Configuring network interfaces

You configure a physical network interface by editing its existing configuration; you cannot create or delete a physical interface configuration.

Before you begin:
  • You must have Read-Write permission for System settings.
To configure a network interface:
  1. Go to Network > Interface.
  2. Double-click the row for a physical interface to edit its configuration or click Create New if you want to configure an aggregate or VLAN interface.
  3. Complete the configuration as described in Network interface configuration.
  4. Save the configuration.

Network interface configuration

Settings and guidelines:

Interface

Name: Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. After you initially save the configuration, you cannot edit the name.

Status: The Status column is not the detected physical link status; it is the administrative status (Up/Down) that indicates whether you permit the network interface to receive and/or transmit packets.
Allow Access

Allow inbound service traffic. Select from the following options:

  • HTTP—Enables connections to the web UI. We recommend this option only for network interfaces connected to a trusted private network, or directly to your management computer.
  • HTTPS—Enables secure connections to the web UI. We recommend this option instead of HTTP.
  • Ping—Enables ping and traceroute to be received on this network interface. When it receives an ECHO_REQUEST (“ping”), FortiADC will reply with ICMP type 0 (ECHO_RESPONSE or “pong”).
  • SNMP—Enables SNMP queries to this network interface.
  • SSH—Enables SSH connections to the CLI. We recommend this option instead of Telnet.
  • Telnet—Enables Telnet connections to the CLI. We recommend this option only for network interfaces connected to a trusted private network, or directly to your management computer.
Dedicated HA management IP

Note: Starting with release 4.8.1, this option is replaced by "Management Interface". It has been removed from the GUI but remains available on the console. For more information, see Configuring the management interface.

Virtual Domain

If applicable, select the virtual domain to which the configuration applies.

Type

Select from the following:

  • VLAN

  • Aggregate

  • Loopback

  • Softswitch

Note: If you are editing the configuration for a physical interface, you cannot set the type.

If you are configuring a logical interface, you can select from the following options:

  • VLAN—A logical interface you create to carry one VLAN subinterface on a single physical interface.

  • Aggregate—A logical interface you create to support the aggregation of multiple physical interfaces.

Mode
  • Static—Specify a static IP address. The IP address must be on the same subnet as the network to which the interface connects. Two network interfaces cannot have IP addresses on the same subnet (i.e. overlapping subnets).
  • PPPoE—Use PPPoE to retrieve a configuration for the IP address, gateway, and DNS server. For example, if this interface uses a DSL connection to the Internet, your ISP may require this option.
  • DHCP—Use DHCP to automatically assign IP addresses and other communication parameters, including subnet masks, default gateway addresses, and DNS servers to the host.

Traffic Group

Select either of the following:

  • Default
  • Create New

Available only if Static is selected for Mode.

Floating

Enable/Disable floating IP.

Available only if Static is selected for Mode.

Floating IP

Enter the floating IP.

Available only if Floating is enabled.

Note:

Ensure the Floating IP is different from the Interface IP; otherwise the two addresses conflict on the same port and cause network issues.

Type Specifics

VLAN

VLAN ID

VLAN ID of packets that belong to this VLAN.

If one physical network port (that is, a VLAN trunk) will handle multiple VLANs, create multiple VLAN subinterfaces on that port, one for each VLAN ID that will be received.

If multiple different physical network ports will handle the same VLANs, on each of the ports, create VLAN subinterfaces that have the same VLAN IDs.

The valid range is 1 to 4094. The value you specify must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch connected to the VLAN subinterface.

Interface

Physical interface associated with the VLAN; for example, port2.

Aggregate

Member

Select the physical interfaces that are included in the aggregation.

Aggregate Mode

Link aggregation type:
  • 802.3ad
  • Balance-alb
  • Balance-rr
  • Balance-tlb
  • Balance-xor
  • Broadcast

Aggregate Algorithm

Connectivity layers that will be considered when distributing frames among the aggregated physical ports:
  • Layer 2
  • Layer 2-3
  • Layer 3-4

Softswitch

Member

Select the interfaces that are included in the softswitch.

Mode Specifics

Static

IPv4/Netmask: Specify the IP address and CIDR-formatted subnet mask, separated by a forward slash ( / ), such as 192.0.2.5/24. Dotted-quad subnet masks are not accepted.

IPv6/Netmask: Specify the IP address and CIDR-formatted subnet mask, separated by a forward slash ( / ), such as 2001:0db8:85a3::8a2e:0370:7334/64. Dotted-quad subnet masks are not accepted.

WCCP

Enable/disable WCCP to redirect traffic flows in real time.

Secondary IP Address

Secondary IP addresses let the system belong to multiple logical subnets. If you assign multiple IP addresses to an interface, they must all be static addresses.

To add secondary IP addresses, enable the feature and save the configuration. After the first save, you can edit the interface to add secondary IP addresses and to enable inbound traffic to those addresses.

Trust IP Address

Enable/disable the Trust IPs Access Control (TIAC) feature, which restricts access to management services on this interface to the sources in the Trust IP Address List. If the source IP is not on the Trust IP Address List, the device rejects the connection.

To add IP addresses to the Trust IP Address List, enable the feature and save the configuration. After you have saved it the first time, you can edit it to add IPs to the list.

PPPoE

WCCP

Enable/disable WCCP to redirect traffic flows in real time.

Trust IP Address

Enable/disable the Trust IPs Access Control (TIAC) feature, which restricts access to management services on this interface to the sources in the Trust IP Address List. If the source IP is not on the Trust IP Address List, the device rejects the connection.

To add IP addresses to the Trust IP Address List, enable the feature and save the configuration. After you have saved it the first time, you can edit it to add IPs to the list.

Username: PPPoE account user name.

Password: PPPoE account password.

Discovery Retry Timeout: Seconds the system waits before it retries discovery of the PPPoE server. The default is 5 seconds. The valid range is 1-255.

DNS Server Override: Use the DNS addresses retrieved from the PPPoE server instead of those configured in the FortiADC system settings.

Retrieve Default Gateway: Use the default gateway retrieved from the PPPoE server instead of the one configured in the FortiADC system settings.

DHCP

WCCP

Enable/disable WCCP to redirect traffic flows in real time.

Trust IP Address

Enable/disable the Trust IPs Access Control (TIAC) feature, which restricts access to management services on this interface to the sources in the Trust IP Address List. If the source IP is not on the Trust IP Address List, the device rejects the connection.

To add IP addresses to the Trust IP Address List, enable the feature and save the configuration. After you have saved it the first time, you can edit it to add IPs to the list.

Retrieve Gateway

Use the default gateway retrieved from the DHCP server instead of the one configured in the FortiADC system settings.

Secondary IP List
IP Address: Secondary IP addresses let the system belong to multiple logical subnets. If you assign multiple IP addresses to an interface, they must all be static addresses.

To add secondary IP addresses, enable the feature and save the configuration. After the first save, you can edit the interface to add secondary IP addresses and to enable inbound traffic to those addresses. For each address, specify an IP address with a CIDR-formatted subnet mask, separated by a forward slash ( / ), such as 192.0.2.5/24.

Allow Access: Select the services that are allowed to send inbound traffic to the secondary address.

Trust IP Address List

Name

Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. After you initially save the configuration, you cannot edit the name.

Type

Select the IP address type:

  • IPv4/Netmask

  • IPv4 Address Range

  • IPv6/Netmask

  • IPv6 Address Range

IPv4/Netmask, IPv6/Netmask

Specify the IP address that can access the interface.

Address Range

Specify a range of IP addresses that can access the interface.

HA Node IP List
IP Address: You use the HA node IP list configuration in an HA active-active deployment. On each HA cluster node, add an HA node IP list that includes an entry for each cluster node. When the appliance is in standalone mode, it uses the physical port IP address; when it is in HA mode, it uses the HA node IP list address.

For each address, specify an IP address with a CIDR-formatted subnet mask, separated by a forward slash ( / ), such as 192.0.2.5/24.

Node ID: ID of the corresponding node.
Allow Access

Select the services that are allowed to send inbound traffic.

In an HA active-active deployment, if an interface uses secondary IP addresses, you must use the CLI to enable the HA node secondary IP address list, and then configure the list:

    FADC # config system interface
    FADC (interface) # edit port3
    FADC (port3) # set ha-node-secondary-ip enable
    FADC (port3) # config ha-node-secondary-ip-list
    FADC (ha-node-second~r) # edit 1
    Add new entry '1' for node 2221
    FADC (1) # set ip 192.168.1.100
    FADC (1) # set allowaccess https http ping snmp ssh
    FADC (1) # end
    FADC (port3) # end

To configure a physical interface in the CLI:

    config system interface
      edit <port_name>
        set ip <ip&netmask>
        set allowaccess {http https ping snmp ssh telnet}
    end

To configure an aggregate interface in the CLI:

    config system interface
      edit <specified_name>
        set type agg
        set aggregate-mode {802.3ad | balance-alb | balance-rr | balance-tlb | balance-xor | broadcast}
        set aggregate-algorithm {layer2 | layer2_3 | layer3_4}
        set member <port_name> <port_name>
        set ip <ip&netmask>
    end

To configure a VLAN interface in the CLI:

    config system interface
      edit <specified_name>
        set type vlan
        set vlanid <number>
        set interface <port_name>
        set ip <ip&netmask>
    end
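As an added example (not Fortinet code), the following Python script checks a set of interface settings against the rules stated in this section before they are entered on the appliance: the Name character set, CIDR-only netmasks, the VLAN ID range, the Floating IP / Interface IP conflict, and the rule that two interfaces may not sit on overlapping subnets. The sample interface list and its address values are constructed for illustration.

```python
"""Offline validator for FortiADC-style static interface settings (added example)."""
import ipaddress
import re

# Name rule from the handbook: A-Z, a-z, 0-9, _ and -, no spaces.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def parse_cidr(text):
    """Accept only 'address/prefixlen'; reject dotted-quad masks (192.0.2.5/255.255.255.0)."""
    addr, sep, mask = text.partition("/")
    if not sep or not mask.isdigit():
        raise ValueError(f"{text}: netmask must be a CIDR prefix length, not a dotted quad")
    # ip_interface keeps the host address and derives the network from the prefix.
    return ipaddress.ip_interface(f"{addr}/{mask}")


def validate_interfaces(interfaces):
    """interfaces: list of dicts with keys name, ip, optional floating_ip and vlanid.
    Returns a list of findings; an empty list means the settings pass every rule."""
    findings = []
    parsed = []
    for cfg in interfaces:
        name = cfg["name"]
        if not NAME_RE.match(name):
            findings.append(f"{name}: invalid characters in name")
        try:
            iface = parse_cidr(cfg["ip"])
        except ValueError as exc:
            findings.append(f"{name}: {exc}")
            continue
        vlanid = cfg.get("vlanid")
        if vlanid is not None and not 1 <= vlanid <= 4094:
            findings.append(f"{name}: VLAN ID {vlanid} outside 1-4094")
        fip = cfg.get("floating_ip")
        if fip is not None and ipaddress.ip_address(fip) == iface.ip:
            findings.append(f"{name}: floating IP must differ from interface IP")
        parsed.append((name, iface))
    # Two interfaces may not have overlapping subnets (compared within one address family).
    for i, (n1, a) in enumerate(parsed):
        for n2, b in parsed[i + 1:]:
            if a.version == b.version and a.network.overlaps(b.network):
                findings.append(f"{n1} and {n2}: overlapping subnets {a.network} and {b.network}")
    return findings


# Constructed sample; addresses reuse the documentation ranges from this page.
SAMPLE = [
    {"name": "port1", "ip": "192.0.2.5/24", "floating_ip": "192.0.2.5"},  # floating == interface
    {"name": "port2", "ip": "192.0.2.70/255.255.255.0"},                  # dotted-quad mask
    {"name": "vlan 10", "ip": "198.51.100.1/24", "vlanid": 4095},          # bad name, bad VLAN ID
    {"name": "port3", "ip": "192.0.2.200/25"},                             # overlaps port1's subnet
    {"name": "port4", "ip": "2001:0db8:85a3::8a2e:0370:7334/64"},          # valid IPv6 entry
]

if __name__ == "__main__":
    for finding in validate_interfaces(SAMPLE):
        print(finding)
```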

To enable/disable the Trust IP Address status in the CLI:

    config system interface
      edit <port_name>
        set trust-ip <enable | disable>
    end

To configure the Trust IP Address List in the CLI:

    config trust-ip-list
      edit <name>
        set type {ip-netmask | ip-range}
        set ip-network <ip&netmask>
        set start-ip <ip>
        set end-ip <ip>
      next
      edit <name>
        set type {ip6-netmask | ip6-range}
        set ip6-network <ip6&netmask>
        set start-ip6 <ip6>
        set end-ip6 <ip6>
      next
    end
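The TIAC decision described under Trust IP Address and Trust IP Address List, modelled in Python as an added example (not Fortinet code): a request to a management service is admitted only if the service is in the interface's allowaccess set and, when trust-ip is enabled, the source address matches an ip-netmask, ip-range, ip6-netmask or ip6-range entry. The trust list and interface dictionaries are constructed for illustration; their keys mirror the CLI field names on this page.

```python
"""Model of the Trust IPs Access Control (TIAC) admission decision (added example)."""
import ipaddress


def build_trust_list(entries):
    """entries: dicts shaped like 'config trust-ip-list' rows.
    Returns matchers: ip_network objects for netmask types, (start, end) tuples for ranges."""
    matchers = []
    for e in entries:
        t = e["type"]
        if t in ("ip-netmask", "ip6-netmask"):
            key = "ip-network" if t == "ip-netmask" else "ip6-network"
            matchers.append(ipaddress.ip_network(e[key], strict=False))
        elif t in ("ip-range", "ip6-range"):
            suffix = "" if t == "ip-range" else "6"
            start = ipaddress.ip_address(e["start-ip" + suffix])
            end = ipaddress.ip_address(e["end-ip" + suffix])
            if start > end:
                raise ValueError(f"{e['name']}: start-ip is after end-ip")
            matchers.append((start, end))
        else:
            raise ValueError(f"{e['name']}: unknown type {t}")
    return matchers


def is_trusted(src, matchers):
    """True if src falls inside any netmask or range entry of the same address family."""
    addr = ipaddress.ip_address(src)
    for m in matchers:
        if isinstance(m, tuple):
            start, end = m
            if addr.version == start.version and start <= addr <= end:
                return True
        elif addr.version == m.version and addr in m:
            return True
    return False


def admit(interface, src, service, matchers):
    """interface: dict with 'allowaccess' (set of service names) and 'trust_ip' (bool).
    Returns (allowed, reason). allowaccess is checked first, then the trust list."""
    if service not in interface["allowaccess"]:
        return False, f"{service} not in allowaccess"
    if interface["trust_ip"] and not is_trusted(src, matchers):
        return False, "source not on Trust IP Address List"
    return True, "permitted"


# Constructed sample trust list and interface (documentation address ranges).
TRUST_LIST = build_trust_list([
    {"name": "mgmt-net", "type": "ip-netmask", "ip-network": "192.0.2.0/24"},
    {"name": "jump-hosts", "type": "ip-range", "start-ip": "198.51.100.10", "end-ip": "198.51.100.20"},
    {"name": "mgmt-v6", "type": "ip6-netmask", "ip6-network": "2001:db8:85a3::/64"},
])
PORT1 = {"name": "port1", "allowaccess": {"https", "ssh", "ping"}, "trust_ip": True}

if __name__ == "__main__":
    for src, svc in [("192.0.2.77", "https"), ("198.51.100.21", "ssh"),
                     ("198.51.100.15", "telnet"), ("2001:db8:85a3::1", "ssh")]:
        print(src, svc, admit(PORT1, src, svc, TRUST_LIST))
```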