system : interface
 
interface
Use this command to edit the configuration of a FortiGate physical interface, VLAN subinterface, IEEE 802.3ad aggregate interface, redundant interface, or IPSec tunnel interface.
In the following table, VLAN subinterface can be substituted for interface in most places except that you can only configure VLAN subinterfaces with static IP addresses. Use the edit command to add a VLAN subinterface.
 
VLAN communication over the backplane interfaces is available for FortiGate-5000 modules installed in a FortiGate-5020 chassis. The FortiSwitch-5003 does not support VLAN-tagged packets so VLAN communication is not available over the FortiGate-5050 and FortiGate-5140 chassis backplanes.
Some fields are specific to aggregate interfaces. These appear at the end of the list of commands under “variables for aggregate and redundant interfaces (some FortiGate models)”.
Some FortiGate models have multiple interfaces that are grouped as a switch named “internal”. This is switch mode and it is the default. As an alternative, you can select interface mode to use each interface independently. For more information, see internal-switch-mode in system global.
Using the one-arm intrusion detection system (IDS), you can now configure a FortiGate unit to operate as an IDS appliance by sniffing packets for attacks without actually receiving and otherwise processing the packets. For more information, see the ips-sniffer-mode {enable | disable} field.
An interface’s IPv6 address can be included in a Multi Listener Discovery (MLD) report. By default the FortiGate unit includes no addresses in the MLD report. For more information, see the ip6-send-adv {enable | disable} field.
Syntax
Entering a name string for the edit field that is not the name of a physical interface adds a VLAN subinterface.
config system interface
edit <interface_name>
set allowaccess <access_types>
set alias <name_string>
set arpforward {enable | disable}
set atm-protocol {ipoa | none}
set auth-type <ppp_auth_method>
set bfd {enable | disable | global}
set bfd-desired-min-tx <interval_msec>
set bfd-detect-mult <multiplier>
set bfd-required-min-rx <interval_msec>
set broadcast-forward {enable | disable}
set defaultgw {enable | disable}
set dedicated-to {management | none}
set description <text>
set device-access-list <list_name>
set device-identification {enable | disable}
set device-netscan {enable | disable}
set device-user-identification {enable | disable}
set dhcp-client-identifier <client_name_str>
set dhcp-relay-ip <dhcp_relay1_ipv4> {... <dhcp_relay8_ipv4>}
set dhcp-relay-service {enable | disable}
set dhcp-relay-type {ipsec | regular}
set disc-retry-timeout <pppoe_retry_seconds>
set distance <admin_distance>
set dns-server-override {enable | disable}
set drop-fragment {enable | disable}
set drop-overlapped-fragment {enable | disable}
set elbc-default-gw <ipv4_addr>
set explicit-ftp-proxy {enable | disable}
set explicit-web-proxy {enable | disable}
set external {enable | disable}
set fail-detect {enable | disable}
set fail-detect-option {link-down | detectserver}
set fail-alert-method {link-down | link-failed-signal}
set fail-alert-interfaces {port1 port2 ...}
set forward-domain <collision_group_number>
set fp-anomaly [...]
set gi-gk {enable | disable}
set icmp-redirect {enable | disable}
set ident-accept {enable | disable}
set idle-timeout <pppoe_timeout_seconds>
set inbandwidth <bandwidth_integer>
set interface <port_name>
set ip <interface_ipv4mask>
set ipmac {enable | disable}
set ips-sniffer-mode {enable | disable}
set ipunnumbered <unnumbered_ipv4>
set l2forward {enable | disable}
set l2tp-client {enable | disable}
set lacp-ha-slave {enable | disable}
set lacp-mode {active | passive | static}
set lacp-speed {fast | slow}
set lcp-echo-interval <lcp_interval_secs>
set lcp-max-echo-fails <missed_echoes>
set link-up-delay <secs_int>
set listen-forticlient-connection {enable | disable}
set lldp-transmission {enable | disable | vdom}
set macaddr <mac_address>
set mediatype {serdes-sfp | sgmii-sfp}
set member <if_name1> <if_name2> ...
set min-links <int>
set min-links-down {operational | administrative}
set mode <interface_mode>
set mtu <mtu_bytes>
set mtu-override {enable | disable}
set netbios-forward {disable | enable}
set nontp-web-proxy {disable | enable}
set outbandwidth <bandwidth_integer>
set padt-retry-timeout <padt_retry_seconds>
set password <pppoe_password>
set pbx-user-portal {enable | disable}
set phone-auto-provision {enable | disable}
set poe {disable | enable}
set polling-interval <interval_int>
set pppoe-unnumbered-negotiate {disable | enable}
set pptp-client {disable | enable}
set pptp-user <pptp_username>
set pptp-password <pptp_userpassword>
set pptp-server-ip <pptp_serverid>
set pptp-auth-type <pptp_authtype>
set pptp-timeout <pptp_idletimeout>
set priority <learned_priority>
set priority-override {enable | disable}
set remote-ip <ipv4>
set replacemsg-override-group {group-name}
set sample-direction {both | rx | tx}
set sample-rate <rate_int>
set secondary-IP {enable | disable}
set security-exempt-list <list_name>
set security-external-web <url>
set security-groups [group1 [group2 ... groupn]]
set security-mode {none | captive-portal | 802.1X}
set security-redirect-url <url_str>
set sflow-sampler {disable | enable}
set snmp-index <id_int>
set speed <interface_speed>
set spillover-threshold <threshold_int>
set status {down | up}
set stpforward {enable | disable}
set stpforward-mode {rpl-all-ext-id | rpl-bridge-ext-id | rpl-nothing}
set subst {enable | disable}
set substitute-dst-mac <destination_mac_addres>
set tcp-mss <max_send_bytes>
set trunk {enable | disable}
set trust-ip-1 <ipmask>
set trust-ip-2 <ipmask>
set trust-ip-3 <ipmask>
set type {aggregate | hard-switch | hdlc | loopback | physical | redundant | tunnel | vap-switch | vdom-link | vlan | wireless}
set username <pppoe_username>
set vdom <vdom_name>
set vlanforward {enable | disable}
set vlanid <id_number>
set voip {enable | disable}
set vrrp-virtual-mac {enable | disable}
set wccp {enable | disable}
set weight <int>
set wifi-acl {allow | deny}
set wifi-auth {PSK | radius | usergroup}
set wifi-broadcast_ssid {enable | disable}
set wifi-encrypt {AES | TKIP}
set wifi-fragment_threshold <packet_size>
set wifi-key <hex_key>
set wifi-mac-filter {enable | disable}
set wifi-passphrase <pass_str>
set wifi-radius-server <server_name>
set wifi-rts_threshold <integer>
set wifi-security <sec_mode>
set wifi-ssid <id_str>
set wifi-auto-connect {enable | disable}
set wifi-auto-save {enable | disable}
set wins-ip <wins_server_ip>
config ipv6
set autoconf {enable | disable}
set dhcp6-relay-server {enable | disable}
set dhcp6-relay-ip {ip1_ipv6 ... ipn_ipv6}
set ip6-address <if_ipv6mask>
set ip6-allowaccess <access_types>
set ip6-default-life <ipv6_life_seconds>
set ip6-hop-limit <ipv6_hops_limit>
set ip6-link-mtu <ipv6_mtu>
set ip6-manage-flag {disable | enable}
set ip6-max-interval <adverts_max_seconds>
set ip6-min-interval <adverts_min_seconds>
set ip6-mode {static | dhcp6 | pppoe}
set ip6-other-flag {enable | disable}
set ip6-reachable-time <reachable_msecs>
set ip6-retrans-time <retrans_msecs>
set ip6-send-adv {enable | disable}
config ip6-prefix-list
edit <ipv6_prefix>
set autonomous-flag {enable | disable}
set onlink-flag {enable | disable}
set preferred-life-time <seconds>
set valid-life-time <seconds>
end
end
config ip6-extra-address
edit <prefix_ipv6>
end
end
config l2tp-client-settings
set auth-type {auto | chap | mschapv1 | mschapv2 | pap}
set defaultgw {enable | disable}
set distance <admin_distance>
set mtu <integer>
set password <password>
set peer-host <ipv4_addr>
set peer-mask <netmask>
set peer-port <port_num>
set priority <integer>
set user <string>
end
config secondaryip
edit <secondary_ip_id>
set allowaccess <access_types>
set ip <interface_ipv4mask>
end
end
config vrrp
edit <VRID_int>
set adv-interval <seconds_int>
set preempt {enable | disable}
set priority <prio_int>
set start-time <seconds_int>
set status {enable | disable}
set vrdst <ipv4_addr1> [<ipv4_addr2>]
set vrgrp <grp_int>
set vrip <ipv4_addr>
end
config wifi-mac_list
edit <entry_number>
set mac <mac_address>
end
config wifi-networks
edit <network_id>
set wifi-key <key_str>
set wifi-keyindex <index_int>
set wifi-passphrase <psk_str>
set wifi-security {wpa-personal | wep128 | wep64 | open}
set wifi-ssid <ssid_str>
end
 
A VLAN cannot have the same name as a zone or a virtual domain.
Variable
Description
Default
allowaccess <access_types>
Enter the types of management access permitted on this interface or secondary IP address. Separate types with spaces. Use the append or clear commands (instead of set) to add or remove an option from the list.
Valid types are:
auto-ipsec — required for IPsec auto-configuration
capwap — required for interfaces that carry CAPWAP control traffic. Interfaces dedicated for FortiAP unit use have this option enabled automatically.
fgfm — FortiManager management access
http — enable HTTP admin access
https — enable HTTPS admin access
ping — allow ping response. Useful for testing.
probe-response — allow access by config system server-probe command
radius-acct — RADIUS Accounting server access
snmp — SNMP management access
ssh — enable admin access via SSH
telnet — enable admin access via Telnet
Varies for each interface.
alias <name_string>
Enter an alias name for the interface. Once configured, the alias will be displayed with the interface name to make it easier to distinguish. The alias can be a maximum of 25 characters.
This option is only available when interface type is physical.
 
arpforward {enable | disable}
Enable or disable forwarding of ARP packets on this interface.
ARP forwarding is required for DHCP relay and MS Windows Client browsing.
enable
atm-protocol {ipoa | none}
Enable IPoA protocol. This is available on ADSL interfaces that support IPoA.
none
auth-type <ppp_auth_method>
Select the PPP authentication method for this interface. Choose one of:
auto — select authentication method automatically
chap — CHAP
mschapv1 — Microsoft CHAP v1
mschapv2 — Microsoft CHAP v2
pap — PAP
This is available only when mode is pppoe, and type of interface is physical.
auto
bfd {enable | disable | global}
The status of Bidirectional Forwarding Detection (bfd) on this interface:
enable — enable BFD and ignore global BFD configuration.
disable — disable BFD on this interface.
global — use the BFD configuration in system settings for the virtual domain to which this interface belongs.
The BFD-related fields below are available only if bfd is enabled.
global
bfd-desired-min-tx <interval_msec>
Enter the minimum desired interval for the BFD transmit interval. Valid range is from 1 to 100 000 msec.
This is available only if bfd is enable.
50
bfd-detect-mult <multiplier>
Select the BFD detection multiplier.
This is available only if bfd is enable.
3
bfd-required-min-rx <interval_msec>
Enter the minimum required interval for the BFD receive interval. Valid range is from 1 to 100 000 msec.
This is available only if bfd is enable.
50
broadcast-forward {enable | disable}
Select to enable automatic forwarding of broadcast packets.
Use with caution. Enabling this option may make the FortiGate unit vulnerable to broadcast-based DoS attacks such as ping floods.
disable
defaultgw {enable | disable}
Enable to get the gateway IP address from the DHCP or PPPoE server.
This is valid only when the mode is one of DHCP or PPPoE.
disable
dedicated-to {management | none}
Select whether this port is dedicated to unit management or not. This is available on “mgmt” ports where mode is static.
none
description <text>
Optionally, enter up to 255 characters to describe this interface.
No default.
device-access-list <list_name>
Enter the device access list to use. The device access list is configured in user device-access-list. This field is available when device-identification is enabled.
No default.
device-identification {enable | disable}
Enable to attempt to discover OS and device information for source hosts.
disable
device-netscan {enable | disable}
Enable to include detected devices in network vulnerability scans. This is available if device-identification is enabled.
disable
device-user-identification {enable | disable}
Enable to attempt to determine user name for source hosts.
enable
dhcp-client-identifier <client_name_str>
Override the default DHCP client identifier used by this interface. The DHCP client identifier is used by DHCP to identify individual DHCP clients (in this case individual FortiGate interfaces).
By default the DHCP client identifier for each FortiGate interface is created based on the FortiGate model name and the interface MAC address. In some cases you may want to specify your own DHCP client identifier using this command.
This is available if mode is set to dhcp.
 
dhcp-relay-ip <dhcp_relay1_ipv4> {... <dhcp_relay8_ipv4>}
Set DHCP relay IP addresses. You can specify up to eight DHCP relay servers for DHCP coverage of subnets.
Generally, clients respond to the first offer they receive. The relay agent broadcasts back the DHCPREQUEST and ACKNOWLEDGE messages so that other DHCP servers do not reserve the addresses they offered.
Do not set dhcp-relay-ip to 0.0.0.0.
No default.
dhcp-relay-service {enable | disable}
Enable to provide DHCP relay service on this interface. The DHCP type relayed depends on the setting of dhcp-relay-type.
There must be no other DHCP server of the same type (regular or ipsec) configured on this interface.
disable
dhcp-relay-type {ipsec | regular}
Set dhcp-relay-type to ipsec or regular depending on the type of firewall traffic.
regular
disc-retry-timeout <pppoe_retry_seconds>
Set the initial PPPoE discovery timeout in seconds. This is the time to wait before retrying to start a PPPoE discovery. Set to 0 to disable this feature.
This field is only available in NAT/Route mode when mode is set to pppoe.
1
distance <admin_distance>
Configure the administrative distance for routes learned through PPPoE or DHCP. Use the administrative distance to specify the relative priorities of different routes to the same destination. A lower administrative distance indicates a more preferred route. Distance can be an integer from 1-255. For more information, see router static “distance <distance>”.
This variable is only available in NAT/Route mode when mode is set to dhcp or pppoe.
1
dns-server-override {enable | disable}
Disable to prevent this interface from using DNS server addresses it acquires via DHCP or PPPoe.
This variable is only displayed if mode is set to dhcp or pppoe.
enable
drop-fragment {enable | disable}
Enable to drop fragmented packets and log them as invalid.
disable
drop-overlapped-fragment {enable | disable}
Enable or disable dropping overlapped packet fragments.
disable
edit <interface_name>
Edit an existing interface or create a new VLAN interface.
None.
edit <ipv6_prefix>
Enter the IPv6 prefix you want to configure. For settings, see the edit <ipv6_prefix> variables section of this table.
None.
edit <secondary_ip_id>
Enter an integer identifier, e.g., 1, for the secondary ip address that you want to configure.
None.
elbc-default-gw <ipv4_addr>
Use to add a default gateway to hidden front panel ports in ELBC mode.
When in ELBC mode the front panel ports are placed in a secret hidden VDOM. This prevents the user from adding routes to that interface. Using the elbc-default-gw attribute present on front panel ports the user can add a default gateway to these interfaces.
 
explicit-ftp-proxy {enable | disable}
Enable explicit FTP proxy on this interface. For more information, see “explicit”.
disable
explicit-web-proxy {enable | disable}
Enable explicit Web proxy on this interface. For more information, see “explicit”.
disable
external {enable | disable}
Enable to indicate that an interface is an external interface connected to an external network. This option is used for SIP NAT when the config VoIP profile SIP contact-fixup option is disabled.
disable
fail-detect {enable | disable}
Enable interface failure detection.
disable
fail-detect-option {link-down | detectserver}
Select whether the FortiGate unit detects interface failure by port detection (link-down) or ping server (detectserver). detectserver is only available in NAT mode.
link-down
fail-alert-method {link-down | link-failed-signal}
Select the signal that the FortiGate unit uses to signal the link failure: Link Down or Link Failed.
link-down
fail-alert-interfaces {port1 port2 ...}
Select the interfaces to which failure detection applies.
 
forward-domain <collision_group_number>
Specify the collision domain to which this interface belongs. Layer 2 broadcasts are limited to the same group. By default, all interfaces are in group 0.
Collision domains prevent the forwarding of ARP packets to all VLANs on an interface. Without collision domains, duplicate MAC addresses on VLANs may cause ARP packets to be duplicated. Duplicate ARP packets can cause some switches to reset.
This command is only available in Transparent mode.
0
fp-anomaly [...]
Enable NP2 hardware fast path anomaly checking on an interface and specify whether to drop or allow (pass) different types of anomalies.
When no options are specified, anomaly checking performed by the network processor is disabled. If pass options are specified, packets may still be rejected by other anomaly checks, including policy-required IPS performed using the FortiGate unit main processing resources.
Log messages are generated when packets are dropped due to options in this setting.
The fp-anomaly option is available for NP2-enabled interfaces.
No options specified (disabled)
gi-gk {enable | disable}
Enable FortiOS Carrier Gi Gatekeeper to enable the Gi firewall on this interface as part of the anti-overbilling configuration.
disable
icmp-redirect {enable | disable}
Disable to stop this interface from sending ICMP redirect messages.
ICMP redirect messages are sent by a router to notify the original sender of packets that there is a better route available.
enable
ident-accept {enable | disable}
Enable or disable passing ident packets (TCP port 113) to the firewall policy. If set to disable, the FortiGate unit sends a TCP reset packet in response to an ident packet.
disable
idle-timeout <pppoe_timeout_seconds>
Disconnect if the PPPoE connection is idle for the specified number of seconds. Set to zero to disable this feature.
This is available when mode is set to pppoe.
0
inbandwidth <bandwidth_integer>
Enter the Kbit/sec limit for incoming traffic for this interface.
Use this command to configure inbound traffic shaping for an interface. Inbound traffic shaping limits the bandwidth accepted by the interface. Limiting inbound traffic takes precedence over traffic shaping applied by firewall policies.
You can set inbound traffic shaping for any FortiGate unit interface and it can be active for more than one FortiGate unit interface at a time. Setting <bandwidth_integer> to 0 (the default) means unlimited bandwidth or no traffic shaping.
This does not affect traffic offloaded to NP2, NP4 and SP3 processors.
0
interface <port_name>
Enter the physical or VAP interface this virtual interface is linked to.
This is available only when adding virtual interfaces such as VLANs and VPNs.
None.
ip <interface_ipv4mask>
Enter the interface IP address and netmask.
This is not available if mode is set to dhcp or pppoe. You can set the IP and netmask, but it will not display.
This is only available in NAT/Route mode.
The IP address cannot be on the same subnet as any other FortiGate unit interface.
Varies for each interface.
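Three of the rules stated in this table lend themselves to a mechanical check before a configuration is pushed: the allowaccess types (http and telnet carry admin credentials in cleartext), the broadcast-forward caveat about broadcast-based DoS, and the rule that an interface IP cannot be on the same subnet as any other interface. The following Python script is an added example, not Fortinet code and not part of this reference. It parses a constructed "config system interface" dump written in the CLI syntax shown above (the interface names, addresses and settings are made up) and reports interfaces that fail any of the three checks. The finding texts, the set of access types treated as cleartext, and the decision to accept either "next" or a bare "end" as the close of an edit entry are this example's own choices.

```python
import ipaddress
import shlex

# Constructed sample dump in "config system interface" CLI syntax. The interface
# names, addresses and settings are made up for this example, not taken from a
# real FortiGate unit.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set allowaccess ping https ssh http telnet
        set ip 192.0.2.1 255.255.255.0
        set broadcast-forward enable
        config ipv6
            set ip6-allowaccess ping
        end
    next
    edit "port2"
        set allowaccess ping https
        set ip 198.51.100.1 255.255.255.0
    next
    edit "mgmt"
        set allowaccess https ssh
        set dedicated-to management
        set ip 203.0.113.1 255.255.255.0
    next
    edit "vlan10"
        set interface "port2"
        set vlanid 10
        set ip 192.0.2.129 255.255.255.0
    next
end
"""

# allowaccess types that carry admin credentials unencrypted (this example's choice)
CLEARTEXT_ACCESS = {"http", "telnet"}


def parse_interfaces(text):
    """Return {interface_name: {field: [values]}} from a config system interface dump.

    Only the top-level set lines of each edit entry are kept; nested sub-blocks
    (config ipv6, config secondaryip, ...) are skipped. Either next or a bare end
    closes an entry, so the abbreviated syntax listing in this reference parses
    as well as a dump taken from a unit.
    """
    interfaces = {}
    current = None   # name of the edit entry being filled, None between entries
    depth = 0        # nesting depth of config sub-blocks inside the entry
    for raw in text.splitlines():
        tokens = shlex.split(raw)          # handles quoted names such as "port2"
        if not tokens:
            continue
        verb = tokens[0]
        if current is None:
            if verb == "edit" and len(tokens) > 1:
                current = tokens[1]
                interfaces[current] = {}
            continue
        if verb == "config":
            depth += 1
        elif verb == "end" and depth > 0:
            depth -= 1
        elif verb in ("next", "end"):
            current = None
        elif verb == "set" and depth == 0 and len(tokens) > 1:
            interfaces[current][tokens[1]] = tokens[2:]
    return interfaces


def audit(interfaces):
    """Return sorted (interface, finding) tuples for the three checks."""
    findings = []
    networks = {}
    for name, fields in interfaces.items():
        cleartext = sorted(set(fields.get("allowaccess", [])) & CLEARTEXT_ACCESS)
        if cleartext:
            findings.append((name, "cleartext management access: " + " ".join(cleartext)))
        if fields.get("broadcast-forward") == ["enable"]:
            findings.append((name, "broadcast-forward enabled (broadcast DoS exposure)"))
        ip = fields.get("ip")
        if ip and len(ip) == 2:
            try:
                # "set ip <addr> <mask>": strict=False accepts a host address
                networks[name] = ipaddress.ip_network(f"{ip[0]}/{ip[1]}", strict=False)
            except ValueError:
                findings.append((name, "unparseable ip: " + " ".join(ip)))
    names = sorted(networks)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if networks[a].overlaps(networks[b]):
                findings.append((a, f"subnet {networks[a]} overlaps interface {b}"))
    return sorted(findings)


if __name__ == "__main__":
    for iface, finding in audit(parse_interfaces(SAMPLE_CONFIG)):
        print(f"{iface}: {finding}")
```

Run against the sample, the script reports port1 three times: it allows http and telnet, it has broadcast-forward enabled, and its /24 is the same subnet that vlan10 was given. The mgmt and port2 entries pass. Nested sub-blocks are deliberately ignored so that an ip6-allowaccess line inside config ipv6 is never mistaken for the interface's IPv4 allowaccess setting.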
ipmac {enable | disable}
Enable or disable IP/MAC binding for the specified interface. For information about configuring IP/MAC binding settings, see “ipmacbinding setting” and “ipmacbinding table”.
disable
ips-sniffer-mode {enable | disable}
Enable to configure this interface to operate as a one-armed sniffer as part of configuring a FortiGate unit to operate as an IDS appliance by sniffing packets for attacks without actually receiving and otherwise processing the packets. Once the interface is enabled for sniffing you cannot use the interface for other traffic. You must add sniffer policies for the interface to actually sniff packets.
For more information on one-armed IPS, see firewall sniffer.
disable
ipunnumbered <unnumbered_ipv4>
Enable IP unnumbered mode for PPPoE. Specify the IP address to be borrowed by the interface. This IP address can be the same as the IP address of another interface or can be any IP address.
This is only available when mode is pppoe.
The Unnumbered IP may be used for PPPoE interfaces for which no unique local address is provided. If you have been assigned a block of IP addresses by your ISP for example, you can add any of these IP addresses to the Unnumbered IP.
No default.
l2forward {enable | disable}
Enable to allow layer-2 forwarding for this interface.
If there are layer-2 protocols such as IPX, PPTP or L2TP in use on your network, you need to configure your FortiGate unit interfaces to pass these protocols without blocking.
Enabling l2forward may cause packets to repeatedly loop through the network, much like a broadcast storm. In this case either disable l2forward, or enable Spanning Tree Protocol (STP) on your network’s switches and routers.
For more information, see FortiGate VLANs and VDOMs.
disable
l2tp-client {enable | disable}
Enable or disable this interface as a Layer 2 Tunneling Protocol (L2TP) client.
Enabling makes config l2tp-client-settings visible.
You may need to enable l2forward on this interface.
This is available only on FortiGate 50 series, 60 series, and 100A.
The interface cannot be part of an aggregate interface, and the FortiGate unit cannot be in Transparent mode or HA mode. If l2tp-client is enabled on an interface, the FortiGate unit will not enter HA mode until the L2TP client is disabled.
disable
lcp-echo-interval <lcp_interval_secs>
Set the interval in seconds between PPPoE Link Control Protocol (LCP) echo requests.
This is available only when mode is pppoe.
5
lcp-max-echo-fails <missed_echoes>
Set the maximum number of missed LCP echoes before the PPPoE link is disconnected.
This is only available when mode is pppoe.
3
link-up-delay <secs_int>
Enter how long to wait (in seconds) before considering an aggregate or redundant link to be up. Range 50 to 3 600 000.
50
listen-forticlient-connection {enable | disable}
Enable listening for FortiClient endpoints connecting. This is required for endpoint compliance on endpoints that are connected to the interface through a router.
listen-forticlient-connection must be configured on the internal interface and on the IPsec tunnel interface if connection is via VPN.
disable
lldp-transmission {enable | disable | vdom}
Enable or disable Link Layer Discovery Protocol (LLDP) for this interface, or apply VDOM-level setting specified in lldp-transmission in system settings.
vdom
macaddr <mac_address>
Override the factory set MAC address of this interface by specifying a new MAC address. Use the form xx:xx:xx:xx:xx:xx.
This is only used for physical interfaces.
Factory set.
mediatype {serdes-sfp | sgmii-sfp}
Some FortiGate SFP interfaces can operate in SerDes (Serializer/Deserializer) or SGMII (Serial Gigabit Media Independent Interface) mode. The mode that the interface operates in depends on the type of SFP transceiver installed. Use this field to switch the interface between these two modes.
Set mediatype to:
serdes-sfp if you have installed a SerDes transceiver. In SerDes mode an SFP interface can only operate at 1000 Mbps.
sgmii-sfp if you have installed an SGMII transceiver. In SGMII mode the interface can operate at 10, 100, or 1000 Mbps.
This field is available on network interfaces to which it is relevant, including FortiGate-ASM-FB4 and port3 to port18 of the FortiGate-3016B.
serdes-sfp
mode <interface_mode>
Configure the connection mode for the interface as one of:
static — configure a static IP address for the interface.
dhcp — configure the interface to receive its IP address from an external DHCP server.
pppoe — configure the interface to receive its IP address from an external PPPoE server. This is available only in NAT/Route mode.
eoa — Ethernet over ATM
pppoa — IP over ATM (also known as bridged mode).
This variable is only available in NAT/Route mode.
static
mtu <mtu_bytes>
Set a custom maximum transmission unit (MTU) size in bytes. Ideally set mtu to the size of the smallest MTU of all the networks between this FortiGate unit and the packet destination.
<mtu_bytes> valid ranges are:
68 to 1 500 bytes in static mode
576 to 1 500 bytes in dhcp mode
576 to 1 492 bytes in pppoe mode
up to 9 000 bytes for NP2-accelerated interfaces
over 1 500 bytes on high end FortiGate models on some interfaces.
If you enter an MTU that is not supported, an error message informs you of the valid range for this interface.
In Transparent mode, if you change the MTU of an interface, you must change the MTU of all interfaces to match the new MTU.
If you configure an MTU size larger than 1 500 on your FortiGate unit, all other network equipment on the route to the destination must also support that frame size.
You can set the MTU of a physical interface, a VLAN interface, and some tunnel interfaces (not IPsec). All virtual interfaces inherit the MTU of the parent physical interface.
The variable mtu is only available when mtu-override is enabled.
1 500
mtu-override {enable | disable}
Select enable to use custom MTU size instead of default (1 500). This is available only for physical interfaces and some tunnel interfaces (not IPsec).
Some models support MTU sizes larger than the standard 1 500 bytes.
disable
netbios-forward {disable | enable}
Enable to forward Network Basic Input/Output System (NetBIOS) broadcasts to a Windows Internet Name Service (WINS) server. Use wins-ip <wins_server_ip> to set the WINS server IP address.
This variable is only available in NAT/Route mode.
disable
nontp-web-proxy {disable | enable}
Enable to turn on web cache support for this interface, such as accepting HTTP proxies and DNS requests. Web caching accelerates web applications and web servers by reducing bandwidth usage, server load, and perceived latency. For more information, see web-proxy explicit.
This variable is only available when this interface is in NAT/Route mode.
disable
outbandwidth <bandwidth_integer>
Enter the Kbit/sec limit for outgoing (egress) traffic for this interface.
Use this command to configure outbound traffic shaping for an interface. Outbound traffic shaping limits the bandwidth accepted by the interface. Limiting outbound traffic takes precedence over traffic shaping applied by firewall policies.
You can set outbound traffic shaping for any FortiGate interface and it can be active for more than one FortiGate interface at a time.
Setting <bandwidth_integer> to 0 (the default) means unlimited bandwidth or no traffic shaping.
This does not affect traffic offloaded to NP2, NP4 and SP3 processors.
0
padt-retry-timeout <padt_retry_seconds>
Initial PPPoE Active Discovery Terminate (PADT) timeout in seconds. Use this timeout to shut down the PPPoE session if it is idle for this number of seconds. PADT must be supported by your ISP.
This is available in NAT/Route mode when mode is pppoe.
1
password <pppoe_password>
Enter the password to connect to the PPPoE server.
This is available in NAT/Route mode when mode is pppoe.
No default.
pbx-user-portal {enable | disable}
Enable PBX user portal on the interface.
This command is available only on FortiGate Voice units.
disable
phone-auto-provision {enable | disable}
Enable SIP phone auto-provisioning on the interface.
This command is available only on FortiGate Voice units.
disable
poe {disable | enable}
Enable or disable PoE (Power over Ethernet). This option is only available on models with PoE feature.
disable
polling-interval <interval_int>
Set the amount of time in seconds that the sFlow agent waits between sending collected data to the sFlow collector. The range is 1 to 255 seconds.
A higher polling-interval means less data is sent across the network but also means that the sFlow collector’s picture of the network may be out of date.
20
pppoe-unnumbered-negotiate {disable | enable}
Disable to resolve problems when mode is set to PPPoE, and ipunnumbered is set. The default configuration may not work in some regions, such as Japan.
This is only available when mode is pppoe and ipunnumbered is set.
enable
pptp-client {disable | enable}
Enable to configure and use a point-to-point tunneling protocol (PPTP) client.
You may need to enable l2forward on this interface.
This command is not available when in HA mode. If the pptp-client is enabled on an interface, the FortiGate unit will not enter HA mode until that pptp-client is disabled.
disable
pptp-user <pptp_username>
Enter the name of the PPTP user.
No default.
pptp-password <pptp_userpassword>
Enter the password for the PPTP user.
No default.
pptp-server-ip <pptp_serverid>
Enter the IP address for the PPTP server.
No default.
pptp-auth-type <pptp_authtype>
Enter the authentication type for the PPTP user.
No default.
pptp-timeout <pptp_idletimeout>
Enter the idle timeout in minutes. Use this timeout to shut down the PPTP user session if it is idle for this number of seconds. 0 for disabled.
No default.
priority <learned_priority>
Enter the priority of routes using this interface.
For more information on priority, see router static.
This is only available when mode is pppoe or dhcp.
0
priority-override {enable | disable}
Enable fail back to higher priority port once recovered.
enable
remote-ip <ipv4>
Enter an IP address for the remote end of a tunnel interface.
If you want to use dynamic routing with the tunnel, or be able to ping the tunnel interface, you must specify an address for the remote end of the tunnel in remote-ip and an address for this end of the tunnel in ip.
This is only available if type is tunnel.
No default.
replacemsg-override-group {group-name}
Enter the replacement message override group name. This is for captive portal messages when security-mode is captive-portal.
No default.
sample-direction {both | rx | tx}
Configure the sFlow agent to sample traffic received by the interface (rx) or sent from the interface (tx) or both.
both
sample-rate <rate_int>
Set the sample rate for the sFlow agent added to this interface. The sample rate defines the average number of packets to wait between samples. For example, the default sample-rate of 2000 samples 1 of every 2000 packets. The sample-rate range is 10 to 99999 packets between samples.
The lower the sample-rate the higher the number of packets sampled. Sampling more packets increases the accuracy of the sampling data but also increases the CPU and network bandwidth required to support sFlow. The default sample-rate of 2000 provides high enough accuracy in most cases.
Increasing the sample-rate reduces accuracy; decreasing it increases accuracy.
2000
secondary-IP {enable | disable}
Enable to add a secondary IP address to the interface. This option must be enabled before configuring a secondary IP address.
When disabled, the web-based manager interface displays only the option to enable secondary IP.
disable
security-exempt-list <list_name>
Optionally, specify a security exempt list. The members will bypass the captive portal.
No default.
security-external-web <url>
Enter URL of external authentication web server. This is available when security-mode is captive-portal.
No default.
security-groups [group1 [group2 ... groupn]]
Optionally, enter the groups that are allowed access to this interface. This is available when security-mode is captive-portal.
Null
security-mode {none | captive-portal | 802.1X}
Set security mode for this interface:
none
captive-portal — allow only authenticated members of security-groups access through this interface.
802.1X — available only on FGT60C, FWF60C, FWF60CM, FGT80C, FGT80CM, FWF80CM, FWF81C, FGT110C, and FGT111C.
none
security-redirect-url <url_str>
Specify URL for redirection after captive portal authentication.
No default.
sflow-sampler {disable | enable}
Add an sFlow agent to an interface. You can also configure the sFlow agent’s sample-rate, polling-interval, and sample-direction. You can add sFlow agents to any FortiGate interface, including physical interfaces, VLAN interfaces, and aggregate interfaces.
After adding the sFlow agent you can configure the sFlow
For more information about sFlow see system sflow.
disable
snmp-index <id_int>
Optionally, specify the index number of this interface for SNMP purposes.
null
speed <interface_speed>
The interface speed:
auto — the default speed. The interface uses auto-negotiation to determine the connection speed. Change the speed only if the interface is connected to a device that does not support auto-negotiation.
10full — 10 Mbps, full duplex
10half — 10 Mbps, half duplex
100full — 100 Mbps, full duplex
100half — 100 Mbps, half duplex
1000full — 1000 Mbps, full duplex
1000half — 1000 Mbps, half duplex
Speed options vary for different models and interfaces. Enter a space and a “?” after the speed field to display a list of speeds available for your model and interface.
You cannot change the speed for switch interfaces.
Note: XG2 interfaces on models 3140B and 3950B cannot be configured for 1000Mbps.
auto
spillover-threshold <threshold_int>
Set the spillover-threshold to limit the amount of bandwidth processed by the interface. The range is 0 to 16 776 000 Kbps.
Set the spillover-threshold for an interface if the ECMP route failover and load balance method, configured by the v4‑ecmp‑mode field of the config system settings command, is set to usage-based.
The FortiGate unit sends all ECMP-routed sessions to the lowest numbered interface until the bandwidth being processed by this interface reaches its spillover threshold. The FortiGate unit then spills additional sessions over to the next lowest numbered interface.
0
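The fill-then-spill behaviour described for spillover-threshold, as an added example (not Fortinet code) that places constructed sessions across interfaces in interface-number order. The load accounting, the numeric-suffix sort key and the treatment of a threshold of 0 as "no limit" are assumptions of this example.

```python
"""Usage-based ECMP spillover, modelled on the spillover-threshold description.

Added example, not Fortinet code.  A new session is sent to the lowest
numbered interface whose current load is below its spillover threshold;
once that interface reaches its threshold, sessions spill over to the next
lowest numbered interface.  The load accounting, the port-number sort key
and the treatment of threshold 0 as "no limit" are assumptions made here.
"""
import re

MAX_THRESHOLD_KBPS = 16_776_000  # upper bound of the documented range


def iface_number(name):
    """Sort key for names such as 'port12' (assumption: numeric suffix is the interface number)."""
    m = re.search(r"(\d+)$", name)
    return int(m.group(1)) if m else 0


def validate_thresholds(thresholds_kbps):
    """Reject thresholds outside the documented 0 to 16 776 000 Kbps range."""
    for name, limit in thresholds_kbps.items():
        if not 0 <= limit <= MAX_THRESHOLD_KBPS:
            raise ValueError(f"{name}: spillover-threshold {limit} out of range")


def pick_spillover_interface(thresholds_kbps, load_kbps):
    """Return the interface a new ECMP session is sent to, or None if all are at threshold."""
    for name in sorted(thresholds_kbps, key=iface_number):
        limit = thresholds_kbps[name]
        if limit == 0 or load_kbps.get(name, 0) < limit:
            return name
    return None


def assign_sessions(thresholds_kbps, session_kbps):
    """Place sessions one at a time; returns (placements, final load per interface)."""
    validate_thresholds(thresholds_kbps)
    load = {name: 0 for name in thresholds_kbps}
    placements = []
    for bw in session_kbps:
        chosen = pick_spillover_interface(thresholds_kbps, load)
        if chosen is not None:
            load[chosen] += bw
        placements.append(chosen)
    return placements, load


if __name__ == "__main__":
    # Constructed thresholds: port1 spills at 500 Kbps, port2 at 1000 Kbps.
    thresholds = {"port2": 1000, "port1": 500}
    placements, load = assign_sessions(thresholds, [300] * 7)
    print(placements)  # ['port1', 'port1', 'port2', 'port2', 'port2', 'port2', None]
    print(load)        # {'port2': 1200, 'port1': 600}
```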
status {down | up}
Start or stop the interface. If the interface is stopped, it does not accept or send packets.
If you stop a physical interface, associated virtual interfaces such as VLAN interfaces will also stop.
up
(down for VLANs)
stpforward {enable | disable}
Enable to forward Spanning Tree Protocol (STP) packets through this interface. STP maps the network to provide the least-cost-path from point to point while blocking all other ports for that path. This prevents any loops which would flood the network.
If your network uses layer-2 protocols, and has looping issues STP will stop this. For more information, see FortiGate VLANs and VDOMs.
disable
stpforward-mode {rpl‑all‑ext‑id | rpl‑bridge‑ext‑id | rpl‑nothing}
Choose the STP forwarding mode:
rpl-all-ext-id Replace all extension IDs (root, bridge).
rpl-bridge-ext-id Replace bridge extension ID only.
rpl-nothing Replace nothing.
rpl‑all‑ext‑id
subst {enable | disable}
Enable to use a substitute destination MAC address for this interface.
This feature may be used with virtual interfaces to prevent network loops.
disable
substitute-dst-mac <destination_mac_address>
Enter the substitute destination MAC address to use when subst is enabled. Use the xx:xx:xx:xx:xx:xx format.
No default.
tcp-mss <max_send_bytes>
Enter the FortiGate unit’s maximum sending size for TCP packets.
No default.
trunk {enable | disable}
Enable or disable trunking on this interface. virtual-switch-vlan must be enabled in system global.
disable
trust-ip-1 <ipmask>
trust-ip-2 <ipmask>
trust-ip-3 <ipmask>
Enter trusted source addresses for this management interface. Packets from other source addresses are dropped. This is available on “mgmt” interfaces where dedicate-to is management.
0.0.0.0/24
type {aggregate | hard‑switch | hdlc | loopback | physical | redundant | tunnel | vap‑switch | vdom‑link | vlan | wireless}
Enter set type ? to see a list of the interface types that can be created. Other interface types are visible when viewing field values (using get system interface for example), but cannot be changed.
vlan for newly created interface, physical otherwise.
username <pppoe_username>
Enter the user name used to connect to the PPPoE server.
This is only available in NAT/Route mode when mode is set to pppoe.
No default.
vdom <vdom_name>
Enter the name of the virtual domain to which this interface belongs.
When you change this field, the physical interface moves to the specified virtual domain. Virtual IP previously added for this interface are deleted. You should also manually delete any routes that include this interface as they may now be inaccessible.
root
vlanforward {enable | disable}
Enable or disable forwarding of traffic between VLANs on this interface. When disabled, VLAN traffic will be delivered to its own VLAN only.
enable
disable (v5.2.2 and later)
vlanid <id_number>
Enter a VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface.
The VLAN ID can be any number between 1 and 4094, as 0 and 4095 are reserved, but it must match the VLAN ID added by the IEEE 802.1Q-compliant router on the other end of the connection. Two VLAN subinterfaces added to the same physical interface cannot have the same VLAN ID. However, you can add two or more VLAN subinterfaces with the same VLAN ID to different physical interfaces, and you can add more multiple VLANs with different VLAN IDs to the same physical interface.
This is available only when editing an interface with a type of VLAN.
No default.
voip {enable | disable}
Enable the VoIP SIP protocol for allowing SIP traffic on the interface.
This command is available only on FortiGate Voice units.
disable
vrrp-virtual-mac {enable | disable}
Enable VRRP virtual MAC addresses for the VRRP routers added to this interface. See RFC 3768 for information about the VRRP virtual MAC addresses.
disable
wccp {enable | disable}
Enable WCCP on an interface. This setting specifies the interface on which the FortiGate unit sends and receives WCCP packets and redirected traffic.
disable
weight <int>
Set the default weight for static routes on this interface. This applies if a route has no weight configured.
0
wifi-auto-connect {enable | disable}
Enable to have client mode WiFi automatically connect to nearest saved WiFi network.
enable
wifi-auto-save {enable | disable}
Enable to have client mode WiFi automatically save the passphrase when it connects to a WiFi network.
disable
wins-ip <wins_server_ip>
Enter the IP address of a WINS server to which to forward NetBIOS broadcasts.
This WINS server address is only used if netbios-forward is enabled.
This variable is only available in NAT/Route mode.
No default.
config ipv6 variables
autoconf {enable | disable}
Enable or disable automatic configuration of the IPv6 address.
When enabled, and ip6-send-adv is disabled, the FortiGate unit acts as a stateless address auto-configuration client (SLAAC).
disable
dhcp6-relay-server {enable | disable}
Enable or disable DHCP relay service for IPv6.
disable
dhcp6-relay-ip {ip1_ipv6 ... ipn_ipv6}
Enter the IP address of one or more IPv6 DHCP relays. This is available if dhcp6-relay-server is enabled.
No default.
ip6-address <if_ipv6mask>
The interface IPv6 address and netmask. The format for IPv6 addresses and netmasks is described in RFC 3513.
This is available in NAT/Route mode only.
::/0
ip6-allowaccess <access_types>
Enter the types of management access permitted on this IPv6 interface.
Valid types are: fgfm, http, https, ping, snmp, ssh, and telnet. Separate the types with spaces. If you want to add or remove an option from the list, retype the list as required.
Varies for each interface.
ip6-default-life <ipv6_life_seconds>
Enter the number, in seconds, to add to the Router Lifetime field of router advertisements sent from the interface. The valid range is 0 to 9000.
This is available in NAT/Route mode only.
1800
ip6-hop-limit <ipv6_hops_limit>
Enter the number to be added to the Cur Hop Limit field in the router advertisements sent out this interface. Entering 0 means no hop limit is specified.
This is available in NAT/Route mode only.
0
ip6-link-mtu <ipv6_mtu>
Enter the MTU number to add to the router advertisements options field. Entering 0 means that no MTU options are sent.
This is available in NAT/Route mode only.
0
ip6-manage-flag {disable | enable}
Enable or disable the managed address configuration flag in router advertisements.
This is available in NAT/Route mode only.
disable
ip6-max-interval <adverts_max_seconds>
Enter the maximum time interval, in seconds, between sending unsolicited multicast router advertisements from the interface. The valid range is 4 to 1800.
This is available in NAT/Route mode only.
600
ip6-min-interval <adverts_min_seconds>
Enter the minimum time interval, in seconds, between sending unsolicited multicast router advertisements from the interface. The valid range is 4 to 1800.
This is available in NAT/Route mode only.
198
ip6-mode {static | dhcp6 | pppoe}
Select either static, DHCP or PPPoE-assigned address for this interface in IPv6 operation. PPPoE is available only if IPv4 mode is pppoe.
static
ip6-other-flag {enable | disable}
Enable or disable the other stateful configuration flag in router advertisements.
This is available in NAT/Route mode only.
disable
ip6-reachable-time <reachable_msecs>
Enter the number to be added to the reachable time field in the router advertisements. The valid range is 0 to 3600. Entering 0 means no reachable time is specified.
This is available in NAT/Route mode only.
0
ip6-retrans-time <retrans_msecs>
Enter the number to be added to the Retrans Timer field in the router advertisements. Entering 0 means that the Retrans Timer is not specified.
This is available in NAT/Route mode only.
0
ip6-send-adv {enable | disable}
Enable or disable the flag indicating whether or not to send periodic router advertisements and to respond to router solicitations.
When enabled, this interface’s address will be added to the all-routers group (FF02::02) and be included in a Multicast Listener Discovery (MLD) report. If no interfaces on the FortiGate unit have ip6-send-adv enabled, the FortiGate unit will only listen to the all-hosts group (FF02::01), which is explicitly excluded from MLD reports according to RFC 2710 section 5.
When disabled, and autoconf is enabled, the FortiGate unit acts as a stateless address auto-configuration client (SLAAC).
This is available in NAT/Route mode only.
disable
edit <ipv6_prefix> variables
autonomous-flag {enable | disable}
Set the state of the autonomous flag for the IPv6 prefix.
disable
onlink-flag {enable | disable}
Set the state of the on-link flag ("L-bit") in the IPv6 prefix.
 
preferred-life-time <seconds>
Enter the preferred lifetime, in seconds, for this IPv6 prefix.
604800
valid-life-time <seconds>
Enter the valid lifetime, in seconds, for this IPv6 prefix.
2592000
config ip6-extra-addr
Configure a secondary address for this IPv6 interface.
 
<prefix_ipv6>
IPv6 address prefix.
 
config l2tp-client-settings
auth-type {auto | chap | mschapv1 | mschapv2 | pap}
Select the type of authentication used with this client:
auto — automatically choose the type of authentication.
chap — use Challenge-Handshake Authentication Protocol.
mschapv1 — use Microsoft version of CHAP version 1.
mschapv2 — use Microsoft version of CHAP version 2.
pap — use Password Authentication Protocol.
auto
defaultgw {enable | disable}
Enable to use the default gateway.
disable
distance <admin_distance>
Enter the administration distance of learned routes.
2
mtu <integer>
Enter the Maximum Transmission Unit (MTU) for L2TP.
1460
password <password>
Enter the password for L2TP.
n/a
peer-host <ipv4_addr>
Enter the IP address of the L2TP host.
n/a
peer-mask <netmask>
Enter the netmask used to connect to L2TP peers connected to this interface.
255.255.255.255
peer-port <port_num>
Enter the port used to connect to L2TP peers on this interface.
1701
priority <integer>
Enter the priority of routes learned through L2TP. This will be used to resolve any ties in the routing table.
0
user <string>
Enter the L2TP user name used to connect.
n/a
variables for ADSL interface (some FortiGate models)
gwaddr <IPv4>
Enter the IP address of the gateway for this interface.
 
mux-type {llc‑encaps | vc-encaps}
Enter the MUX type as either llc-encaps or vc-encaps.
This information is provided by your ISP.
 
vci <integer>
Enter the virtual circuit identification VCI number. Valid numbers are from 0 to 255. This number is provided by your ISP.
0
vpi <integer>
Enter the virtual circuit identification VPI number. Valid numbers are from 0 to 65535. This number is provided by your ISP.
35
variables for aggregate and redundant interfaces (some FortiGate models)
These variables are available only when type is aggregate or redundant.
algorithm {L2 | L3 | L4}
Enter the algorithm used to control how frames are distributed across links in an aggregated interface (also called a Link Aggregation Group (LAG)). The algorithm must match that used by connected switches. Enter one of:
L2 — use source and destination MAC addresses.
L3 — use source and destination IP addresses, fall back to L2 algorithm if IP information is not available.
L4 — use TCP, UDP or ESP header information.
L4
lacp-ha-slave {enable | disable}
This option affects how the aggregate interface participates in Link Aggregation Control Protocol (LACP) negotiation when HA is enabled for the VDOM. It takes effect only if Active-Passive HA is enabled and lacp-mode is not static. Enter enable to participate in LACP negotiation as a slave or disable to not participate.
enable
lacp-mode {active | passive | static}
Enter one of active, passive, or static.
active — send LACP PDU packets to negotiate link aggregation connections. This is the default.
passive — respond to LACP PDU packets and negotiate link aggregation connections.
static — link aggregation is configured statically
active
lacp-speed {fast | slow}
slow — sends LACP PDU packets every 30 seconds to negotiate link aggregation connections. This is the default.
fast — sends LACP PDU packets every second, as recommended in the IEEE 802.3ad standard.
This is available only when type is aggregate.
slow
member <if_name1> <if_name2> ...
Specify a list of physical interfaces that are part of an aggregate or redundant group. To modify a list, enter the complete revised list.
If VDOMs are enabled, then vdom must be set the same for each interface before you enter the member list.
An interface is available to be part of an aggregate or redundant group only if:
it is a physical interface, not a VLAN interface
it is not already part of an aggregated or redundant interface
it is in the same VDOM as the aggregated interface
it has no defined IP address and is not configured for DHCP or PPPoE
it has no DHCP server or relay configured on it
it does not have any VLAN subinterfaces
it is not referenced in any firewall policy, VIP or multicast policy
it is not an HA heartbeat device or monitored by HA
In a redundant group, failover to the next member interface happens when the active interface fails or is disconnected.
The order you specify the interfaces in the member list is the order they will become active in the redundant group. For example if you enter set member port5 port1, then port5 will be active at the start, and when it fails or is disconnected port1 will become active.
This is only available when type is aggregate or redundant.
No default.
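The member eligibility conditions and the redundant-group activation order above, as an added example (not Fortinet code) that checks a constructed inventory before a member list is committed. The Iface record and its field names are assumptions of this example, not FortiGate configuration keys.

```python
"""Eligibility check for aggregate / redundant member interfaces.

Added example, not Fortinet code: models the conditions listed for the
member field and the activation order of a redundant group.  The Iface
record and its field names are assumptions, not FortiGate config keys."""
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Iface:
    name: str
    type: str = "physical"                 # physical | vlan | aggregate | ...
    vdom: str = "root"
    ip: str = "0.0.0.0/0"                  # 0.0.0.0/0 = no address configured
    mode: str = "static"                   # static | dhcp | pppoe
    member_of: Optional[str] = None        # parent aggregate/redundant group
    dhcp_server_or_relay: bool = False
    vlans: List[str] = field(default_factory=list)
    referenced_by: List[str] = field(default_factory=list)  # policies, VIPs, mcast
    ha_heartbeat: bool = False
    ha_monitored: bool = False

def member_problems(iface: Iface, group_vdom: str) -> List[str]:
    """Return the conditions the interface violates (empty list = eligible)."""
    p = []
    if iface.type != "physical":
        p.append("not a physical interface")
    if iface.member_of:
        p.append(f"already a member of {iface.member_of}")
    if iface.vdom != group_vdom:
        p.append(f"vdom {iface.vdom} differs from the group's vdom {group_vdom}")
    if iface.ip != "0.0.0.0/0" or iface.mode in ("dhcp", "pppoe"):
        p.append("has an IP address or uses DHCP/PPPoE")
    if iface.dhcp_server_or_relay:
        p.append("has a DHCP server or relay")
    if iface.vlans:
        p.append("has VLAN subinterfaces: " + ", ".join(iface.vlans))
    if iface.referenced_by:
        p.append("referenced by " + ", ".join(iface.referenced_by))
    if iface.ha_heartbeat or iface.ha_monitored:
        p.append("is an HA heartbeat device or monitored by HA")
    return p

def check_member_list(members, inventory, group_vdom="root"):
    """Validate a 'set member ...' list; returns {interface: [problems]}."""
    return {
        name: member_problems(inventory[name], group_vdom)
        if name in inventory else ["unknown interface"]
        for name in members
    }

def redundant_active_member(members, failed=()):
    """Active member of a redundant group: the first listed member that has not failed."""
    return next((m for m in members if m not in failed), None)

# Constructed inventory for the example; not taken from a real device.
INVENTORY = {
    "port1": Iface("port1"),
    "port3": Iface("port3", ip="10.0.0.1/24", referenced_by=["policy 4"]),
    "port5": Iface("port5"),
    "port6": Iface("port6", vdom="dmz", vlans=["port6.100"]),
    "port7": Iface("port7", member_of="agg1", ha_monitored=True),
}

if __name__ == "__main__":
    for name, probs in check_member_list(["port5", "port1", "port3", "port6", "port7"], INVENTORY).items():
        print(f"{name}: {'eligible' if not probs else '; '.join(probs)}")
    print("redundant active after port5 fails:", redundant_active_member(["port5", "port1"], failed={"port5"}))
```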
min-links <int>
When type is aggregate, set the minimum number of members that must be working.
1
min-links-down {operational | administrative}
When type is aggregate and the interface is down because of min-links limit, choose whether interface is down operationally or only administratively.
operational
VRRP fields
Add one or more VRRP virtual routers to a FortiGate interface. For information about VRRP, see RFC 3768.
 
<VRID_int>
VRRP virtual router ID (1 to 255). Identifies the VRRP virtual router.
 
adv-interval <seconds_int>
VRRP advertisement interval (1-255 seconds).
1
preempt {enable | disable}
Enable or disable VRRP preempt mode. In preempt mode a higher priority backup unit can preempt a lower priority master unit.
enable
priority <prio_int>
Priority of this virtual router (1-255). The VRRP virtual router on a network with the highest priority becomes the master.
100
start-time <seconds_int>
The startup time of this virtual router (1-255 seconds). The startup time is the maximum time that the backup unit waits between receiving advertisement messages from the master unit.
3
status {enable | disable}
Enable or disable this virtual router.
enable
vrdst <ipv4_addr1> [<ipv4_addr2>]
Monitor the route to these destinations. You can enter one or two addresses. Failure will be reported only if both monitored IPs are reported down.
null
vrgrp <grp_int>
Enter the VRRP group ID. Range 1 to 65535. 0 means no group.
0
vrip <ipv4_addr>
IP address of the virtual router.
0.0.0.0
WiFi fields (AP-mode)
mac <mac_address>
Enter a MAC address for the MAC filter list. This is used in the config wifi-mac_list subcommand.
No default.
wifi-acl {allow | deny}
Select whether MAC filter list allows or denies access.
deny
wifi-auth {PSK | radius | usergroup}
Select either Pre-shared Key (PSK) or radius to authenticate users connecting to this interface. This is available only when wifi-security is set to WPA.
Select usergroup to add a usergroup with the wifi-usergroup keyword. This option is only available when wifi-security is set to wpa-enterprise or wpa2-enterprise.
PSK
wifi-broadcast_ssid {enable | disable}
Enable if you want FortiWiFi-60 to broadcast its SSID.
disable
wifi-encrypt {AES | TKIP}
Select either Advanced Encryption Standard (AES) or Temporal Key Integrity Protocol (TKIP) for encryption on this WLAN interface.
This is available only when wifi-security is set to WPA.
TKIP
wifi-fragment_threshold <packet_size>
Set the maximum size of a data packet before it is broken into smaller packets, reducing the chance of packet collisions. If the packet size is larger than the threshold, the FortiWiFi unit will fragment the transmission. If the packet size is less than the threshold, the FortiWiFi unit will not fragment the transmission.
Range 800-2346. A setting of 2346 bytes effectively disables this option.
This is available in AP mode only.
2346
wifi-key <hex_key>
Enter a WEP key. The WEP key must be 10 or 26 hexadecimal digits (0-9 a-f). For a 64-bit WEP key, enter 10 hexadecimal digits. For a 128-bit WEP key, enter 26 hexadecimal digits.
wifi-security must be set to WEP128 or WEP64.
This is available in AP mode only.
No default.
wifi-mac-filter {enable | disable}
Enable MAC filtering for the wireless interface.
disable
wifi-passphrase <pass_str>
Enter shared key for WPA_PSK security.
wifi-security must be set to WPA_PSK.
This is available in AP mode only.
fortinet
wifi-radius-server <server_name>
Set RADIUS server name for WPA_RADIUS security.
wifi-security must be set to WPA_RADIUS.
This is available in AP mode only.
No default.
wifi-rts_threshold <integer>
The request to send (RTS) threshold is the maximum size, in bytes, of a packet that the FortiWiFi will accept without sending RTS/CTS packets to the sending wireless device. In some cases, larger packets being sent may cause collisions, slowing data transmissions.
The valid range is 256 to 2346. A setting of 2347 bytes effectively disables this option.
This is available in AP mode only.
2346
wifi-security <sec_mode>
Enter security (encryption) mode:
none — Communication is not encrypted.
wep64 — WEP 64-bit encryption
wep128 — WEP 128-bit encryption
wpa-personal — WPA or WPA2, personal authentication (PSK)
wpa-enterprise — WPA or WPA2, enterprise authentication (802.1x)
wpa2-personal — WPA2 encryption, personal authentication (PSK)
wpa2-enterprise — WPA or WPA2, enterprise authentication (802.1x)
wpa_radius — WPA encryption via RADIUS server.
This is available in AP mode only.
wpa-personal
wifi-ssid <id_str>
Change the Service Set ID (SSID) as required.
The SSID is the wireless network name that this FortiWiFi-60A WLAN broadcasts. Users who wish to use the wireless network should configure their computers to connect to the network that broadcasts this network name.
fortinet
WiFi-Networks field (Client mode)
<network_id>
Enter an integer ID.
 
wifi-key <key_str>
Enter the pre-shared key for WEP security on this network.
No default.
wifi-keyindex <index_int>
Enter the pre-shared key index for WEP security on this network.
1
wifi-passphrase <psk_str>
Enter the pre-shared key for WPA-Personal security on this network.
No default.
wifi-security {wpa‑personal | wep128 | wep64 | open}
Select the security that this network uses.
wpa‑personal
wifi-ssid <ssid_str>
Enter the SSID for this network.
fortinet