Configuring network interfaces
You can configure the network interface by editing the configuration, however, you cannot create or delete a physical interface configuration.
Before you begin:
- You must have Read-Write permission for System settings.
To configure a network interface:
- Go to Network > Interface.
- Double-click the row for a physical interface to edit its configuration or click Create New if you want to configure an aggregate or VLAN interface.
- Complete the configuration as described in Network interface configuration.
- Save the configuration.
Settings | Guidelines |
---|---|
Interface | |
Name | Configuration name. Valid characters are A -Z , a -z , 0 -9 , _ , and - . No spaces. After you initially save the configuration, you cannot edit the name. |
Status | The Status column is not the detected physical link status; it is the administrative status (Up/Down) that indicates whether you permit the network interface to receive and/or transmit packets. |
Allow Access |
Allow inbound service traffic. Select from the following options:
|
Dedicated HA management IP |
Note: Starting from the v. 4.8.1 release, this option is replaced by "Management Interface". Therefore, it is removed from the GUI though it still remains on the Console. For more information, see Configuring the management interface. |
Virtual Domain |
If applicable, select the virtual domain to which the configuration applies. |
Type |
Select from the following:
Note: If you are editing the configuration for a physical interface, you cannot set the type. If you are configuring a logical interface, you can select from the following options:
|
Mode |
|
Traffic Group |
Select either of the following:
Available only if Static is selected for Mode. |
Floating |
Enable/Disable floating IP. Available only if Static is selected for Mode. |
Floating IP |
Enter the floating IP. Available only if Floating is enabled. Note: Ensure the Floating IP is different from the Interface IP, otherwise network issues will occur due to the interface/port conflict. |
Type Specifics |
|
VLAN |
|
VLAN ID |
VLAN ID of packets that belong to this VLAN. If one physical network port (that is, a VLAN trunk) will handle multiple VLANs, create multiple VLAN subinterfaces on that port, one for each VLAN ID that will be received. If multiple different physical network ports will handle the same VLANs, on each of the ports, create VLAN subinterfaces that have the same VLAN IDs. The valid range is between 1 and 4094. The value you specify must match the VLAN ID added by the IEEE 802.1q-compliant router or switch connected to the VLAN subinterface. |
Interface |
Physical interface associated with the VLAN; for example, port2. |
Aggregate |
|
Member |
Select the physical interfaces that are included in the aggregation. |
Aggregate Mode |
Link aggregation type:
|
Aggregate Algorithm |
Connectivity layers that will be considered when distributing frames among the aggregated physical ports:
|
Softswitch |
|
Member |
Select the interfaces that are included in the softswitch. |
Mode Specifics |
|
Static |
|
IPv4/Netmask | Specify the IP address and CIDR-formatted subnet mask, separated by a forward slash ( / ), such as 192.0.2.5/24. Dotted quad formatted subnet masks are not accepted. |
IPv6/Netmask | Specify the IP address and CIDR-formatted subnet mask, separated by a forward slash ( / ), such as 2001:0db8:85a3::8a2e:0370:7334/64. Dotted quad formatted subnet masks are not accepted. |
WCCP |
Enable/disable WCCP to redirect traffic flows in real-time. |
Secondary IP Address |
Secondary IP addresses can be used when you deploy the system so that it belongs to multiple logical subnets. If you assign multiple IP addresses to an interface, you must assign them static addresses.
|
Trust IP Address |
Enable/disable the Trust IPs Access Control (TIAC) feature to restrict access to management interfaces according to the Trust IP Address List. If the source IP is not on the Trust IP Address List, the device will refuse the client directly.
To add IP addresses to the Trust IP Address List, enable the feature and save the configuration. After you have saved it the first time, you can edit it to add IPs to the list. |
PPPoE | |
WCCP |
Enable/disable WCCP to redirect traffic flows in real-time. |
Trust IP Address |
Enable/disable the Trust IPs Access Control (TIAC) feature to restrict access to management interfaces according to the Trust IP Address List. If the source IP is not on the Trust IP Address List, the device will refuse the client directly.
To add IP addresses to the Trust IP Address List, enable the feature and save the configuration. After you have saved it the first time, you can edit it to add IPs to the list. |
Username | PPPoE account user name. |
Password | PPPoE account password. |
Discovery Retry Timeout | Seconds the system waits before it retries to discover the PPPoE server. The default is 5 seconds. The valid range is 1-255. |
DNS Server Override | Use the DNS addresses retrieved from the PPPoE server instead of the one configured in the FortiADC system settings. |
Retrieve Default Gateway | Use the default gateway retrieved from the PPPoE server instead of the one configured in the FortiADC system settings. |
DHCP |
|
WCCP |
Enable/disable WCCP to redirect traffic flows in real-time. |
Trust IP Address |
Enable/disable the Trust IPs Access Control (TIAC) feature to restrict access to management interfaces according to the Trust IP Address List. If the source IP is not on the Trust IP Address List, the device will refuse the client directly.
To add IP addresses to the Trust IP Address List, enable the feature and save the configuration. After you have saved it the first time, you can edit it to add IPs to the list. |
Retrieve Gateway |
Use the default gateway retrieved from the DHCP server instead of the one configured in the FortiADC system settings. |
Secondary IP List | |
IP Address | Secondary IP addresses can be used when you deploy the system so that it belongs to multiple logical subnets. If you assign multiple IP addresses to an interface, you must assign them static addresses. To add secondary IP addresses, enable the feature and save the configuration. After you have saved it the first time, you can edit it to add secondary IP addresses and enable inbound traffic to that address. For each address, specify an IP address using the CIDR-formatted subnet mask, separated by a forward slash ( / ), such as 192.0.2.5/24. |
Allow Access | Select the services that are allowed to send inbound traffic. |
Trust IP Address List |
|
Name |
Configuration name. Valid characters are A -Z , a -z , 0 -9 , _ , and - . No spaces. After you initially save the configuration, you cannot edit the name. |
Type |
Select the IP address type:
|
IPv4/Netmask, IPv6/Netmask |
Specify the IP address that can access the interface. |
Address Range |
Specify a range of IP addresses that can access the interface. |
HA Node IP List | |
IP Address | You use the HA node IP list configuration in an HA active-active deployment. On each HA cluster node, add an HA node IP list that includes an entry for each cluster node. When the appliance is in standalone mode, it uses the physical port IP address; when it is in HA mode, it uses the HA node IP list address. For each address, specify an IP address using the CIDR-formatted subnet mask, separated by a forward slash ( / ), such as 192.0.2.5/24. |
Node ID | ID of the corresponding node. |
Allow Access |
Select the services that are allowed to send inbound traffic. |
In an HA active-active deployment, if an interface uses secondary IP addresses, you must use the CLI to enable the HA node secondary IP address list, and then configure the list: FADC # config system interface FADC (interface) # edit port3 FADC (port3) # set ha-node-secondary-ip enable FADC (port3) # config ha-node-secondary-ip-list FADC (ha-node-second~r) # edit 1 Add new entry '1' for node 2221 FADC (1) # set ip 192.168.1.100 FADC (1) # set allowaccess https http ping snmp ssh FADC (1) # end FADC (port3) # end
|
To configure a physical interface in the CLI:
config system interface
edit <port_name>
set ip <ip&netmask>
set allowaccess {http https ping snmp ssh telnet}
end
To configure an aggregate interface in the CLI:
config system interface
edit <specified_name>
set type agg
set aggregate-mode {802.3ad | balance-alb | balance-rr | balance-tlb | balance-xor | broadcast}
set aggregate-algorithm {layer2 | layer2_3 | layer3_4}
set member <port_name> <port_name>
set ip <ip&netmask>
end
To configure a VLAN interface in the CLI:
config system interface
edit <specified_name>
set type vlan
set vlanid <number>
set interface <port_name>
set ip <ip&netmask>
end
To enable/disable the Trust IP Address status in the CLI:
config system interface
edit <port_name>
set trust-ip <enable | disable>
To configure the Trust IP Address List in the CLI:
config trust-ip-list
edit <name>
set type {ip-netmask | ip-range}
set ip-network <ip&netmask>
set start-ip <ip>
set end-ip <ip>
next
edit <name>
set type {ip6-netmask | ip6-range}
set ip6-network <ip6&netmask>
set start-ip6 <ip6>
set end-ip6 <ip6>
next
end