Editing network interfaces
You can edit FortiMail’s physical network interfaces to change their IP addresses, netmasks, administrative access protocols, and other settings. You can also create or edit logical interfaces, such as VLANs, redundant interfaces and the loopback interface.
 
Enable administrative access only on network interfaces connected to trusted private networks or directly to your management computer. If possible, enable only secure administrative access protocols such as HTTPS or SSH. Failure to restrict administrative access could compromise the security of your FortiMail unit.
If your FortiMail unit operates in transparent mode and depending on your network topology, you may need to configure the network interfaces of the FortiMail unit.
If all email servers protected by the FortiMail unit are located on the same subnet, no network interface configuration is necessary. Bridging is the default configuration for network interfaces when the FortiMail unit operates in transparent mode, and the FortiMail unit will bridge all connections occurring through it from the network to the protected email servers.
If email servers protected by the FortiMail unit are located on different subnets, you must connect those email servers through separate physical ports on the FortiMail unit, and configure the network interfaces associated with those ports, assigning IP addresses and removing them from the bridge.
It is possible to configure a mixture of bridging and non-bridging network interfaces. For example, if some email servers belong to the same subnet, network interfaces for those email servers may remain in the bridge group; email servers belonging to other subnets may be attached to network interfaces that are not associated with the bridge.
 
You can restrict which IP addresses are permitted to log in as a FortiMail administrator through network interfaces. For details, see “Configuring administrator accounts”.
To create or edit a network interface
1. Go to System > Network > Interface.
2. Double-click a network interface to modify it or select the interface and click Edit. If you want to create a logical interface, click New.
The Edit Interface dialog appears. Its appearance varies by:
the operation mode of the FortiMail unit (gateway, transparent, or server)
if the FortiMail unit is operating in transparent mode, by whether the network interface is port1, which must remain a member of the Layer 2 bridge and associated with the management IP, and so cannot be configured with its own IP/Netmask
3. For gateway mode or server mode, configure the following:
 
GUI item
Description
Interface Name
If you are editing an existing interface, this field displays the name (such as port2) and media access control (MAC) address for this network interface.
If you are creating a logical interface, enter a name for the interface.
Type
If you are creating a logical interface, select which type of interface you want to create. For information about logical interface types, see “About FortiMail logical interfaces”.
 
VLAN
If you want to create a VLAN subinterface, select the physical interface on which to create the subinterface.
Then specify a VLAN ID. Valid VLAN ID numbers are from 1 to 4094, while 0 is used for high priority frames, and 4095 is reserved.
 
Redundant
If you want to create a redundant interface, select its member interfaces from the available interfaces. Include two or more interfaces as members; a redundant interface with a single member provides no failover.
 
Loopback
If you want to add a loopback interface, select the Loopback type and the interface name will be automatically reset to “loopback”. You can only add one loopback interface on FortiMail.
Addressing mode
 
Manual
Select to enter a static IP address, then enter the IP address and netmask for the network interface.
 
 
IP/Netmask
Enter the IP address and netmask for the network interface. If the FortiMail unit is operating in gateway mode or server mode, this option is available only if Manual is selected.
Note: IP addresses of different interfaces cannot be on the same subnet.
 
DHCP
Select to retrieve a dynamic IP address using DHCP.
This option appears only if the FortiMail unit is operating in gateway mode or server mode.
 
 
Retrieve default gateway and DNS from server
Enable to retrieve both the default gateway and DNS addresses from the DHCP server, replacing any manually configured values.
 
 
Connect to server
Enable for the FortiMail unit to attempt to obtain DNS addressing information from the DHCP server.
Disable this option if you are configuring the network interface offline, and do not want the unit to attempt to obtain addressing information at this time.
Access
Enable protocols that this network interface should accept for connections to the FortiMail unit itself. (These options do not affect connections that will travel through the FortiMail unit.)
HTTPS: Enable to allow secure HTTPS connections to the web‑based manager, webmail, and per-recipient quarantine through this network interface.
HTTP: Enable to allow HTTP connections to the web‑based manager, webmail, and per-recipient quarantine through this network interface.
For information on redirecting HTTP requests for webmail and per-recipient quarantines to HTTPS, see “Configuring global quarantine report settings”.
PING: Enable to allow ICMP ECHO (ping) responses from this network interface.
For information on configuring the network interface from which the FortiMail unit itself will send pings, see the FortiMail CLI Reference.
SSH: Enable to allow SSH connections to the CLI through this network interface.
SNMP: Enable to allow SNMP connections (queries) to this network interface.
For information on further restricting access, or on configuring the network interface that will be the source of traps, see “Configuring the network interfaces”.
TELNET: Enable to allow Telnet connections to the CLI through this network interface.
Caution: HTTP and Telnet send administrator credentials and session data in cleartext, so anyone on the network path can intercept them. If possible, leave both disabled; otherwise enable them only on network interfaces connected to a trusted private network, or directly to your management computer. Failure to restrict administrative access through these protocols could compromise the security of your FortiMail unit. For information on further restricting administrative connections, see “Configuring administrator accounts”.
MTU
 
Override default MTU value (1500)
Enable to change the maximum transmission unit (MTU) value, then enter the maximum packet or Ethernet frame size in bytes.
If network devices between the FortiMail unit and its traffic destinations require smaller or larger units of traffic, packets may require additional processing at each node in the network to fragment or reassemble them, resulting in reduced network performance. Adjusting the MTU to match your network can improve network performance.
The default value is 1500 bytes. The MTU size must be between 576 and 1500 bytes. Change this if you need a lower value; for example, RFC 2516 prescribes a value of 1492 for the PPPoE protocol.
Administrative status
Select either:
Up: Enable (that is, bring up) the network interface so that it can send and receive traffic.
Down: Disable (that is, bring down) the network interface so that it cannot send or receive traffic.
4. If the FortiMail unit is operating in transparent mode, configure the following:
 
GUI item
Description
Interface Name
Displays the name (such as port2) and media access control (MAC) address for this network interface.
If you are creating a logical interface, enter a name for the interface.
Type
If you are creating a logical interface, select which type of interface you want to create. For information about logical interface types, see “About FortiMail logical interfaces”.
 
VLAN
If you want to create a VLAN subinterface, select the physical interface on which to create the subinterface.
Then specify a VLAN ID. Valid VLAN ID numbers are from 1 to 4094, while 0 is used for high priority frames, and 4095 is reserved.
 
Redundant
If you want to create a redundant interface, select its member interfaces from the available interfaces. Include two or more interfaces as members; a redundant interface with a single member provides no failover.
 
Loopback
If you want to add a loopback interface, select the Loopback type and the interface name will be automatically reset to “loopback”. You can only add one loopback interface on FortiMail.
Addressing mode
 
Do not associate with management IP
Enable to configure an IP address and netmask for this network interface, separate from the management IP, then configure “IP/Netmask”.
This option appears only if the network interface is not port1, which is required to be a member of the bridge.
 
 
IP/Netmask
Enter the IP address and netmask for the network interface. If the FortiMail unit is operating in transparent mode, this option is available only if “Do not associate with management IP” is enabled.
Access
Enable protocols that this network interface should accept for connections to the FortiMail unit itself. (These options do not affect connections that will travel through the FortiMail unit.)
HTTPS: Enable to allow secure HTTPS connections to the web‑based manager, webmail, and per-recipient quarantine through this network interface.
HTTP: Enable to allow HTTP connections to the web‑based manager, webmail, and per-recipient quarantine through this network interface.
For information on redirecting HTTP requests for webmail and per-recipient quarantines to HTTPS, see “Configuring global quarantine report settings”.
PING: Enable to allow ICMP ECHO (ping) responses from this network interface.
For information on configuring the network interface from which the FortiMail unit itself will send pings, see the FortiMail CLI Reference.
SSH: Enable to allow SSH connections to the CLI through this network interface.
SNMP: Enable to allow SNMP connections (queries) to this network interface.
For information on further restricting access, or on configuring the network interface that will be the source of traps, see “Configuring the network interfaces”.
TELNET: Enable to allow Telnet connections to the CLI through this network interface.
Caution: HTTP and Telnet send administrator credentials and session data in cleartext, so anyone on the network path can intercept them. If possible, leave both disabled; otherwise enable them only on network interfaces connected to a trusted private network, or directly to your management computer. Failure to restrict administrative access through these protocols could compromise the security of your FortiMail unit. For information on further restricting administrative connections, see “Configuring administrator accounts”.
MTU
 
Override default MTU value (1500)
Enable to change the maximum transmission unit (MTU) value, then enter the maximum packet or Ethernet frame size in bytes.
If network devices between the FortiMail unit and its traffic destinations require smaller or larger units of traffic, packets may require additional processing at each node in the network to fragment or reassemble them, resulting in reduced network performance. Adjusting the MTU to match your network can improve network performance.
The default value is 1500 bytes. The MTU size must be between 576 and 1500 bytes. Change this if you need a lower value; for example, RFC 2516 prescribes a value of 1492 for the PPPoE protocol.
Administrative status
Select either:
Up: Enable (that is, bring up) the network interface so that it can send and receive traffic.
Down: Disable (that is, bring down) the network interface so that it cannot send or receive traffic.
SMTP Proxy
When operating in transparent mode, the FortiMail unit can use either transparent proxies or an implicit relay to inspect SMTP connections. If connection pick-up is enabled for connections on that network interface, the FortiMail unit can scan and process the connection. If not enabled, the FortiMail unit can either block or permit the connection to pass through unmodified.
Exceptions to SMTP connections that can be proxied or relayed include SMTP connections destined for the FortiMail unit itself. For those local connections, such as email messages from email users requesting deletion or release of their quarantined email, you must choose to either allow or block the connection.
For more information about the FortiMail transparent mode proxy and implicit SMTP relay, see “Configuring proxies (transparent mode only)”.
Note: When a FortiMail unit proxies or relays traffic, whether the email will be scanned or not depends on the policies you specify. For more information about policies, see “Configuring policies”.
 
Incoming connections
Select how the proxy or built-in MTA will handle SMTP connections for that interface that are incoming to the IP addresses of email servers belonging to a protected domain.
Pass through: Permit connections but do not proxy or relay. Because traffic is not proxied or relayed, no policies will be applied.
Drop: Drop connections.
Proxy: Proxy or relay connections. Once intercepted, policies determine any further scanning or logging actions. For more information, see “Configuring policies”.
Note: Depending on your network topology, you may want to verify that email is not being scanned twice. This could result if, due to mail routing, an email would travel through the FortiMail unit multiple times in order to reach its final destination, and you have selected Proxy more than once on this page. For an example, see “Avoiding scanning email twice”.
 
Outgoing connections
Select how the proxy or built-in MTA will handle SMTP connections on that interface that are outgoing to the IP addresses of email servers that do not belong to a protected domain.
Pass through: Permit connections but do not proxy or relay. Because traffic is not proxied or relayed, no policies will be applied.
Drop: Drop connections.
Proxy: Proxy or relay connections. Once intercepted, policies determine any further scanning or logging actions. For more information, see “Configuring policies”.
Note: Depending on your network topology, you may want to verify that email is not being scanned twice. This could result if, due to mail routing, an email would travel through the FortiMail unit multiple times in order to reach its final destination, and you have selected Proxy more than once on this page. For an example, see “Avoiding scanning email twice”.
 
Local connections
Select how the FortiMail unit will handle SMTP connections on each network interface that are destined for the FortiMail unit itself, such as quarantine release or delete messages and Bayesian training messages.
Allow: SMTP connections will be allowed.
Disallow: SMTP connections will be blocked.
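The three SMTP Proxy settings above are applied per interface, and the same message can cross more than one interface on its way to its final destination. The following script is an added example, not FortiMail code: it models the per-interface decision (a connection to one of the unit's own addresses is local, one to a protected domain's mail server is incoming, anything else is outgoing) and then walks the interfaces a message crosses to count how many times it would be proxied, which is the condition the double-scanning note warns about. The IP addresses, interface names and settings are constructed for the example.

```python
"""Model of the per-interface SMTP Proxy settings in FortiMail transparent mode.

Added example, not FortiMail code. Classification order and the three
per-interface tables follow the Edit Interface dialog: Incoming connections,
Outgoing connections and Local connections. All addresses are constructed.
"""

LOCAL_IPS = {"192.0.2.1"}            # constructed: the unit's management IP
PROTECTED_SERVERS = {"192.0.2.25"}   # constructed: mail server of a protected domain

# Constructed per-interface choices, as made on the Edit Interface dialog.
PROXY_SETTINGS = {
    "port2": {"incoming": "proxy", "outgoing": "pass", "local": "allow"},
    "port3": {"incoming": "proxy", "outgoing": "proxy", "local": "disallow"},
}


def classify(dst_ip, local_ips=LOCAL_IPS, protected=PROTECTED_SERVERS):
    """Local connections are checked first: they are never proxied or relayed."""
    if dst_ip in local_ips:
        return "local"
    if dst_ip in protected:
        return "incoming"
    return "outgoing"


def decide(interface, dst_ip, settings=PROXY_SETTINGS):
    """Return (connection kind, action) for an SMTP connection arriving on `interface`."""
    kind = classify(dst_ip)
    return kind, settings[interface][kind]


def trace_delivery(hops, settings=PROXY_SETTINGS):
    """Walk the (ingress interface, destination IP) hops a message crosses in order.

    Returns (list of (interface, kind, action), number of times proxied).
    The walk stops at the first Drop or Disallow, since the message goes no further.
    """
    actions, proxied = [], 0
    for iface, dst in hops:
        kind, action = decide(iface, dst, settings)
        actions.append((iface, kind, action))
        if action in ("drop", "disallow"):
            break
        if action == "proxy":
            proxied += 1
    return actions, proxied


def scanned_twice(hops, settings=PROXY_SETTINGS):
    """True when a message path is proxied on more than one interface."""
    return trace_delivery(hops, settings)[1] > 1


if __name__ == "__main__":
    # Inbound mail reaches the protected server through port2, which then
    # relays it to a backend on the far side of the unit through port3.
    path = [("port2", "192.0.2.25"), ("port3", "203.0.113.7")]
    for step in trace_delivery(path)[0]:
        print(step)
    print("scanned twice:", scanned_twice(path))
```

Setting Outgoing connections on port3 to Pass through (or, depending on topology, Incoming connections on port2) removes the second proxy without leaving either direction unscanned; the point of the trace is to make the double hop visible before you pick which one.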
To configure a non-bridging network interface
1. Go to System > Network > Interface.
2. Double-click the network interface to modify it or select the interface and click Edit.
 
port1 is required to be a member of the bridge and cannot be removed from it.
3. Enable Do not associate with management IP.
This option appears only when the FortiMail unit is operating in transparent mode and the network interface is not port1, which is required to be a member of the bridge.
4. In IP/Netmask, enter the IP address and netmask of the network interface.
5. Click OK.
Repeat this procedure for each network interface that is connected to an email server on a distinct subnet. When complete, configure static routes for those email servers. For details, see “Configuring static routes”.
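The dialogs above enforce most constraints one interface at a time, but several of the rules span interfaces: no two interfaces on the same subnet, only one loopback, two or more members in a redundant interface, and, in transparent mode, port1 staying in the bridge. The script below is an added example, not FortiMail code, that checks a planned interface set against the constraints stated on this page before anyone types them in, and flags HTTP or Telnet administrative access on interfaces not marked as trusted. The dictionary layout, the `trusted` flag and the sample plan are constructed for the example.

```python
"""Pre-flight check of a planned FortiMail interface set against the rules on this page.

Added example, not FortiMail code. Each interface is a constructed dict mirroring
the Edit Interface fields: name, type (physical/vlan/redundant/loopback), parent,
vlan_id, members, ip ("addr/prefix"), mtu, access (list of protocols) and a
hypothetical `trusted` flag marking interfaces on a trusted management network.
"""
import ipaddress

CLEARTEXT = {"http", "telnet"}
VALID_ACCESS = {"https", "http", "ping", "ssh", "snmp", "telnet"}


def validate_interfaces(interfaces, mode="gateway"):
    """Return a list of (interface name, problem) tuples; an empty list means clean."""
    problems = []
    nets = {}          # name -> ipaddress network, for the same-subnet check
    loopbacks = 0
    physical = {i["name"] for i in interfaces if i.get("type", "physical") == "physical"}

    for iface in interfaces:
        name, itype = iface["name"], iface.get("type", "physical")

        if itype == "vlan":
            vid = iface.get("vlan_id")
            if not isinstance(vid, int) or not 1 <= vid <= 4094:
                problems.append((name, f"VLAN ID {vid!r} outside 1-4094 (0 and 4095 are reserved)"))
            if iface.get("parent") not in physical:
                problems.append((name, f"VLAN parent {iface.get('parent')!r} is not a physical interface"))
        elif itype == "redundant":
            members = iface.get("members", [])
            if len(members) < 2:
                problems.append((name, "redundant interface needs two or more members"))
            missing = [m for m in members if m not in physical]
            if missing:
                problems.append((name, f"unknown redundant members {missing}"))
        elif itype == "loopback":
            loopbacks += 1
            if loopbacks > 1:
                problems.append((name, "only one loopback interface is allowed"))

        # Transparent mode: port1 must stay in the bridge with the management IP.
        if mode == "transparent" and name == "port1" and iface.get("ip"):
            problems.append((name, "port1 must stay in the bridge; it cannot have its own IP/Netmask"))

        ip = iface.get("ip")
        if ip:
            try:
                net = ipaddress.ip_interface(ip).network
            except ValueError:
                problems.append((name, f"bad IP/Netmask {ip!r}"))
            else:
                for other, onet in nets.items():
                    if net.overlaps(onet):
                        problems.append((name, f"subnet {net} overlaps {other} ({onet})"))
                nets[name] = net

        mtu = iface.get("mtu", 1500)
        if not 576 <= mtu <= 1500:
            problems.append((name, f"MTU {mtu} outside 576-1500"))

        access = set(iface.get("access", []))
        unknown = access - VALID_ACCESS
        if unknown:
            problems.append((name, f"unknown access protocols {sorted(unknown)}"))
        insecure = access & CLEARTEXT
        if insecure and not iface.get("trusted", False):
            problems.append((name, f"cleartext admin access {sorted(insecure)} on an untrusted interface"))
    return problems


# Constructed sample plan; four of the five entries violate a rule on purpose.
PLAN = [
    {"name": "port1", "ip": "192.0.2.10/24", "access": ["https", "ssh"], "trusted": True},
    {"name": "port2", "ip": "192.0.2.20/24", "access": ["http", "telnet"]},
    {"name": "port3", "ip": "198.51.100.1/24", "access": ["https"], "mtu": 1492},
    {"name": "vlan50", "type": "vlan", "parent": "port3", "vlan_id": 4095, "ip": "203.0.113.1/24"},
    {"name": "lag1", "type": "redundant", "members": ["port3"], "ip": "10.0.0.1/24"},
]

if __name__ == "__main__":
    for name, problem in validate_interfaces(PLAN):
        print(f"{name}: {problem}")
```

Run it with the plan for a transparent-mode unit by passing `mode="transparent"`, which adds the port1 bridge rule; the subnet check uses real prefix overlap rather than string comparison, so a /25 inside another interface's /24 is caught as well.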