config system interface
Use this command to configure:
- the network interfaces associated with the physical network ports of the FortiWeb appliance
- VLAN subinterfaces or 802.3ad link aggregates associated with physical network interfaces
Both the network interfaces and VLAN subinterfaces can include administrative access.
 
You can restrict which IP addresses are permitted to log in as a FortiWeb administrator through the network interfaces and VLAN subinterfaces. For details, see “config system admin”.
 
When the FortiWeb appliance is operating in either of the transparent modes, VLANs do not support Cisco discovery protocol (CDP).
 
You can use SNMP traps to notify you when a network interface’s configuration changes, or when a link is brought down or brought up. For details, see “config system snmp community”.
To use this command, your administrator account’s access control profile must have either w or rw permission to the netgrp area. For more information, see “Permissions”.
Syntax
config system interface
    edit <interface_name>
        set status {up | down}
        set type {aggregate | physical | vlan}
        set algorithm {layer2 | layer2_3 | layer3_4}
        set allowaccess {http https ping snmp ssh telnet}
        set ip6-allowaccess {http https ping snmp ssh telnet}
        set description "<comment_str>"
        set interface <interface_name>
        set intf {<port_name> ...}
        set ip <interface_ipv4mask>
        [set ip6 <interface_ipv6mask>]
        set mode {static | dhcp}
        set vlanid <vlan-id_int>
        set lacp-speed {fast | slow}
    next
end
Variables (each entry lists the variable, its description, and its default)

<interface_name>
    Description: Type the name of a network interface. The maximum length is 15 characters.
    Default: No default.
status {up | down}
    Description: Enable (select up) to bring up the network interface so that it is permitted to receive and/or transmit traffic.
    Note: The administrative status set by this command is not the same as the detected physical link status. For example, even though you have used config system interface to configure port1 with set status up, if the cable is physically unplugged, diagnose hardware nic list port1 may correctly indicate that the link is down (Link detected: no).
    Default: up
algorithm {layer2 | layer2_3 | layer3_4}
    Description: Select the connectivity layers that will be considered when distributing frames among the aggregated physical ports.
    - layer2 — Consider only the MAC address. This results in the most even distribution of frames, but may be disruptive to TCP if packets frequently arrive out of order.
    - layer2_3 — Consider both the MAC address and IP session. Queue frames involving the same session to the same port. This results in slightly less even distribution, and still does not guarantee perfectly ordered TCP sessions, but does result in less jitter within the session.
    - layer3_4 — Consider both the IP session and TCP connection. Queue frames involving the same session and connection to the same port. Distribution is not even, but this does prevent TCP retransmissions associated with link aggregation.
    Default: layer2
allowaccess {http https ping snmp ssh telnet}
    Description: Type the IPv4 protocols that will be permitted for administrative connections to the network interface or VLAN subinterface.
    Separate each protocol with a space. To remove from or add to the list of permitted administrative access protocols, retype the entire list.
    - ping — Allow ICMP ping responses from this network interface.
    - http — Allow HTTP access to the web UI.
      Caution: HTTP connections are not secure and can be intercepted by a third party. To reduce risk to the security of your FortiMail appliance, enable this option only on network interfaces connected directly to your management computer.
    - https — Allow secure HTTP (HTTPS) access to the web UI.
    - snmp — Allow SNMP access. For more information, see “config system snmp community”.
      Note: This setting only configures which network interface will receive SNMP queries. To configure which network interface will send traffic, see “config system snmp community”.
    - ssh — Allow SSH access to the CLI.
    - telnet — Allow Telnet access to the CLI.
      Caution: Telnet connections are not secure.
    Caution: Enable administrative access only on network interfaces or VLAN subinterfaces that are connected to trusted private networks or directly to your management computer. If possible, enable only secure administrative access protocols such as HTTPS or SSH. Failure to restrict administrative access could compromise the security of your FortiWeb appliance. Consider allowing ping only when troubleshooting.
    Default: ping https ssh
ip6-allowaccess {http https ping snmp ssh telnet}
    Description: Type the IPv6 protocols that will be permitted for administrative connections to the network interface or VLAN subinterface.
    Separate each protocol with a space. To remove from or add to the list of permitted administrative access protocols, retype the entire list.
    - ping — Allow ICMP ping responses from this network interface.
    - http — Allow HTTP access to the web UI.
      Caution: HTTP connections are not secure and can be intercepted by a third party. To reduce risk to the security of your FortiMail appliance, enable this option only on network interfaces connected directly to your management computer.
    - https — Allow secure HTTP (HTTPS) access to the web UI.
    - snmp — Allow SNMP access. For more information, see “config system snmp community”.
      Note: This setting only configures which network interface will receive SNMP queries. To configure which network interface will send traffic, see “config system snmp community”.
    - ssh — Allow SSH access to the CLI.
    - telnet — Allow Telnet access to the CLI.
      Caution: Telnet connections are not secure.
    Caution: Enable administrative access only on network interfaces or VLAN subinterfaces connected to trusted private networks or directly to your management computer. If possible, enable only secure administrative access protocols such as HTTPS or SSH. Failure to restrict administrative access could compromise the security of your FortiWeb appliance. Consider allowing ping only when troubleshooting.
    Default: ping
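The following is an added example, not from the original page, that puts the allowaccess and ip6-allowaccess cautions above into practice on a two-port deployment: port1 is a dedicated management port that accepts only HTTPS and SSH over both IPv4 and IPv6, and port2 faces client traffic and gets no administrative access at all. The interface roles, the addresses (drawn from the 10.0.0.0/8, 192.0.2.0/24 and 2001:db8::/32 documentation ranges) and the use of the CLI's standard unset verb to clear a list are assumptions; if your firmware rejects unset, retype the list with only the protocols you want, as the descriptions above direct. The lines starting with # are explanatory comments only.

```text
config system interface
    # Management port: encrypted admin protocols only, for both address families.
    # Assumed: port1 is cabled to the trusted management network.
    edit "port1"
        set ip 10.0.0.1 255.255.255.0
        set ip6 2001:db8:0:1::1/64
        set allowaccess https ssh
        set ip6-allowaccess https ssh
        set description "management only - no http, telnet or snmp"
        set status up
    next
    # Traffic-facing port: no administrative access at all.
    # Assumed: unset clears the list; otherwise retype it without the unwanted protocols.
    edit "port2"
        set ip 192.0.2.1 255.255.255.0
        unset allowaccess
        unset ip6-allowaccess
        set description "client-facing - admin access disabled"
        set status up
    next
end
```

Because ip6-allowaccess defaults to ping and allowaccess to ping https ssh, an interface you never touch still answers on the IPv4 management protocols; reviewing both lists on every interface, not just the management port, is the check that catches that. If you need ping on port2 while troubleshooting, set allowaccess ping for the duration and clear it again afterwards.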
description "<comment_str>"
    Description: Type a description or other comment. If the comment is more than one word or contains an apostrophe, surround the comment with double quotes ( " ). The maximum length is 63 characters.
    Default: No default.
interface <interface_name>
    Description: Type the name of the network interface with which the VLAN subinterface will be associated. The maximum length is 15 characters.
    This field is available only if type is vlan.
    Default: No default.
intf {<port_name> ...}
    Description: Type the names of two or more physical network interfaces that will be combined into the aggregate link. Only physical network interfaces may be aggregated. The maximum length is 15 characters each.
    This field is available only if type is vlan.
    Default: No default.
ip <interface_ipv4mask>
    Description: Type the IPv4 address and netmask of the network interface, if any. The IP address must be on the same subnet as the network to which the interface connects. Two network interfaces cannot have IP addresses on the same subnet. The default setting for port1 is 192.168.1.99 with a netmask of 255.255.255.0. Other ports have no default.
    Default: Varies by the interface.
ip6 <interface_ipv6mask>
    Description: Type the IPv6 address and netmask of the network interface, if any. The IP address must be on the same subnet as the network to which the interface connects. Two network interfaces cannot have IP addresses on the same subnet.
    Default: ::/0
lacp-speed {fast | slow}
    Description: Select the rate of transmission for the LACP frames (LACPDUs) between FortiWeb and the peer device at the other end of the trunking cables, either:
    - slow — Every 30 seconds.
    - fast — Every 1 second.
    Note: This must match the setting on the other device. If the rates do not match, FortiWeb or the other device could mistakenly believe that the other’s ports have failed, effectively disabling ports in the trunk.
    Default: slow
type {aggregate | physical | vlan}
    Description: Indicates whether the interface is directly associated with a physical network port, or is instead a VLAN subinterface or link aggregate.
    The default varies by whether you are editing a network interface associated with a physical port (physical) or creating a new subinterface/aggregate (vlan or aggregate).
    Default: Varies by the interface.
mode {static | dhcp}
    Description: Specify whether the interface obtains its IPv4 address and netmask using DHCP.
    You can configure only one network interface to acquire its address via DHCP.
    Default: static
vlanid <vlan-id_int>
    Description: Type the VLAN ID of packets that belong to this VLAN subinterface.
    If one physical network port (that is, a VLAN trunk) will handle multiple VLANs, create multiple VLAN subinterfaces on that port, one for each VLAN ID that will be received.
    If multiple different physical network ports will handle the same VLANs, on each of the ports, create VLAN subinterfaces that have the same VLAN IDs.
    The VLAN ID is part of the tag that is inserted into each Ethernet frame in order to identify traffic for a specific VLAN. VLAN header addition is handled automatically, and does not require that you adjust the maximum transmission unit (MTU). Depending on whether the device receiving a packet operates at Layer 2 or Layer 3 of the network, this tag may be added, removed or rewritten before forwarding to other nodes on the network.
    For example, a Layer 2 switch or FortiWeb appliance operating in either of the transparent modes would typically add or remove a tag when forwarding traffic among members of the VLAN, but would not route tagged traffic to a different VLAN ID. In contrast, a FortiWeb appliance operating in reverse proxy mode, inspecting the traffic to make routing decisions based upon higher-level layers/protocols, might route traffic between different VLAN IDs (also known as inter-VLAN routing) if indicated by its policy, such as if it has been configured to do WSDL-based routing.
    For the maximum number of interfaces, including VLAN subinterfaces, see the FortiWeb Administration Guide.
    This field is available only when type is vlan. The valid range is between 1 and 4094 and must match the VLAN ID added by the IEEE 802.1q-compliant router or switch connected to the VLAN subinterface.
    Note: Inter-VLAN routing is not supported if the FortiWeb appliance is operating in either of the transparent modes. In that case, you must configure the same VLAN IDs on each physical network port.
    Default: 0
Example
This example configures the network interface named port1, associated with the first physical network port, with the IP address and subnet mask 10.0.0.1/24. It also enables ICMP ECHO (ping) and HTTPS administrative access to that network interface, and enables it.
config system interface
    edit "port1"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https
        set status up
    next
end
Example
This example configures the network subinterface named vlan_100, associated with the physical network interface port1, with the IP address and subnet mask 10.0.1.1/24. It does not allow administrative access.
config system interface
    edit "vlan_100"
        set type vlan
        set ip 10.0.1.1 255.255.255.0
        set status up
        set vlanid 100
        set interface port1
    next
end
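The page's own examples cover a physical port and a single VLAN subinterface. The following is an added example, not from the original page, that covers the two remaining interface types described in the variable table: an 802.3ad link aggregate built from two physical ports (intf, algorithm and lacp-speed), and a VLAN trunk on a single physical port carrying two VLAN IDs, one subinterface per ID (vlanid). Port numbers, interface names, VLAN IDs and the 10.0.0.0/8 addresses are assumptions chosen for illustration; the lines starting with # are explanatory comments only.

```text
config system interface
    # Aggregate of two physical ports. layer3_4 keeps each TCP connection on one
    # member port, which avoids the out-of-order retransmissions the table warns about.
    # Assumed: port3 and port4 are cabled to the same LACP-capable switch.
    edit "agg1"
        set type aggregate
        set intf port3 port4
        set algorithm layer3_4
        set lacp-speed fast
        set ip 10.0.30.1 255.255.255.0
        set description "LACP trunk to core switch - peer must also use fast LACP"
        set status up
    next
    # One physical trunk port (port5) handling two VLANs: one subinterface per VLAN ID.
    # The IDs must match those tagged by the 802.1q switch on the other end of port5.
    edit "vlan_10"
        set type vlan
        set interface port5
        set vlanid 10
        set ip 10.0.10.1 255.255.255.0
        set status up
    next
    edit "vlan_20"
        set type vlan
        set interface port5
        set vlanid 20
        set ip 10.0.20.1 255.255.255.0
        set status up
    next
end
```

Two checks are worth running after applying a configuration like this. The lacp-speed note above means a peer switch left at the slow rate can cause either side to declare the aggregate's member ports failed, so confirm the rate on the switch before trusting the trunk. And because set status up only records the administrative state, use diagnose hardware nic list port3 (and port4) to confirm that the members actually report Link detected: yes.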
Related topics
config system v-zone
config router static
config server-policy vserver
config system snmp community
config system admin
config system ha
config system network-option
execute ping
diagnose hardware nic
diagnose network ip
diagnose network sniffer