlc

T1/E1 interface.

switch-vlan

Switch VLAN interface.

emac-vlan

EMAC VLAN interface.

ssl

SSL VPN client interface.

lan-extension

LAN extension interface.

username

Username of the PPPoE account, provided by your ISP.

string

Maximum length: 64

vci *

Virtual Channel ID.

integer

Minimum value: 0 Maximum value: 65535

35

vdom

Interface is in this virtual domain (VDOM).

string

Maximum length: 31

vectoring *

Enable/disable DSL vectoring.

option

-

enable

Option

Description

disable

Disable vectoring.

enable

Enable vectoring.

vindex *

Switch control interface VLAN ID. Read-only.

integer

Minimum value: 0 Maximum value: 65535

0

virtual-mac

Change the interface's virtual MAC address.

mac-address

Not Specified

00:00:00:00:00:00

vlan-id *

VLAN ID.

integer

Minimum value: 0 Maximum value: 4095

1

vlan-op-mode *

Configure DSL 802.1q mode.

option

-

passthrough

Option

Description

tag

802.1q Tagged.

untag

802.1q Un-Tagged.

passthrough

802.1q Passthrough.

vlan-protocol

Ethernet protocol of VLAN.

option

-

8021q

Option

Description

8021q

IEEE 802.1Q.

8021ad

IEEE 802.1AD.

vlanforward

Enable/disable traffic forwarding between VLANs on this interface.

option

-

disable

Option

Description

enable

Enable traffic forwarding.

disable

Disable traffic forwarding.

vlanid

VLAN ID.

integer

Minimum value: 1 Maximum value: 4094

0

vpi *

Virtual Path ID.

integer

Minimum value: 0 Maximum value: 255

0

vrf

Virtual Routing Forwarding ID.

integer

Minimum value: 0 Maximum value: 511

0

vrrp-virtual-mac

Enable/disable use of virtual MAC for VRRP.

option

-

disable

Option

Description

enable

Enable use of virtual MAC for VRRP.

disable

Disable use of virtual MAC for VRRP.

wccp

Enable/disable WCCP on this interface. Used for encapsulated WCCP communication between WCCP clients and servers.

option

-

disable

Option

Description

enable

Enable WCCP protocol on this interface.

disable

Disable WCCP protocol on this interface.

weight

Default weight for static routes (if route has no weight configured).

integer

Minimum value: 0 Maximum value: 255

0

wifi-5g-threshold *

Minimum signal strength for an AP to be considered a good 5G AP.

string

Maximum length: 7

-78

wifi-acl *

Access control for MAC addresses in the MAC list.

option

-

deny

Option

Description

allow

Allow.

deny

Deny.

wifi-ap-band *

How to select the AP to connect to.

option

-

any

Option

Description

any

Connect to the best 2G or 5G AP.

5g-preferred

Connect to the 5G AP if a good 5G AP exists.

5g-only

Only connect to the 5G AP.

wifi-auth *

WiFi authentication.

option

-

PSK

Option

Description

PSK

PSK.

radius

RADIUS.

usergroup

User group.

wifi-auto-connect *

Enable/disable WiFi network auto connect.

option

-

enable

Option

Description

enable

Enable WiFi network auto connect.

disable

Disable WiFi network auto connect.

wifi-auto-save *

Enable/disable WiFi network automatic save.

option

-

disable

Option

Description

enable

Enable WiFi network automatic save.

disable

Disable WiFi network automatic save.

wifi-broadcast-ssid *

Enable/disable SSID broadcast in the beacon.

option

-

enable

Option

Description

enable

Enable SSID broadcast in the beacon.

disable

Disable SSID broadcast in the beacon.

wifi-dns-server1 *

DNS server 1.

ipv4-address

Not Specified

0.0.0.0

wifi-dns-server2 *

DNS server 2.

ipv4-address

Not Specified

0.0.0.0

wifi-encrypt *

Data encryption.

option

-

AES

Option

Description

TKIP

TKIP.

AES

AES.

wifi-fragment-threshold *

WiFi fragment threshold.

integer

Minimum value: 800 Maximum value: 2346

2346

wifi-gateway *

IPv4 default gateway IP address.

ipv4-address

Not Specified

0.0.0.0

wifi-key *

WiFi WEP Key.

password

Not Specified

wifi-keyindex *

WEP key index.

integer

Minimum value: 1 Maximum value: 4

1

wifi-mac-filter *

Enable/disable MAC filter status.

option

-

disable

Option

Description

enable

Enable MAC filter.

disable

Disable MAC filter.

wifi-passphrase *

WiFi pre-shared key for WPA.

password

Not Specified

wifi-radius-server *

WiFi RADIUS server for WPA.

string

Maximum length: 35

wifi-rts-threshold *

WiFi RTS threshold.

integer

Minimum value: 256 Maximum value: 2346

2346

wifi-security *

Wireless access security of SSID.

option

-

wpa-personal

Option

Description

open

Open.

wep64

WEP64.

wep128

WEP128.

wpa-personal

WPA personal.

wpa-enterprise

WPA enterprise.

wpa-only-personal

WPA personal only.

wpa-only-enterprise

WPA enterprise only.

wpa2-only-personal

WPA2 personal only.

wpa2-only-enterprise

WPA2 enterprise only.

wifi-ssid *

IEEE 802.11 Service Set Identifier.

string

Maximum length: 32

fortinet

wifi-usergroup *

WiFi user group for WPA.

string

Maximum length: 35

wins-ip

WINS server IP.

ipv4-address

Not Specified

0.0.0.0

* This parameter may not exist in some models.

** Values may differ between models.

config client-options

Parameter

Description

Type

Size

Default

code

DHCP client option code.

integer

Minimum value: 0 Maximum value: 255

0

id

ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

ip

DHCP option IPs.

user

Not Specified

type

DHCP client option type.

option

-

hex

Option

Description

hex

DHCP option in hex.

string

DHCP option in string.

ip

DHCP option in IP.

fqdn

DHCP option in domain search option format.

value

DHCP client option value.

string

Maximum length: 312

config client-options

Parameter

Description

Type

Size

Default

code

DHCPv6 option code.

integer

Minimum value: 0 Maximum value: 255

0

id

ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

ip6

DHCP option IP6s.

user

Not Specified

type

DHCPv6 option type.

option

-

hex

Option

Description

hex

DHCPv6 option in hex.

string

DHCPv6 option in string.

ip6

DHCPv6 option in IP6.

fqdn

DHCPv6 option in domain search option format.

value

DHCPv6 option value (hexadecimal value must be even).

string

Maximum length: 312

config dhcp-snooping-server-list

Parameter

Description

Type

Size

Default

name

DHCP server name.

string

Maximum length: 35

default

server-ip

IP address for DHCP server.

ipv4-address

Not Specified

0.0.0.0

config egress-queues

Parameter

Description

Type

Size

Default

cos0

CoS profile name for CoS 0.

string

Maximum length: 35

cos1

CoS profile name for CoS 1.

string

Maximum length: 35

cos2

CoS profile name for CoS 2.

string

Maximum length: 35

cos3

CoS profile name for CoS 3.

string

Maximum length: 35

cos4

CoS profile name for CoS 4.

string

Maximum length: 35

cos5

CoS profile name for CoS 5.

string

Maximum length: 35

cos6

CoS profile name for CoS 6.

string

Maximum length: 35

cos7

CoS profile name for CoS 7.

string

Maximum length: 35

config ipv6

Parameter

Description

Type

Size

Default

autoconf

Enable/disable address auto config.

option

-

disable

Option

Description

enable

Enable auto-configuration.

disable

Disable auto-configuration.

cli-conn6-status

CLI IPv6 connection status. Read-only.

integer

Minimum value: 0 Maximum value: 4294967295

0

dhcp6-client-options

DHCPv6 client options. Read-only.

option

-

Option

Description

rapid

Send rapid commit option.

iapd

Send including IA-PD option.

iana

Send including IA-NA option.

dhcp6-information-request

Enable/disable DHCPv6 information request.

option

-

disable

Option

Description

enable

Enable DHCPv6 information request.

disable

Disable DHCPv6 information request.

dhcp6-prefix-delegation

Enable/disable DHCPv6 prefix delegation.

option

-

disable

Option

Description

enable

Enable DHCPv6 prefix delegation.

disable

Disable DHCPv6 prefix delegation.

dhcp6-relay-interface-id

DHCPv6 relay interface ID.

string

Maximum length: 64

dhcp6-relay-ip

DHCPv6 relay IP address.

user

Not Specified

dhcp6-relay-service

Enable/disable DHCPv6 relay.

option

-

disable

Option

Description

disable

Disable DHCPv6 relay.

enable

Enable DHCPv6 relay.

dhcp6-relay-source-interface

Enable/disable use of address on this interface as the source address of the relay message.

option

-

disable

Option

Description

disable

Use address of the egress interface as source address of the relay message.

enable

Use address of this interface as source address of the relay message.

dhcp6-relay-source-ip

IPv6 address used by the DHCPv6 relay as its source IP.

ipv6-address

Not Specified

::

dhcp6-relay-type

DHCPv6 relay type.

option

-

regular

Option

Description

regular

Regular DHCP relay.

icmp6-send-redirect

Enable/disable sending of ICMPv6 redirects.

option

-

enable

Option

Description

enable

Enable sending of ICMPv6 redirects.

disable

Disable sending of ICMPv6 redirects.

interface-identifier

IPv6 interface identifier.

ipv6-address

Not Specified

::

ip6-address

Primary IPv6 address prefix. Syntax: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx.

ipv6-prefix

Not Specified

::/0

ip6-adv-rio

Enable/disable sending advertisements with route information option.

option

-

disable

Option

Description

enable

Enable sending advertisements with route information option.

disable

Disable sending advertisements with route information option.

ip6-allowaccess

Allow management access to the interface.

option

-

Option

Description

ping

PING access.

https

HTTPS access.

ssh

SSH access.

snmp

SNMP access.

http

HTTP access.

telnet

TELNET access.

fgfm

FortiManager access.

fabric

Fabric access.

ip6-default-life

Default life (sec).

integer

Minimum value: 0 Maximum value: 9000

1800

ip6-delegated-prefix-iaid

IAID of obtained delegated-prefix from the upstream interface.

integer

Minimum value: 0 Maximum value: 4294967295

0

ip6-dns-server-override

Enable/disable using the DNS server acquired by DHCP.

option

-

enable

Option

Description

enable

Enable using the DNS server acquired by DHCP.

disable

Disable using the DNS server acquired by DHCP.

ip6-hop-limit

Hop limit (0 means unspecified).

integer

Minimum value: 0 Maximum value: 255

0

ip6-link-mtu

IPv6 link MTU.

integer

Minimum value: 1280 Maximum value: 16000

0

ip6-manage-flag

Enable/disable the managed flag.

option

-

disable

Option

Description

enable

Enable the managed IPv6 flag.

disable

Disable the managed IPv6 flag.

ip6-max-interval

IPv6 maximum interval (4 to 1800 sec).

integer

Minimum value: 4 Maximum value: 1800

600

ip6-min-interval

IPv6 minimum interval (3 to 1350 sec).

integer

Minimum value: 3 Maximum value: 1350

198

ip6-mode

Addressing mode (static, DHCP, delegated).

option

-

static

Option

Description

static

Static setting.

dhcp

DHCPv6 client mode.

pppoe

IPv6 over PPPoE mode.

delegated

IPv6 address with delegated prefix.

ip6-other-flag

Enable/disable the other IPv6 flag.

option

-

disable

Option

Description

enable

Enable the other IPv6 flag.

disable

Disable the other IPv6 flag.

ip6-prefix-mode

Assigning a prefix from DHCP or RA.

option

-

dhcp6

Option

Description

dhcp6

Use delegated prefix from a DHCPv6 client to form a delegated IPv6 address.

ra

Use prefix from RA to form a delegated IPv6 address.

ip6-reachable-time

IPv6 reachable time (milliseconds; 0 means unspecified).

integer

Minimum value: 0 Maximum value: 3600000

0

ip6-retrans-time

IPv6 retransmit time (milliseconds; 0 means unspecified).

integer

Minimum value: 0 Maximum value: 4294967295

0

ip6-route-pref

Set route preference to the interface.

option

-

medium

Option

Description

medium

Medium route preferences in RA packet.

high

High route preferences in RA packet.

low

Low route preferences in RA packet.

ip6-send-adv

Enable/disable sending advertisements about the interface.

option

-

disable

Option

Description

enable

Enable sending advertisements about this interface.

disable

Disable sending advertisements about this interface.

ip6-subnet

Subnet to routing prefix. Syntax: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx.

ipv6-prefix

Not Specified

::/0

ip6-upstream-interface

Interface name providing delegated information.

string

Maximum length: 15

nd-cert

Neighbor discovery certificate.

string

Maximum length: 35

nd-cga-modifier

Neighbor discovery CGA modifier.

user

Not Specified

nd-mode

Neighbor discovery mode.

option

-

basic

Option

Description

basic

Do not support SEND.

SEND-compatible

Support SEND.

nd-security-level

Neighbor discovery security level.

integer

Minimum value: 0 Maximum value: 7

0

nd-timestamp-delta

Neighbor discovery timestamp delta value.

integer

Minimum value: 1 Maximum value: 3600

300

nd-timestamp-fuzz

Neighbor discovery timestamp fuzz factor.

integer

Minimum value: 1 Maximum value: 60

1

ra-send-mtu

Enable/disable sending link MTU in RA packet.

option

-

enable

Option

Description

enable

Enable sending link MTU in RA packet.

disable

Disable sending link MTU in RA packet.

unique-autoconf-addr

Enable/disable unique auto config address.

option

-

disable

Option

Description

enable

Enable unique auto-configuration address.

disable

Disable unique auto-configuration address.

vrip6_link_local

Link-local IPv6 address of virtual router.

ipv6-address

Not Specified

::

vrrp-virtual-mac6

Enable/disable virtual MAC for VRRP.

option

-

disable

Option

Description

enable

Enable virtual MAC for VRRP.

disable

Disable virtual MAC for VRRP.

config client-options

Parameter

Description

Type

Size

Default

code

DHCP client option code.

integer

Minimum value: 0 Maximum value: 255

0

id

ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

ip

DHCP option IPs.

user

Not Specified

type

DHCP client option type.

option

-

hex

value

DHCP client option value.

string

Maximum length: 312

config client-options

Parameter

Description

Type

Size

Default

code

DHCPv6 option code.

integer

Minimum value: 0 Maximum value: 255

0

id

ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

ip6

DHCP option IP6s.

user

Not Specified

type

DHCPv6 option type.

option

-

hex

value

DHCPv6 option value (hexadecimal value must be even).

string

Maximum length: 312

config dhcp6-iapd-list

Parameter

Description

Type

Size

Default

iaid

Identity association identifier.

integer

Minimum value: 0 Maximum value: 4294967295

0

prefix-hint

DHCPv6 prefix that will be used as a hint to the upstream DHCPv6 server.

ipv6-network

Not Specified

::/0

prefix-hint-plt

DHCPv6 prefix hint preferred life time (sec); 0 means unlimited lease time.

integer

Minimum value: 0 Maximum value: 4294967295

604800

prefix-hint-vlt

DHCPv6 prefix hint valid life time (sec).

integer

Minimum value: 0 Maximum value: 4294967295

2592000

config ip6-delegated-prefix-list

Parameter

Description

Type

Size

Default

autonomous-flag

Enable/disable the autonomous flag.

option

-

enable

Option

Description

enable

Enable the autonomous flag.

disable

Disable the autonomous flag.

delegated-prefix-iaid

IAID of obtained delegated-prefix from the upstream interface.

integer

Minimum value: 0 Maximum value: 4294967295

0

onlink-flag

Enable/disable the onlink flag.

option

-

enable

Option

Description

enable

Enable the onlink flag.

disable

Disable the onlink flag.

prefix-id

Prefix ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

rdnss

Recursive DNS server option.

user

Not Specified

rdnss-service

Recursive DNS service option.

option

-

specify

Option

Description

delegated

Delegated RDNSS settings.

default

System RDNSS settings.

specify

Specify recursive DNS servers.

subnet

Add subnet ID to routing prefix.

ipv6-network

Not Specified

::/0

upstream-interface

Name of the interface that provides delegated information.

string

Maximum length: 15

config ip6-dnssl-list

Parameter

Description

Type

Size

Default

dnssl-life-time

DNS search list time in seconds.

integer

Minimum value: 0 Maximum value: 4294967295

1800

domain

Domain name.

string

Maximum length: 79

config ip6-extra-addr

Parameter

Description

Type

Size

Default

prefix

IPv6 address prefix.

ipv6-prefix

Not Specified

::/0

config ip6-prefix-list

Parameter

Description

Type

Size

Default

autonomous-flag

Enable/disable the autonomous flag.

option

-

enable

Option

Description

enable

Enable the autonomous flag.

disable

Disable the autonomous flag.

onlink-flag

Enable/disable the onlink flag.

option

-

enable

Option

Description

enable

Enable the onlink flag.

disable

Disable the onlink flag.

preferred-life-time

Preferred life time (sec).

integer

Minimum value: 0 Maximum value: 4294967295

604800

prefix

IPv6 prefix.

ipv6-network

Not Specified

::/0

valid-life-time

Valid life time (sec).

integer

Minimum value: 0 Maximum value: 4294967295

2592000

config ip6-rdnss-list

Parameter

Description

Type

Size

Default

rdnss

Recursive DNS server option.

ipv6-address

Not Specified

::

rdnss-life-time

Recursive DNS server life time in seconds.

integer

Minimum value: 0 Maximum value: 4294967295

1800

config ip6-route-list

Parameter

Description

Type

Size

Default

route

IPv6 route.

ipv6-network

Not Specified

::/0

route-life-time

Route life time in seconds.

integer

Minimum value: 0 Maximum value: 65535

1800

route-pref

Set route preference to the interface.

option

-

medium

Option

Description

medium

Medium route preferences in RA packet.

high

High route preferences in RA packet.

low

Low route preferences in RA packet.

config vrrp6

Parameter

Description

Type

Size

Default

accept-mode

Enable/disable accept mode.

option

-

enable

Option

Description

enable

Enable accept mode.

disable

Disable accept mode.

adv-interval

Advertisement interval.

integer

Minimum value: 250 Maximum value: 255000

1000

ignore-default-route

Enable/disable ignoring of default route when checking destination.

option

-

disable

Option

Description

enable

Ignore default route when checking destination.

disable

Do not ignore default route when checking destination.

preempt

Enable/disable preempt mode.

option

-

enable

Option

Description

enable

Enable preempt mode.

disable

Disable preempt mode.

priority

Priority of the virtual router.

integer

Minimum value: 1 Maximum value: 255

100

start-time

Startup time.

integer

Minimum value: 1 Maximum value: 255

3

status

Enable/disable VRRP.

option

-

enable

Option

Description

enable

Enable VRRP.

disable

Disable VRRP.

vrdst-priority

Priority of the virtual router when the virtual router destination becomes unreachable.

integer

Minimum value: 0 Maximum value: 254

0

vrdst6

Monitor the route to this destination.

ipv6-address

Not Specified

vrgrp

VRRP group ID.

integer

Minimum value: 1 Maximum value: 65535

0

vrid

Virtual router identifier.

integer

Minimum value: 1 Maximum value: 255

0

vrip6

IPv6 address of the virtual router.

ipv6-address

Not Specified

::

config l2tp-client-settings

Parameter

Description

Type

Size

Default

auth-type

L2TP authentication type.

option

-

auto

Option

Description

auto

Automatically choose authentication.

pap

PAP authentication.

chap

CHAP authentication.

mschapv1

MS-CHAPv1 authentication.

mschapv2

MS-CHAPv2 authentication.

defaultgw

Enable/disable default gateway.

option

-

disable

Option

Description

enable

Enable default gateway.

disable

Disable default gateway.

distance

Distance of learned routes.

integer

Minimum value: 1 Maximum value: 255

2

hello-interval

L2TP hello message interval in seconds.

integer

Minimum value: 0 Maximum value: 3600

60

ip

IP. Read-only.

ipv4-classnet-host

Not Specified

0.0.0.0 0.0.0.0

mtu

L2TP MTU.

integer

Minimum value: 40 Maximum value: 65535

1460

password

L2TP password.

password

Not Specified

peer-host

L2TP peer host address.

string

Maximum length: 255

peer-mask

L2TP peer mask.

ipv4-netmask

Not Specified

255.255.255.255

peer-port

L2TP peer port number.

integer

Minimum value: 1 Maximum value: 65535

1701

priority

Priority of learned routes.

integer

Minimum value: 1 Maximum value: 65535

1

user

L2TP user name.

string

Maximum length: 127

config mirroring-filter

Parameter

Description

Type

Size

Default

filter-dport

Destination port of mirroring filter.

integer

Minimum value: 0 Maximum value: 65535

0

filter-dstip

Destination IP and mask of mirroring filter.

ipv4-classnet-host

Not Specified

0.0.0.0 0.0.0.0

filter-protocol

Protocol of mirroring filter.

integer

Minimum value: 0 Maximum value: 255

0

filter-sport

Source port of mirroring filter.

integer

Minimum value: 0 Maximum value: 65535

0

filter-srcip

Source IP and mask of mirroring filter.

ipv4-classnet-host

Not Specified

0.0.0.0 0.0.0.0

config secondaryip

Parameter

Description

Type

Size

Default

allowaccess

Management access settings for the secondary IP address.

option

-

Option

Description

ping

PING access.

https

HTTPS access.

ssh

SSH access.

snmp

SNMP access.

http

HTTP access.

telnet

TELNET access.

fgfm

FortiManager access.

radius-acct

RADIUS accounting access.

probe-response

Probe access.

fabric

Security Fabric access.

ftm

FTM access.

speed-test

Speed test access.

scim

System for Cross-domain Identity Management (SCIM) access.

detectprotocol

Protocols used to detect the server.

option

-

ping

Option

Description

ping

PING.

tcp-echo

TCP echo.

udp-echo

UDP echo.

detectserver

Gateway's ping server for this IP.

user

Not Specified

gwdetect

Enable/disable detect gateway alive for first.

option

-

disable

Option

Description

enable

Enable detect gateway alive for first.

disable

Disable detect gateway alive for first.

ha-priority

HA election priority for the PING server.

integer

Minimum value: 1 Maximum value: 50

1

id

ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

ip

Secondary IP address of the interface.

ipv4-classnet-host

Not Specified

0.0.0.0 0.0.0.0

ping-serv-status

PING server status. Read-only.

integer

Minimum value: 0 Maximum value: 255

0

secip-relay-ip

DHCP relay IP address.

user

Not Specified

config tagging

Parameter

Description

Type

Size

Default

category

Tag category.

string

Maximum length: 63

name

Tagging entry name.

string

Maximum length: 63

tags <name>

Tags.

Tag name.

string

Maximum length: 79

config vrrp

Parameter

Description

Type

Size

Default

accept-mode

Enable/disable accept mode.

option

-

enable

Option

Description

enable

Enable accept mode.

disable

Disable accept mode.

adv-interval

Advertisement interval.

integer

Minimum value: 250 Maximum value: 255000

1000

ignore-default-route

Enable/disable ignoring of default route when checking destination.

option

-

disable

Option

Description

enable

Ignore default route when checking destination.

disable

Do not ignore default route when checking destination.

preempt

Enable/disable preempt mode.

option

-

enable

Option

Description

enable

Enable preempt mode.

disable

Disable preempt mode.

priority

Priority of the virtual router.

integer

Minimum value: 1 Maximum value: 255

100

start-time

Startup time.

integer

Minimum value: 1 Maximum value: 255

3

status

Enable/disable this VRRP configuration.

option

-

enable

Option

Description

enable

Enable this VRRP configuration.

disable

Disable this VRRP configuration.

version

VRRP version.

option

-

2

Option

Description

2

VRRP version 2.

3

VRRP version 3.

vrdst

Monitor the route to this destination.

ipv4-address-any

Not Specified

vrdst-priority

Priority of the virtual router when the virtual router destination becomes unreachable.

integer

Minimum value: 0 Maximum value: 254

0

vrgrp

VRRP group ID.

integer

Minimum value: 1 Maximum value: 65535

0

vrid

Virtual router identifier.

integer

Minimum value: 1 Maximum value: 255

0

vrip

IP address of the virtual router.

ipv4-address-any

Not Specified

0.0.0.0

config proxy-arp

Parameter

Description

Type

Size

Default

id

ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

ip

Set IP addresses of proxy ARP.

user

Not Specified

config wifi-mac-list

Parameter

Description

Type

Size

Default

id

ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

mac

MAC address.

mac-address

Not Specified

00:00:00:00:00:00

config wifi-networks

Parameter

Description

Type

Size

Default

id

ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

wifi-ca-certificate

CA certificate for WPA2/WPA3-ENTERPRISE.

string

Maximum length: 79

wifi-client-certificate

Client certificate for WPA2/WPA3-ENTERPRISE.

string

Maximum length: 35

wifi-eap-type

WPA2/WPA3-ENTERPRISE EAP Method.

option

-

peap

Option

Description

both

EAP PEAP and TLS.

tls

EAP TLS.

peap

EAP PEAP.

wifi-encrypt

Data encryption.

option

-

AES

Option

Description

TKIP

TKIP.

AES

AES.

wifi-key

WiFi WEP Key.

password

Not Specified

wifi-keyindex

WEP key index.

integer

Minimum value: 1 Maximum value: 4

1

wifi-passphrase

WiFi pre-shared key for WPA-PSK or password for WPA3-SAE and WPA2/WPA3-ENTERPRISE.

password

Not Specified

wifi-private-key

Private key for WPA2/WPA3-ENTERPRISE.

string

Maximum length: 35

wifi-private-key-password

Password for private key file for WPA2/WPA3-ENTERPRISE.

password

Not Specified

wifi-security

Wireless access security of SSID.

option

-

wpa-personal

Option

Description

open

Open.

wep64

WEP64.

wep128

WEP128.

wpa-personal

WPA personal.

wpa-only-personal

WPA personal only.

wpa2-only-personal

WPA2 personal only.

wpa3-sae

WPA3 SAE.

owe

OWE.

wpa-enterprise

WPA2/WPA3 ENTERPRISE.

wifi-ssid

IEEE 802.11 Service Set Identifier.

string

Maximum length: 32

fortinet

wifi-username

Username for WPA2/WPA3-ENTERPRISE.

string

Maximum length: 64

fortinet

config system interface

config system interface

Configure interfaces.

config system interface
    Description: Configure interfaces.
    edit <name>
        set ac-name {string}
        set aggregate {string}
        set aggregate-type [physical|vxlan]
        set algorithm [L2|L3|...]
        set alias {string}
        set allowaccess {option1}, {option2}, ...
        set annex [a|b|...]
        set ap-discover [enable|disable]
        set arpforward [enable|disable]
        set atm-protocol [none|ipoa]
        set auth-cert {string}
        set auth-portal-addr {string}
        set auth-type [auto|pap|...]
        set auto-auth-extension-device [enable|disable]
        set bandwidth-measure-time {integer}
        set bfd [global|enable|...]
        set bfd-desired-min-tx {integer}
        set bfd-detect-mult {integer}
        set bfd-required-min-rx {integer}
        set broadcast-forward [enable|disable]
        set cli-conn-status {integer}
        config client-options
            Description: DHCP client options.
            edit <id>
                set code {integer}
                set ip {user}
                set type [hex|string|...]
                set value {string}
            next
        end
        set color {integer}
        set dedicated-to [none|management]
        set default-purdue-level [1|1.5|...]
        set defaultgw [enable|disable]
        set description {var-string}
        set detected-peer-mtu {integer}
        set detectprotocol {option1}, {option2}, ...
        set detectserver {user}
        set device-identification [enable|disable]
        set device-user-identification [enable|disable]
        set devindex {integer}
        set dhcp-broadcast-flag [disable|enable]
        set dhcp-classless-route-addition [enable|disable]
        set dhcp-client-identifier {string}
        set dhcp-relay-agent-option [enable|disable]
        set dhcp-relay-allow-no-end-option [disable|enable]
        set dhcp-relay-circuit-id {string}
        set dhcp-relay-interface {string}
        set dhcp-relay-interface-select-method [auto|sdwan|...]
        set dhcp-relay-ip {user}
        set dhcp-relay-link-selection {ipv4-address}
        set dhcp-relay-request-all-server [disable|enable]
        set dhcp-relay-service [disable|enable]
        set dhcp-relay-source-ip {ipv4-address}
        set dhcp-relay-type [regular|ipsec]
        set dhcp-relay-vrf-select {integer}
        set dhcp-renew-time {integer}
        set dhcp-smart-relay [disable|enable]
        config dhcp-snooping-server-list
            Description: Configure DHCP server access list.
            edit <name>
                set server-ip {ipv4-address}
            next
        end
        set disc-retry-timeout {integer}
        set distance {integer}
        set dns-server-override [enable|disable]
        set dns-server-protocol {option1}, {option2}, ...
        set drop-fragment [enable|disable]
        set drop-overlapped-fragment [enable|disable]
        set eap-ca-cert {string}
        set eap-identity {string}
        set eap-method [tls|peap]
        set eap-password {password}
        set eap-supplicant [enable|disable]
        set eap-user-cert {string}
        set egress-cos [disable|cos0|...]
        config egress-queues
            Description: Configure queues of NP port on egress path.
            set cos0 {string}
            set cos1 {string}
            set cos2 {string}
            set cos3 {string}
            set cos4 {string}
            set cos5 {string}
            set cos6 {string}
            set cos7 {string}
        end
        set egress-shaping-profile {string}
        set eip {ipv4-address-any}
        set estimated-downstream-bandwidth {integer}
        set estimated-upstream-bandwidth {integer}
        set exclude-signatures {option1}, {option2}, ...
        set explicit-ftp-proxy [enable|disable]
        set explicit-web-proxy [enable|disable]
        set external [enable|disable]
        set fail-action-on-extender [soft-restart|hard-restart|...]
        set fail-alert-interfaces <name1>, <name2>, ...
        set fail-alert-method [link-failed-signal|link-down]
        set fail-detect [enable|disable]
        set fail-detect-option {option1}, {option2}, ...
        set fortilink [enable|disable]
        set fortilink-backup-link {integer}
        set fortilink-neighbor-detect [lldp|fortilink]
        set fortilink-split-interface [enable|disable]
        set forward-domain {integer}
        set forward-error-correction [none|disable|...]
        set gateway-address {ipv4-address}
        set gi-gk [enable|disable]
        set gwaddr {ipv4-address}
        set gwdetect [enable|disable]
        set ha-priority {integer}
        set icmp-accept-redirect [enable|disable]
        set icmp-send-redirect [enable|disable]
        set ident-accept [enable|disable]
        set idle-timeout {integer}
        set ike-saml-server {string}
        set inbandwidth {integer}
        set ingress-cos [disable|cos0|...]
        set ingress-shaping-profile {string}
        set ingress-spillover-threshold {integer}
        set interconnect-profile [default|profile1|...]
        set interface {string}
        set internal {integer}
        set ip {ipv4-classnet-host}
        set ip-managed-by-fortiipam [inherit-global|enable|...]
        set ipmac [enable|disable]
        set ips-sniffer-mode [enable|disable]
        set ipunnumbered {ipv4-address}
        config ipv6
            Description: IPv6 of interface.
            set autoconf [enable|disable]
            set cli-conn6-status {integer}
            config client-options
                Description: DHCP6 client options.
                edit <id>
                    set code {integer}
                    set ip6 {user}
                    set type [hex|string|...]
                    set value {string}
                next
            end
            set dhcp6-client-options {option1}, {option2}, ...
            config dhcp6-iapd-list
                Description: DHCPv6 IA-PD list.
                edit <iaid>
                    set prefix-hint {ipv6-network}
                    set prefix-hint-plt {integer}
                    set prefix-hint-vlt {integer}
                next
            end
            set dhcp6-information-request [enable|disable]
            set dhcp6-prefix-delegation [enable|disable]
            set dhcp6-relay-interface-id {string}
            set dhcp6-relay-ip {user}
            set dhcp6-relay-service [disable|enable]
            set dhcp6-relay-source-interface [disable|enable]
            set dhcp6-relay-source-ip {ipv6-address}
            set dhcp6-relay-type {option}
            set icmp6-send-redirect [enable|disable]
            set interface-identifier {ipv6-address}
            set ip6-address {ipv6-prefix}
            set ip6-adv-rio [enable|disable]
            set ip6-allowaccess {option1}, {option2}, ...
            set ip6-default-life {integer}
            set ip6-delegated-prefix-iaid {integer}
            config ip6-delegated-prefix-list
                Description: Advertised IPv6 delegated prefix list.
                edit <prefix-id>
                    set autonomous-flag [enable|disable]
                    set delegated-prefix-iaid {integer}
                    set onlink-flag [enable|disable]
                    set rdnss {user}
                    set rdnss-service [delegated|default|...]
                    set subnet {ipv6-network}
                    set upstream-interface {string}
                next
            end
            set ip6-dns-server-override [enable|disable]
            config ip6-dnssl-list
                Description: Advertised IPv6 DNSS list.
                edit <domain>
                    set dnssl-life-time {integer}
                next
            end
            config ip6-extra-addr
                Description: Extra IPv6 address prefixes of interface.
                edit <prefix>
                next
            end
            set ip6-hop-limit {integer}
            set ip6-link-mtu {integer}
            set ip6-manage-flag [enable|disable]
            set ip6-max-interval {integer}
            set ip6-min-interval {integer}
            set ip6-mode [static|dhcp|...]
            set ip6-other-flag [enable|disable]
            config ip6-prefix-list
                Description: Advertised prefix list.
                edit <prefix>
                    set autonomous-flag [enable|disable]
                    set onlink-flag [enable|disable]
                    set preferred-life-time {integer}
                    set valid-life-time {integer}
                next
            end
            set ip6-prefix-mode [dhcp6|ra]
            config ip6-rdnss-list
                Description: Advertised IPv6 RDNSS list.
                edit <rdnss>
                    set rdnss-life-time {integer}
                next
            end
            set ip6-reachable-time {integer}
            set ip6-retrans-time {integer}
            config ip6-route-list
                Description: Advertised route list.
                edit <route>
                    set route-life-time {integer}
                    set route-pref [medium|high|...]
                next
            end
            set ip6-route-pref [medium|high|...]
            set ip6-send-adv [enable|disable]
            set ip6-subnet {ipv6-prefix}
            set ip6-upstream-interface {string}
            set nd-cert {string}
            set nd-cga-modifier {user}
            set nd-mode [basic|SEND-compatible]
            set nd-security-level {integer}
            set nd-timestamp-delta {integer}
            set nd-timestamp-fuzz {integer}
            set ra-send-mtu [enable|disable]
            set unique-autoconf-addr [enable|disable]
            set vrip6_link_local {ipv6-address}
            set vrrp-virtual-mac6 [enable|disable]
            config vrrp6
                Description: IPv6 VRRP configuration.
                edit <vrid>
                    set accept-mode [enable|disable]
                    set adv-interval {integer}
                    set ignore-default-route [enable|disable]
                    set preempt [enable|disable]
                    set priority {integer}
                    set start-time {integer}
                    set status [enable|disable]
                    set vrdst-priority {integer}
                    set vrdst6 {ipv6-address}
                    set vrgrp {integer}
                    set vrip6 {ipv6-address}
                next
            end
        end
        set l2forward [enable|disable]
        set l2tp-client [enable|disable]
        config l2tp-client-settings
            Description: L2TP client settings.
            set auth-type [auto|pap|...]
            set defaultgw [enable|disable]
            set distance {integer}
            set hello-interval {integer}
            set ip {ipv4-classnet-host}
            set mtu {integer}
            set password {password}
            set peer-host {string}
            set peer-mask {ipv4-netmask}
            set peer-port {integer}
            set priority {integer}
            set user {string}
        end
        set lacp-ha-secondary [enable|disable]
        set lacp-mode [static|passive|...]
        set lacp-speed [slow|fast]
        set lcp-echo-interval {integer}
        set lcp-max-echo-fails {integer}
        set link-up-delay {integer}
        set lldp-network-policy {string}
        set lldp-reception [enable|disable|...]
        set lldp-transmission [enable|disable|...]
        set macaddr {mac-address}
        set managed-subnetwork-size [32|64|...]
        set management-ip {ipv4-classnet-host}
        set measured-downstream-bandwidth {integer}
        set measured-upstream-bandwidth {integer}
        set mediatype [serdes-sfp|sgmii-sfp|...]
        set member <interface-name1>, <interface-name2>, ...
        set min-links {integer}
        set min-links-down [operational|administrative]
        set mirroring-direction [rx|tx|...]
        config mirroring-filter
            Description: Mirroring filter.
            set filter-dport {integer}
            set filter-dstip {ipv4-classnet-host}
            set filter-protocol {integer}
            set filter-sport {integer}
            set filter-srcip {ipv4-classnet-host}
        end
        set mirroring-port {string}
        set mode [static|dhcp|...]
        set monitor-bandwidth [enable|disable]
        set mtu {integer}
        set mtu-override [enable|disable]
        set mux-type [llc-encaps|vc-encaps]
        set ndiscforward [enable|disable]
        set netbios-forward [disable|enable]
        set netflow-sample-rate {integer}
        set netflow-sampler [disable|tx|...]
        set netflow-sampler-id {integer}
        set np-qos-profile {integer}
        set outbandwidth {integer}
        set padt-retry-timeout {integer}
        set password {password}
        set phy-mode {option}
        set ping-serv-status {integer}
        set poe [enable|disable]
        set polling-interval {integer}
        set port-mirroring [disable|enable]
        set pppoe-egress-cos [cos0|cos1|...]
        set pppoe-unnumbered-negotiate [enable|disable]
        set pptp-auth-type [auto|pap|...]
        set pptp-client [enable|disable]
        set pptp-password {password}
        set pptp-server-ip {ipv4-address}
        set pptp-timeout {integer}
        set pptp-user {string}
        set preserve-session-route [enable|disable]
        set priority {integer}
        set priority-override [enable|disable]
        set proxy-captive-portal [enable|disable]
        set pvc-atm-qos [cbr|rt-vbr|...]
        set pvc-chan {integer}
        set pvc-crc {integer}
        set pvc-pcr {integer}
        set pvc-scr {integer}
        set pvc-vlan-id {integer}
        set pvc-vlan-rx-id {integer}
        set pvc-vlan-rx-op [pass-through|replace|...]
        set pvc-vlan-tx-id {integer}
        set pvc-vlan-tx-op [pass-through|replace|...]
        set reachable-time {integer}
        set redundant-interface {string}
        set remote-ip {ipv4-classnet-host}
        set replacemsg-override-group {string}
        set retransmission [disable|enable]
        set ring-rx {integer}
        set ring-tx {integer}
        set role [lan|wan|...]
        set sample-direction [tx|rx|...]
        set sample-rate {integer}
        set secondary-IP [enable|disable]
        config secondaryip
            Description: Second IP address of interface.
            edit <id>
                set allowaccess {option1}, {option2}, ...
                set detectprotocol {option1}, {option2}, ...
                set detectserver {user}
                set gwdetect [enable|disable]
                set ha-priority {integer}
                set ip {ipv4-classnet-host}
                set ping-serv-status {integer}
                set secip-relay-ip {user}
            next
        end
        set security-8021x-dynamic-vlan-id {integer}
        set security-8021x-master {string}
        set security-8021x-member-mode [switch|disable]
        set security-8021x-mode [default|dynamic-vlan|...]
        set security-exempt-list {string}
        set security-external-logout {string}
        set security-external-web {var-string}
        set security-groups <name1>, <name2>, ...
        set security-ip-auth-bypass [enable|disable]
        set security-mac-auth-bypass [mac-auth-only|enable|...]
        set security-mode [none|captive-portal|...]
        set security-redirect-url {var-string}
        set select-profile-30a-35b [30A|35B]
        set service-name {string}
        set sflow-sampler [enable|disable]
        set sfp-dsl [disable|enable]
        set sfp-dsl-adsl-fallback [disable|enable]
        set sfp-dsl-autodetect [disable|enable]
        set sfp-dsl-mac {mac-address}
        set snmp-index {integer}
        set speed [auto|10full|...]
        set spillover-threshold {integer}
        set src-check [enable|disable]
        set status [up|down]
        set stp [disable|enable]
        set stp-edge [disable|enable]
        set stp-ha-secondary [disable|enable|...]
        set stpforward [enable|disable]
        set stpforward-mode [rpl-all-ext-id|rpl-bridge-ext-id|...]
        set subst [enable|disable]
        set substitute-dst-mac {mac-address}
        set sw-algorithm [l2|l3|...]
        set swc-first-create {integer}
        set swc-vlan {integer}
        set switch {string}
        set switch-controller-access-vlan [enable|disable]
        set switch-controller-arp-inspection [enable|disable|...]
        set switch-controller-dhcp-snooping [enable|disable]
        set switch-controller-dhcp-snooping-option82 [enable|disable]
        set switch-controller-dhcp-snooping-verify-mac [enable|disable]
        set switch-controller-dynamic {string}
        set switch-controller-feature [none|default-vlan|...]
        set switch-controller-igmp-snooping [enable|disable]
        set switch-controller-igmp-snooping-fast-leave [enable|disable]
        set switch-controller-igmp-snooping-proxy [enable|disable]
        set switch-controller-iot-scanning [enable|disable]
        set switch-controller-learning-limit {integer}
        set switch-controller-mgmt-vlan {integer}
        set switch-controller-nac {string}
        set switch-controller-netflow-collect [disable|enable]
        set switch-controller-offload [enable|disable]
        set switch-controller-offload-gw [enable|disable]
        set switch-controller-offload-ip {ipv4-address}
        set switch-controller-rspan-mode [disable|enable]
        set switch-controller-source-ip [outbound|fixed]
        set switch-controller-traffic-policy {string}
        set system-id {mac-address}
        set system-id-type [auto|user]
        config tagging
            Description: Config object tagging.
            edit <name>
                set category {string}
                set tags <name1>, <name2>, ...
            next
        end
        set tc-mode {option}
        set tcp-mss {integer}
        set trunk [enable|disable]
        set trust-ip-1 {ipv4-classnet-any}
        set trust-ip-2 {ipv4-classnet-any}
        set trust-ip-3 {ipv4-classnet-any}
        set trust-ip6-1 {ipv6-prefix}
        set trust-ip6-2 {ipv6-prefix}
        set trust-ip6-3 {ipv6-prefix}
        set type [physical|vlan|...]
        set username {string}
        set vci {integer}
        set vdom {string}
        set vectoring [disable|enable]
        set vindex {integer}
        set virtual-mac {mac-address}
        set vlan-id {integer}
        set vlan-op-mode [tag|untag|...]
        set vlan-protocol [8021q|8021ad]
        set vlanforward [enable|disable]
        set vlanid {integer}
        set vpi {integer}
        set vrf {integer}
        config vrrp
            Description: VRRP configuration.
            edit <vrid>
                set accept-mode [enable|disable]
                set adv-interval {integer}
                set ignore-default-route [enable|disable]
                set preempt [enable|disable]
                set priority {integer}
                config proxy-arp
                    Description: VRRP Proxy ARP configuration.
                    edit <id>
                        set ip {user}
                    next
                end
                set start-time {integer}
                set status [enable|disable]
                set version [2|3]
                set vrdst {ipv4-address-any}
                set vrdst-priority {integer}
                set vrgrp {integer}
                set vrip {ipv4-address-any}
            next
        end
        set vrrp-virtual-mac [enable|disable]
        set wccp [enable|disable]
        set weight {integer}
        set wifi-5g-threshold {string}
        set wifi-acl [allow|deny]
        set wifi-ap-band [any|5g-preferred|...]
        set wifi-auth [PSK|radius|...]
        set wifi-auto-connect [enable|disable]
        set wifi-auto-save [enable|disable]
        set wifi-broadcast-ssid [enable|disable]
        set wifi-dns-server1 {ipv4-address}
        set wifi-dns-server2 {ipv4-address}
        set wifi-encrypt [TKIP|AES]
        set wifi-fragment-threshold {integer}
        set wifi-gateway {ipv4-address}
        set wifi-key {password}
        set wifi-keyindex {integer}
        set wifi-mac-filter [enable|disable]
        config wifi-mac-list
            Description: MAC filter list.
            edit <id>
                set mac {mac-address}
            next
        end
        config wifi-networks
            Description: WiFi network table.
            edit <id>
                set wifi-ca-certificate {string}
                set wifi-client-certificate {string}
                set wifi-eap-type [both|tls|...]
                set wifi-encrypt [TKIP|AES]
                set wifi-key {password}
                set wifi-keyindex {integer}
                set wifi-passphrase {password}
                set wifi-private-key {string}
                set wifi-private-key-password {password}
                set wifi-security [open|wep64|...]
                set wifi-ssid {string}
                set wifi-username {string}
            next
        end
        set wifi-passphrase {password}
        set wifi-radius-server {string}
        set wifi-rts-threshold {integer}
        set wifi-security [open|wep64|...]
        set wifi-ssid {string}
        set wifi-usergroup {string}
        set wins-ip {ipv4-address}
    next
end
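An added example (not Fortinet's code): a Python parser for the config/edit/set/next/end nesting shown in the syntax tree above, used to flag interfaces whose allowaccess or ip6-allowaccess still permits the cleartext http or telnet options, including inside the ipv6 and secondaryip sub-tables. The sample configuration, interface names and addresses are constructed, and multi-line quoted values are assumed absent.

```python
import shlex

# Constructed sample backup fragment; names and addresses are illustrative.
SAMPLE_CONFIG = '''
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh http
        set role wan
        config ipv6
            set ip6-allowaccess ping telnet
        end
    next
    edit "port2"
        set vdom "root"
        set ip 10.0.2.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
        config secondaryip
            edit 1
                set ip 10.0.3.1 255.255.255.0
                set allowaccess ping telnet
            next
        end
    next
    edit "mgmt"
        set allowaccess https ssh
        set dedicated-to management
    next
end
'''

CLEARTEXT = {"http", "telnet"}                    # unencrypted management options
ACCESS_KEYS = {"allowaccess", "ip6-allowaccess"}  # settings that carry those options
TABLE = ("config", "system interface")


def tokens_of(line):
    """Split one config line, honouring double-quoted values."""
    try:
        return shlex.split(line)
    except ValueError:          # stray quote: fall back to whitespace splitting
        return line.split()


def parse_interfaces(text):
    """Return {interface: [(sub_path, key, values), ...]} for every 'set' line
    found under 'config system interface', tracking nesting with a stack."""
    stack, interfaces = [], {}
    for number, raw in enumerate(text.splitlines(), 1):
        tokens = tokens_of(raw)
        if not tokens:
            continue
        word, args = tokens[0], tokens[1:]
        if word == "config":
            stack.append(("config", " ".join(args)))
        elif word == "edit" and args:
            stack.append(("edit", args[0]))
        elif word in ("next", "end"):
            expected = "edit" if word == "next" else "config"
            if not stack or stack[-1][0] != expected:
                raise ValueError(f"line {number}: unexpected '{word}'")
            stack.pop()
        elif word == "set" and args and TABLE in stack:
            scope = stack[stack.index(TABLE) + 1:]
            if scope and scope[0][0] == "edit":
                iface = scope[0][1]
                path = "/".join(name for _, name in scope[1:])
                interfaces.setdefault(iface, []).append((path, args[0], args[1:]))
    if stack:
        raise ValueError(f"unterminated block: {stack[-1][0]} {stack[-1][1]}")
    return interfaces


def cleartext_findings(text):
    """List (interface, role, sub_path, key, offending_options) tuples.
    role is 'unset' when the config file carries no top-level 'set role'."""
    findings = []
    for iface, settings in parse_interfaces(text).items():
        role = next((v[0] for p, k, v in settings if p == "" and k == "role" and v),
                    "unset")
        for path, key, values in settings:
            bad = sorted(CLEARTEXT.intersection(values))
            if key in ACCESS_KEYS and bad:
                findings.append((iface, role, path, key, bad))
    return findings


if __name__ == "__main__":
    for iface, role, path, key, bad in cleartext_findings(SAMPLE_CONFIG):
        where = f"{iface}/{path}" if path else iface
        print(f"{where} (role {role}): {key} permits {', '.join(bad)}")
```

An empty sub_path means the setting sits directly on the interface; "secondaryip/1" or "ipv6" identifies the nested table that carries it.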

config system interface

Parameter

Description

Type

Size

Default

ac-name

PPPoE server name.

string

Maximum length: 63

aggregate

Aggregate interface. Read-only.

string

Maximum length: 15

aggregate-type

Type of aggregation.

option

-

physical

Option

Description

physical

Physical interface aggregation.

vxlan

VXLAN interface aggregation.

algorithm

Frame distribution algorithm.

option

-

L4

Option

Description

L2

Use layer 2 address for distribution.

L3

Use layer 3 address for distribution.

L4

Use layer 4 information for distribution.

Source-MAC

Use source MAC address for distribution.

alias

Alias will be displayed with the interface name to make it easier to distinguish.

string

Maximum length: 25

allowaccess

Permitted types of management access to this interface.

option

-

Option

Description

ping

PING access.

https

HTTPS access.

ssh

SSH access.

snmp

SNMP access.

http

HTTP access.

telnet

TELNET access.

fgfm

FortiManager access.

radius-acct

RADIUS accounting access.

probe-response

Probe access.

fabric

Security Fabric access.

ftm

FTM access.

speed-test

Speed test access.

scim

System for Cross-domain Identity Management (SCIM) access.

annex *

Configure xDSL annex type.

option

-

a

Option

Description

a

xDSL Annex A

b

xDSL Annex B

j

xDSL Annex J

bjm

xDSL Annex BJM

i

xDSL Annex I

al

xDSL Annex AL

m

xDSL Annex M

aijlm

xDSL Annex AIJLM

ap-discover

Enable/disable automatic registration of unknown FortiAP devices.

option

-

enable

Option

Description

enable

Enable automatic registration of unknown FortiAP devices.

disable

Disable automatic registration of unknown FortiAP devices.

arpforward

Enable/disable ARP forwarding.

option

-

enable

Option

Description

enable

Enable ARP forwarding.

disable

Disable ARP forwarding.

atm-protocol *

ATM protocol.

option

-

none

Option

Description

none

Not over ATM.

ipoa

IPoA RFC2684.

auth-cert

HTTPS server certificate.

string

Maximum length: 35

auth-portal-addr

Address of captive portal.

string

Maximum length: 63

auth-type

PPP authentication type to use.

option

-

auto

Option

Description

auto

Automatically choose authentication.

pap

PAP authentication.

chap

CHAP authentication.

mschapv1

MS-CHAPv1 authentication.

mschapv2

MS-CHAPv2 authentication.

auto-auth-extension-device

Enable/disable automatic authorization of dedicated Fortinet extension device on this interface.

option

-

disable

Option

Description

enable

Enable automatic authorization of dedicated Fortinet extension device on this interface.

disable

Disable automatic authorization of dedicated Fortinet extension device on this interface.

bandwidth-measure-time

Bandwidth measure time.

integer

Minimum value: 0 Maximum value: 4294967295

0

bfd

Bidirectional Forwarding Detection (BFD) settings.

option

-

global

Option

Description

global

BFD behavior of this interface will be based on global configuration.

enable

Enable BFD on this interface and ignore global configuration.

disable

Disable BFD on this interface and ignore global configuration.

bfd-desired-min-tx

BFD desired minimal transmit interval.

integer

Minimum value: 1 Maximum value: 100000

250

bfd-detect-mult

BFD detection multiplier.

integer

Minimum value: 1 Maximum value: 50

3

bfd-required-min-rx

BFD required minimal receive interval.

integer

Minimum value: 1 Maximum value: 100000

250

broadcast-forward

Enable/disable broadcast forwarding.

option

-

disable

Option

Description

enable

Enable broadcast forwarding.

disable

Disable broadcast forwarding.

cli-conn-status

CLI connection status. Read-only.

integer

Minimum value: 0 Maximum value: 4294967295

0

color

Color of icon on the GUI.

integer

Minimum value: 0 Maximum value: 32

0

dedicated-to

Configure interface for single purpose.

option

-

none

Option

Description

none

Interface not dedicated for any purpose.

management

Dedicate this interface for management purposes only.

default-purdue-level

Default Purdue level of device detected on this interface.

option

-

3

Option

Description

1

Level 1 - Basic Control

1.5

Level 1.5

2

Level 2 - Area Supervisory Control

2.5

Level 2.5

3

Level 3 - Operations & Control

3.5

Level 3.5

4

Level 4 - Business Planning & Logistics

5

Level 5 - Enterprise Network

5.5

Level 5.5

defaultgw

Enable to get the gateway IP from the DHCP or PPPoE server.

option

-

enable

Option

Description

enable

Enable default gateway.

disable

Disable default gateway.

description

Description.

var-string

Maximum length: 255

detected-peer-mtu

MTU of detected peer. Read-only.

integer

Minimum value: 0 Maximum value: 4294967295

0

detectprotocol

Protocols used to detect the server.

option

-

ping

Option

Description

ping

PING.

tcp-echo

TCP echo.

udp-echo

UDP echo.

detectserver

Gateway's ping server for this IP.

user

Not Specified

device-identification

Enable/disable passive gathering of device identity information about the devices on the network connected to this interface.

option

-

disable

Option

Description

enable

Enable passive gathering of identity information about hosts.

disable

Disable passive gathering of identity information about hosts.

device-user-identification

Enable/disable passive gathering of user identity information about users on this interface.

option

-

enable

Option

Description

enable

Enable passive gathering of user identity information about users.

disable

Disable passive gathering of user identity information about users.

devindex

Device Index. Read-only.

integer

Minimum value: 0 Maximum value: 4294967295

0

dhcp-broadcast-flag

Enable/disable setting of the broadcast flag in messages sent by the DHCP client.

option

-

enable

Option

Description

disable

Disable broadcast flag.

enable

Enable broadcast flag.

dhcp-classless-route-addition

Enable/disable addition of classless static routes retrieved from DHCP server.

option

-

disable **

Option

Description

enable

Enable addition of classless static routes retrieved from DHCP server.

disable

Disable addition of classless static routes retrieved from DHCP server.

dhcp-client-identifier

DHCP client identifier.

string

Maximum length: 48

dhcp-relay-agent-option

Enable/disable DHCP relay agent option.

option

-

enable

Option

Description

enable

Enable DHCP relay agent option.

disable

Disable DHCP relay agent option.

dhcp-relay-allow-no-end-option

Enable/disable relaying DHCP messages with no end option.

option

-

disable

Option

Description

disable

Disable relaying DHCP messages with no end option.

enable

Enable relaying DHCP messages with no end option.

dhcp-relay-circuit-id

DHCP relay circuit ID.

string

Maximum length: 64

dhcp-relay-interface

Specify outgoing interface to reach server.

string

Maximum length: 15

dhcp-relay-interface-select-method

Specify how to select outgoing interface to reach server.

option

-

auto

Option

Description

auto

Set outgoing interface automatically.

sdwan

Set outgoing interface by SD-WAN or policy routing rules.

specify

Set outgoing interface manually.

dhcp-relay-ip

DHCP relay IP address.

user

Not Specified

dhcp-relay-link-selection

DHCP relay link selection.

ipv4-address

Not Specified

0.0.0.0

dhcp-relay-request-all-server

Enable/disable sending of DHCP requests to all servers.

option

-

disable

Option

Description

disable

Send DHCP requests only to a matching server.

enable

Send DHCP requests to all servers.

dhcp-relay-service

Enable/disable allowing this interface to act as a DHCP relay.

option

-

disable

Option

Description

disable

None.

enable

DHCP relay agent.

dhcp-relay-source-ip

IP address used by the DHCP relay as its source IP.

ipv4-address

Not Specified

0.0.0.0

dhcp-relay-type

DHCP relay type (regular or IPsec).

option

-

regular

Option

Description

regular

Regular DHCP relay.

ipsec

DHCP relay for IPsec.

dhcp-relay-vrf-select

VRF ID used for connection to server.

integer

Minimum value: 0 Maximum value: 511

4294967295

dhcp-renew-time

DHCP renew time in seconds; 0 means use the renew time provided by the server.

integer

Minimum value: 300 Maximum value: 604800

0

dhcp-smart-relay

Enable/disable DHCP smart relay.

option

-

disable

Option

Description

disable

Disable DHCP smart relay.

enable

Enable DHCP smart relay.

disc-retry-timeout

Time in seconds to wait before retrying to start a PPPoE discovery, 0 means no timeout.

integer

Minimum value: 0 Maximum value: 4294967295

1

distance

Distance for routes learned through PPPoE or DHCP, lower distance indicates preferred route.

integer

Minimum value: 1 Maximum value: 255

5

dns-server-override

Enable/disable use of DNS acquired by DHCP or PPPoE.

option

-

enable

Option

Description

enable

Use DNS acquired by DHCP or PPPoE.

disable

Do not use DNS acquired by DHCP or PPPoE.

dns-server-protocol

DNS transport protocols.

option

-

cleartext

Option

Description

cleartext

DNS over UDP/53, DNS over TCP/53.

dot

DNS over TLS/853.

doh

DNS over HTTPS/443.

drop-fragment

Enable/disable drop fragment packets.

option

-

disable

Option

Description

enable

Drop fragment packets.

disable

Do not drop fragment packets.

drop-overlapped-fragment

Enable/disable drop overlapped fragment packets.

option

-

disable

Option

Description

enable

Enable drop of overlapped fragment packets.

disable

Disable drop of overlapped fragment packets.

eap-ca-cert

EAP CA certificate name.

string

Maximum length: 79

eap-identity

EAP identity.

string

Maximum length: 35

eap-method

EAP method.

option

-

Option

Description

tls

TLS.

peap

PEAP.

eap-password

EAP password.

password

Not Specified

eap-supplicant

Enable/disable EAP-Supplicant.

option

-

disable

Option

Description

enable

Enable EAP Supplicant.

disable

Disable EAP Supplicant.

eap-user-cert

EAP user certificate name.

string

Maximum length: 35

egress-cos *

Override outgoing CoS in user VLAN tag.

option

-

disable

Option

Description

disable

Disable.

cos0

CoS 0.

cos1

CoS 1.

cos2

CoS 2.

cos3

CoS 3.

cos4

CoS 4.

cos5

CoS 5.

cos6

CoS 6.

cos7

CoS 7.

egress-shaping-profile

Outgoing traffic shaping profile.

string

Maximum length: 35

eip *

External IP. Read-only.

ipv4-address-any

Not Specified

0.0.0.0

estimated-downstream-bandwidth

Estimated maximum downstream bandwidth (kbps). Used to estimate link utilization.

integer

Minimum value: 0 Maximum value: 4294967295

0

estimated-upstream-bandwidth

Estimated maximum upstream bandwidth (kbps). Used to estimate link utilization.

integer

Minimum value: 0 Maximum value: 4294967295

0

exclude-signatures

Exclude IOT or OT application signatures.

option

-

Option

Description

iot

Exclude IOT appctrl signatures.

ot

Exclude OT appctrl signatures.

explicit-ftp-proxy

Enable/disable the explicit FTP proxy on this interface.

option

-

disable

Option

Description

enable

Enable explicit FTP proxy on this interface.

disable

Disable explicit FTP proxy on this interface.

explicit-web-proxy

Enable/disable the explicit web proxy on this interface.

option

-

disable

Option

Description

enable

Enable explicit Web proxy on this interface.

disable

Disable explicit Web proxy on this interface.

external

Enable/disable identifying the interface as an external interface (which usually means it's connected to the Internet).

option

-

disable

Option

Description

enable

Enable identifying the interface as an external interface.

disable

Disable identifying the interface as an external interface.

fail-action-on-extender

Action on FortiExtender when interface fails.

option

-

soft-restart

Option

Description

soft-restart

Soft-restart-on-extender.

hard-restart

Hard-restart-on-extender.

reboot

Reboot-on-extender.

fail-alert-interfaces <name>

Names of the FortiGate interfaces to which the link failure alert is sent.

Names of the non-virtual interface.

string

Maximum length: 15

fail-alert-method

Select link-failed-signal or link-down method to alert about a failed link.

option

-

link-down

Option

Description

link-failed-signal

Link-failed-signal.

link-down

Link-down.

fail-detect

Enable/disable fail detection features for this interface.

option

-

disable

Option

Description

enable

Enable interface failed option status.

disable

Disable interface failed option status.

fail-detect-option

Options for detecting that this interface has failed.

option

-

link-down

Option

Description

detectserver

Use a ping server to determine if the interface has failed.

link-down

Use port detection to determine if the interface has failed.

fortilink *

Enable FortiLink to dedicate this interface to manage other Fortinet devices.

option

-

disable

Option

Description

enable

Enable FortiLink to dedicated interface for managing FortiSwitch devices.

disable

Disable FortiLink to dedicated interface for managing FortiSwitch devices.

fortilink-backup-link

FortiLink split interface backup link. Read-only.

integer

Minimum value: 0 Maximum value: 255

0

fortilink-neighbor-detect

Protocol for FortiGate neighbor discovery.

option

-

lldp

Option

Description

lldp

Detect FortiLink neighbors using LLDP protocol.

fortilink

Detect FortiLink neighbors using FortiLink protocol.

fortilink-split-interface

Enable/disable FortiLink split interface to connect member link to different FortiSwitch in stack for uplink redundancy.

option

-

enable

Option

Description

enable

Enable FortiLink split interface to connect member link to different FortiSwitch in stack for uplink redundancy.

disable

Disable FortiLink split interface.

forward-domain

Transparent mode forward domain.

integer

Minimum value: 0 Maximum value: 2147483647

0

forward-error-correction *

Enable/disable forward error correction (FEC).

option

-

none

Option

Description

none

none

disable

Disable forward error correction (FEC).

cl91-rs-fec

Reed-Solomon (FEC CL91).

cl74-fc-fec

Fire-Code (FEC CL74).

auto

Negotiate forward error correction (FEC).

gateway-address *

Gateway address.

ipv4-address

Not Specified

0.0.0.0

gi-gk *

Enable/disable Gi Gatekeeper.

option

-

disable

Option

Description

enable

Enable Gi Gatekeeper.

disable

Disable Gi Gatekeeper.

gwaddr *

Gateway address.

ipv4-address

Not Specified

0.0.0.0

gwdetect

Enable/disable detect gateway alive for first.

option

-

disable

Option

Description

enable

Enable detect gateway alive for first.

disable

Disable detect gateway alive for first.

ha-priority

HA election priority for the PING server.

integer

Minimum value: 1 Maximum value: 50

1

icmp-accept-redirect

Enable/disable ICMP accept redirect.

option

-

enable

Option

Description

enable

Enable ICMP accept redirect.

disable

Disable ICMP accept redirect.

icmp-send-redirect

Enable/disable sending of ICMP redirects.

option

-

enable

Option

Description

enable

Enable sending of ICMP redirects.

disable

Disable sending of ICMP redirects.

ident-accept

Enable/disable authentication for this interface.

option

-

disable

Option

Description

enable

Enable determining a user's identity from packet identification.

disable

Disable determining a user's identity from packet identification.

idle-timeout

PPPoE auto disconnect after idle timeout seconds, 0 means no timeout.

integer

Minimum value: 0 Maximum value: 32767

0

ike-saml-server

Configure IKE authentication SAML server.

string

Maximum length: 35

inbandwidth

Bandwidth limit for incoming traffic; 0 means unlimited.

integer

Minimum value: 0 Maximum value: 80000000 **

0

ingress-cos *

Override incoming CoS in user VLAN tag on VLAN interface or assign a priority VLAN tag on physical interface.

option

-

disable

Option

Description

disable

Disable.

cos0

CoS 0.

cos1

CoS 1.

cos2

CoS 2.

cos3

CoS 3.

cos4

CoS 4.

cos5

CoS 5.

cos6

CoS 6.

cos7

CoS 7.

ingress-shaping-profile

Incoming traffic shaping profile.

string

Maximum length: 35

ingress-spillover-threshold

Ingress spillover threshold; 0 means unlimited.

integer

Minimum value: 0 Maximum value: 16776000

0

interconnect-profile *

Set interconnect profile.

option

-

default

Option

Description

default

default interconnect profile

profile1

interconnect profile1 [(10G & IC > 7m/20db-loss) or (25G/27G & IC < 1m)]

profile2

interconnect profile2 [(27G in AP (106G) Auto Profile)]

interface

Interface name.

string

Maximum length: 15

internal

Implicitly created.

integer

Minimum value: 0 Maximum value: 255

0

ip

Interface IPv4 address and subnet mask, syntax: X.X.X.X/24.

ipv4-classnet-host

Not Specified

0.0.0.0 0.0.0.0

ip-managed-by-fortiipam

Enable/disable automatic IP address assignment of this interface by FortiIPAM.

option

-

inherit-global

Option

Description

inherit-global

Control automatic IP address assignment status using the central FortiIPAM config.

enable

Enable automatic IP address assignment of this interface by FortiIPAM.

disable

Disable automatic IP address assignment of this interface by FortiIPAM.

ipmac

Enable/disable IP/MAC binding.

option

-

disable

Option

Description

enable

Enable IP/MAC binding.

disable

Disable IP/MAC binding.

ips-sniffer-mode

Enable/disable the use of this interface as a one-armed sniffer.

option

-

disable

Option

Description

enable

Enable IPS sniffer mode.

disable

Disable IPS sniffer mode.

ipunnumbered

Unnumbered IP used for PPPoE interfaces for which no unique local address is provided.

ipv4-address

Not Specified

0.0.0.0

l2forward

Enable/disable L2 forwarding.

option

-

disable

Option

Description

enable

Enable L2 forwarding.

disable

Disable L2 forwarding.

l2tp-client *

Enable/disable this interface as a Layer 2 Tunnelling Protocol (L2TP) client.

option

-

disable

Option

Description

enable

Enable L2TP client.

disable

Disable L2TP client.

lacp-ha-secondary

LACP HA secondary member.

option

-

enable

Option

Description

enable

Allow HA secondary member to send/receive LACP messages.

disable

Block HA secondary member from sending/receiving LACP messages.

lacp-mode

LACP mode.

option

-

active

Option

Description

static

Use static aggregation, do not send and ignore any LACP messages.

passive

Passively use LACP to negotiate 802.3ad aggregation.

active

Actively use LACP to negotiate 802.3ad aggregation.

lacp-speed

How often the interface sends LACP messages.

option

-

slow

Option

Description

slow

Send LACP message every 30 seconds.

fast

Send LACP message every second.

lcp-echo-interval

Time in seconds between PPPoE Link Control Protocol (LCP) echo requests.

integer

Minimum value: 0 Maximum value: 32767

5

lcp-max-echo-fails

Maximum missed LCP echo messages before disconnect.

integer

Minimum value: 0 Maximum value: 32767

3

link-up-delay

Number of milliseconds to wait before considering a link is up.

integer

Minimum value: 50 Maximum value: 3600000

50

lldp-network-policy

LLDP-MED network policy profile.

string

Maximum length: 35

lldp-reception

Enable/disable Link Layer Discovery Protocol (LLDP) reception.

option

-

vdom

Option

Description

enable

Enable reception of Link Layer Discovery Protocol (LLDP).

disable

Disable reception of Link Layer Discovery Protocol (LLDP).

vdom

Use VDOM Link Layer Discovery Protocol (LLDP) reception configuration setting.

lldp-transmission

Enable/disable Link Layer Discovery Protocol (LLDP) transmission.

option

-

vdom

Option

Description

enable

Enable transmission of Link Layer Discovery Protocol (LLDP).

disable

Disable transmission of Link Layer Discovery Protocol (LLDP).

vdom

Use VDOM Link Layer Discovery Protocol (LLDP) transmission configuration setting.

macaddr

Change the interface's MAC address.

mac-address

Not Specified

00:00:00:00:00:00

managed-subnetwork-size

Number of IP addresses to be allocated by FortiIPAM and used by this FortiGate unit's DHCP server settings.

option

-

256

Option

Description

32

Allocate a subnet with 32 IP addresses.

64

Allocate a subnet with 64 IP addresses.

128

Allocate a subnet with 128 IP addresses.

256

Allocate a subnet with 256 IP addresses.

512

Allocate a subnet with 512 IP addresses.

1024

Allocate a subnet with 1024 IP addresses.

2048

Allocate a subnet with 2048 IP addresses.

4096

Allocate a subnet with 4096 IP addresses.

8192

Allocate a subnet with 8192 IP addresses.

16384

Allocate a subnet with 16384 IP addresses.

32768

Allocate a subnet with 32768 IP addresses.

65536

Allocate a subnet with 65536 IP addresses.

management-ip

High Availability in-band management IP address of this interface.

ipv4-classnet-host

Not Specified

0.0.0.0 0.0.0.0

measured-downstream-bandwidth

Measured downstream bandwidth (kbps).

integer

Minimum value: 0 Maximum value: 4294967295

0

measured-upstream-bandwidth

Measured upstream bandwidth (kbps).

integer

Minimum value: 0 Maximum value: 4294967295

0

mediatype *

Select SFP media interface type.

option

-

serdes-sfp **

Option

Description

serdes-sfp

SFP using SerDes media interface.

sgmii-sfp

SFP using SGMII media interface.

serdes-copper-sfp

Copper SFP using SerDes media interface.

member <interface-name>

Physical interfaces that belong to the aggregate or redundant interface.

Physical interface name.

string

Maximum length: 79

min-links

Minimum number of aggregated ports that must be up.

integer

Minimum value: 1 Maximum value: 32

1

min-links-down

Action to take when less than the configured minimum number of links are active.

option

-

operational

Option

Description

operational

Set the aggregate operationally down.

administrative

Set the aggregate administratively down.

mirroring-direction *

Port mirroring direction.

option

-

Option

Description

rx

Port mirroring receive direction only.

tx

Port mirroring transmit direction only.

both

Port mirroring both directions.

mirroring-port *

Mirroring port.

string

Maximum length: 15

mode

Addressing mode (static, DHCP, PPPoE).

option

-

static

Option

Description

static

Static setting.

dhcp

External DHCP client mode.

pppoe

External PPPoE mode.

monitor-bandwidth

Enable monitoring bandwidth on this interface.

option

-

disable

Option

Description

enable

Enable monitoring bandwidth on this interface.

disable

Disable monitoring bandwidth on this interface.

mtu

MTU value for this interface.

integer

Minimum value: 0 Maximum value: 4294967295

1500

mtu-override

Enable to set a custom MTU for this interface.

option

-

disable

Option

Description

enable

Override default MTU.

disable

Use default MTU.

mux-type *

Multiplexer type.

option

-

llc-encaps

Option

Description

llc-encaps

LLC encapsulation.

vc-encaps

VC encapsulation.

name

Name.

string

Maximum length: 15

ndiscforward

Enable/disable NDISC forwarding.

option

-

enable

Option

Description

enable

Enable NDISC forwarding.

disable

Disable NDISC forwarding.

netbios-forward

Enable/disable NETBIOS forwarding.

option

-

disable

Option

Description

disable

Disable NETBIOS forwarding.

enable

Enable NETBIOS forwarding.

netflow-sample-rate

NetFlow sample rate. Sample one packet every configured number of packets.

integer

Minimum value: 1 Maximum value: 65535

1

netflow-sampler

Enable/disable NetFlow on this interface and set the data that NetFlow collects (rx, tx, or both).

option

-

disable

Option

Description

disable

Disable NetFlow protocol on this interface.

tx

Monitor transmitted traffic on this interface.

rx

Monitor received traffic on this interface.

both

Monitor transmitted/received traffic on this interface.

netflow-sampler-id

NetFlow sampler ID.

integer

Minimum value: 1 Maximum value: 254

0

np-qos-profile *

NP QoS profile ID.

integer

Minimum value: 0 Maximum value: 15

0

outbandwidth

Bandwidth limit for outgoing traffic.

integer

Minimum value: 0 Maximum value: 80000000 **

0

padt-retry-timeout

PPPoE Active Discovery Terminate (PADT) used to terminate sessions after an idle time.

integer

Minimum value: 0 Maximum value: 4294967295

1

password

PPPoE account's password.

password

Not Specified

phy-mode *

DSL physical mode.

option

-

vdsl

Option

Description

vdsl

VDSL.

ping-serv-status

PING server status. Read-only.

integer

Minimum value: 0 Maximum value: 255

0

poe *

Enable/disable PoE status.

option

-

enable

Option

Description

enable

Enable PoE status.

disable

Disable PoE status.

polling-interval

sFlow polling interval in seconds.

integer

Minimum value: 1 Maximum value: 255

20

port-mirroring *

Enable/disable NP port mirroring.

option

-

disable

Option

Description

disable

Disable NP port mirroring.

enable

Enable NP port mirroring.

pppoe-egress-cos

CoS in VLAN tag for outgoing PPPoE/PPP packets.

option

-

cos0

Option

Description

cos0

CoS 0.

cos1

CoS 1.

cos2

CoS 2.

cos3

CoS 3.

cos4

CoS 4.

cos5

CoS 5.

cos6

CoS 6.

cos7

CoS 7.

pppoe-unnumbered-negotiate

Enable/disable PPPoE unnumbered negotiation.

option

-

enable

Option

Description

enable

Enable IP address negotiating for unnumbered.

disable

Disable IP address negotiating for unnumbered.

pptp-auth-type

PPTP authentication type.

option

-

auto

Option

Description

auto

Automatically choose authentication.

pap

PAP authentication.

chap

CHAP authentication.

mschapv1

MS-CHAPv1 authentication.

mschapv2

MS-CHAPv2 authentication.

pptp-client

Enable/disable PPTP client.

option

-

disable

Option

Description

enable

Enable PPTP client.

disable

Disable PPTP client.

pptp-password

PPTP password.

password

Not Specified

pptp-server-ip

PPTP server IP address.

ipv4-address

Not Specified

0.0.0.0

pptp-timeout

Idle timer in minutes (0 for disabled).

integer

Minimum value: 0 Maximum value: 65535

0

pptp-user

PPTP user name.

string

Maximum length: 64

preserve-session-route

Enable/disable preservation of session route when dirty.

option

-

disable

Option

Description

enable

Enable preservation of session route when dirty.

disable

Disable preservation of session route when dirty.

priority

Priority of learned routes.

integer

Minimum value: 1 Maximum value: 65535

1

priority-override

Enable/disable fail back to higher priority port once recovered.

option

-

enable

Option

Description

enable

Enable fail back to higher priority port once recovered.

disable

Disable fail back to higher priority port once recovered.

proxy-captive-portal

Enable/disable proxy captive portal on this interface.

option

-

disable

Option

Description

enable

Enable proxy captive portal on this interface.

disable

Disable proxy captive portal on this interface.

pvc-atm-qos *

SFP-DSL ADSL Fallback PVC ATM QoS.

option

-

ubr

Option

Description

cbr

ATM QoS CBR.

rt-vbr

ATM QoS rt-VBR.

nrt-vbr

ATM QoS nrt-VBR.

ubr

ATM QoS UBR.

pvc-chan *

SFP-DSL ADSL Fallback PVC Channel.

integer

Minimum value: 0 Maximum value: 7

0

pvc-crc *

SFP-DSL ADSL Fallback PVC CRC Option: bit0: sar LLC preserve, bit1: ream LLC preserve, bit2: ream VC-MUX has crc.

integer

Minimum value: 0 Maximum value: 7

2

pvc-pcr *

SFP-DSL ADSL Fallback PVC Packet Cell Rate in cells.

integer

Minimum value: 0 Maximum value: 5500

0

pvc-scr *

SFP-DSL ADSL Fallback PVC Sustainable Cell Rate in cells.

integer

Minimum value: 0 Maximum value: 5500

0

pvc-vlan-id *

SFP-DSL ADSL Fallback PVC VLAN ID.

integer

Minimum value: 1 Maximum value: 4094

7

pvc-vlan-rx-id *

SFP-DSL ADSL Fallback PVC VLANID RX.

integer

Minimum value: 1 Maximum value: 4094

7

pvc-vlan-rx-op *

SFP-DSL ADSL Fallback PVC VLAN RX op.

option

-

pass-through

Option

Description

pass-through

PVC VLAN Tag Passthrough.

replace

PVC VLAN Tag Replace.

remove

PVC VLAN Tag Remove.

pvc-vlan-tx-id *

SFP-DSL ADSL Fallback PVC VLAN ID TX.

integer

Minimum value: 1 Maximum value: 4094

7

pvc-vlan-tx-op *

SFP-DSL ADSL Fallback PVC VLAN TX op.

option

-

remove

Option

Description

pass-through

PVC VLAN Tag Passthrough.

replace

PVC VLAN Tag Replace.

remove

PVC VLAN Tag Remove.

reachable-time

IPv4 reachable time in milliseconds.

integer

Minimum value: 30000 Maximum value: 3600000

30000

redundant-interface

Redundant interface. Read-only.

string

Maximum length: 15

remote-ip

Remote IP address of tunnel.

ipv4-classnet-host

Not Specified

0.0.0.0 0.0.0.0

replacemsg-override-group

Replacement message override group.

string

Maximum length: 35

retransmission *

Enable/disable DSL retransmission.

option

-

enable

Option

Description

disable

Disable retransmission.

enable

Enable retransmission.

ring-rx *

RX ring size.

integer

Minimum value: 0 Maximum value: 4294967295

0

ring-tx *

TX ring size.

integer

Minimum value: 0 Maximum value: 4294967295

0

role

Interface role.

option

-

undefined

Option

Description

lan

Connected to local network of endpoints.

wan

Connected to Internet.

dmz

Connected to server zone.

undefined

Interface has no specific role.

sample-direction

Data that NetFlow collects (rx, tx, or both).

option

-

both

Option

Description

tx

Monitor transmitted traffic on this interface.

rx

Monitor received traffic on this interface.

both

Monitor transmitted/received traffic on this interface.

sample-rate

sFlow sample rate.

integer

Minimum value: 10 Maximum value: 99999

2000

secondary-IP

Enable/disable adding a secondary IP to this interface.

option

-

disable

Option

Description

enable

Enable secondary IP.

disable

Disable secondary IP.

security-8021x-dynamic-vlan-id *

VLAN ID for virtual switch.

integer

Minimum value: 0 Maximum value: 4094

0

security-8021x-master *

802.1X master virtual-switch.

string

Maximum length: 15

security-8021x-member-mode *

802.1X member mode.

option

-

switch

Option

Description

switch

This member will use switch 802.1X configuration.

disable

This member will disable 802.1X configuration.

security-8021x-mode *

802.1X mode.

option

-

default

Option

Description

default

802.1X default mode.

dynamic-vlan

802.1X dynamic VLAN (master) mode.

fallback

802.1X fallback (master) mode.

slave

802.1X slave mode.

security-exempt-list

Name of security-exempt-list.

string

Maximum length: 35

security-external-logout

URL of external authentication logout server.

string

Maximum length: 127

security-external-web

URL of external authentication web server.

var-string

Maximum length: 1023

security-groups <name>

User groups that can authenticate with the captive portal.

Names of user groups that can authenticate with the captive portal.

string

Maximum length: 79

security-ip-auth-bypass

Enable/disable IP authentication bypass.

option

-

disable

Option

Description

enable

Enable IP authentication bypass.

disable

Disable IP authentication bypass.

security-mac-auth-bypass

Enable/disable MAC authentication bypass.

option

-

disable

Option

Description

mac-auth-only

Enable MAC authentication bypass without EAP.

enable

Enable MAC authentication bypass.

disable

Disable MAC authentication bypass.

security-mode

Turn on captive portal authentication for this interface.

option

-

none

Option

Description

none

No security option.

captive-portal

Captive portal authentication.

802.1X

802.1X port-based authentication.

security-redirect-url

URL redirection after disclaimer/authentication.

var-string

Maximum length: 1023

select-profile-30a-35b *

Select VDSL Profile 30a or 35b.

option

-

35B

Option

Description

30A

Enable VDSL Profile 30A.

35B

Enable VDSL Profile 35B.

service-name

PPPoE service name.

string

Maximum length: 63

sflow-sampler

Enable/disable sFlow on this interface.

option

-

disable

Option

Description

enable

Enable sFlow protocol on this interface.

disable

Disable sFlow protocol on this interface.

sfp-dsl *

Enable/disable SFP DSL.

option

-

disable

Option

Description

disable

Disable SFP DSL.

enable

Enable SFP DSL.

sfp-dsl-adsl-fallback *

Enable/disable SFP DSL ADSL fallback.

option

-

disable

Option

Description

disable

Disable SFP DSL ADSL fallback.

enable

Enable SFP DSL ADSL fallback.

sfp-dsl-autodetect *

Enable/disable SFP DSL MAC address autodetect.

option

-

enable

Option

Description

disable

Disable SFP DSL MAC address autodetect.

enable

Enable SFP DSL MAC address autodetect.

sfp-dsl-mac *

SFP DSL MAC address.

mac-address

Not Specified

00:00:00:00:00:00

snmp-index

Permanent SNMP Index of the interface.

integer

Minimum value: 0 Maximum value: 2147483647

0

speed

Interface speed. The default setting and the options available depend on the interface hardware.

option

-

auto

Option

Description

auto

Automatically adjust speed.

10full

10M full-duplex.

10half

10M half-duplex.

100full

100M full-duplex.

100half

100M half-duplex.

1000full

1000M full-duplex.

1000auto

1000M auto adjust.

10000full

10G full-duplex.

10000auto

10G auto.

spillover-threshold

Egress spillover threshold, 0 means unlimited.

integer

Minimum value: 0 Maximum value: 16776000

0

src-check

Enable/disable source IP check.

option

-

enable

Option

Description

enable

Enable source IP check.

disable

Disable source IP check.

status

Bring the interface up or shut the interface down.

option

-

up

Option

Description

up

Bring the interface up.

down

Shut the interface down.

stp *

Enable/disable STP.

option

-

disable

Option

Description

disable

Disable STP.

enable

Enable STP.

stp-edge *

Enable/disable as STP edge port.

option

-

disable

Option

Description

disable

Disable STP edge port.

enable

Enable STP edge port.

stp-ha-secondary *

Control STP behavior on HA secondary.

option

-

priority-adjust

Option

Description

disable

Disable STP negotiation on HA secondary.

enable

Enable STP negotiation on HA secondary.

priority-adjust

Enable STP negotiation on HA secondary and make priority lower than HA primary.

stpforward

Enable/disable STP forwarding.

option

-

disable

Option

Description

enable

Enable STP forwarding.

disable

Disable STP forwarding.

stpforward-mode

Configure STP forwarding mode.

option

-

rpl-all-ext-id

Option

Description

rpl-all-ext-id

Replace all extension IDs (root, bridge).

rpl-bridge-ext-id

Replace the bridge extension ID only.

rpl-nothing

Replace nothing.

subst

Enable to always send packets from this interface to a destination MAC address.

option

-

disable

Option

Description

enable

Send packets from this interface.

disable

Do not send packets from this interface.

substitute-dst-mac

Destination MAC address that all packets are sent to from this interface.

mac-address

Not Specified

00:00:00:00:00:00

sw-algorithm *

Frame distribution algorithm for switch.

option

-

default

Option

Description

l2

Use layer 2 address for distribution.

l3

Use layer 3 address for distribution.

eh

Use enhanced hashing for distribution.

default

Use the hashing that the driver selects during initialization for distribution.

swc-first-create *

Initial create for switch-controller VLANs. Read-only.

integer

Minimum value: 0 Maximum value: 4294967295

0

swc-vlan *

Creation status for switch-controller VLANs. Read-only.

integer

Minimum value: 0 Maximum value: 4294967295

0

switch

Contained in switch. Read-only.

string

Maximum length: 15

switch-controller-access-vlan *

Block FortiSwitch port-to-port traffic.

option

-

disable

Option

Description

enable

Block FortiSwitch port-to-port traffic on the VLAN, only permitting traffic to and from the FortiGate.

disable

Allow normal VLAN traffic.

switch-controller-arp-inspection *

Enable/disable/monitor FortiSwitch ARP inspection.

option

-

disable

Option

Description

enable

Enable ARP inspection for FortiSwitch devices.

disable

Disable ARP inspection for FortiSwitch devices.

monitor

Monitor ARP traffic and update DHCP client database with MAC-VLAN-IP.

switch-controller-dhcp-snooping *

Switch controller DHCP snooping.

option

-

disable

Option

Description

enable

Enable DHCP snooping for FortiSwitch devices.

disable

Disable DHCP snooping for FortiSwitch devices.

switch-controller-dhcp-snooping-option82 *

Switch controller DHCP snooping option82.

option

-

disable

Option

Description

enable

Enable DHCP snooping insert option82 for FortiSwitch devices.

disable

Disable DHCP snooping insert option82 for FortiSwitch devices.

switch-controller-dhcp-snooping-verify-mac *

Switch controller DHCP snooping verify MAC.

option

-

disable

Option

Description

enable

Enable DHCP snooping verify source MAC for FortiSwitch devices.

disable

Disable DHCP snooping verify source MAC for FortiSwitch devices.

switch-controller-dynamic *

Integrated FortiLink settings for managed FortiSwitch.

string

Maximum length: 35

switch-controller-feature *

Interface's purpose when assigning traffic (read only).

option

-

none

Option

Description

none

VLAN for generic purpose.

default-vlan

Default VLAN (native) assigned to all switch ports upon discovery.

quarantine

VLAN for quarantined traffic.

rspan

VLAN for RSPAN/ERSPAN mirrored traffic.

voice

VLAN dedicated for voice devices.

video

VLAN dedicated for camera devices.

nac

VLAN dedicated for NAC onboarding devices.

nac-segment

VLAN dedicated for NAC segment devices.

switch-controller-igmp-snooping *

Switch controller IGMP snooping.

option

-

disable

Option

Description

enable

Enable IGMP snooping.

disable

Disable IGMP snooping.

switch-controller-igmp-snooping-fast-leave *

Switch controller IGMP snooping fast-leave.

option

-

disable

Option

Description

enable

Enable IGMP snooping fast-leave.

disable

Disable IGMP snooping fast-leave.

switch-controller-igmp-snooping-proxy *

Switch controller IGMP snooping proxy.

option

-

disable

Option

Description

enable

Enable IGMP snooping proxy.

disable

Disable IGMP snooping proxy.

switch-controller-iot-scanning *

Enable/disable managed FortiSwitch IoT scanning.

option

-

disable

Option

Description

enable

Enable IoT scanning for managed FortiSwitch devices.

disable

Disable IoT scanning for managed FortiSwitch devices.

switch-controller-learning-limit *

Limit the number of dynamic MAC addresses on this VLAN.

integer

Minimum value: 0 Maximum value: 128

0

switch-controller-mgmt-vlan *

VLAN to use for FortiLink management purposes.

integer

Minimum value: 1 Maximum value: 4094

4094

switch-controller-nac *

Integrated FortiLink settings for managed FortiSwitch.

string

Maximum length: 35

switch-controller-netflow-collect *

NetFlow collection and processing.

option

-

disable

Option

Description

disable

Disable NetFlow collection.

enable

Enable NetFlow collection.

switch-controller-offload *

Enable/disable managed FortiSwitch routing offload.

option

-

disable

Option

Description

enable

Enable routing offload to managed FortiSwitch devices.

disable

Disable routing offload to managed FortiSwitch devices.

switch-controller-offload-gw *

Enable/disable managed FortiSwitch routing offload gateway.

option

-

disable

Option

Description

enable

Enable routing offload gateway to managed FortiSwitch devices.

disable

Disable routing offload gateway to managed FortiSwitch devices.

switch-controller-offload-ip *

IP for routing offload on FortiSwitch.

ipv4-address

Not Specified

0.0.0.0

switch-controller-rspan-mode *

Stop Layer 2 MAC learning and interception of BPDUs and other packets on this interface.

option

-

disable

Option

Description

disable

Disable RSPAN passthrough mode on this VLAN interface.

enable

Enable RSPAN passthrough mode on this VLAN interface.

switch-controller-source-ip *

Source IP address used in FortiLink over L3 connections.

option

-

outbound

Option

Description

outbound

Source IP address is that of the outbound interface.

fixed

Source IP address is that of the FortiLink interface.

switch-controller-traffic-policy *

Switch controller traffic policy for the VLAN.

string

Maximum length: 63

system-id

Define a system ID for the aggregate interface.

mac-address

Not Specified

00:00:00:00:00:00

system-id-type

Method in which system ID is generated.

option

-

auto

Option

Description

auto

Use the MAC address of the first member.

user

User-defined system ID.

tc-mode *

DSL transfer mode.

option

-

ptm

Option

Description

ptm

Packet transfer mode.

tcp-mss

TCP maximum segment size. 0 means do not change segment size.

integer

Minimum value: 48 Maximum value: 65535

0

trunk *

Enable/disable VLAN trunk.

option

-

disable

Option

Description

enable

Enable VLAN trunk on this interface.

disable

Disable VLAN trunk on this interface.

trust-ip-1

Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts).

ipv4-classnet-any

Not Specified

0.0.0.0 0.0.0.0

trust-ip-2

Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts).

ipv4-classnet-any

Not Specified

0.0.0.0 0.0.0.0

trust-ip-3

Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts).

ipv4-classnet-any

Not Specified

0.0.0.0 0.0.0.0

trust-ip6-1

Trusted IPv6 host for dedicated management traffic (::/0 for all hosts).

ipv6-prefix

Not Specified

::/0

trust-ip6-2

Trusted IPv6 host for dedicated management traffic (::/0 for all hosts).

ipv6-prefix

Not Specified

::/0

trust-ip6-3

Trusted IPv6 host for dedicated management traffic (::/0 for all hosts).

ipv6-prefix

Not Specified

::/0

type

Interface type.

option

-

vlan

Option

Description

physical

Physical interface.

vlan

VLAN interface.

aggregate

Aggregate interface.

redundant

Redundant interface.

tunnel

Tunnel interface.

vdom-link

VDOM link interface.

loopback

Loopback interface.

switch

Software switch interface.

vap-switch

VAP interface.

wl-mesh

WLAN mesh interface.

fext-wan

FortiExtender interface.

vxlan

VXLAN interface.

geneve

GENEVE interface.

hdlc

T1/E1 interface.

switch-vlan

Switch VLAN interface.

emac-vlan

EMAC VLAN interface.

ssl

SSL VPN client interface.

lan-extension

LAN extension interface.

username

Username of the PPPoE account, provided by your ISP.

string

Maximum length: 64

vci *

Virtual Channel ID.

integer

Minimum value: 0 Maximum value: 65535

35

vdom

Interface is in this virtual domain (VDOM).

string

Maximum length: 31

vectoring *

Enable/disable DSL vectoring.

option

-

enable

Option

Description

disable

Disable vectoring.

enable

Enable vectoring.

vindex *

Switch control interface VLAN ID. Read-only.

integer

Minimum value: 0 Maximum value: 65535

0

virtual-mac

Change the interface's virtual MAC address.

mac-address

Not Specified

00:00:00:00:00:00

vlan-id *

VLAN ID.

integer

Minimum value: 0 Maximum value: 4095

1

vlan-op-mode *

Configure DSL 802.1q mode.

option

-

passthrough

Option

Description

tag

802.1q Tagged.

untag

802.1q Un-Tagged.

passthrough

802.1q Passthrough.

vlan-protocol

Ethernet protocol of VLAN.

option

-

8021q

Option

Description

8021q

IEEE 802.1Q.

8021ad

IEEE 802.1AD.

vlanforward

Enable/disable traffic forwarding between VLANs on this interface.

option

-

disable

Option

Description

enable

Enable traffic forwarding.

disable

Disable traffic forwarding.

vlanid

VLAN ID.

integer

Minimum value: 1 Maximum value: 4094

0

vpi *

Virtual Path ID.

integer

Minimum value: 0 Maximum value: 255

0

vrf

Virtual Routing Forwarding ID.

integer

Minimum value: 0 Maximum value: 511

0

vrrp-virtual-mac

Enable/disable use of virtual MAC for VRRP.

option

-

disable

Option

Description

enable

Enable use of virtual MAC for VRRP.

disable

Disable use of virtual MAC for VRRP.

wccp

Enable/disable WCCP on this interface. Used for encapsulated WCCP communication between WCCP clients and servers.

option

-

disable

Option

Description

enable

Enable WCCP protocol on this interface.

disable

Disable WCCP protocol on this interface.

weight

Default weight for static routes (if route has no weight configured).

integer

Minimum value: 0 Maximum value: 255

0

wifi-5g-threshold *

Minimal signal strength to be considered as a good 5G AP.

string

Maximum length: 7

-78

wifi-acl *

Access control for MAC addresses in the MAC list.

option

-

deny

Option

Description

allow

Allow.

deny

Deny.

wifi-ap-band *

How to select the AP to connect.

option

-

any

Option

Description

any

Connect to the best 2G or 5G AP.

5g-preferred

Connect to the 5G AP if a good 5G AP exists.

5g-only

Only connect to the 5G AP.

wifi-auth *

WiFi authentication.

option

-

PSK

Option

Description

PSK

PSK.

radius

RADIUS.

usergroup

User group.

wifi-auto-connect *

Enable/disable WiFi network auto connect.

option

-

enable

Option

Description

enable

Enable WiFi network auto connect.

disable

Disable WiFi network auto connect.

wifi-auto-save *

Enable/disable WiFi network automatic save.

option

-

disable

Option

Description

enable

Enable WiFi network automatic save.

disable

Disable WiFi network automatic save.

wifi-broadcast-ssid *

Enable/disable SSID broadcast in the beacon.

option

-

enable

Option

Description

enable

Enable SSID broadcast in the beacon.

disable

Disable SSID broadcast in the beacon.

wifi-dns-server1 *

DNS server 1.

ipv4-address

Not Specified

0.0.0.0

wifi-dns-server2 *

DNS server 2.

ipv4-address

Not Specified

0.0.0.0

wifi-encrypt *

Data encryption.

option

-

AES

Option

Description

TKIP

TKIP.

AES

AES.

wifi-fragment-threshold *

WiFi fragment threshold.

integer

Minimum value: 800 Maximum value: 2346

2346

wifi-gateway *

IPv4 default gateway IP address.

ipv4-address

Not Specified

0.0.0.0

wifi-key *

WiFi WEP Key.

password

Not Specified

wifi-keyindex *

WEP key index.

integer

Minimum value: 1 Maximum value: 4

1

wifi-mac-filter *

Enable/disable MAC filter status.

option

-

disable

Option

Description

enable

Enable MAC filter.

disable

Disable MAC filter.

wifi-passphrase *

WiFi pre-shared key for WPA.

password

Not Specified

wifi-radius-server *

WiFi RADIUS server for WPA.

string

Maximum length: 35

wifi-rts-threshold *

WiFi RTS threshold.

integer

Minimum value: 256 Maximum value: 2346

2346

wifi-security *

Wireless access security of SSID.

option

-

wpa-personal

Option

Description

open

Open.

wep64

WEP64.

wep128

WEP128.

wpa-personal

WPA personal.

wpa-enterprise

WPA enterprise.

wpa-only-personal

WPA personal only.

wpa-only-enterprise

WPA enterprise only.

wpa2-only-personal

WPA2 personal only.

wpa2-only-enterprise

WPA2 enterprise only.

wifi-ssid *

IEEE 802.11 Service Set Identifier.

string

Maximum length: 32

fortinet

wifi-usergroup *

WiFi user group for WPA.

string

Maximum length: 35

wins-ip

WINS server IP.

ipv4-address

Not Specified

0.0.0.0

* This parameter may not exist in some models.

** Values may differ between models.

config client-options

Parameter

Description

Type

Size

Default

code

DHCP client option code.

integer

Minimum value: 0 Maximum value: 255

0

id

ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

ip

DHCP option IPs.

user

Not Specified

type

DHCP client option type.

option

-

hex

Option

Description

hex

DHCP option in hex.

string

DHCP option in string.

ip

DHCP option in IP.

fqdn

DHCP option in domain search option format.

value

DHCP client option value.

string

Maximum length: 312

config client-options

Parameter

Description

Type

Size

Default

code

DHCPv6 option code.

integer

Minimum value: 0 Maximum value: 255

0

id

ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

ip6

DHCP option IP6s.

user

Not Specified

type

DHCPv6 option type.

option

-

hex

Option

Description

hex

DHCPv6 option in hex.

string

DHCPv6 option in string.

ip6

DHCPv6 option in IP6.

fqdn

DHCPv6 option in domain search option format.

value

DHCPv6 option value (hexadecimal value must be even).

string

Maximum length: 312

config dhcp-snooping-server-list

Parameter

Description

Type

Size

Default

name

DHCP server name.

string

Maximum length: 35

default

server-ip

IP address for DHCP server.

ipv4-address

Not Specified

0.0.0.0

config egress-queues

Parameter

Description

Type

Size

Default

cos0

CoS profile name for CoS 0.

string

Maximum length: 35

cos1

CoS profile name for CoS 1.

string

Maximum length: 35

cos2

CoS profile name for CoS 2.

string

Maximum length: 35

cos3

CoS profile name for CoS 3.

string

Maximum length: 35

cos4

CoS profile name for CoS 4.

string

Maximum length: 35

cos5

CoS profile name for CoS 5.

string

Maximum length: 35

cos6

CoS profile name for CoS 6.

string

Maximum length: 35

cos7

CoS profile name for CoS 7.

string

Maximum length: 35

config ipv6

Parameter

Description

Type

Size

Default

autoconf

Enable/disable address auto config.

option

-

disable

Option

Description

enable

Enable auto-configuration.

disable

Disable auto-configuration.

cli-conn6-status

CLI IPv6 connection status. Read-only.

integer

Minimum value: 0 Maximum value: 4294967295

0

dhcp6-client-options

DHCPv6 client options. Read-only.

option

-

Option

Description

rapid

Send rapid commit option.

iapd

Send including IA-PD option.

iana

Send including IA-NA option.

dhcp6-information-request

Enable/disable DHCPv6 information request.

option

-

disable

Option

Description

enable

Enable DHCPv6 information request.

disable

Disable DHCPv6 information request.

dhcp6-prefix-delegation

Enable/disable DHCPv6 prefix delegation.

option

-

disable

Option

Description

enable

Enable DHCPv6 prefix delegation.

disable

Disable DHCPv6 prefix delegation.

dhcp6-relay-interface-id

DHCPv6 relay interface ID.

string

Maximum length: 64

dhcp6-relay-ip

DHCPv6 relay IP address.

user

Not Specified

dhcp6-relay-service

Enable/disable DHCPv6 relay.

option

-

disable

Option

Description

disable

Disable DHCPv6 relay.

enable

Enable DHCPv6 relay.

dhcp6-relay-source-interface

Enable/disable use of address on this interface as the source address of the relay message.

option

-

disable

Option

Description

disable

Use address of the egress interface as source address of the relay message.

enable

Use address of this interface as source address of the relay message.

dhcp6-relay-source-ip

IPv6 address used by the DHCPv6 relay as its source IP.

ipv6-address

Not Specified

::

dhcp6-relay-type

DHCPv6 relay type.

option

-

regular

Option

Description

regular

Regular DHCP relay.

icmp6-send-redirect

Enable/disable sending of ICMPv6 redirects.

option

-

enable

Option

Description

enable

Enable sending of ICMPv6 redirects.

disable

Disable sending of ICMPv6 redirects.

interface-identifier

IPv6 interface identifier.

ipv6-address

Not Specified

::

ip6-address

Primary IPv6 address prefix. Syntax: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx.

ipv6-prefix

Not Specified

::/0

ip6-adv-rio

Enable/disable sending advertisements with route information option.

option

-

disable

Option

Description

enable

Enable sending advertisements with route information option.

disable

Disable sending advertisements with route information option.

ip6-allowaccess

Allow management access to the interface.

option

-

Option

Description

ping

PING access.

https

HTTPS access.

ssh

SSH access.

snmp

SNMP access.

http

HTTP access.

telnet

TELNET access.

fgfm

FortiManager access.

fabric

Fabric access.

ip6-default-life

Default life (sec).

integer

Minimum value: 0 Maximum value: 9000

1800

ip6-delegated-prefix-iaid

IAID of obtained delegated-prefix from the upstream interface.

integer

Minimum value: 0 Maximum value: 4294967295

0

ip6-dns-server-override

Enable/disable using the DNS server acquired by DHCP.

option

-

enable

Option

Description

enable

Enable using the DNS server acquired by DHCP.

disable

Disable using the DNS server acquired by DHCP.

ip6-hop-limit

Hop limit (0 means unspecified).

integer

Minimum value: 0 Maximum value: 255

0

ip6-link-mtu

IPv6 link MTU.

integer

Minimum value: 1280 Maximum value: 16000

0

ip6-manage-flag

Enable/disable the managed flag.

option

-

disable

Option

Description

enable

Enable the managed IPv6 flag.

disable

Disable the managed IPv6 flag.

ip6-max-interval

IPv6 maximum interval (4 to 1800 sec).

integer

Minimum value: 4 Maximum value: 1800

600

ip6-min-interval

IPv6 minimum interval (3 to 1350 sec).

integer

Minimum value: 3 Maximum value: 1350

198

ip6-mode

Addressing mode (static, DHCP, delegated).

option

-

static

Option

Description

static

Static setting.

dhcp

DHCPv6 client mode.

pppoe

IPv6 over PPPoE mode.

delegated

IPv6 address with delegated prefix.

ip6-other-flag

Enable/disable the other IPv6 flag.

option

-

disable

Option

Description

enable

Enable the other IPv6 flag.

disable

Disable the other IPv6 flag.

ip6-prefix-mode

Assigning a prefix from DHCP or RA.

option

-

dhcp6

Option

Description

dhcp6

Use delegated prefix from a DHCPv6 client to form a delegated IPv6 address.

ra

Use prefix from RA to form a delegated IPv6 address.

ip6-reachable-time

IPv6 reachable time (milliseconds; 0 means unspecified).

integer

Minimum value: 0 Maximum value: 3600000

0

ip6-retrans-time

IPv6 retransmit time (milliseconds; 0 means unspecified).

integer

Minimum value: 0 Maximum value: 4294967295

0

ip6-route-pref

Set route preference to the interface.

option

-

medium

Option

Description

medium

Medium route preferences in RA packet.

high

High route preferences in RA packet.

low

Low route preferences in RA packet.

ip6-send-adv

Enable/disable sending advertisements about the interface.

option

-

disable

Option

Description

enable

Enable sending advertisements about this interface.

disable

Disable sending advertisements about this interface.

ip6-subnet

Subnet to routing prefix. Syntax: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx.

ipv6-prefix

Not Specified

::/0

ip6-upstream-interface

Interface name providing delegated information.

string

Maximum length: 15

nd-cert

Neighbor discovery certificate.

string

Maximum length: 35

nd-cga-modifier

Neighbor discovery CGA modifier.

user

Not Specified

nd-mode

Neighbor discovery mode.

option

-

basic

Option

Description

basic

Do not support SEND.

SEND-compatible

Support SEND.

nd-security-level

Neighbor discovery security level.

integer

Minimum value: 0 Maximum value: 7

0

nd-timestamp-delta

Neighbor discovery timestamp delta value.

integer

Minimum value: 1 Maximum value: 3600

300

nd-timestamp-fuzz

Neighbor discovery timestamp fuzz factor.

integer

Minimum value: 1 Maximum value: 60

1

ra-send-mtu

Enable/disable sending link MTU in RA packet.

option

-

enable

Option

Description

enable

Enable sending link MTU in RA packet.

disable

Disable sending link MTU in RA packet.

unique-autoconf-addr

Enable/disable unique auto config address.

option

-

disable

Option

Description

enable

Enable unique auto-configuration address.

disable

Disable unique auto-configuration address.

vrip6_link_local

Link-local IPv6 address of virtual router.

ipv6-address

Not Specified

::

vrrp-virtual-mac6

Enable/disable virtual MAC for VRRP.

option

-

disable

Option

Description

enable

Enable virtual MAC for VRRP.

disable

Disable virtual MAC for VRRP.

config client-options

Parameter

Description

Type

Size

Default

code

DHCP client option code.

integer

Minimum value: 0 Maximum value: 255

0

id

ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

ip

DHCP option IPs.

user

Not Specified

type

DHCP client option type.

option

-

hex

value

DHCP client option value.

string

Maximum length: 312

config client-options

Parameter

Description

Type

Size

Default

code

DHCPv6 option code.

integer

Minimum value: 0 Maximum value: 255

0

id

ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

ip6

DHCP option IP6s.

user

Not Specified

type

DHCPv6 option type.

option

-

hex

value

DHCPv6 option value (hexadecimal value must be even).

string

Maximum length: 312

config dhcp6-iapd-list

Parameter

Description

Type

Size

Default

iaid

Identity association identifier.

integer

Minimum value: 0 Maximum value: 4294967295

0

prefix-hint

DHCPv6 prefix that will be used as a hint to the upstream DHCPv6 server.

ipv6-network

Not Specified

::/0

prefix-hint-plt

DHCPv6 prefix hint preferred life time (sec), 0 means unlimited lease time.

integer

Minimum value: 0 Maximum value: 4294967295

604800

prefix-hint-vlt

DHCPv6 prefix hint valid life time (sec).

integer

Minimum value: 0 Maximum value: 4294967295

2592000

config ip6-delegated-prefix-list

Parameter

Description

Type

Size

Default

autonomous-flag

Enable/disable the autonomous flag.

option

-

enable

Option

Description

enable

Enable the autonomous flag.

disable

Disable the autonomous flag.

delegated-prefix-iaid

IAID of obtained delegated-prefix from the upstream interface.

integer

Minimum value: 0 Maximum value: 4294967295

0

onlink-flag

Enable/disable the onlink flag.

option

-

enable

Option

Description

enable

Enable the onlink flag.

disable

Disable the onlink flag.

prefix-id

Prefix ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

rdnss

Recursive DNS server option.

user

Not Specified

rdnss-service

Recursive DNS service option.

option

-

specify

Option

Description

delegated

Delegated RDNSS settings.

default

System RDNSS settings.

specify

Specify recursive DNS servers.

subnet

Add subnet ID to routing prefix.

ipv6-network

Not Specified

::/0

upstream-interface

Name of the interface that provides delegated information.

string

Maximum length: 15

config ip6-dnssl-list

Parameter

Description

Type

Size

Default

dnssl-life-time

DNS search list time in seconds.

integer

Minimum value: 0 Maximum value: 4294967295

1800

domain

Domain name.

string

Maximum length: 79

config ip6-extra-addr

Parameter

Description

Type

Size

Default

prefix

IPv6 address prefix.

ipv6-prefix

Not Specified

::/0

config ip6-prefix-list

Parameter

Description

Type

Size

Default

autonomous-flag

Enable/disable the autonomous flag.

option

-

enable

Option

Description

enable

Enable the autonomous flag.

disable

Disable the autonomous flag.

onlink-flag

Enable/disable the onlink flag.

option

-

enable

Option

Description

enable

Enable the onlink flag.

disable

Disable the onlink flag.

preferred-life-time

Preferred life time (sec).

integer

Minimum value: 0 Maximum value: 4294967295

604800

prefix

IPv6 prefix.

ipv6-network

Not Specified

::/0

valid-life-time

Valid life time (sec).

integer

Minimum value: 0 Maximum value: 4294967295

2592000

config ip6-rdnss-list

Parameter

Description

Type

Size

Default

rdnss

Recursive DNS server option.

ipv6-address

Not Specified

::

rdnss-life-time

Recursive DNS server life time in seconds.

integer

Minimum value: 0 Maximum value: 4294967295

1800

config ip6-route-list

Parameter

Description

Type

Size

Default

route

IPv6 route.

ipv6-network

Not Specified

::/0

route-life-time

Route life time in seconds.

integer

Minimum value: 0 Maximum value: 65535

1800

route-pref

Set route preference to the interface.

option

-

medium

Option

Description

medium

Medium route preferences in RA packet.

high

High route preferences in RA packet.

low

Low route preferences in RA packet.

config vrrp6

Parameter

Description

Type

Size

Default

accept-mode

Enable/disable accept mode.

option

-

enable

Option

Description

enable

Enable accept mode.

disable

Disable accept mode.

adv-interval

Advertisement interval.

integer

Minimum value: 250 Maximum value: 255000

1000

ignore-default-route

Enable/disable ignoring of default route when checking destination.

option

-

disable

Option

Description

enable

Ignore default route when checking destination.

disable

Do not ignore default route when checking destination.

preempt

Enable/disable preempt mode.

option

-

enable

Option

Description

enable

Enable preempt mode.

disable

Disable preempt mode.

priority

Priority of the virtual router.

integer

Minimum value: 1 Maximum value: 255

100

start-time

Startup time.

integer

Minimum value: 1 Maximum value: 255

3

status

Enable/disable VRRP.

option

-

enable

Option

Description

enable

Enable VRRP.

disable

Disable VRRP.

vrdst-priority

Priority of the virtual router when the virtual router destination becomes unreachable.

integer

Minimum value: 0 Maximum value: 254

0

vrdst6

Monitor the route to this destination.

ipv6-address

Not Specified

vrgrp

VRRP group ID.

integer

Minimum value: 1 Maximum value: 65535

0

vrid

Virtual router identifier.

integer

Minimum value: 1 Maximum value: 255

0

vrip6

IPv6 address of the virtual router.

ipv6-address

Not Specified

::

config l2tp-client-settings

Parameter

Description

Type

Size

Default

auth-type

L2TP authentication type.

option

-

auto

Option

Description

auto

Automatically choose authentication.

pap

PAP authentication.

chap

CHAP authentication.

mschapv1

MS-CHAPv1 authentication.

mschapv2

MS-CHAPv2 authentication.

defaultgw

Enable/disable default gateway.

option

-

disable

Option

Description

enable

Enable default gateway.

disable

Disable default gateway.

distance

Distance of learned routes.

integer

Minimum value: 1 Maximum value: 255

2

hello-interval

L2TP hello message interval in seconds.

integer

Minimum value: 0 Maximum value: 3600

60

ip

IP. Read-only.

ipv4-classnet-host

Not Specified

0.0.0.0 0.0.0.0

mtu

L2TP MTU.

integer

Minimum value: 40 Maximum value: 65535

1460

password

L2TP password.

password

Not Specified

peer-host

L2TP peer host address.

string

Maximum length: 255

peer-mask

L2TP peer mask.

ipv4-netmask

Not Specified

255.255.255.255

peer-port

L2TP peer port number.

integer

Minimum value: 1 Maximum value: 65535

1701

priority

Priority of learned routes.

integer

Minimum value: 1 Maximum value: 65535

1

user

L2TP user name.

string

Maximum length: 127

config mirroring-filter

Parameter

Description

Type

Size

Default

filter-dport

Destination port of mirroring filter.

integer

Minimum value: 0 Maximum value: 65535

0

filter-dstip

Destination IP and mask of mirroring filter.

ipv4-classnet-host

Not Specified

0.0.0.0 0.0.0.0

filter-protocol

Protocol of mirroring filter.

integer

Minimum value: 0 Maximum value: 255

0

filter-sport

Source port of mirroring filter.

integer

Minimum value: 0 Maximum value: 65535

0

filter-srcip

Source IP and mask of mirroring filter.

ipv4-classnet-host

Not Specified

0.0.0.0 0.0.0.0

config secondaryip

Parameter

Description

Type

Size

Default

allowaccess

Management access settings for the secondary IP address.

option

-

Option

Description

ping

PING access.

https

HTTPS access.

ssh

SSH access.

snmp

SNMP access.

http

HTTP access.

telnet

TELNET access.

fgfm

FortiManager access.

radius-acct

RADIUS accounting access.

probe-response

Probe access.

fabric

Security Fabric access.

ftm

FTM access.

speed-test

Speed test access.

scim

System for Cross-domain Identity Management (SCIM) access.

detectprotocol

Protocols used to detect the server.

option

-

ping

Option

Description

ping

PING.

tcp-echo

TCP echo.

udp-echo

UDP echo.

detectserver

Gateway's ping server for this IP.

user

Not Specified

gwdetect

Enable/disable detect gateway alive for first.

option

-

disable

Option

Description

enable

Enable detect gateway alive for first.

disable

Disable detect gateway alive for first.

ha-priority

HA election priority for the PING server.

integer

Minimum value: 1 Maximum value: 50

1

id

ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

ip

Secondary IP address of the interface.

ipv4-classnet-host

Not Specified

0.0.0.0 0.0.0.0

ping-serv-status

PING server status. Read-only.

integer

Minimum value: 0 Maximum value: 255

0

secip-relay-ip

DHCP relay IP address.

user

Not Specified

config tagging

Parameter

Description

Type

Size

Default

category

Tag category.

string

Maximum length: 63

name

Tagging entry name.

string

Maximum length: 63

tags <name>

Tags.

Tag name.

string

Maximum length: 79

config vrrp

Parameter

Description

Type

Size

Default

accept-mode

Enable/disable accept mode.

option

-

enable

Option

Description

enable

Enable accept mode.

disable

Disable accept mode.

adv-interval

Advertisement interval.

integer

Minimum value: 250 Maximum value: 255000

1000

ignore-default-route

Enable/disable ignoring of default route when checking destination.

option

-

disable

Option

Description

enable

Ignore default route when checking destination.

disable

Do not ignore default route when checking destination.

preempt

Enable/disable preempt mode.

option

-

enable

Option

Description

enable

Enable preempt mode.

disable

Disable preempt mode.

priority

Priority of the virtual router.

integer

Minimum value: 1 Maximum value: 255

100

start-time

Startup time.

integer

Minimum value: 1 Maximum value: 255

3

status

Enable/disable this VRRP configuration.

option

-

enable

Option

Description

enable

Enable this VRRP configuration.

disable

Disable this VRRP configuration.

version

VRRP version.

option

-

2

Option

Description

2

VRRP version 2.

3

VRRP version 3.

vrdst

Monitor the route to this destination.

ipv4-address-any

Not Specified

vrdst-priority

Priority of the virtual router when the virtual router destination becomes unreachable.

integer

Minimum value: 0 Maximum value: 254

0

vrgrp

VRRP group ID.

integer

Minimum value: 1 Maximum value: 65535

0

vrid

Virtual router identifier.

integer

Minimum value: 1 Maximum value: 255

0

vrip

IP address of the virtual router.

ipv4-address-any

Not Specified

0.0.0.0

config proxy-arp

Parameter

Description

Type

Size

Default

id

ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

ip

Set IP addresses of proxy ARP.

user

Not Specified

config wifi-mac-list

Parameter

Description

Type

Size

Default

id

ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

mac

MAC address.

mac-address

Not Specified

00:00:00:00:00:00

config wifi-networks

Parameter

Description

Type

Size

Default

id

ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

wifi-ca-certificate

CA certificate for WPA2/WPA3-ENTERPRISE.

string

Maximum length: 79

wifi-client-certificate

Client certificate for WPA2/WPA3-ENTERPRISE.

string

Maximum length: 35

wifi-eap-type

WPA2/WPA3-ENTERPRISE EAP Method.

option

-

peap

Option

Description

both

EAP PEAP and TLS.

tls

EAP TLS.

peap

EAP PEAP.

wifi-encrypt

Data encryption.

option

-

AES

Option

Description

TKIP

TKIP.

AES

AES.

wifi-key

WiFi WEP Key.

password

Not Specified

wifi-keyindex

WEP key index.

integer

Minimum value: 1 Maximum value: 4

1

wifi-passphrase

WiFi pre-shared key for WPA-PSK or password for WPA3-SAE and WPA2/WPA3-ENTERPRISE.

password

Not Specified

wifi-private-key

Private key for WPA2/WPA3-ENTERPRISE.

string

Maximum length: 35

wifi-private-key-password

Password for private key file for WPA2/WPA3-ENTERPRISE.

password

Not Specified

wifi-security

Wireless access security of SSID.

option

-

wpa-personal

Option

Description

open

Open.

wep64

WEP64.

wep128

WEP128.

wpa-personal

WPA personal.

wpa-only-personal

WPA personal only.

wpa2-only-personal

WPA2 personal only.

wpa3-sae

WPA3 SAE.

owe

OWE.

wpa-enterprise

WPA2/WPA3 ENTERPRISE.

wifi-ssid

IEEE 802.11 Service Set Identifier.

string

Maximum length: 32

fortinet

wifi-username

Username for WPA2/WPA3-ENTERPRISE.

string

Maximum length: 64

fortinet