Configuring network interfaces

The network interfaces that are bound to physical ports have three uses:

By default, ports use auto-negotiation to determine the connection speed. In general, you change the speed if the interface is connected to a device that does not support auto-negotiation. If the other device uses a fixed speed/duplex setting, you use the configuration page to set the FortiDDoS network interface speed/duplex to the appropriate matching values.

The interface modules for FortiDDoS 900B/1000B and FortiDDoS 1200B/2000B models have special guidelines. To avoid issues with speed/duplex for these interface modules, please disregard the possible choices and use the required settings shown in Table 74.

Table 74: Speed/Duplex settings

Transceiver/Interface Module | Possible Choices | Required Settings
SFP (1 Gbps) | Auto, 1000Mbps Full Duplex | 1000Mbps Full Duplex
SFP+ (10 Gbps) | Auto, 1000Mbps Full Duplex | Auto
LC 850nm optical (10 Gbps)* | Auto, 1000Mbps Full Duplex | Auto

*Available on FortiDDoS 1200B/2000B only.

Before you begin:

To configure a network interface:
  1. Go to System > Network > Interface.
  2. Double-click the row of the port you want to configure to display the configuration editor.
  3. Complete the configuration as described in Table 75.
  4. Save the configuration.

Figure 132: Network interface status page

The Status indicators on the Interface Configuration page display the connectivity status. A green indicator means that the link is connected and negotiation was successful. A red indicator means that the link is not connected or is down.

Figure 133: Network interface speed/duplex settings page

Figure 134: Management interfaces settings page

Table 75: Network interface configuration guidelines

Settings | Guidelines
Speed | Select one of the following speed/duplex settings:

  • Auto—Speed and duplex are negotiated automatically. Recommended.
  • 10half—10 Mbps, half duplex.
  • 10full—10 Mbps, full duplex.
  • 100half—100 Mbps, half duplex.
  • 100full—100 Mbps, full duplex.
  • 1000half—1000 Mbps, half duplex.
  • 1000full—1000 Mbps, full duplex.

IPv4/Netmask | Management interfaces only.

Specify the IP address and CIDR-formatted subnet mask, separated by a forward slash ( / ), such as 192.0.2.5/24. Dotted quad formatted subnet masks are not accepted.
IPv6/Netmask | Management interfaces only.

Specify the IP address and CIDR-formatted subnet mask, separated by a forward slash ( / ), such as 2001:0db8:85a3::8a2e:0370:7334/64. Dotted quad formatted subnet masks are not accepted.
Administrative Access | Management interfaces only.

Allow inbound service traffic. Select from the following options:

  • HTTP—Enables connections to the web UI. We recommend this option only for network interfaces connected to a trusted private network, or directly to your management computer.
  • HTTPS—Enables secure connections to the web UI. We recommend this option instead of HTTP.
  • Ping—Enables ping and traceroute to be received on this network interface. When it receives an ECHO_REQUEST (“ping”), the FortiDDoS system replies with ICMP type 0 (ECHO_RESPONSE or “pong”).
  • SNMP—Enables SNMP queries to this network interface.
  • SSH—Enables SSH connections to the CLI. We recommend this option instead of Telnet.
  • Telnet—Enables Telnet connections to the CLI. We recommend this option only for network interfaces connected to a trusted private network, or directly to your management computer.
  • SQL—Enables SQL queries.

Note: We recommend that you enable administrative access only on network interfaces connected to trusted private networks or directly to your management computer. If possible, enable only secure administrative access protocols such as HTTPS or SSH.

CLI commands:

    config system interface
      edit <interface>
        set speed {auto|10half|10full|100half|100full|1000half|1000full}
        set status {up|down}
        set ip <address_ipv4> <netmask_ipv4mask>
        set allowaccess {http https ping snmp ssh telnet sql}
    end
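The following audit script is an added example, not part of the original guide or Fortinet's tooling: it reads interface settings written in the CLI layout shown above and reports speed values outside the documented list and the cleartext access protocols (HTTP, Telnet) for which the guide recommends HTTPS and SSH instead. The interface names, addresses and the helper names parse_interfaces and audit are constructed for illustration.

```python
# Cleartext protocol -> encrypted option the guide recommends instead.
CLEARTEXT = {"http": "https", "telnet": "ssh"}
VALID_SPEEDS = {"auto", "10half", "10full", "100half", "100full", "1000half", "1000full"}

# Constructed sample input: interface names and addresses are illustrative only.
SAMPLE = """\
config system interface
edit mgmt1
set ip 192.0.2.5 255.255.255.0
set allowaccess https ssh ping
end
config system interface
edit mgmt2
set ip 192.0.2.6 255.255.255.0
set allowaccess http telnet snmp
end
config system interface
edit port1
set speed 1000ful
end
"""

def parse_interfaces(text):
    """Parse 'edit <interface>' blocks into {name: {setting: [values]}}."""
    interfaces, current = {}, None
    for raw in text.splitlines():
        words = raw.split()
        if len(words) == 2 and words[0] == "edit":
            current = interfaces.setdefault(words[1], {})
        elif len(words) >= 3 and words[0] == "set" and current is not None:
            current[words[1]] = words[2:]
        elif words == ["end"]:
            current = None
    return interfaces

def audit(text):
    """Return sorted (interface, finding) tuples for risky or invalid settings."""
    findings = []
    for name, cfg in parse_interfaces(text).items():
        speed = " ".join(cfg.get("speed", ["auto"]))  # ports default to auto-negotiation
        if speed not in VALID_SPEEDS:
            findings.append((name, "invalid speed: " + speed))
        for proto in cfg.get("allowaccess", []):
            if proto in CLEARTEXT:
                findings.append((name, f"{proto} enabled; prefer {CLEARTEXT[proto]}"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```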