System Management : Configuring network interfaces
 
Configuring network interfaces
The network interfaces that are bound to physical ports have three uses:
Management—Ports mgmt1 and mgmt2 are management interfaces. Management interfaces are used for administrator connections and to send management traffic, like syslog and SNMP traffic. Typically, administrators use mgmt1 for the management interface.
HA—If you plan to deploy HA, you must reserve a physical port for HA heartbeat and synchronization traffic. Do not configure a network interface for the port that will be used for HA; instead, leave it unconfigured or “reserved” for HA. Typically, administrators use mgmt2 for the HA interface.
Traffic—The remaining physical ports can be used for your target traffic—these are your “traffic interfaces.” The FortiDDoS system is deployed inline (between the Internet and your local network resources). Consecutively numbered ports belong to port pairs: use odd port numbers (1, 3, 5, and so on) for the LAN-side connection and even port numbers (2, 4, 6, and so on) for the WAN-side connection. For example, port1 and port2 are a pair. The port1 interface is connected to a switch that connects servers in the local network; the port2 interface is connected to the network path that receives traffic from the Internet.
By default, ports use autonegotiation to determine the connection speed. In general, you change the speed only if the interface is connected to a device that does not support autonegotiation. If the other device uses a fixed speed/duplex setting, use the configuration page to set the FortiDDoS network interface to the same speed/duplex values. If one end is fixed and the other autonegotiates, the autonegotiating end typically falls back to half duplex, which produces errors and dropped frames, so both ends must be configured the same way.
The interface modules for FortiDDoS 1000B and FortiDDoS 2000B models have special guidelines. The configuration page offers the choices listed in Table 68, but only the required setting works reliably with these modules; ignore the other choices and use the required setting.
Table 68: Speed/Duplex settings

Transceiver/Interface Module    Possible Choices              Required Setting
SFP (1 Gbps)                    Auto, 1000Mbps Full Duplex    1000Mbps Full Duplex
SFP+ (10 Gbps)                  Auto, 1000Mbps Full Duplex    Auto
LC 850nm optical (10 Gbps)*     Auto, 1000Mbps Full Duplex    Auto

*Available on FortiDDoS 2000B only.
Before you begin:
You must have Read-Write permission for System settings.
To configure a network interface:
1. Go to System > Network > Interface.
2. Double-click the row of the port you want to configure to display the configuration editor.
3. Complete the configuration as described in Table 69.
4. Save the configuration.
Figure 121: Network interface status page
 
The Status indicators on the Interface Configuration page display the connectivity status. A green indicator means that the link is connected and negotiation was successful. A red indicator means that the link is not connected or is down.
Figure 122: Network interface speed/duplex settings page
 
Figure 123: Management interfaces settings page
 
Table 69: Network interface configuration guidelines
Settings
Guidelines
Speed
Select one of the following speed/duplex settings:
Auto—Speed and duplex are negotiated automatically. Recommended.
10half—10 Mbps, half duplex.
10full—10 Mbps, full duplex.
100half—100 Mbps, half duplex.
100full—100 Mbps, full duplex.
1000half—1000 Mbps, half duplex.
1000full—1000 Mbps, full duplex.
IPv4/Netmask
Management interfaces only.
Specify the IPv4 address and CIDR prefix length, separated by a forward slash ( / ), such as 192.0.2.5/24. Dotted-quad subnet masks (such as 255.255.255.0) are not accepted.
IPv6/Netmask
Management interfaces only.
Specify the IPv6 address and prefix length, separated by a forward slash ( / ), such as 2001:0db8:85a3::8a2e:0370:7334/64. Only prefix-length notation is accepted.
Administrative Access
Management interfaces only.
Allow inbound service traffic. Select from the following options:
HTTP—Enables connections to the web UI. We recommend this option only for network interfaces connected to a trusted private network, or directly to your management computer.
HTTPS—Enables secure connections to the web UI. We recommend this option instead of HTTP.
Ping—Enables ping and traceroute to be received on this network interface. When it receives an ICMP echo request (type 8, “ping”), the FortiDDoS system replies with an ICMP echo reply (type 0).
SNMP—Enables SNMP queries to this network interface.
SSH—Enables SSH connections to the CLI. We recommend this option instead of Telnet.
Telnet—Enables Telnet connections to the CLI. We recommend this option only for network interfaces connected to a trusted private network, or directly to your management computer.
SQL—Enables SQL queries.
Note: We recommend that you enable administrative access only on network interfaces connected to trusted private networks or directly to your management computer. If possible, enable only secure administrative access protocols such as HTTPS or SSH.
 
CLI commands:
config system interface
edit <interface>
set speed {auto|10half|10full|100half|100full|1000half|1000full}
set status {up|down}
set ip <address_ipv4> <netmask_ipv4mask>
set allowaccess {http https ping snmp ssh telnet sql}
end
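The procedure above, the guidelines in Table 69 and the CLI listing, combined in an added example (this is not Fortinet code): a short Python script that renders the `config system interface` block for a port and lints it against the rules on this page before the block is pasted into the CLI. It rejects dotted-quad masks, flags IP addresses or administrative access on non-management ports, enforces the Table 68 speed/duplex requirement when the transceiver type is known, and warns when the clear-text HTTP or Telnet protocols are enabled. The `Interface`, `lint`, `render` and `parse_cidr` names, the transceiver keys and the sample addresses are assumptions constructed for the example; the CLI syntax emitted is that of the listing above.

```python
"""Render and lint FortiDDoS interface settings (added example, not Fortinet code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

SPEEDS = {"auto", "10half", "10full", "100half", "100full", "1000half", "1000full"}
ACCESS = {"http", "https", "ping", "snmp", "ssh", "telnet", "sql"}
INSECURE = {"http", "telnet"}      # clear-text; Table 69 recommends HTTPS/SSH instead
MGMT_PORTS = {"mgmt1", "mgmt2"}    # only these take an IP address / admin access
# Table 68: required speed/duplex per interface module on 1000B/2000B models.
# The keys are names assumed by this example.
REQUIRED_SPEED = {"sfp": "1000full", "sfp+": "auto", "lc850": "auto"}


@dataclass
class Interface:
    name: str
    speed: str = "auto"
    status: str = "up"
    ip: Optional[str] = None                # CIDR only, management ports only
    allowaccess: Tuple[str, ...] = ()       # management ports only
    transceiver: Optional[str] = None       # key of REQUIRED_SPEED, if known
    ha_reserved: bool = False               # port set aside for HA heartbeat


def parse_cidr(text: str):
    """Accept 'address/prefixlen' only.  ipaddress.ip_interface would also
    accept a dotted-quad mask ('192.0.2.5/255.255.255.0'), which the appliance
    rejects, so the part after the slash must be a plain integer."""
    _addr, sep, prefix = text.partition("/")
    if not sep or not prefix.isdigit():
        raise ValueError(f"{text!r}: use CIDR notation, for example 192.0.2.5/24")
    return ipaddress.ip_interface(text)     # raises ValueError on a bad address


def lint(iface: Interface) -> List[str]:
    """Return policy findings; an empty list means the settings follow this page."""
    findings = []
    if iface.speed not in SPEEDS:
        findings.append(f"{iface.name}: unknown speed {iface.speed!r}")
    if iface.status not in {"up", "down"}:
        findings.append(f"{iface.name}: status must be up or down")
    required = REQUIRED_SPEED.get(iface.transceiver or "")
    if required and iface.speed != required:
        findings.append(f"{iface.name}: Table 68 requires speed {required} for {iface.transceiver}")
    if iface.name not in MGMT_PORTS and (iface.ip or iface.allowaccess):
        findings.append(f"{iface.name}: IP address and administrative access are for management interfaces only")
    if iface.ha_reserved and (iface.ip or iface.allowaccess):
        findings.append(f"{iface.name}: the port reserved for HA must stay unconfigured")
    unknown = set(iface.allowaccess) - ACCESS
    if unknown:
        findings.append(f"{iface.name}: unknown allowaccess options {sorted(unknown)}")
    insecure = set(iface.allowaccess) & INSECURE
    if insecure:
        findings.append(f"{iface.name}: clear-text admin protocols enabled {sorted(insecure)}; prefer https/ssh")
    if iface.ip:
        try:
            parse_cidr(iface.ip)
        except ValueError as exc:
            findings.append(f"{iface.name}: {exc}")
    return findings


def render(iface: Interface) -> str:
    """Emit the 'config system interface' block in the form of the CLI listing above.
    Only the documented IPv4 form of 'set ip' is emitted."""
    lines = ["config system interface", f"  edit {iface.name}",
             f"    set speed {iface.speed}", f"    set status {iface.status}"]
    if iface.ip:
        net = parse_cidr(iface.ip)
        if net.version != 4:
            raise ValueError("the CLI listing on this page documents 'set ip' for IPv4 only")
        lines.append(f"    set ip {net.ip} {net.netmask}")   # CLI takes dotted-quad mask here
    if iface.allowaccess:
        lines.append(f"    set allowaccess {' '.join(sorted(iface.allowaccess))}")
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: a hardened mgmt1, a weak mgmt1, and a traffic port with an SFP module.
    good = Interface("mgmt1", ip="192.0.2.5/24", allowaccess=("https", "ssh", "ping"))
    weak = Interface("mgmt1", ip="192.0.2.5/24", allowaccess=("http", "telnet", "https"))
    sfp_port = Interface("port1", speed="auto", transceiver="sfp")
    for iface in (good, weak, sfp_port):
        for finding in lint(iface):
            print("WARN", finding)
    print(render(good))
```

Run the script as-is to see the warnings for the weak management configuration and the SFP port left on Auto, followed by the CLI block for the hardened mgmt1; paste only blocks whose `lint()` result is empty.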