Enable administrative access only on network interfaces connected to trusted private networks or directly to your management computer. If possible, enable only secure administrative access protocols such as HTTPS or SSH. Failure to restrict administrative access could compromise the security of your FortiMail unit.
You can restrict which IP addresses are permitted to log in as a FortiMail administrator through network interfaces. For details, see “Configuring administrator accounts”.
GUI item | Description | ||
Interface Name | If you are editing an existing interface, this field displays the name (such as port2) and media access control (MAC) address for this network interface. If you are creating a logical interface, enter a name for the interface. | ||
Type | If you are creating a logical interface, select which type of interface you want to create. For information about logical interface types, see “About FortiMail logical interfaces”. | ||
VLAN | If you want to create a VLAN subinterface, select the interface for which you want to create the subinterface. Then specify a VLAN ID. Valid VLAN ID numbers are from 1 to 4094, while 0 is used for high priority frames, and 4095 is reserved. | ||
Redundant | If you want to create a redundant interface, select the interface members from the available interfaces. Usually, you need to include two or more interfaces as the redundant interface members. | ||
Loopback | If you want to add a loopback interface, select the Loopback type and the interface name will be automatically reset to “loopback”. You can only add one loopback interface on FortiMail. | ||
Addressing mode | |||
Manual | Select to enter a static IP address, then enter the IP address and netmask for the network interface. | ||
IP/Netmask | Enter the IP address and netmask for the network interface. If the FortiMail unit is operating in gateway mode or server mode, this option is available only if Manual is selected. Note: IP addresses of different interfaces cannot be on the same subnet. | ||
DHCP | Select to retrieve a dynamic IP address using DHCP. This option appears only if the FortiMail unit is operating in gateway mode or server mode. | ||
Retrieve default gateway and DNS from server | Enable to retrieve both the default gateway and DNS addresses from the DHCP server, replacing any manually configured values. | ||
Connect to server | Enable for the FortiMail unit to attempt to obtain DNS addressing information from the DHCP server. Disable this option if you are configuring the network interface offline, and do not want the unit to attempt to obtain addressing information at this time. | ||
Access | Enable protocols that this network interface should accept for connections to the FortiMail unit itself. (These options do not affect connections that will travel through the FortiMail unit.) • HTTPS: Enable to allow secure HTTPS connections to the web‑based manager, webmail, and per-recipient quarantine through this network interface. • HTTP: Enable to allow HTTP connections to the web‑based manager, webmail, and per-recipient quarantine through this network interface. For information on redirecting HTTP requests for webmail and per-recipient quarantines to HTTPS, see “Configuring global quarantine report settings”. • PING: Enable to allow ICMP ECHO (ping) responses from this network interface. For information on configuring the network interface from which the FortiMail unit itself will send pings, see the FortiMail CLI Reference. • SSH: Enable to allow SSH connections to the CLI through this network interface. • SNMP: Enable to allow SNMP connections (queries) to this network interface. For information on further restricting access, or on configuring the network interface that will be the source of traps, see “Configuring the network interfaces”. • TELNET: Enable to allow Telnet connections to the CLI through this network interface. Caution: HTTP and Telnet connections are not secure, and can be intercepted by a third party. If possible, enable this option only for network interfaces connected to a trusted private network, or directly to your management computer. Failure to restrict administrative access through this protocol could compromise the security of your FortiMail unit. For information on further restricting access of administrative connections, see “Configuring administrator accounts”. | ||
MTU | |||
Override default MTU value (1500) | Enable to change the maximum transmission unit (MTU) value, then enter the maximum packet or Ethernet frame size in bytes. If network devices between the FortiMail unit and its traffic destinations require smaller or larger units of traffic, packets may require additional processing at each node in the network to fragment or defragment the units, resulting in reduced network performance. Adjusting the MTU to match your network can improve network performance. The default value is 1500 bytes. The MTU size must be between 576 and 1500 bytes. Change this if you need a lower value; for example, RFC 2516 prescribes a value of 1492 for the PPPoE protocol. | ||
Administrative status | Select either: • Up: Enable (that is, bring up) the network interface so that it can send and receive traffic. • Down: Disable (that is, bring down) the network interface so that it cannot send or receive traffic. |
GUI item | Description | ||
Interface Name | Displays the name (such as port2) and media access control (MAC) address for this network interface. If you are creating a logical interface, enter a name for the interface. | ||
Type | If you are creating a logical interface, select which type of interface you want to create. For information about logical interface types, see “About FortiMail logical interfaces”. | ||
VLAN | If you want to create a VLAN subinterface, select the interface for which you want to create the subinterface. Then specify a VLAN ID. Valid VLAN ID numbers are from 1 to 4094, while 0 is used for high priority frames, and 4095 is reserved. | ||
Redundant | If you want to create a redundant interface, select the interface members from the available interfaces. Usually, you need to include two or more interfaces as the redundant interface members. | ||
Loopback | If you want to add a loopback interface, select the Loopback type and the interface name will be automatically reset to “loopback”. You can only add one loopback interface on FortiMail. | ||
Addressing mode | |||
Do not associate with management IP | Enable to configure an IP address and netmask for this network interface, separate from the management IP, then configure “IP/Netmask”. This option appears only if the network interface is not port1, which is required to be a member of the bridge. | ||
IP/Netmask | Enter the IP address and netmask for the network interface. If the FortiMail unit is operating in transparent mode, this option is available only if “Do not associate with management IP” is enabled. | ||
Access | Enable protocols that this network interface should accept for connections to the FortiMail unit itself. (These options do not affect connections that will travel through the FortiMail unit.) • HTTPS: Enable to allow secure HTTPS connections to the web‑based manager, webmail, and per-recipient quarantine through this network interface. • HTTP: Enable to allow HTTP connections to the web‑based manager, webmail, and per-recipient quarantine through this network interface. For information on redirecting HTTP requests for webmail and per-recipient quarantines to HTTPS, see “Configuring global quarantine report settings”. • PING: Enable to allow ICMP ECHO (ping) responses from this network interface. For information on configuring the network interface from which the FortiMail unit itself will send pings, see the FortiMail CLI Reference. • SSH: Enable to allow SSH connections to the CLI through this network interface. • SNMP: Enable to allow SNMP connections (queries) to this network interface. For information on further restricting access, or on configuring the network interface that will be the source of traps, see “Configuring the network interfaces”. • TELNET: Enable to allow Telnet connections to the CLI through this network interface. Caution: HTTP and Telnet connections are not secure, and can be intercepted by a third party. If possible, enable this option only for network interfaces connected to a trusted private network, or directly to your management computer. Failure to restrict administrative access through this protocol could compromise the security of your FortiMail unit. For information on further restricting access of administrative connections, see “Configuring administrator accounts”. | ||
MTU | |||
Override default MTU value (1500) | Enable to change the maximum transmission unit (MTU) value, then enter the maximum packet or Ethernet frame size in bytes. If network devices between the FortiMail unit and its traffic destinations require smaller or larger units of traffic, packets may require additional processing at each node in the network to fragment or defragment the units, resulting in reduced network performance. Adjusting the MTU to match your network can improve network performance. The default value is 1500 bytes. The MTU size must be between 576 and 1500 bytes. Change this if you need a lower value; for example, RFC 2516 prescribes a value of 1492 for the PPPoE protocol. | ||
Administrative status | Select either: • Up: Enable (that is, bring up) the network interface so that it can send and receive traffic. • Down: Disable (that is, bring down) the network interface so that it cannot send or receive traffic. | ||
SMTP Proxy | When operating in transparent mode, the FortiMail unit can use either transparent proxies or an implicit relay to inspect SMTP connections. If connection pick-up is enabled for connections on that network interface, the FortiMail unit can scan and process the connection. If not enabled, the FortiMail unit can either block or permit the connection to pass through unmodified. Exceptions to SMTP connections that can be proxied or relayed include SMTP connections destined for the FortiMail unit itself. For those local connections, such as email messages from email users requesting deletion or release of their quarantined email, you must choose to either allow or block the connection. For more information about FortiMail transparent mode proxy and implicit SMTP relay, see “Configuring proxies (transparent mode only)”. Note: When a FortiMail unit proxies or relays traffic, whether the email will be scanned or not depends on the policies you specify. For more information about policies, see “Configuring policies”. | ||
Incoming connections | Select how the proxy or built-in MTA will handle SMTP connections for that interface that are incoming to the IP addresses of email servers belonging to a protected domain. • Pass through: Permit connections but do not proxy or relay. Because traffic is not proxied or relayed, no policies will be applied. • Drop: Drop connections. • Proxy: Proxy or relay connections. Once intercepted, policies determine any further scanning or logging actions. For more information, see “Configuring policies”. Note: Depending on your network topology, you may want to verify that email is not being scanned twice. This could result if, due to mail routing, an email would travel through the FortiMail unit multiple times in order to reach its final destination, and you have selected Proxy more than once on this page. For an example, see “Avoiding scanning email twice”. | ||
Outgoing connections | Select how the proxy or built-in MTA will handle SMTP connections for that interface that are outgoing to the IP addresses of email servers that are not a protected domain. • Pass through: Permit connections but do not proxy or relay. Because traffic is not proxied or relayed, no policies will be applied. • Drop: Drop connections. • Proxy: Proxy or relay connections. Once intercepted, policies determine any further scanning or logging actions. For more information, see “Configuring policies”. Note: Depending on your network topology, you may want to verify that email is not being scanned twice. This could result if, due to mail routing, an email would travel through the FortiMail unit multiple times in order to reach its final destination, and you have selected Proxy more than once on this page. For an example, see “Avoiding scanning email twice”. | ||
Local connections | Select how the FortiMail unit will handle SMTP connections on each network interface that are destined for the FortiMail unit itself, such as quarantine release or delete messages and Bayesian training messages. • Allow: SMTP connections will be allowed. • Disallow: SMTP connections will be blocked. |
port1 is required to be a member of the bridge and cannot be removed from it.
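The following audit sketch is an added example, not Fortinet code or a FortiMail export format. It checks a set of interface settings against the rules stated above: cleartext HTTP/Telnet access, administrative protocols on interfaces outside trusted networks, the 576 to 1500 MTU range, the 1 to 4094 VLAN ID range, and two interfaces sharing a subnet. The dictionary layout, field names (`ip`, `access`, `mtu`, `vlan_id`), finding labels and sample addresses are assumptions constructed for illustration.

```python
import ipaddress

INSECURE = {"http", "telnet"}               # cleartext, per the Access caution
ADMIN = {"https", "http", "ssh", "telnet"}  # reach the web-based manager or CLI
MTU_RANGE = range(576, 1501)                # MTU must be between 576 and 1500
VLAN_RANGE = range(1, 4095)                 # 0 and 4095 are not valid VLAN IDs

def audit_interfaces(interfaces, trusted_networks):
    """Return (interface, finding) tuples for settings that need review."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    findings, seen = [], []
    for name, cfg in interfaces.items():
        iface = ipaddress.ip_interface(cfg["ip"])
        on_trusted = any(iface.ip in net for net in trusted)
        access = {p.lower() for p in cfg.get("access", ())}
        for proto in sorted(access & INSECURE):
            findings.append((name, f"insecure-protocol:{proto}"))
        if not on_trusted:
            # HTTPS also serves webmail and quarantine, so treat this as a
            # review item rather than an automatic failure.
            for proto in sorted(access & ADMIN):
                findings.append((name, f"admin-access-on-untrusted:{proto}"))
        mtu = cfg.get("mtu", 1500)
        if mtu not in MTU_RANGE:
            findings.append((name, f"mtu-out-of-range:{mtu}"))
        vlan = cfg.get("vlan_id")
        if vlan is not None and vlan not in VLAN_RANGE:
            findings.append((name, f"invalid-vlan-id:{vlan}"))
        for other, net in seen:
            if iface.network.overlaps(net):
                findings.append((name, f"same-subnet-as:{other}"))
        seen.append((name, iface.network))
    return findings

# Constructed sample settings (not taken from a real unit).
SAMPLE = {
    "port1": {"ip": "192.168.1.99/24", "access": ["https", "ssh", "ping"]},
    "port2": {"ip": "203.0.113.10/24", "access": ["https", "telnet", "ping"], "mtu": 1492},
    "port3": {"ip": "192.168.1.200/24", "access": ["ping"], "mtu": 9000},
    "vlan_4095": {"ip": "10.20.0.1/24", "access": ["http"], "vlan_id": 4095},
}
TRUSTED = ["192.168.1.0/24", "10.20.0.0/16"]  # assumed management networks

if __name__ == "__main__":
    for name, finding in audit_interfaces(SAMPLE, TRUSTED):
        print(f"{name}: {finding}")
```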