
CLI Reference

config system interface

config system interface

Configure interfaces.

config system interface

Description: Configure interfaces.

edit <name>

set vdom {string}

set vrf {integer}

set cli-conn-status {integer}

set fortilink [enable|disable]

set mode [static|dhcp|...]

set distance {integer}

set priority {integer}

set dhcp-relay-interface-select-method [auto|sdwan|...]

set dhcp-relay-interface {string}

set dhcp-relay-service [disable|enable]

set dhcp-relay-ip {user}

set dhcp-relay-request-all-server [disable|enable]

set dhcp-relay-type [regular|ipsec]

set dhcp-relay-agent-option [enable|disable]

set management-ip {ipv4-classnet-host}

set ip {ipv4-classnet-host}

set allowaccess {option1}, {option2}, ...

set gwdetect [enable|disable]

set ping-serv-status {integer}

set detectserver {user}

set detectprotocol {option1}, {option2}, ...

set ha-priority {integer}

set fail-detect [enable|disable]

set fail-detect-option {option1}, {option2}, ...

set fail-alert-method [link-failed-signal|link-down]

set fail-action-on-extender [soft-restart|hard-restart|...]

set fail-alert-interfaces <name1>, <name2>, ...

set dhcp-client-identifier {string}

set dhcp-renew-time {integer}

set ipunnumbered {ipv4-address}

set username {string}

set pppoe-unnumbered-negotiate [enable|disable]

set password {password}

set idle-timeout {integer}

set detected-peer-mtu {integer}

set disc-retry-timeout {integer}

set padt-retry-timeout {integer}

set service-name {string}

set ac-name {string}

set lcp-echo-interval {integer}

set lcp-max-echo-fails {integer}

set defaultgw [enable|disable]

set dns-server-override [enable|disable]

set auth-type [auto|pap|...]

set pptp-client [enable|disable]

set pptp-user {string}

set pptp-password {password}

set pptp-server-ip {ipv4-address}

set pptp-auth-type [auto|pap|...]

set pptp-timeout {integer}

set arpforward [enable|disable]

set ndiscforward [enable|disable]

set broadcast-forward [enable|disable]

set bfd [global|enable|...]

set bfd-desired-min-tx {integer}

set bfd-detect-mult {integer}

set bfd-required-min-rx {integer}

set l2forward [enable|disable]

set icmp-send-redirect [enable|disable]

set icmp-accept-redirect [enable|disable]

set vlanforward [enable|disable]

set stpforward [enable|disable]

set stpforward-mode [rpl-all-ext-id|rpl-bridge-ext-id|...]

set ips-sniffer-mode [enable|disable]

set ident-accept [enable|disable]

set ipmac [enable|disable]

set subst [enable|disable]

set macaddr {mac-address}

set substitute-dst-mac {mac-address}

set poe [enable|disable]

set speed [auto|10full|...]

set status [up|down]

set netbios-forward [disable|enable]

set wins-ip {ipv4-address}

set type [physical|vlan|...]

set dedicated-to [none|management]

set trust-ip-1 {ipv4-classnet-any}

set trust-ip-2 {ipv4-classnet-any}

set trust-ip-3 {ipv4-classnet-any}

set trust-ip6-1 {ipv6-prefix}

set trust-ip6-2 {ipv6-prefix}

set trust-ip6-3 {ipv6-prefix}

set mtu-override [enable|disable]

set mtu {integer}

set wccp [enable|disable]

set netflow-sampler [disable|tx|...]

set sflow-sampler [enable|disable]

set drop-overlapped-fragment [enable|disable]

set drop-fragment [enable|disable]

set src-check [enable|disable]

set sample-rate {integer}

set polling-interval {integer}

set sample-direction [tx|rx|...]

set explicit-web-proxy [enable|disable]

set explicit-ftp-proxy [enable|disable]

set proxy-captive-portal [enable|disable]

set tcp-mss {integer}

set inbandwidth {integer}

set outbandwidth {integer}

set egress-shaping-profile {string}

set ingress-shaping-profile {string}

set disconnect-threshold {integer}

set spillover-threshold {integer}

set ingress-spillover-threshold {integer}

set weight {integer}

set interface {string}

set external [enable|disable]

set vlanid {integer}

set trunk [enable|disable]

set forward-domain {integer}

set remote-ip {ipv4-classnet-host}

set member <interface-name1>, <interface-name2>, ...

set lacp-mode [static|passive|...]

set lacp-ha-slave [enable|disable]

set lacp-speed [slow|fast]

set min-links {integer}

set min-links-down [operational|administrative]

set algorithm [L2|L3|...]

set link-up-delay {integer}

set priority-override [enable|disable]

set aggregate {string}

set redundant-interface {string}

set devindex {integer}

set vindex {integer}

set switch {string}

set description {var-string}

set alias {string}

set l2tp-client [enable|disable]

config l2tp-client-settings

Description: L2TP client settings.

set user {string}

set password {password}

set peer-host {string}

set peer-mask {ipv4-netmask}

set peer-port {integer}

set auth-type [auto|pap|...]

set mtu {integer}

set distance {integer}

set priority {integer}

set defaultgw [enable|disable]

set ip {ipv4-classnet-host}

end

set security-mode [none|captive-portal|...]

set security-mac-auth-bypass [mac-auth-only|enable|...]

set security-8021x-mode [default|dynamic-vlan|...]

set security-8021x-master {string}

set security-8021x-dynamic-vlan-id {integer}

set security-external-web {string}

set security-external-logout {string}

set replacemsg-override-group {string}

set security-redirect-url {string}

set security-exempt-list {string}

set security-groups <name1>, <name2>, ...

set stp [disable|enable]

set stp-ha-slave [disable|enable|...]

set device-identification [enable|disable]

set device-user-identification [enable|disable]

set lldp-reception [enable|disable|...]

set lldp-transmission [enable|disable|...]

set lldp-network-policy {string}

set broadcast-forticlient-discovery [enable|disable]

set estimated-upstream-bandwidth {integer}

set estimated-downstream-bandwidth {integer}

set vrrp-virtual-mac [enable|disable]

config vrrp

Description: VRRP configuration.

edit <vrid>

set version [2|3]

set vrgrp {integer}

set vrip {ipv4-address-any}

set priority {integer}

set adv-interval {integer}

set start-time {integer}

set preempt [enable|disable]

set accept-mode [enable|disable]

set vrdst {ipv4-address-any}

set vrdst-priority {integer}

set ignore-default-route [enable|disable]

set status [enable|disable]

config proxy-arp

Description: VRRP Proxy ARP configuration.

edit <id>

set ip {user}

next

end

next

end

set role [lan|wan|...]

set snmp-index {integer}

set secondary-IP [enable|disable]

config secondaryip

Description: Second IP address of interface.

edit <id>

set ip {ipv4-classnet-host}

set allowaccess {option1}, {option2}, ...

set gwdetect [enable|disable]

set ping-serv-status {integer}

set detectserver {user}

set detectprotocol {option1}, {option2}, ...

set ha-priority {integer}

next

end

set preserve-session-route [enable|disable]

set auto-auth-extension-device [enable|disable]

set ap-discover [enable|disable]

set fortilink-stacking [enable|disable]

set fortilink-neighbor-detect [lldp|fortilink]

set fortilink-split-interface [enable|disable]

set internal {integer}

set fortilink-backup-link {integer}

set switch-controller-access-vlan [enable|disable]

set switch-controller-traffic-policy {string}

set switch-controller-rspan-mode [disable|enable]

set switch-controller-igmp-snooping [enable|disable]

set switch-controller-igmp-snooping-proxy [enable|disable]

set switch-controller-igmp-snooping-fast-leave [enable|disable]

set switch-controller-dhcp-snooping [enable|disable]

set switch-controller-dhcp-snooping-verify-mac [enable|disable]

set switch-controller-dhcp-snooping-option82 [enable|disable]

set switch-controller-arp-inspection [enable|disable]

set switch-controller-learning-limit {integer}

set color {integer}

config tagging

Description: Config object tagging.

edit <name>

set category {string}

set tags <name1>, <name2>, ...

next

end

config ipv6

Description: IPv6 of interface.

set ip6-mode [static|dhcp|...]

set nd-mode [basic|SEND-compatible]

set nd-cert {string}

set nd-security-level {integer}

set nd-timestamp-delta {integer}

set nd-timestamp-fuzz {integer}

set nd-cga-modifier {user}

set ip6-dns-server-override [enable|disable]

set ip6-address {ipv6-prefix}

config ip6-extra-addr

Description: Extra IPv6 address prefixes of interface.

edit <prefix>

next

end

set ip6-allowaccess {option1}, {option2}, ...

set ip6-send-adv [enable|disable]

set ip6-manage-flag [enable|disable]

set ip6-other-flag [enable|disable]

set ip6-max-interval {integer}

set ip6-min-interval {integer}

set ip6-link-mtu {integer}

set ip6-reachable-time {integer}

set ip6-retrans-time {integer}

set ip6-default-life {integer}

set ip6-hop-limit {integer}

set autoconf [enable|disable]

set ip6-upstream-interface {string}

set ip6-subnet {ipv6-prefix}

config ip6-prefix-list

Description: Advertised prefix list.

edit <prefix>

set autonomous-flag [enable|disable]

set onlink-flag [enable|disable]

set valid-life-time {integer}

set preferred-life-time {integer}

set rdnss {user}

set dnssl <domain1>, <domain2>, ...

next

end

config ip6-delegated-prefix-list

Description: Advertised IPv6 delegated prefix list.

edit <prefix-id>

set upstream-interface {string}

set autonomous-flag [enable|disable]

set onlink-flag [enable|disable]

set subnet {ipv6-network}

set rdnss-service [delegated|default|...]

set rdnss {user}

next

end

set dhcp6-relay-service [disable|enable]

set dhcp6-relay-type {option}

set dhcp6-relay-ip {user}

set dhcp6-client-options {option1}, {option2}, ...

set dhcp6-prefix-delegation [enable|disable]

set dhcp6-information-request [enable|disable]

set dhcp6-prefix-hint {ipv6-network}

set dhcp6-prefix-hint-plt {integer}

set dhcp6-prefix-hint-vlt {integer}

set vrrp-virtual-mac6 [enable|disable]

set vrip6_link_local {ipv6-address}

config vrrp6

Description: IPv6 VRRP configuration.

edit <vrid>

set vrgrp {integer}

set vrip6 {ipv6-address}

set priority {integer}

set adv-interval {integer}

set start-time {integer}

set preempt [enable|disable]

set accept-mode [enable|disable]

set vrdst6 {ipv6-address}

set status [enable|disable]

next

end

end

next

end

config system interface

Parameter

Description

Type

Size

vdom

Interface is in this virtual domain (VDOM).

string

Not Specified

vrf

Virtual Routing Forwarding ID.

integer

Minimum value: 0 Maximum value: 31

cli-conn-status

CLI connection status.

integer

Minimum value: 0 Maximum value: 4294967295

fortilink

Enable FortiLink to dedicate this interface to manage other Fortinet devices.

option

-

Option

Description

enable

Enable FortiLink to dedicate this interface to managing FortiSwitch devices.

disable

Disable FortiLink; the interface is not dedicated to managing FortiSwitch devices.

mode

Addressing mode (static, DHCP, PPPoE).

option

-

Option

Description

static

Static setting.

dhcp

External DHCP client mode.

pppoe

External PPPoE mode.

distance

Distance for routes learned through PPPoE or DHCP, lower distance indicates preferred route.

integer

Minimum value: 1 Maximum value: 255

priority

Priority of learned routes.

integer

Minimum value: 0 Maximum value: 4294967295

dhcp-relay-interface-select-method

Specify how to select outgoing interface to reach server.

option

-

Option

Description

auto

Set outgoing interface automatically.

sdwan

Set outgoing interface by SD-WAN or policy routing rules.

specify

Set outgoing interface manually.

dhcp-relay-interface

Specify outgoing interface to reach server.

string

Not Specified

dhcp-relay-service

Enable/disable allowing this interface to act as a DHCP relay.

option

-

Option

Description

disable

None.

enable

DHCP relay agent.

dhcp-relay-ip

DHCP relay IP address.

user

Not Specified

dhcp-relay-request-all-server

Enable/disable sending DHCP request to all servers.

option

-

Option

Description

disable

Only send DHCP request to matching server.

enable

Sending DHCP request to all servers.

dhcp-relay-type

DHCP relay type (regular or IPsec).

option

-

Option

Description

regular

Regular DHCP relay.

ipsec

DHCP relay for IPsec.

dhcp-relay-agent-option

Enable/disable DHCP relay agent option.

option

-

Option

Description

enable

Enable DHCP relay agent option.

disable

Disable DHCP relay agent option.

management-ip

High Availability in-band management IP address of this interface.

ipv4-classnet-host

Not Specified

ip

Interface IPv4 address and subnet mask, syntax: X.X.X.X/24.

ipv4-classnet-host

Not Specified

allowaccess

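Permitted types of management access to this interface. Each option listed opens a service on the interface, so enable only what is needed; http and telnet are cleartext protocols, unlike https and ssh.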

option

-

Option

Description

ping

PING access.

https

HTTPS access.

ssh

SSH access.

snmp

SNMP access.

http

HTTP access.

telnet

TELNET access.

fgfm

FortiManager access.

radius-acct

RADIUS accounting access.

probe-response

Probe access.

fabric

Security Fabric access.

ftm

FTM access.

gwdetect

Enable/disable detect gateway alive for first.

option

-

Option

Description

enable

Enable detect gateway alive for first.

disable

Disable detect gateway alive for first.

ping-serv-status

PING server status.

integer

Minimum value: 0 Maximum value: 255

detectserver

Gateway's ping server for this IP.

user

Not Specified

detectprotocol

Protocols used to detect the server.

option

-

Option

Description

ping

PING.

tcp-echo

TCP echo.

udp-echo

UDP echo.

ha-priority

HA election priority for the PING server.

integer

Minimum value: 1 Maximum value: 50

fail-detect

Enable/disable fail detection features for this interface.

option

-

Option

Description

enable

Enable interface failed option status.

disable

Disable interface failed option status.

fail-detect-option

Options for detecting that this interface has failed.

option

-

Option

Description

detectserver

Use a ping server to determine if the interface has failed.

link-down

Use port detection to determine if the interface has failed.

fail-alert-method

Select link-failed-signal or link-down method to alert about a failed link.

option

-

Option

Description

link-failed-signal

Link-failed-signal.

link-down

Link-down.

fail-action-on-extender

Action on extender when the interface fails.

option

-

Option

Description

soft-restart

Soft-restart-on-extender.

hard-restart

Hard-restart-on-extender.

reboot

Reboot-on-extender.

fail-alert-interfaces <name>

Names of the FortiGate interfaces to which the link failure alert is sent.

Names of the non-virtual interface.

string

Maximum length: 79

dhcp-client-identifier

DHCP client identifier.

string

Not Specified

dhcp-renew-time

DHCP renew time in seconds; 0 means use the renew time provided by the server.

integer

Minimum value: 300 Maximum value: 604800

ipunnumbered

Unnumbered IP used for PPPoE interfaces for which no unique local address is provided.

ipv4-address

Not Specified

username

Username of the PPPoE account, provided by your ISP.

string

Not Specified

pppoe-unnumbered-negotiate

Enable/disable PPPoE unnumbered negotiation.

option

-

Option

Description

enable

Enable IP address negotiating for unnumbered.

disable

Disable IP address negotiating for unnumbered.

password

PPPoE account's password.

password

Not Specified

idle-timeout

PPPoE auto disconnect after idle timeout seconds, 0 means no timeout.

integer

Minimum value: 0 Maximum value: 32767

detected-peer-mtu

MTU of detected peer.

integer

Minimum value: 0 Maximum value: 4294967295

disc-retry-timeout

Time in seconds to wait before retrying to start a PPPoE discovery, 0 means no timeout.

integer

Minimum value: 0 Maximum value: 4294967295

padt-retry-timeout

PPPoE Active Discovery Terminate (PADT) used to terminate sessions after an idle time.

integer

Minimum value: 0 Maximum value: 4294967295

service-name

PPPoE service name.

string

Not Specified

ac-name

PPPoE server name.

string

Not Specified

lcp-echo-interval

Time in seconds between PPPoE Link Control Protocol (LCP) echo requests.

integer

Minimum value: 0 Maximum value: 32767

lcp-max-echo-fails

Maximum missed LCP echo messages before disconnect.

integer

Minimum value: 0 Maximum value: 32767

defaultgw

Enable to get the gateway IP from the DHCP or PPPoE server.

option

-

Option

Description

enable

Enable default gateway.

disable

Disable default gateway.

dns-server-override

Enable/disable use of DNS acquired by DHCP or PPPoE.

option

-

Option

Description

enable

Use DNS acquired by DHCP or PPPoE.

disable

Do not use DNS acquired by DHCP or PPPoE.

auth-type

PPP authentication type to use.

option

-

Option

Description

auto

Automatically choose authentication.

pap

PAP authentication (the password is sent to the peer unencrypted).

chap

CHAP authentication.

mschapv1

MS-CHAPv1 authentication.

mschapv2

MS-CHAPv2 authentication.

pptp-client

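Enable/disable PPTP client. PPTP's built-in authentication and encryption are widely regarded as weak, so do not rely on it alone to protect sensitive traffic.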

option

-

Option

Description

enable

Enable PPTP client.

disable

Disable PPTP client.

pptp-user

PPTP user name.

string

Not Specified

pptp-password

PPTP password.

password

Not Specified

pptp-server-ip

PPTP server IP address.

ipv4-address

Not Specified

pptp-auth-type

PPTP authentication type.

option

-

Option

Description

auto

Automatically choose authentication.

pap

PAP authentication (the password is sent to the peer unencrypted).

chap

CHAP authentication.

mschapv1

MS-CHAPv1 authentication.

mschapv2

MS-CHAPv2 authentication.

pptp-timeout

Idle timer in minutes (0 for disabled).

integer

Minimum value: 0 Maximum value: 65535

arpforward

Enable/disable ARP forwarding.

option

-

Option

Description

enable

Enable ARP forwarding.

disable

Disable ARP forwarding.

ndiscforward

Enable/disable NDISC forwarding.

option

-

Option

Description

enable

Enable NDISC forwarding.

disable

Disable NDISC forwarding.

broadcast-forward

Enable/disable broadcast forwarding.

option

-

Option

Description

enable

Enable broadcast forwarding.

disable

Disable broadcast forwarding.

bfd

Bidirectional Forwarding Detection (BFD) settings.

option

-

Option

Description

global

BFD behavior of this interface will be based on global configuration.

enable

Enable BFD on this interface and ignore global configuration.

disable

Disable BFD on this interface and ignore global configuration.

bfd-desired-min-tx

BFD desired minimal transmit interval.

integer

Minimum value: 1 Maximum value: 100000

bfd-detect-mult

BFD detection multiplier.

integer

Minimum value: 1 Maximum value: 50

bfd-required-min-rx

BFD required minimal receive interval.

integer

Minimum value: 1 Maximum value: 100000

l2forward

Enable/disable L2 forwarding.

option

-

Option

Description

enable

Enable L2 forwarding.

disable

Disable L2 forwarding.

icmp-send-redirect

Enable/disable ICMP send redirect.

option

-

Option

Description

enable

Enable ICMP send redirect.

disable

Disable ICMP send redirect.

icmp-accept-redirect

Enable/disable ICMP accept redirect.

option

-

Option

Description

enable

Enable ICMP accept redirect.

disable

Disable ICMP accept redirect.

vlanforward

Enable/disable traffic forwarding between VLANs on this interface.

option

-

Option

Description

enable

Enable traffic forwarding.

disable

Disable traffic forwarding.

stpforward

Enable/disable STP forwarding.

option

-

Option

Description

enable

Enable STP forwarding.

disable

Disable STP forwarding.

stpforward-mode

Configure STP forwarding mode.

option

-

Option

Description

rpl-all-ext-id

Replace all extension IDs (root, bridge).

rpl-bridge-ext-id

Replace the bridge extension ID only.

rpl-nothing

Replace nothing.

ips-sniffer-mode

Enable/disable the use of this interface as a one-armed sniffer.

option

-

Option

Description

enable

Enable IPS sniffer mode.

disable

Disable IPS sniffer mode.

ident-accept

Enable/disable authentication for this interface.

option

-

Option

Description

enable

Enable determining a user's identity from packet identification.

disable

Disable determining a user's identity from packet identification.

ipmac

Enable/disable IP/MAC binding.

option

-

Option

Description

enable

Enable IP/MAC binding.

disable

Disable IP/MAC binding.

subst

Enable to always send packets from this interface to a destination MAC address.

option

-

Option

Description

enable

Send packets from this interface.

disable

Do not send packets from this interface.

macaddr

Change the interface's MAC address.

mac-address

Not Specified

substitute-dst-mac

Destination MAC address that all packets are sent to from this interface.

mac-address

Not Specified

poe *

Enable/disable PoE status.

option

-

Option

Description

enable

Enable PoE status.

disable

Disable PoE status.

speed

Interface speed. The default setting and the options available depend on the interface hardware.

option

-

Option

Description

auto

Automatically adjust speed.

10full

10M full-duplex.

10half

10M half-duplex.

100full

100M full-duplex.

100half

100M half-duplex.

1000full

1000M full-duplex.

1000half

1000M half-duplex.

1000auto

1000M auto adjust.

status

Bring the interface up or shut the interface down.

option

-

Option

Description

up

Bring the interface up.

down

Shut the interface down.

netbios-forward

Enable/disable NETBIOS forwarding.

option

-

Option

Description

disable

Disable NETBIOS forwarding.

enable

Enable NETBIOS forwarding.

wins-ip

WINS server IP.

ipv4-address

Not Specified

type

Interface type.

option

-

Option

Description

physical

Physical interface.

vlan

VLAN interface.

aggregate

Aggregate interface.

redundant

Redundant interface.

tunnel

Tunnel interface.

vdom-link

VDOM link interface.

loopback

Loopback interface.

switch

Software switch interface.

hard-switch

Hardware switch interface.

vap-switch

VAP interface.

wl-mesh

WLAN mesh interface.

fext-wan

FortiExtender interface.

vxlan

VXLAN interface.

geneve

GENEVE interface.

hdlc

T1/E1 interface.

switch-vlan

Switch VLAN interface.

emac-vlan

EMAC VLAN interface.

dedicated-to

Configure interface for single purpose.

option

-

Option

Description

none

Interface not dedicated for any purpose.

management

Dedicate this interface for management purposes only.

trust-ip-1

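Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts). The all-hosts value removes the source restriction, so list specific administrative hosts or subnets where possible.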

ipv4-classnet-any

Not Specified

trust-ip-2

Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts).

ipv4-classnet-any

Not Specified

trust-ip-3

Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts).

ipv4-classnet-any

Not Specified

trust-ip6-1

Trusted IPv6 host for dedicated management traffic (::/0 for all hosts).

ipv6-prefix

Not Specified

trust-ip6-2

Trusted IPv6 host for dedicated management traffic (::/0 for all hosts).

ipv6-prefix

Not Specified

trust-ip6-3

Trusted IPv6 host for dedicated management traffic (::/0 for all hosts).

ipv6-prefix

Not Specified

mtu-override

Enable to set a custom MTU for this interface.

option

-

Option

Description

enable

Override default MTU.

disable

Use default MTU (1500).

mtu

MTU value for this interface.

integer

Minimum value: 0 Maximum value: 4294967295

wccp

Enable/disable WCCP on this interface. Used for encapsulated WCCP communication between WCCP clients and servers.

option

-

Option

Description

enable

Enable WCCP protocol on this interface.

disable

Disable WCCP protocol on this interface.

netflow-sampler

Enable/disable NetFlow on this interface and set the data that NetFlow collects (rx, tx, or both).

option

-

Option

Description

disable

Disable NetFlow protocol on this interface.

tx

Monitor transmitted traffic on this interface.

rx

Monitor received traffic on this interface.

both

Monitor transmitted/received traffic on this interface.

sflow-sampler

Enable/disable sFlow on this interface.

option

-

Option

Description

enable

Enable sFlow protocol on this interface.

disable

Disable sFlow protocol on this interface.

drop-overlapped-fragment

Enable/disable dropping of overlapped fragment packets.

option

-

Option

Description

enable

Enable drop of overlapped fragment packets.

disable

Disable drop of overlapped fragment packets.

drop-fragment

Enable/disable dropping of fragment packets.

option

-

Option

Description

enable

Drop fragment packets.

disable

Do not drop fragment packets.

src-check

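Enable/disable source IP check (a reverse path check: the packet's source address must be reachable through the interface it arrived on, which helps reject spoofed sources).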

option

-

Option

Description

enable

Enable source IP check.

disable

Disable source IP check.

sample-rate

sFlow sample rate.

integer

Minimum value: 10 Maximum value: 99999

polling-interval

sFlow polling interval.

integer

Minimum value: 1 Maximum value: 255

sample-direction

Data that NetFlow collects (rx, tx, or both).

option

-

Option

Description

tx

Monitor transmitted traffic on this interface.

rx

Monitor received traffic on this interface.

both

Monitor transmitted/received traffic on this interface.

explicit-web-proxy

Enable/disable the explicit web proxy on this interface.

option

-

Option

Description

enable

Enable explicit Web proxy on this interface.

disable

Disable explicit Web proxy on this interface.

explicit-ftp-proxy

Enable/disable the explicit FTP proxy on this interface.

option

-

Option

Description

enable

Enable explicit FTP proxy on this interface.

disable

Disable explicit FTP proxy on this interface.

proxy-captive-portal

Enable/disable proxy captive portal on this interface.

option

-

Option

Description

enable

Enable proxy captive portal on this interface.

disable

Disable proxy captive portal on this interface.

tcp-mss

TCP maximum segment size. 0 means do not change segment size.

integer

Minimum value: 0 Maximum value: 4294967295

inbandwidth

Bandwidth limit for incoming traffic; 0 means unlimited.

integer

Minimum value: 0 Maximum value: 16776000

outbandwidth

Bandwidth limit for outgoing traffic.

integer

Minimum value: 0 Maximum value: 16776000

egress-shaping-profile

Outgoing traffic shaping profile.

string

Not Specified

ingress-shaping-profile

Incoming traffic shaping profile.

string

Not Specified

disconnect-threshold

Time in milliseconds to wait before sending a notification that this interface is down or disconnected.

integer

Minimum value: 0 Maximum value: 10000

spillover-threshold

Egress spillover threshold; 0 means unlimited.

integer

Minimum value: 0 Maximum value: 16776000

ingress-spillover-threshold

Ingress spillover threshold.

integer

Minimum value: 0 Maximum value: 16776000

weight

Default weight for static routes (if route has no weight configured).

integer

Minimum value: 0 Maximum value: 255

interface

Interface name.

string

Not Specified

external

Enable/disable identifying the interface as an external interface (which usually means it's connected to the Internet).

option

-

Option

Description

enable

Enable identifying the interface as an external interface.

disable

Disable identifying the interface as an external interface.

vlanid

VLAN ID.

integer

Minimum value: 1 Maximum value: 4094

trunk *

Enable/disable VLAN trunk.

option

-

Option

Description

enable

Enable VLAN trunk on this interface.

disable

Disable VLAN trunk on this interface.

forward-domain

Transparent mode forward domain.

integer

Minimum value: 0 Maximum value: 2147483647

remote-ip

Remote IP address of tunnel.

ipv4-classnet-host

Not Specified

member <interface-name>

Physical interfaces that belong to the aggregate or redundant interface.

Physical interface name.

string

Maximum length: 79

lacp-mode

LACP mode.

option

-

Option

Description

static

Use static aggregation, do not send and ignore any LACP messages.

passive

Passively use LACP to negotiate 802.3ad aggregation.

active

Actively use LACP to negotiate 802.3ad aggregation.

lacp-ha-slave

LACP HA slave.

option

-

Option

Description

enable

Allow HA slave to send/receive LACP messages.

disable

Block HA slave from sending/receiving LACP messages.

lacp-speed

How often the interface sends LACP messages.

option

-

Option

Description

slow

Send LACP message every 30 seconds.

fast

Send LACP message every second.

min-links

Minimum number of aggregated ports that must be up.

integer

Minimum value: 1 Maximum value: 32

min-links-down

Action to take when fewer than the configured minimum number of links are active.

option

-

Option

Description

operational

Set the aggregate operationally down.

administrative

Set the aggregate administratively down.

algorithm

Frame distribution algorithm.

option

-

Option

Description

L2

Use layer 2 address for distribution.

L3

Use layer 3 address for distribution.

L4

Use layer 4 information for distribution.

link-up-delay

Number of milliseconds to wait before considering a link to be up.

integer

Minimum value: 50 Maximum value: 3600000

priority-override

Enable/disable fail back to higher priority port once recovered.

option

-

Option

Description

enable

Enable fail back to higher priority port once recovered.

disable

Disable fail back to higher priority port once recovered.

aggregate

Aggregate interface.

string

Not Specified

redundant-interface

Redundant interface.

string

Not Specified

devindex

Device Index.

integer

Minimum value: 0 Maximum value: 4294967295

vindex

Switch control interface VLAN ID.

integer

Minimum value: 0 Maximum value: 65535

switch

Contained in switch.

string

Not Specified

description

Description.

var-string

Not Specified

alias

Alias will be displayed with the interface name to make it easier to distinguish.

string

Not Specified

l2tp-client *

Enable/disable this interface as a Layer 2 Tunnelling Protocol (L2TP) client.

option

-

Option

Description

enable

Enable L2TP client.

disable

Disable L2TP client.

security-mode

Turn on captive portal authentication for this interface.

option

-

Option

Description

none

No security option.

captive-portal

Captive portal authentication.

802.1X

802.1X port-based authentication.

security-mac-auth-bypass

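Enable/disable MAC authentication bypass. Because a client can change its MAC address, treat devices admitted this way as weakly authenticated.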

option

-

Option

Description

mac-auth-only

Enable MAC authentication bypass without EAP.

enable

Enable MAC authentication bypass.

disable

Disable MAC authentication bypass.

security-8021x-mode *

802.1X mode.

option

-

Option

Description

default

802.1X default mode.

dynamic-vlan

802.1X dynamic VLAN (master) mode.

fallback

802.1X fallback (master) mode.

slave

802.1X slave mode.

security-8021x-master *

802.1X master virtual-switch.

string

Not Specified

security-8021x-dynamic-vlan-id *

VLAN ID for virtual switch.

integer

Minimum value: 0 Maximum value: 4094

security-external-web

URL of external authentication web server.

string

Not Specified

security-external-logout

URL of external authentication logout server.

string

Not Specified

replacemsg-override-group

Replacement message override group.

string

Not Specified

security-redirect-url

URL redirection after disclaimer/authentication.

string

Not Specified

security-exempt-list

Name of security-exempt-list.

string

Not Specified

security-groups <name>

User groups that can authenticate with the captive portal.

Names of user groups that can authenticate with the captive portal.

string

Maximum length: 79

stp *

Enable/disable STP.

option

-

Option

Description

disable

Disable STP.

enable

Enable STP.

stp-ha-slave *

Control STP behaviour on HA slave.

option

-

Option

Description

disable

Disable STP negotiation on HA slave.

enable

Enable STP negotiation on HA slave.

priority-adjust

Enable STP negotiation on HA slave and make priority lower than HA master.

device-identification

Enable/disable passive gathering of device identity information about the devices on the network connected to this interface.

option

-

Option

Description

enable

Enable passive gathering of identity information about hosts.

disable

Disable passive gathering of identity information about hosts.

device-user-identification

Enable/disable passive gathering of user identity information about users on this interface.

option

-

Option

Description

enable

Enable passive gathering of user identity information about users.

disable

Disable passive gathering of user identity information about users.

lldp-reception

Enable/disable Link Layer Discovery Protocol (LLDP) reception.

option

-

Option

Description

enable

Enable reception of Link Layer Discovery Protocol (LLDP).

disable

Disable reception of Link Layer Discovery Protocol (LLDP).

vdom

Use VDOM Link Layer Discovery Protocol (LLDP) reception configuration setting.

lldp-transmission

Enable/disable Link Layer Discovery Protocol (LLDP) transmission.

option

-

Option

Description

enable

Enable transmission of Link Layer Discovery Protocol (LLDP).

disable

Disable transmission of Link Layer Discovery Protocol (LLDP).

vdom

Use VDOM Link Layer Discovery Protocol (LLDP) transmission configuration setting.

lldp-network-policy

LLDP-MED network policy profile.

string

Not Specified

broadcast-forticlient-discovery

Enable/disable broadcasting FortiClient discovery messages.

option

-

Option

Description

enable

Enable broadcasting FortiClient discovery messages.

disable

Disable broadcasting FortiClient discovery messages.

estimated-upstream-bandwidth

Estimated maximum upstream bandwidth (kbps). Used to estimate link utilization.

integer

Minimum value: 0 Maximum value: 4294967295

estimated-downstream-bandwidth

Estimated maximum downstream bandwidth (kbps). Used to estimate link utilization.

integer

Minimum value: 0 Maximum value: 4294967295

vrrp-virtual-mac

Enable/disable use of virtual MAC for VRRP.

option

-

Option

Description

enable

Enable use of virtual MAC for VRRP.

disable

Disable use of virtual MAC for VRRP.

role

Interface role.

option

-

Option

Description

lan

Connected to local network of endpoints.

wan

Connected to Internet.

dmz

Connected to server zone.

undefined

Interface has no specific role.

snmp-index

Permanent SNMP Index of the interface.

integer

Minimum value: 0 Maximum value: 4294967295

secondary-IP

Enable/disable adding a secondary IP to this interface.

option

-

Option

Description

enable

Enable secondary IP.

disable

Disable secondary IP.

preserve-session-route

Enable/disable preservation of session route when dirty.

option

-

Option

Description

enable

Enable preservation of session route when dirty.

disable

Disable preservation of session route when dirty.

auto-auth-extension-device

Enable/disable automatic authorization of dedicated Fortinet extension device on this interface.

option

-

Option

Description

enable

Enable automatic authorization of dedicated Fortinet extension device on this interface.

disable

Disable automatic authorization of dedicated Fortinet extension device on this interface.

ap-discover

Enable/disable automatic registration of unknown FortiAP devices.

option

-

Option

Description

enable

Enable automatic registration of unknown FortiAP devices.

disable

Disable automatic registration of unknown FortiAP devices.

fortilink-stacking

Enable/disable FortiLink switch-stacking on this interface.

option

-

Option

Description

enable

Enable FortiLink switch stacking.

disable

Disable FortiLink switch stacking.

fortilink-neighbor-detect

Protocol for FortiGate neighbor discovery.

option

-

Option

Description

lldp

Detect FortiLink neighbors using LLDP protocol.

fortilink

Detect FortiLink neighbors using FortiLink protocol.

fortilink-split-interface

Enable/disable FortiLink split interface to connect member link to different FortiSwitch in stack for uplink redundancy.

option

-

Option

Description

enable

Enable FortiLink split interface to connect member link to different FortiSwitch in stack for uplink redundancy.

disable

Disable FortiLink split interface.

internal

Implicitly created.

integer

Minimum value: 0 Maximum value: 255

fortilink-backup-link

FortiLink split interface backup link.

integer

Minimum value: 0 Maximum value: 255

switch-controller-access-vlan

Block FortiSwitch port-to-port traffic.

option

-

Option

Description

enable

Block FortiSwitch port-to-port traffic on the VLAN, only permitting traffic to and from the FortiGate.

disable

Allow normal VLAN traffic.

switch-controller-traffic-policy

Switch controller traffic policy for the VLAN.

string

Not Specified

switch-controller-rspan-mode

Stop Layer2 MAC learning and interception of BPDUs and other packets on this interface.

option

-

Option

Description

disable

Disable RSPAN passthrough mode on this VLAN interface.

enable

Enable RSPAN passthrough mode on this VLAN interface.

switch-controller-igmp-snooping

Switch controller IGMP snooping.

option

-

Option

Description

enable

Enable IGMP snooping.

disable

Disable IGMP snooping.

switch-controller-igmp-snooping-proxy

Switch controller IGMP snooping proxy.

option

-

Option

Description

enable

Enable IGMP snooping proxy.

disable

Disable IGMP snooping proxy.

switch-controller-igmp-snooping-fast-leave

Switch controller IGMP snooping fast-leave.

option

-

Option

Description

enable

Enable IGMP snooping fast-leave.

disable

Disable IGMP snooping fast-leave.

switch-controller-dhcp-snooping

Switch controller DHCP snooping.

option

-

Option

Description

enable

Enable DHCP snooping for FortiSwitch devices.

disable

Disable DHCP snooping for FortiSwitch devices.

switch-controller-dhcp-snooping-verify-mac

Switch controller DHCP snooping verify MAC.

option

-

Option

Description

enable

Enable DHCP snooping verify source MAC for FortiSwitch devices.

disable

Disable DHCP snooping verify source MAC for FortiSwitch devices.

switch-controller-dhcp-snooping-option82

Switch controller DHCP snooping option82.

option

-

Option

Description

enable

Enable DHCP snooping insert option82 for FortiSwitch devices.

disable

Disable DHCP snooping insert option82 for FortiSwitch devices.

switch-controller-arp-inspection

Enable/disable FortiSwitch ARP inspection.

option

-

Option

Description

enable

Enable ARP inspection for FortiSwitch devices.

disable

Disable ARP inspection for FortiSwitch devices.

switch-controller-learning-limit

Limit the number of dynamic MAC addresses on this VLAN.

integer

Minimum value: 0 Maximum value: 128

color

Color of icon on the GUI.

integer

Minimum value: 0 Maximum value: 32

* This parameter may not exist in some models.

config l2tp-client-settings

Parameter

Description

Type

Size

user

L2TP user name.

string

Not Specified

password

L2TP password.

password

Not Specified

peer-host

L2TP peer host address.

string

Not Specified

peer-mask

L2TP peer mask.

ipv4-netmask

Not Specified

peer-port

L2TP peer port number.

integer

Minimum value: 1 Maximum value: 65535

auth-type

L2TP authentication type.

option

-

Option

Description

auto

Automatically choose authentication.

pap

PAP authentication (the password is sent to the peer in cleartext).

chap

CHAP authentication.

mschapv1

MS-CHAPv1 authentication.

mschapv2

MS-CHAPv2 authentication.

mtu

L2TP MTU.

integer

Minimum value: 40 Maximum value: 65535

distance

Distance of learned routes.

integer

Minimum value: 1 Maximum value: 255

priority

Priority of learned routes.

integer

Minimum value: 0 Maximum value: 4294967295

defaultgw

Enable/disable default gateway.

option

-

Option

Description

enable

Enable default gateway.

disable

Disable default gateway.

ip

IP.

ipv4-classnet-host

Not Specified

config vrrp

Parameter

Description

Type

Size

version

VRRP version.

option

-

Option

Description

2

VRRP version 2.

3

VRRP version 3.

vrgrp

VRRP group ID.

integer

Minimum value: 1 Maximum value: 65535

vrip

IP address of the virtual router.

ipv4-address-any

Not Specified

priority

Priority of the virtual router.

integer

Minimum value: 1 Maximum value: 255

adv-interval

Advertisement interval.

integer

Minimum value: 1 Maximum value: 255

start-time

Startup time.

integer

Minimum value: 1 Maximum value: 255

preempt

Enable/disable preempt mode.

option

-

Option

Description

enable

Enable preempt mode.

disable

Disable preempt mode.

accept-mode

Enable/disable accept mode.

option

-

Option

Description

enable

Enable accept mode.

disable

Disable accept mode.

vrdst

Monitor the route to this destination.

ipv4-address-any

Not Specified

vrdst-priority

Priority of the virtual router when the virtual router destination becomes unreachable.

integer

Minimum value: 0 Maximum value: 254

ignore-default-route

Enable/disable ignoring of default route when checking destination.

option

-

Option

Description

enable

Enable ignoring of default route when checking destination.

disable

Disable ignoring of default route when checking destination.

status

Enable/disable this VRRP configuration.

option

-

Option

Description

enable

Enable this VRRP configuration.

disable

Disable this VRRP configuration.

config proxy-arp

Parameter

Description

Type

Size

ip

Set IP addresses of proxy ARP.

user

Not Specified

config secondaryip

Parameter

Description

Type

Size

ip

Secondary IP address of the interface.

ipv4-classnet-host

Not Specified

allowaccess

Management access settings for the secondary IP address.

option

-

Option

Description

ping

PING access.

https

HTTPS access.

ssh

SSH access.

snmp

SNMP access.

http

HTTP access (unencrypted; HTTPS is the encrypted alternative).

telnet

TELNET access (unencrypted; SSH is the encrypted alternative).

fgfm

FortiManager access.

radius-acct

RADIUS accounting access.

probe-response

Probe access.

fabric

Security Fabric access.

ftm

FTM access.

gwdetect

Enable/disable detect gateway alive for first.

option

-

Option

Description

enable

Enable detect gateway alive for first.

disable

Disable detect gateway alive for first.

ping-serv-status

PING server status.

integer

Minimum value: 0 Maximum value: 255

detectserver

Gateway's ping server for this IP.

user

Not Specified

detectprotocol

Protocols used to detect the server.

option

-

Option

Description

ping

PING.

tcp-echo

TCP echo.

udp-echo

UDP echo.

ha-priority

HA election priority for the PING server.

integer

Minimum value: 1 Maximum value: 50

config tagging

Parameter

Description

Type

Size

category

Tag category.

string

Not Specified

tags <name>

Tags.

Tag name.

string

Maximum length: 79

config ipv6

Parameter

Description

Type

Size

ip6-mode

Addressing mode (static, DHCP, delegated).

option

-

Option

Description

static

Static setting.

dhcp

DHCPv6 client mode.

pppoe

IPv6 over PPPoE mode.

delegated

IPv6 address with delegated prefix.

nd-mode

Neighbor discovery mode.

option

-

Option

Description

basic

Do not support SEND.

SEND-compatible

Support SEND.

nd-cert

Neighbor discovery certificate.

string

Not Specified

nd-security-level

Neighbor discovery security level.

integer

Minimum value: 0 Maximum value: 7

nd-timestamp-delta

Neighbor discovery timestamp delta value.

integer

Minimum value: 1 Maximum value: 3600

nd-timestamp-fuzz

Neighbor discovery timestamp fuzz factor.

integer

Minimum value: 1 Maximum value: 60

nd-cga-modifier

Neighbor discovery CGA modifier.

user

Not Specified

ip6-dns-server-override

Enable/disable using the DNS server acquired by DHCP.

option

-

Option

Description

enable

Enable using the DNS server acquired by DHCP.

disable

Disable using the DNS server acquired by DHCP.

ip6-address

Primary IPv6 address prefix, syntax: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx

ipv6-prefix

Not Specified

ip6-allowaccess

Allow management access to the interface.

option

-

Option

Description

ping

PING access.

https

HTTPS access.

ssh

SSH access.

snmp

SNMP access.

http

HTTP access (unencrypted; HTTPS is the encrypted alternative).

telnet

TELNET access (unencrypted; SSH is the encrypted alternative).

fgfm

FortiManager access.

fabric

Fabric access.

ip6-send-adv

Enable/disable sending advertisements about the interface.

option

-

Option

Description

enable

Enable sending advertisements about this interface.

disable

Disable sending advertisements about this interface.

ip6-manage-flag

Enable/disable the managed flag.

option

-

Option

Description

enable

Enable the managed IPv6 flag.

disable

Disable the managed IPv6 flag.

ip6-other-flag

Enable/disable the other IPv6 flag.

option

-

Option

Description

enable

Enable the other IPv6 flag.

disable

Disable the other IPv6 flag.

ip6-max-interval

IPv6 maximum interval (4 to 1800 sec).

integer

Minimum value: 4 Maximum value: 1800

ip6-min-interval

IPv6 minimum interval (3 to 1350 sec).

integer

Minimum value: 3 Maximum value: 1350

ip6-link-mtu

IPv6 link MTU.

integer

Minimum value: 1280 Maximum value: 16000

ip6-reachable-time

IPv6 reachable time (milliseconds; 0 means unspecified).

integer

Minimum value: 0 Maximum value: 3600000

ip6-retrans-time

IPv6 retransmit time (milliseconds; 0 means unspecified).

integer

Minimum value: 0 Maximum value: 4294967295

ip6-default-life

Default life (sec).

integer

Minimum value: 0 Maximum value: 9000

ip6-hop-limit

Hop limit (0 means unspecified).

integer

Minimum value: 0 Maximum value: 255

autoconf

Enable/disable address auto config.

option

-

Option

Description

enable

Enable auto-configuration.

disable

Disable auto-configuration.

ip6-upstream-interface

Interface name providing delegated information.

string

Not Specified

ip6-subnet

Subnet to routing prefix, syntax: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx

ipv6-prefix

Not Specified

dhcp6-relay-service

Enable/disable DHCPv6 relay.

option

-

Option

Description

disable

Disable DHCPv6 relay.

enable

Enable DHCPv6 relay.

dhcp6-relay-type

DHCPv6 relay type.

option

-

Option

Description

regular

Regular DHCP relay.

dhcp6-relay-ip

DHCPv6 relay IP address.

user

Not Specified

dhcp6-client-options

DHCPv6 client options.

option

-

Option

Description

rapid

Send rapid commit option.

iapd

Send including IA-PD option.

iana

Send including IA-NA option.

dhcp6-prefix-delegation

Enable/disable DHCPv6 prefix delegation.

option

-

Option

Description

enable

Enable DHCPv6 prefix delegation.

disable

Disable DHCPv6 prefix delegation.

dhcp6-information-request

Enable/disable DHCPv6 information request.

option

-

Option

Description

enable

Enable DHCPv6 information request.

disable

Disable DHCPv6 information request.

dhcp6-prefix-hint

DHCPv6 prefix that will be used as a hint to the upstream DHCPv6 server.

ipv6-network

Not Specified

dhcp6-prefix-hint-plt

DHCPv6 prefix hint preferred life time (sec), 0 means unlimited lease time.

integer

Minimum value: 0 Maximum value: 4294967295

dhcp6-prefix-hint-vlt

DHCPv6 prefix hint valid life time (sec).

integer

Minimum value: 0 Maximum value: 4294967295

vrrp-virtual-mac6

Enable/disable virtual MAC for VRRP.

option

-

Option

Description

enable

Enable virtual MAC for VRRP.

disable

Disable virtual MAC for VRRP.

vrip6_link_local

Link-local IPv6 address of virtual router.

ipv6-address

Not Specified

config ip6-prefix-list

Parameter

Description

Type

Size

autonomous-flag

Enable/disable the autonomous flag.

option

-

Option

Description

enable

Enable the autonomous flag.

disable

Disable the autonomous flag.

onlink-flag

Enable/disable the onlink flag.

option

-

Option

Description

enable

Enable the onlink flag.

disable

Disable the onlink flag.

valid-life-time

Valid life time (sec).

integer

Minimum value: 0 Maximum value: 4294967295

preferred-life-time

Preferred life time (sec).

integer

Minimum value: 0 Maximum value: 4294967295

rdnss

Recursive DNS server option.

user

Not Specified

dnssl <domain>

DNS search list option.

Domain name.

string

Maximum length: 79

config ip6-delegated-prefix-list

Parameter

Description

Type

Size

upstream-interface

Name of the interface that provides delegated information.

string

Not Specified

autonomous-flag

Enable/disable the autonomous flag.

option

-

Option

Description

enable

Enable the autonomous flag.

disable

Disable the autonomous flag.

onlink-flag

Enable/disable the onlink flag.

option

-

Option

Description

enable

Enable the onlink flag.

disable

Disable the onlink flag.

subnet

Add subnet ID to routing prefix.

ipv6-network

Not Specified

rdnss-service

Recursive DNS service option.

option

-

Option

Description

delegated

Delegated RDNSS settings.

default

System RDNSS settings.

specify

Specify recursive DNS servers.

rdnss

Recursive DNS server option.

user

Not Specified

config vrrp6

Parameter

Description

Type

Size

vrgrp

VRRP group ID.

integer

Minimum value: 1 Maximum value: 65535

vrip6

IPv6 address of the virtual router.

ipv6-address

Not Specified

priority

Priority of the virtual router.

integer

Minimum value: 1 Maximum value: 255

adv-interval

Advertisement interval.

integer

Minimum value: 1 Maximum value: 255

start-time

Startup time.

integer

Minimum value: 1 Maximum value: 255

preempt

Enable/disable preempt mode.

option

-

Option

Description

enable

Enable preempt mode.

disable

Disable preempt mode.

accept-mode

Enable/disable accept mode.

option

-

Option

Description

enable

Enable accept mode.

disable

Disable accept mode.

vrdst6

Monitor the route to this destination.

ipv6-address

Not Specified

status

Enable/disable VRRP.

option

-

Option

Description

enable

Enable VRRP.

disable

Disable VRRP.

config system interface

config system interface

Configure interfaces.

config system interface

Description: Configure interfaces.

edit <name>

set vdom {string}

set vrf {integer}

set cli-conn-status {integer}

set fortilink [enable|disable]

set mode [static|dhcp|...]

set distance {integer}

set priority {integer}

set dhcp-relay-interface-select-method [auto|sdwan|...]

set dhcp-relay-interface {string}

set dhcp-relay-service [disable|enable]

set dhcp-relay-ip {user}

set dhcp-relay-request-all-server [disable|enable]

set dhcp-relay-type [regular|ipsec]

set dhcp-relay-agent-option [enable|disable]

set management-ip {ipv4-classnet-host}

set ip {ipv4-classnet-host}

set allowaccess {option1}, {option2}, ...

set gwdetect [enable|disable]

set ping-serv-status {integer}

set detectserver {user}

set detectprotocol {option1}, {option2}, ...

set ha-priority {integer}

set fail-detect [enable|disable]

set fail-detect-option {option1}, {option2}, ...

set fail-alert-method [link-failed-signal|link-down]

set fail-action-on-extender [soft-restart|hard-restart|...]

set fail-alert-interfaces <name1>, <name2>, ...

set dhcp-client-identifier {string}

set dhcp-renew-time {integer}

set ipunnumbered {ipv4-address}

set username {string}

set pppoe-unnumbered-negotiate [enable|disable]

set password {password}

set idle-timeout {integer}

set detected-peer-mtu {integer}

set disc-retry-timeout {integer}

set padt-retry-timeout {integer}

set service-name {string}

set ac-name {string}

set lcp-echo-interval {integer}

set lcp-max-echo-fails {integer}

set defaultgw [enable|disable]

set dns-server-override [enable|disable]

set auth-type [auto|pap|...]

set pptp-client [enable|disable]

set pptp-user {string}

set pptp-password {password}

set pptp-server-ip {ipv4-address}

set pptp-auth-type [auto|pap|...]

set pptp-timeout {integer}

set arpforward [enable|disable]

set ndiscforward [enable|disable]

set broadcast-forward [enable|disable]

set bfd [global|enable|...]

set bfd-desired-min-tx {integer}

set bfd-detect-mult {integer}

set bfd-required-min-rx {integer}

set l2forward [enable|disable]

set icmp-send-redirect [enable|disable]

set icmp-accept-redirect [enable|disable]

set vlanforward [enable|disable]

set stpforward [enable|disable]

set stpforward-mode [rpl-all-ext-id|rpl-bridge-ext-id|...]

set ips-sniffer-mode [enable|disable]

set ident-accept [enable|disable]

set ipmac [enable|disable]

set subst [enable|disable]

set macaddr {mac-address}

set substitute-dst-mac {mac-address}

set poe [enable|disable]

set speed [auto|10full|...]

set status [up|down]

set netbios-forward [disable|enable]

set wins-ip {ipv4-address}

set type [physical|vlan|...]

set dedicated-to [none|management]

set trust-ip-1 {ipv4-classnet-any}

set trust-ip-2 {ipv4-classnet-any}

set trust-ip-3 {ipv4-classnet-any}

set trust-ip6-1 {ipv6-prefix}

set trust-ip6-2 {ipv6-prefix}

set trust-ip6-3 {ipv6-prefix}

set mtu-override [enable|disable]

set mtu {integer}

set wccp [enable|disable]

set netflow-sampler [disable|tx|...]

set sflow-sampler [enable|disable]

set drop-overlapped-fragment [enable|disable]

set drop-fragment [enable|disable]

set src-check [enable|disable]

set sample-rate {integer}

set polling-interval {integer}

set sample-direction [tx|rx|...]

set explicit-web-proxy [enable|disable]

set explicit-ftp-proxy [enable|disable]

set proxy-captive-portal [enable|disable]

set tcp-mss {integer}

set inbandwidth {integer}

set outbandwidth {integer}

set egress-shaping-profile {string}

set ingress-shaping-profile {string}

set disconnect-threshold {integer}

set spillover-threshold {integer}

set ingress-spillover-threshold {integer}

set weight {integer}

set interface {string}

set external [enable|disable]

set vlanid {integer}

set trunk [enable|disable]

set forward-domain {integer}

set remote-ip {ipv4-classnet-host}

set member <interface-name1>, <interface-name2>, ...

set lacp-mode [static|passive|...]

set lacp-ha-slave [enable|disable]

set lacp-speed [slow|fast]

set min-links {integer}

set min-links-down [operational|administrative]

set algorithm [L2|L3|...]

set link-up-delay {integer}

set priority-override [enable|disable]

set aggregate {string}

set redundant-interface {string}

set devindex {integer}

set vindex {integer}

set switch {string}

set description {var-string}

set alias {string}

set l2tp-client [enable|disable]

config l2tp-client-settings

Description: L2TP client settings.

set user {string}

set password {password}

set peer-host {string}

set peer-mask {ipv4-netmask}

set peer-port {integer}

set auth-type [auto|pap|...]

set mtu {integer}

set distance {integer}

set priority {integer}

set defaultgw [enable|disable]

set ip {ipv4-classnet-host}

end

set security-mode [none|captive-portal|...]

set security-mac-auth-bypass [mac-auth-only|enable|...]

set security-8021x-mode [default|dynamic-vlan|...]

set security-8021x-master {string}

set security-8021x-dynamic-vlan-id {integer}

set security-external-web {string}

set security-external-logout {string}

set replacemsg-override-group {string}

set security-redirect-url {string}

set security-exempt-list {string}

set security-groups <name1>, <name2>, ...

set stp [disable|enable]

set stp-ha-slave [disable|enable|...]

set device-identification [enable|disable]

set device-user-identification [enable|disable]

set lldp-reception [enable|disable|...]

set lldp-transmission [enable|disable|...]

set lldp-network-policy {string}

set broadcast-forticlient-discovery [enable|disable]

set estimated-upstream-bandwidth {integer}

set estimated-downstream-bandwidth {integer}

set vrrp-virtual-mac [enable|disable]

config vrrp

Description: VRRP configuration.

edit <vrid>

set version [2|3]

set vrgrp {integer}

set vrip {ipv4-address-any}

set priority {integer}

set adv-interval {integer}

set start-time {integer}

set preempt [enable|disable]

set accept-mode [enable|disable]

set vrdst {ipv4-address-any}

set vrdst-priority {integer}

set ignore-default-route [enable|disable]

set status [enable|disable]

config proxy-arp

Description: VRRP Proxy ARP configuration.

edit <id>

set ip {user}

next

end

next

end

set role [lan|wan|...]

set snmp-index {integer}

set secondary-IP [enable|disable]

config secondaryip

Description: Second IP address of interface.

edit <id>

set ip {ipv4-classnet-host}

set allowaccess {option1}, {option2}, ...

set gwdetect [enable|disable]

set ping-serv-status {integer}

set detectserver {user}

set detectprotocol {option1}, {option2}, ...

set ha-priority {integer}

next

end

set preserve-session-route [enable|disable]

set auto-auth-extension-device [enable|disable]

set ap-discover [enable|disable]

set fortilink-stacking [enable|disable]

set fortilink-neighbor-detect [lldp|fortilink]

set fortilink-split-interface [enable|disable]

set internal {integer}

set fortilink-backup-link {integer}

set switch-controller-access-vlan [enable|disable]

set switch-controller-traffic-policy {string}

set switch-controller-rspan-mode [disable|enable]

set switch-controller-igmp-snooping [enable|disable]

set switch-controller-igmp-snooping-proxy [enable|disable]

set switch-controller-igmp-snooping-fast-leave [enable|disable]

set switch-controller-dhcp-snooping [enable|disable]

set switch-controller-dhcp-snooping-verify-mac [enable|disable]

set switch-controller-dhcp-snooping-option82 [enable|disable]

set switch-controller-arp-inspection [enable|disable]

set switch-controller-learning-limit {integer}

set color {integer}

config tagging

Description: Config object tagging.

edit <name>

set category {string}

set tags <name1>, <name2>, ...

next

end

config ipv6

Description: IPv6 of interface.

set ip6-mode [static|dhcp|...]

set nd-mode [basic|SEND-compatible]

set nd-cert {string}

set nd-security-level {integer}

set nd-timestamp-delta {integer}

set nd-timestamp-fuzz {integer}

set nd-cga-modifier {user}

set ip6-dns-server-override [enable|disable]

set ip6-address {ipv6-prefix}

config ip6-extra-addr

Description: Extra IPv6 address prefixes of interface.

edit <prefix>

next

end

set ip6-allowaccess {option1}, {option2}, ...

set ip6-send-adv [enable|disable]

set ip6-manage-flag [enable|disable]

set ip6-other-flag [enable|disable]

set ip6-max-interval {integer}

set ip6-min-interval {integer}

set ip6-link-mtu {integer}

set ip6-reachable-time {integer}

set ip6-retrans-time {integer}

set ip6-default-life {integer}

set ip6-hop-limit {integer}

set autoconf [enable|disable]

set ip6-upstream-interface {string}

set ip6-subnet {ipv6-prefix}

config ip6-prefix-list

Description: Advertised prefix list.

edit <prefix>

set autonomous-flag [enable|disable]

set onlink-flag [enable|disable]

set valid-life-time {integer}

set preferred-life-time {integer}

set rdnss {user}

set dnssl <domain1>, <domain2>, ...

next

end

config ip6-delegated-prefix-list

Description: Advertised IPv6 delegated prefix list.

edit <prefix-id>

set upstream-interface {string}

set autonomous-flag [enable|disable]

set onlink-flag [enable|disable]

set subnet {ipv6-network}

set rdnss-service [delegated|default|...]

set rdnss {user}

next

end

set dhcp6-relay-service [disable|enable]

set dhcp6-relay-type {option}

set dhcp6-relay-ip {user}

set dhcp6-client-options {option1}, {option2}, ...

set dhcp6-prefix-delegation [enable|disable]

set dhcp6-information-request [enable|disable]

set dhcp6-prefix-hint {ipv6-network}

set dhcp6-prefix-hint-plt {integer}

set dhcp6-prefix-hint-vlt {integer}

set vrrp-virtual-mac6 [enable|disable]

set vrip6_link_local {ipv6-address}

config vrrp6

Description: IPv6 VRRP configuration.

edit <vrid>

set vrgrp {integer}

set vrip6 {ipv6-address}

set priority {integer}

set adv-interval {integer}

set start-time {integer}

set preempt [enable|disable]

set accept-mode [enable|disable]

set vrdst6 {ipv6-address}

set status [enable|disable]

next

end

end

next

end

config system interface

Parameter

Description

Type

Size

vdom

Interface is in this virtual domain (VDOM).

string

Not Specified

vrf

Virtual Routing Forwarding ID.

integer

Minimum value: 0 Maximum value: 31

cli-conn-status

CLI connection status.

integer

Minimum value: 0 Maximum value: 4294967295

fortilink

Enable FortiLink to dedicate this interface to manage other Fortinet devices.

option

-

Option

Description

enable

Enable FortiLink, dedicating this interface to managing FortiSwitch devices.

disable

Disable FortiLink (the interface is not dedicated to managing FortiSwitch devices).

mode

Addressing mode (static, DHCP, PPPoE).

option

-

Option

Description

static

Static setting.

dhcp

External DHCP client mode.

pppoe

External PPPoE mode.

distance

Distance for routes learned through PPPoE or DHCP, lower distance indicates preferred route.

integer

Minimum value: 1 Maximum value: 255

priority

Priority of learned routes.

integer

Minimum value: 0 Maximum value: 4294967295

dhcp-relay-interface-select-method

Specify how to select outgoing interface to reach server.

option

-

Option

Description

auto

Set outgoing interface automatically.

sdwan

Set outgoing interface by SD-WAN or policy routing rules.

specify

Set outgoing interface manually.

dhcp-relay-interface

Specify outgoing interface to reach server.

string

Not Specified

dhcp-relay-service

Enable/disable allowing this interface to act as a DHCP relay.

option

-

Option

Description

disable

None.

enable

DHCP relay agent.

dhcp-relay-ip

DHCP relay IP address.

user

Not Specified

dhcp-relay-request-all-server

Enable/disable sending DHCP request to all servers.

option

-

Option

Description

disable

Only send DHCP request to matching server.

enable

Sending DHCP request to all servers.

dhcp-relay-type

DHCP relay type (regular or IPsec).

option

-

Option

Description

regular

Regular DHCP relay.

ipsec

DHCP relay for IPsec.

dhcp-relay-agent-option

Enable/disable DHCP relay agent option.

option

-

Option

Description

enable

Enable DHCP relay agent option.

disable

Disable DHCP relay agent option.

management-ip

High Availability in-band management IP address of this interface.

ipv4-classnet-host

Not Specified

ip

Interface IPv4 address and subnet mask, syntax: X.X.X.X/24.

ipv4-classnet-host

Not Specified

allowaccess

Permitted types of management access to this interface.

option

-

Option

Description

ping

PING access.

https

HTTPS access.

ssh

SSH access.

snmp

SNMP access.

http

HTTP access (unencrypted; HTTPS is the encrypted alternative).

telnet

TELNET access (unencrypted; SSH is the encrypted alternative).

fgfm

FortiManager access.

radius-acct

RADIUS accounting access.

probe-response

Probe access.

fabric

Security Fabric access.

ftm

FTM access.

gwdetect

Enable/disable detect gateway alive for first.

option

-

Option

Description

enable

Enable detect gateway alive for first.

disable

Disable detect gateway alive for first.

ping-serv-status

PING server status.

integer

Minimum value: 0 Maximum value: 255

detectserver

Gateway's ping server for this IP.

user

Not Specified

detectprotocol

Protocols used to detect the server.

option

-

Option

Description

ping

PING.

tcp-echo

TCP echo.

udp-echo

UDP echo.

ha-priority

HA election priority for the PING server.

integer

Minimum value: 1 Maximum value: 50

fail-detect

Enable/disable fail detection features for this interface.

option

-

Option

Description

enable

Enable interface failed option status.

disable

Disable interface failed option status.

fail-detect-option

Options for detecting that this interface has failed.

option

-

Option

Description

detectserver

Use a ping server to determine if the interface has failed.

link-down

Use port detection to determine if the interface has failed.

fail-alert-method

Select link-failed-signal or link-down method to alert about a failed link.

option

-

Option

Description

link-failed-signal

Link-failed-signal.

link-down

Link-down.

fail-action-on-extender

Action on extender when interface fails.

option

-

Option

Description

soft-restart

Soft-restart-on-extender.

hard-restart

Hard-restart-on-extender.

reboot

Reboot-on-extender.

fail-alert-interfaces <name>

Names of the FortiGate interfaces to which the link failure alert is sent.

Names of the non-virtual interface.

string

Maximum length: 79

dhcp-client-identifier

DHCP client identifier.

string

Not Specified

dhcp-renew-time

DHCP renew time in seconds; 0 means use the renew time provided by the server.

integer

Minimum value: 300 Maximum value: 604800

ipunnumbered

Unnumbered IP used for PPPoE interfaces for which no unique local address is provided.

ipv4-address

Not Specified

username

Username of the PPPoE account, provided by your ISP.

string

Not Specified

pppoe-unnumbered-negotiate

Enable/disable PPPoE unnumbered negotiation.

option

-

Option

Description

enable

Enable IP address negotiating for unnumbered.

disable

Disable IP address negotiating for unnumbered.

password

PPPoE account's password.

password

Not Specified

idle-timeout

PPPoE auto disconnect after idle timeout seconds, 0 means no timeout.

integer

Minimum value: 0 Maximum value: 32767

detected-peer-mtu

MTU of detected peer.

integer

Minimum value: 0 Maximum value: 4294967295

disc-retry-timeout

Time in seconds to wait before retrying to start a PPPoE discovery, 0 means no timeout.

integer

Minimum value: 0 Maximum value: 4294967295

padt-retry-timeout

PPPoE Active Discovery Terminate (PADT) used to terminate sessions after an idle time.

integer

Minimum value: 0 Maximum value: 4294967295

service-name

PPPoE service name.

string

Not Specified

ac-name

PPPoE server name.

string

Not Specified

lcp-echo-interval

Time in seconds between PPPoE Link Control Protocol (LCP) echo requests.

integer

Minimum value: 0 Maximum value: 32767

lcp-max-echo-fails

Maximum missed LCP echo messages before disconnect.

integer

Minimum value: 0 Maximum value: 32767

defaultgw

Enable to get the gateway IP from the DHCP or PPPoE server.

option

-

Option

Description

enable

Enable default gateway.

disable

Disable default gateway.

dns-server-override

Enable/disable use DNS acquired by DHCP or PPPoE.

option

-

Option

Description

enable

Use DNS acquired by DHCP or PPPoE.

disable

Do not use DNS acquired by DHCP or PPPoE.

auth-type

PPP authentication type to use.

option

-

Option

Description

auto

Automatically choose authentication.

pap

PAP authentication. The password is sent to the peer in cleartext.

chap

CHAP authentication.

mschapv1

MS-CHAPv1 authentication.

mschapv2

MS-CHAPv2 authentication.

pptp-client

Enable/disable PPTP client.

option

-

Option

Description

enable

Enable PPTP client.

disable

Disable PPTP client.

pptp-user

PPTP user name.

string

Not Specified

pptp-password

PPTP password.

password

Not Specified

pptp-server-ip

PPTP server IP address.

ipv4-address

Not Specified

pptp-auth-type

PPTP authentication type.

option

-

Option

Description

auto

Automatically choose authentication.

pap

PAP authentication. The password is sent to the peer in cleartext.

chap

CHAP authentication.

mschapv1

MS-CHAPv1 authentication.

mschapv2

MS-CHAPv2 authentication.

pptp-timeout

Idle timer in minutes (0 for disabled).

integer

Minimum value: 0 Maximum value: 65535

arpforward

Enable/disable ARP forwarding.

option

-

Option

Description

enable

Enable ARP forwarding.

disable

Disable ARP forwarding.

ndiscforward

Enable/disable NDISC forwarding.

option

-

Option

Description

enable

Enable NDISC forwarding.

disable

Disable NDISC forwarding.

broadcast-forward

Enable/disable broadcast forwarding.

option

-

Option

Description

enable

Enable broadcast forwarding.

disable

Disable broadcast forwarding.

bfd

Bidirectional Forwarding Detection (BFD) settings.

option

-

Option

Description

global

BFD behavior of this interface will be based on global configuration.

enable

Enable BFD on this interface and ignore global configuration.

disable

Disable BFD on this interface and ignore global configuration.

bfd-desired-min-tx

BFD desired minimal transmit interval.

integer

Minimum value: 1 Maximum value: 100000

bfd-detect-mult

BFD detection multiplier.

integer

Minimum value: 1 Maximum value: 50

bfd-required-min-rx

BFD required minimal receive interval.

integer

Minimum value: 1 Maximum value: 100000

l2forward

Enable/disable L2 forwarding.

option

-

Option

Description

enable

Enable L2 forwarding.

disable

Disable L2 forwarding.

icmp-send-redirect

Enable/disable ICMP send redirect.

option

-

Option

Description

enable

Enable ICMP send redirect.

disable

Disable ICMP send redirect.

icmp-accept-redirect

Enable/disable ICMP accept redirect.

option

-

Option

Description

enable

Enable ICMP accept redirect.

disable

Disable ICMP accept redirect.

vlanforward

Enable/disable traffic forwarding between VLANs on this interface.

option

-

Option

Description

enable

Enable traffic forwarding.

disable

Disable traffic forwarding.

stpforward

Enable/disable STP forwarding.

option

-

Option

Description

enable

Enable STP forwarding.

disable

Disable STP forwarding.

stpforward-mode

Configure STP forwarding mode.

option

-

Option

Description

rpl-all-ext-id

Replace all extension IDs (root, bridge).

rpl-bridge-ext-id

Replace the bridge extension ID only.

rpl-nothing

Replace nothing.

ips-sniffer-mode

Enable/disable the use of this interface as a one-armed sniffer.

option

-

Option

Description

enable

Enable IPS sniffer mode.

disable

Disable IPS sniffer mode.

ident-accept

Enable/disable authentication for this interface.

option

-

Option

Description

enable

Enable determining a user's identity from packet identification.

disable

Disable determining a user's identity from packet identification.

ipmac

Enable/disable IP/MAC binding.

option

-

Option

Description

enable

Enable IP/MAC binding.

disable

Disable IP/MAC binding.

subst

Enable to always send packets from this interface to a destination MAC address.

option

-

Option

Description

enable

Send packets from this interface.

disable

Do not send packets from this interface.

macaddr

Change the interface's MAC address.

mac-address

Not Specified

substitute-dst-mac

Destination MAC address that all packets are sent to from this interface.

mac-address

Not Specified

poe *

Enable/disable PoE status.

option

-

Option

Description

enable

Enable PoE status.

disable

Disable PoE status.

speed

Interface speed. The default setting and the options available depend on the interface hardware.

option

-

Option

Description

auto

Automatically adjust speed.

10full

10M full-duplex.

10half

10M half-duplex.

100full

100M full-duplex.

100half

100M half-duplex.

1000full

1000M full-duplex.

1000half

1000M half-duplex.

1000auto

1000M auto adjust.

status

Bring the interface up or shut the interface down.

option

-

Option

Description

up

Bring the interface up.

down

Shut the interface down.

netbios-forward

Enable/disable NETBIOS forwarding.

option

-

Option

Description

disable

Disable NETBIOS forwarding.

enable

Enable NETBIOS forwarding.

wins-ip

WINS server IP.

ipv4-address

Not Specified

type

Interface type.

option

-

Option

Description

physical

Physical interface.

vlan

VLAN interface.

aggregate

Aggregate interface.

redundant

Redundant interface.

tunnel

Tunnel interface.

vdom-link

VDOM link interface.

loopback

Loopback interface.

switch

Software switch interface.

hard-switch

Hardware switch interface.

vap-switch

VAP interface.

wl-mesh

WLAN mesh interface.

fext-wan

FortiExtender interface.

vxlan

VXLAN interface.

geneve

GENEVE interface.

hdlc

T1/E1 interface.

switch-vlan

Switch VLAN interface.

emac-vlan

EMAC VLAN interface.

dedicated-to

Configure interface for single purpose.

option

-

Option

Description

none

Interface not dedicated for any purpose.

management

Dedicate this interface for management purposes only.

trust-ip-1

Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts). An all-hosts value leaves dedicated management access unrestricted by source address.

ipv4-classnet-any

Not Specified

trust-ip-2

Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts).

ipv4-classnet-any

Not Specified

trust-ip-3

Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts).

ipv4-classnet-any

Not Specified

trust-ip6-1

Trusted IPv6 host for dedicated management traffic (::/0 for all hosts). An all-hosts value leaves dedicated management access unrestricted by source address.

ipv6-prefix

Not Specified

trust-ip6-2

Trusted IPv6 host for dedicated management traffic (::/0 for all hosts).

ipv6-prefix

Not Specified

trust-ip6-3

Trusted IPv6 host for dedicated management traffic (::/0 for all hosts).

ipv6-prefix

Not Specified

mtu-override

Enable to set a custom MTU for this interface.

option

-

Option

Description

enable

Override default MTU.

disable

Use default MTU (1500).

mtu

MTU value for this interface.

integer

Minimum value: 0 Maximum value: 4294967295

wccp

Enable/disable WCCP on this interface. Used for encapsulated WCCP communication between WCCP clients and servers.

option

-

Option

Description

enable

Enable WCCP protocol on this interface.

disable

Disable WCCP protocol on this interface.

netflow-sampler

Enable/disable NetFlow on this interface and set the data that NetFlow collects (rx, tx, or both).

option

-

Option

Description

disable

Disable NetFlow protocol on this interface.

tx

Monitor transmitted traffic on this interface.

rx

Monitor received traffic on this interface.

both

Monitor transmitted/received traffic on this interface.

sflow-sampler

Enable/disable sFlow on this interface.

option

-

Option

Description

enable

Enable sFlow protocol on this interface.

disable

Disable sFlow protocol on this interface.

drop-overlapped-fragment

Enable/disable drop overlapped fragment packets.

option

-

Option

Description

enable

Enable drop of overlapped fragment packets.

disable

Disable drop of overlapped fragment packets.

drop-fragment

Enable/disable drop fragment packets.

option

-

Option

Description

enable

Drop fragment packets.

disable

Do not drop fragment packets.

src-check

Enable/disable source IP check.

option

-

Option

Description

enable

Enable source IP check.

disable

Disable source IP check. Packets are then no longer rejected by this check on the basis of their source address.

sample-rate

sFlow sample rate.

integer

Minimum value: 10 Maximum value: 99999

polling-interval

sFlow polling interval.

integer

Minimum value: 1 Maximum value: 255

sample-direction

Data that NetFlow collects (rx, tx, or both).

option

-

Option

Description

tx

Monitor transmitted traffic on this interface.

rx

Monitor received traffic on this interface.

both

Monitor transmitted/received traffic on this interface.

explicit-web-proxy

Enable/disable the explicit web proxy on this interface.

option

-

Option

Description

enable

Enable explicit Web proxy on this interface.

disable

Disable explicit Web proxy on this interface.

explicit-ftp-proxy

Enable/disable the explicit FTP proxy on this interface.

option

-

Option

Description

enable

Enable explicit FTP proxy on this interface.

disable

Disable explicit FTP proxy on this interface.

proxy-captive-portal

Enable/disable proxy captive portal on this interface.

option

-

Option

Description

enable

Enable proxy captive portal on this interface.

disable

Disable proxy captive portal on this interface.

tcp-mss

TCP maximum segment size. 0 means do not change segment size.

integer

Minimum value: 0 Maximum value: 4294967295

inbandwidth

Bandwidth limit for incoming traffic; 0 means unlimited.

integer

Minimum value: 0 Maximum value: 16776000

outbandwidth

Bandwidth limit for outgoing traffic.

integer

Minimum value: 0 Maximum value: 16776000

egress-shaping-profile

Outgoing traffic shaping profile.

string

Not Specified

ingress-shaping-profile

Incoming traffic shaping profile.

string

Not Specified

disconnect-threshold

Time in milliseconds to wait before sending a notification that this interface is down or disconnected.

integer

Minimum value: 0 Maximum value: 10000

spillover-threshold

Egress spillover threshold; 0 means unlimited.

integer

Minimum value: 0 Maximum value: 16776000

ingress-spillover-threshold

Ingress spillover threshold.

integer

Minimum value: 0 Maximum value: 16776000

weight

Default weight for static routes (if route has no weight configured).

integer

Minimum value: 0 Maximum value: 255

interface

Interface name.

string

Not Specified

external

Enable/disable identifying the interface as an external interface (which usually means it's connected to the Internet).

option

-

Option

Description

enable

Enable identifying the interface as an external interface.

disable

Disable identifying the interface as an external interface.

vlanid

VLAN ID.

integer

Minimum value: 1 Maximum value: 4094

trunk *

Enable/disable VLAN trunk.

option

-

Option

Description

enable

Enable VLAN trunk on this interface.

disable

Disable VLAN trunk on this interface.

forward-domain

Transparent mode forward domain.

integer

Minimum value: 0 Maximum value: 2147483647

remote-ip

Remote IP address of tunnel.

ipv4-classnet-host

Not Specified

member <interface-name>

Physical interfaces that belong to the aggregate or redundant interface.

Physical interface name.

string

Maximum length: 79

lacp-mode

LACP mode.

option

-

Option

Description

static

Use static aggregation, do not send and ignore any LACP messages.

passive

Passively use LACP to negotiate 802.3ad aggregation.

active

Actively use LACP to negotiate 802.3ad aggregation.

lacp-ha-slave

LACP HA slave.

option

-

Option

Description

enable

Allow HA slave to send/receive LACP messages.

disable

Block HA slave from sending/receiving LACP messages.

lacp-speed

How often the interface sends LACP messages.

option

-

Option

Description

slow

Send LACP message every 30 seconds.

fast

Send LACP message every second.

min-links

Minimum number of aggregated ports that must be up.

integer

Minimum value: 1 Maximum value: 32

min-links-down

Action to take when fewer than the configured minimum number of links are active.

option

-

Option

Description

operational

Set the aggregate operationally down.

administrative

Set the aggregate administratively down.

algorithm

Frame distribution algorithm.

option

-

Option

Description

L2

Use layer 2 address for distribution.

L3

Use layer 3 address for distribution.

L4

Use layer 4 information for distribution.

link-up-delay

Number of milliseconds to wait before considering a link is up.

integer

Minimum value: 50 Maximum value: 3600000

priority-override

Enable/disable fail back to higher priority port once recovered.

option

-

Option

Description

enable

Enable fail back to higher priority port once recovered.

disable

Disable fail back to higher priority port once recovered.

aggregate

Aggregate interface.

string

Not Specified

redundant-interface

Redundant interface.

string

Not Specified

devindex

Device Index.

integer

Minimum value: 0 Maximum value: 4294967295

vindex

Switch control interface VLAN ID.

integer

Minimum value: 0 Maximum value: 65535

switch

Contained in switch.

string

Not Specified

description

Description.

var-string

Not Specified

alias

Alias will be displayed with the interface name to make it easier to distinguish.

string

Not Specified

l2tp-client *

Enable/disable this interface as a Layer 2 Tunnelling Protocol (L2TP) client.

option

-

Option

Description

enable

Enable L2TP client.

disable

Disable L2TP client.

security-mode

Turn on captive portal authentication for this interface.

option

-

Option

Description

none

No security option.

captive-portal

Captive portal authentication.

802.1X

802.1X port-based authentication.

security-mac-auth-bypass

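Enable/disable MAC authentication bypass. With bypass, a device is admitted on the basis of its MAC address, which is not a secret and can be set by the device itself.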

option

-

Option

Description

mac-auth-only

Enable MAC authentication bypass without EAP.

enable

Enable MAC authentication bypass.

disable

Disable MAC authentication bypass.

security-8021x-mode *

802.1X mode.

option

-

Option

Description

default

802.1X default mode.

dynamic-vlan

802.1X dynamic VLAN (master) mode.

fallback

802.1X fallback (master) mode.

slave

802.1X slave mode.

security-8021x-master *

802.1X master virtual-switch.

string

Not Specified

security-8021x-dynamic-vlan-id *

VLAN ID for virtual switch.

integer

Minimum value: 0 Maximum value: 4094

security-external-web

URL of external authentication web server.

string

Not Specified

security-external-logout

URL of external authentication logout server.

string

Not Specified

replacemsg-override-group

Replacement message override group.

string

Not Specified

security-redirect-url

URL redirection after disclaimer/authentication.

string

Not Specified

security-exempt-list

Name of security-exempt-list.

string

Not Specified

security-groups <name>

User groups that can authenticate with the captive portal.

Names of user groups that can authenticate with the captive portal.

string

Maximum length: 79

stp *

Enable/disable STP.

option

-

Option

Description

disable

Disable STP.

enable

Enable STP.

stp-ha-slave *

Control STP behaviour on HA slave.

option

-

Option

Description

disable

Disable STP negotiation on HA slave.

enable

Enable STP negotiation on HA slave.

priority-adjust

Enable STP negotiation on HA slave and make priority lower than HA master.

device-identification

Enable/disable passive gathering of device identity information about the devices on the network connected to this interface.

option

-

Option

Description

enable

Enable passive gathering of identity information about hosts.

disable

Disable passive gathering of identity information about hosts.

device-user-identification

Enable/disable passive gathering of user identity information about users on this interface.

option

-

Option

Description

enable

Enable passive gathering of user identity information about users.

disable

Disable passive gathering of user identity information about users.

lldp-reception

Enable/disable Link Layer Discovery Protocol (LLDP) reception.

option

-

Option

Description

enable

Enable reception of Link Layer Discovery Protocol (LLDP).

disable

Disable reception of Link Layer Discovery Protocol (LLDP).

vdom

Use VDOM Link Layer Discovery Protocol (LLDP) reception configuration setting.

lldp-transmission

Enable/disable Link Layer Discovery Protocol (LLDP) transmission.

option

-

Option

Description

enable

Enable transmission of Link Layer Discovery Protocol (LLDP).

disable

Disable transmission of Link Layer Discovery Protocol (LLDP).

vdom

Use VDOM Link Layer Discovery Protocol (LLDP) transmission configuration setting.

lldp-network-policy

LLDP-MED network policy profile.

string

Not Specified

broadcast-forticlient-discovery

Enable/disable broadcasting FortiClient discovery messages.

option

-

Option

Description

enable

Enable broadcasting FortiClient discovery messages.

disable

Disable broadcasting FortiClient discovery messages.

estimated-upstream-bandwidth

Estimated maximum upstream bandwidth (kbps). Used to estimate link utilization.

integer

Minimum value: 0 Maximum value: 4294967295

estimated-downstream-bandwidth

Estimated maximum downstream bandwidth (kbps). Used to estimate link utilization.

integer

Minimum value: 0 Maximum value: 4294967295

vrrp-virtual-mac

Enable/disable use of virtual MAC for VRRP.

option

-

Option

Description

enable

Enable use of virtual MAC for VRRP.

disable

Disable use of virtual MAC for VRRP.

role

Interface role.

option

-

Option

Description

lan

Connected to local network of endpoints.

wan

Connected to Internet.

dmz

Connected to server zone.

undefined

Interface has no specific role.

snmp-index

Permanent SNMP Index of the interface.

integer

Minimum value: 0 Maximum value: 4294967295

secondary-IP

Enable/disable adding a secondary IP to this interface.

option

-

Option

Description

enable

Enable secondary IP.

disable

Disable secondary IP.

preserve-session-route

Enable/disable preservation of session route when dirty.

option

-

Option

Description

enable

Enable preservation of session route when dirty.

disable

Disable preservation of session route when dirty.

auto-auth-extension-device

Enable/disable automatic authorization of dedicated Fortinet extension device on this interface.

option

-

Option

Description

enable

Enable automatic authorization of dedicated Fortinet extension device on this interface.

disable

Disable automatic authorization of dedicated Fortinet extension device on this interface.

ap-discover

Enable/disable automatic registration of unknown FortiAP devices.

option

-

Option

Description

enable

Enable automatic registration of unknown FortiAP devices.

disable

Disable automatic registration of unknown FortiAP devices.

fortilink-stacking

Enable/disable FortiLink switch-stacking on this interface.

option

-

Option

Description

enable

Enable FortiLink switch stacking.

disable

Disable FortiLink switch stacking.

fortilink-neighbor-detect

Protocol for FortiGate neighbor discovery.

option

-

Option

Description

lldp

Detect FortiLink neighbors using LLDP protocol.

fortilink

Detect FortiLink neighbors using FortiLink protocol.

fortilink-split-interface

Enable/disable FortiLink split interface to connect member link to different FortiSwitch in stack for uplink redundancy.

option

-

Option

Description

enable

Enable FortiLink split interface to connect member link to different FortiSwitch in stack for uplink redundancy.

disable

Disable FortiLink split interface.

internal

Implicitly created.

integer

Minimum value: 0 Maximum value: 255

fortilink-backup-link

FortiLink split interface backup link.

integer

Minimum value: 0 Maximum value: 255

switch-controller-access-vlan

Block FortiSwitch port-to-port traffic.

option

-

Option

Description

enable

Block FortiSwitch port-to-port traffic on the VLAN, only permitting traffic to and from the FortiGate.

disable

Allow normal VLAN traffic.

switch-controller-traffic-policy

Switch controller traffic policy for the VLAN.

string

Not Specified

switch-controller-rspan-mode

Stop Layer2 MAC learning and interception of BPDUs and other packets on this interface.

option

-

Option

Description

disable

Disable RSPAN passthrough mode on this VLAN interface.

enable

Enable RSPAN passthrough mode on this VLAN interface.

switch-controller-igmp-snooping

Switch controller IGMP snooping.

option

-

Option

Description

enable

Enable IGMP snooping.

disable

Disable IGMP snooping.

switch-controller-igmp-snooping-proxy

Switch controller IGMP snooping proxy.

option

-

Option

Description

enable

Enable IGMP snooping proxy.

disable

Disable IGMP snooping proxy.

switch-controller-igmp-snooping-fast-leave

Switch controller IGMP snooping fast-leave.

option

-

Option

Description

enable

Enable IGMP snooping fast-leave.

disable

Disable IGMP snooping fast-leave.

switch-controller-dhcp-snooping

Switch controller DHCP snooping.

option

-

Option

Description

enable

Enable DHCP snooping for FortiSwitch devices.

disable

Disable DHCP snooping for FortiSwitch devices.

switch-controller-dhcp-snooping-verify-mac

Switch controller DHCP snooping verify MAC.

option

-

Option

Description

enable

Enable DHCP snooping verify source MAC for FortiSwitch devices.

disable

Disable DHCP snooping verify source MAC for FortiSwitch devices.

switch-controller-dhcp-snooping-option82

Switch controller DHCP snooping option82.

option

-

Option

Description

enable

Enable DHCP snooping insert option82 for FortiSwitch devices.

disable

Disable DHCP snooping insert option82 for FortiSwitch devices.

switch-controller-arp-inspection

Enable/disable FortiSwitch ARP inspection.

option

-

Option

Description

enable

Enable ARP inspection for FortiSwitch devices.

disable

Disable ARP inspection for FortiSwitch devices.

switch-controller-learning-limit

Limit the number of dynamic MAC addresses on this VLAN.

integer

Minimum value: 0 Maximum value: 128

color

Color of icon on the GUI.

integer

Minimum value: 0 Maximum value: 32

* This parameter may not exist in some models.

config l2tp-client-settings

Parameter

Description

Type

Size

user

L2TP user name.

string

Not Specified

password

L2TP password.

password

Not Specified

peer-host

L2TP peer host address.

string

Not Specified

peer-mask

L2TP peer mask.

ipv4-netmask

Not Specified

peer-port

L2TP peer port number.

integer

Minimum value: 1 Maximum value: 65535

auth-type

L2TP authentication type.

option

-

Option

Description

auto

Automatically choose authentication.

pap

PAP authentication. The password is sent to the peer in cleartext.

chap

CHAP authentication.

mschapv1

MS-CHAPv1 authentication.

mschapv2

MS-CHAPv2 authentication.

mtu

L2TP MTU.

integer

Minimum value: 40 Maximum value: 65535

distance

Distance of learned routes.

integer

Minimum value: 1 Maximum value: 255

priority

Priority of learned routes.

integer

Minimum value: 0 Maximum value: 4294967295

defaultgw

Enable/disable default gateway.

option

-

Option

Description

enable

Enable default gateway.

disable

Disable default gateway.

ip

IP.

ipv4-classnet-host

Not Specified

config vrrp

Parameter

Description

Type

Size

version

VRRP version.

option

-

Option

Description

2

VRRP version 2.

3

VRRP version 3.

vrgrp

VRRP group ID.

integer

Minimum value: 1 Maximum value: 65535

vrip

IP address of the virtual router.

ipv4-address-any

Not Specified

priority

Priority of the virtual router.

integer

Minimum value: 1 Maximum value: 255

adv-interval

Advertisement interval.

integer

Minimum value: 1 Maximum value: 255

start-time

Startup time.

integer

Minimum value: 1 Maximum value: 255

preempt

Enable/disable preempt mode.

option

-

Option

Description

enable

Enable preempt mode.

disable

Disable preempt mode.

accept-mode

Enable/disable accept mode.

option

-

Option

Description

enable

Enable accept mode.

disable

Disable accept mode.

vrdst

Monitor the route to this destination.

ipv4-address-any

Not Specified

vrdst-priority

Priority of the virtual router when the virtual router destination becomes unreachable.

integer

Minimum value: 0 Maximum value: 254

ignore-default-route

Enable/disable ignoring of default route when checking destination.

option

-

Option

Description

enable

Enable ignoring of default route when checking destination.

disable

Disable ignoring of default route when checking destination.

status

Enable/disable this VRRP configuration.

option

-

Option

Description

enable

Enable this VRRP configuration.

disable

Disable this VRRP configuration.

config proxy-arp

Parameter

Description

Type

Size

ip

Set IP addresses of proxy ARP.

user

Not Specified

config secondaryip

Parameter

Description

Type

Size

ip

Secondary IP address of the interface.

ipv4-classnet-host

Not Specified

allowaccess

Management access settings for the secondary IP address.

option

-

Option

Description

ping

PING access.

https

HTTPS access.

ssh

SSH access.

snmp

SNMP access.

http

HTTP access. Unencrypted: management credentials and session data cross the network in cleartext.

telnet

TELNET access. Unencrypted: management credentials and session data cross the network in cleartext.

fgfm

FortiManager access.

radius-acct

RADIUS accounting access.

probe-response

Probe access.

fabric

Security Fabric access.

ftm

FTM access.

gwdetect

Enable/disable detect gateway alive for first.

option

-

Option

Description

enable

Enable detect gateway alive for first.

disable

Disable detect gateway alive for first.

ping-serv-status

PING server status.

integer

Minimum value: 0 Maximum value: 255

detectserver

Gateway's ping server for this IP.

user

Not Specified

detectprotocol

Protocols used to detect the server.

option

-

Option

Description

ping

PING.

tcp-echo

TCP echo.

udp-echo

UDP echo.

ha-priority

HA election priority for the PING server.

integer

Minimum value: 1 Maximum value: 50

config tagging

Parameter

Description

Type

Size

category

Tag category.

string

Not Specified

tags <name>

Tags.

Tag name.

string

Maximum length: 79

config ipv6

Parameter

Description

Type

Size

ip6-mode

Addressing mode (static, DHCP, delegated).

option

-

Option

Description

static

Static setting.

dhcp

DHCPv6 client mode.

pppoe

IPv6 over PPPoE mode.

delegated

IPv6 address with delegated prefix.

nd-mode

Neighbor discovery mode.

option

-

Option

Description

basic

Do not support SEND.

SEND-compatible

Support SEND.

nd-cert

Neighbor discovery certificate.

string

Not Specified

nd-security-level

Neighbor discovery security level.

integer

Minimum value: 0 Maximum value: 7

nd-timestamp-delta

Neighbor discovery timestamp delta value.

integer

Minimum value: 1 Maximum value: 3600

nd-timestamp-fuzz

Neighbor discovery timestamp fuzz factor.

integer

Minimum value: 1 Maximum value: 60

nd-cga-modifier

Neighbor discovery CGA modifier.

user

Not Specified

ip6-dns-server-override

Enable/disable using the DNS server acquired by DHCP.

option

-

Option

Description

enable

Enable using the DNS server acquired by DHCP.

disable

Disable using the DNS server acquired by DHCP.

ip6-address

Primary IPv6 address prefix, syntax: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx

ipv6-prefix

Not Specified

ip6-allowaccess

Allow management access to the interface.

option

-

Option

Description

ping

PING access.

https

HTTPS access.

ssh

SSH access.

snmp

SNMP access.

http

HTTP access. Unencrypted: management credentials and session data cross the network in cleartext.

telnet

TELNET access. Unencrypted: management credentials and session data cross the network in cleartext.

fgfm

FortiManager access.

fabric

Fabric access.

ip6-send-adv

Enable/disable sending advertisements about the interface.

option

-

Option

Description

enable

Enable sending advertisements about this interface.

disable

Disable sending advertisements about this interface.

ip6-manage-flag

Enable/disable the managed flag.

option

-

Option

Description

enable

Enable the managed IPv6 flag.

disable

Disable the managed IPv6 flag.

ip6-other-flag

Enable/disable the other IPv6 flag.

option

-

Option

Description

enable

Enable the other IPv6 flag.

disable

Disable the other IPv6 flag.

ip6-max-interval

IPv6 maximum interval (4 to 1800 sec).

integer

Minimum value: 4 Maximum value: 1800

ip6-min-interval

IPv6 minimum interval (3 to 1350 sec).

integer

Minimum value: 3 Maximum value: 1350

ip6-link-mtu

IPv6 link MTU.

integer

Minimum value: 1280 Maximum value: 16000

ip6-reachable-time

IPv6 reachable time (milliseconds; 0 means unspecified).

integer

Minimum value: 0 Maximum value: 3600000

ip6-retrans-time

IPv6 retransmit time (milliseconds; 0 means unspecified).

integer

Minimum value: 0 Maximum value: 4294967295

ip6-default-life

Default life (sec).

integer

Minimum value: 0 Maximum value: 9000

ip6-hop-limit

Hop limit (0 means unspecified).

integer

Minimum value: 0 Maximum value: 255

autoconf

Enable/disable address auto config.

option

-

Option

Description

enable

Enable auto-configuration.

disable

Disable auto-configuration.

ip6-upstream-interface

Interface name providing delegated information.

string

Not Specified

ip6-subnet

Subnet to routing prefix, syntax: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx

ipv6-prefix

Not Specified

dhcp6-relay-service

Enable/disable DHCPv6 relay.

option

-

Option

Description

disable

Disable DHCPv6 relay.

enable

Enable DHCPv6 relay.

dhcp6-relay-type

DHCPv6 relay type.

option

-

Option

Description

regular

Regular DHCP relay.

dhcp6-relay-ip

DHCPv6 relay IP address.

user

Not Specified

dhcp6-client-options

DHCPv6 client options.

option

-

Option

Description

rapid

Send rapid commit option.

iapd

Send including IA-PD option.

iana

Send including IA-NA option.

dhcp6-prefix-delegation

Enable/disable DHCPv6 prefix delegation.

option

-

Option

Description

enable

Enable DHCPv6 prefix delegation.

disable

Disable DHCPv6 prefix delegation.

dhcp6-information-request

Enable/disable DHCPv6 information request.

option

-

Option

Description

enable

Enable DHCPv6 information request.

disable

Disable DHCPv6 information request.

dhcp6-prefix-hint

DHCPv6 prefix that will be used as a hint to the upstream DHCPv6 server.

ipv6-network

Not Specified

dhcp6-prefix-hint-plt

DHCPv6 prefix hint preferred life time (sec), 0 means unlimited lease time.

integer

Minimum value: 0 Maximum value: 4294967295

dhcp6-prefix-hint-vlt

DHCPv6 prefix hint valid life time (sec).

integer

Minimum value: 0 Maximum value: 4294967295

vrrp-virtual-mac6

Enable/disable virtual MAC for VRRP.

option

-

Option

Description

enable

Enable virtual MAC for VRRP.

disable

Disable virtual MAC for VRRP.

vrip6_link_local

Link-local IPv6 address of virtual router.

ipv6-address

Not Specified

config ip6-prefix-list

Parameter

Description

Type

Size

autonomous-flag

Enable/disable the autonomous address-configuration (A) flag for the prefix.

option

-

Option

Description

enable

Enable the autonomous flag.

disable

Disable the autonomous flag.

onlink-flag

Enable/disable the on-link (L) flag for the prefix.

option

-

Option

Description

enable

Enable the onlink flag.

disable

Disable the onlink flag.

valid-life-time

Valid life time (sec).

integer

Minimum value: 0 Maximum value: 4294967295

preferred-life-time

Preferred life time (sec).

integer

Minimum value: 0 Maximum value: 4294967295

rdnss

Recursive DNS server option.

user

Not Specified

dnssl <domain>

DNS search list option.

Domain name.

string

Maximum length: 79

config ip6-delegated-prefix-list

Parameter

Description

Type

Size

upstream-interface

Name of the interface that provides delegated information.

string

Not Specified

autonomous-flag

Enable/disable the autonomous address-configuration (A) flag for the prefix.

option

-

Option

Description

enable

Enable the autonomous flag.

disable

Disable the autonomous flag.

onlink-flag

Enable/disable the on-link (L) flag for the prefix.

option

-

Option

Description

enable

Enable the onlink flag.

disable

Disable the onlink flag.

subnet

Add subnet ID to routing prefix.

ipv6-network

Not Specified

rdnss-service

Recursive DNS service option.

option

-

Option

Description

delegated

Delegated RDNSS settings.

default

System RDNSS settings.

specify

Specify recursive DNS servers.

rdnss

Recursive DNS server option.

user

Not Specified

config vrrp6

Parameter

Description

Type

Size

vrgrp

VRRP group ID.

integer

Minimum value: 1 Maximum value: 65535

vrip6

IPv6 address of the virtual router.

ipv6-address

Not Specified

priority

Priority of the virtual router.

integer

Minimum value: 1 Maximum value: 255

adv-interval

Advertisement interval.

integer

Minimum value: 1 Maximum value: 255

start-time

Startup time.

integer

Minimum value: 1 Maximum value: 255

preempt

Enable/disable preempt mode.

option

-

Option

Description

enable

Enable preempt mode.

disable

Disable preempt mode.

accept-mode

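Enable/disable accept mode (in RFC 5798, whether a master that is not the address owner accepts packets addressed to the virtual router address).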

option

-

Option

Description

enable

Enable accept mode.

disable

Disable accept mode.

vrdst6

Monitor the route to this destination.

ipv6-address

Not Specified

status

Enable/disable VRRP.

option

-

Option

Description

enable

Enable VRRP.

disable

Disable VRRP.