config system interface
Description: Configure interfaces.
edit <name>
set vdom {string}
set vrf {integer}
set cli-conn-status {integer}
set fortilink [enable|disable]
set mode [static|dhcp|...]
set distance {integer}
set priority {integer}
set dhcp-relay-interface-select-method [auto|sdwan|...]
set dhcp-relay-interface {string}
set dhcp-relay-service [disable|enable]
set dhcp-relay-ip {user}
set dhcp-relay-type [regular|ipsec]
set dhcp-relay-agent-option [enable|disable]
set management-ip {ipv4-classnet-host}
set ip {ipv4-classnet-host}
set allowaccess {option1}, {option2}, ...
set gwdetect [enable|disable]
set ping-serv-status {integer}
set detectserver {user}
set detectprotocol {option1}, {option2}, ...
set ha-priority {integer}
set fail-detect [enable|disable]
set fail-detect-option {option1}, {option2}, ...
set fail-alert-method [link-failed-signal|link-down]
set fail-action-on-extender [soft-restart|hard-restart|...]
set fail-alert-interfaces <name1>, <name2>, ...
set dhcp-client-identifier {string}
set dhcp-renew-time {integer}
set ipunnumbered {ipv4-address}
set username {string}
set pppoe-unnumbered-negotiate [enable|disable]
set password {password}
set idle-timeout {integer}
set detected-peer-mtu {integer}
set disc-retry-timeout {integer}
set padt-retry-timeout {integer}
set service-name {string}
set ac-name {string}
set lcp-echo-interval {integer}
set lcp-max-echo-fails {integer}
set defaultgw [enable|disable]
set dns-server-override [enable|disable]
set auth-type [auto|pap|...]
set pptp-client [enable|disable]
set pptp-user {string}
set pptp-password {password}
set pptp-server-ip {ipv4-address}
set pptp-auth-type [auto|pap|...]
set pptp-timeout {integer}
set arpforward [enable|disable]
set ndiscforward [enable|disable]
set broadcast-forward [enable|disable]
set bfd [global|enable|...]
set bfd-desired-min-tx {integer}
set bfd-detect-mult {integer}
set bfd-required-min-rx {integer}
set l2forward [enable|disable]
set icmp-send-redirect [enable|disable]
set icmp-accept-redirect [enable|disable]
set vlanforward [enable|disable]
set stpforward [enable|disable]
set stpforward-mode [rpl-all-ext-id|rpl-bridge-ext-id|...]
set ips-sniffer-mode [enable|disable]
set ident-accept [enable|disable]
set ipmac [enable|disable]
set subst [enable|disable]
set macaddr {mac-address}
set substitute-dst-mac {mac-address}
set speed [auto|10full|...]
set status [up|down]
set netbios-forward [disable|enable]
set wins-ip {ipv4-address}
set type [physical|vlan|...]
set dedicated-to [none|management]
set trust-ip-1 {ipv4-classnet-any}
set trust-ip-2 {ipv4-classnet-any}
set trust-ip-3 {ipv4-classnet-any}
set trust-ip6-1 {ipv6-prefix}
set trust-ip6-2 {ipv6-prefix}
set trust-ip6-3 {ipv6-prefix}
set mtu-override [enable|disable]
set mtu {integer}
set wccp [enable|disable]
set netflow-sampler [disable|tx|...]
set sflow-sampler [enable|disable]
set drop-overlapped-fragment [enable|disable]
set drop-fragment [enable|disable]
set src-check [enable|disable]
set sample-rate {integer}
set polling-interval {integer}
set sample-direction [tx|rx|...]
set explicit-web-proxy [enable|disable]
set explicit-ftp-proxy [enable|disable]
set proxy-captive-portal [enable|disable]
set tcp-mss {integer}
set inbandwidth {integer}
set outbandwidth {integer}
set egress-shaping-profile {string}
set ingress-shaping-profile {string}
set disconnect-threshold {integer}
set spillover-threshold {integer}
set ingress-spillover-threshold {integer}
set weight {integer}
set interface {string}
set external [enable|disable]
set vlanid {integer}
set forward-domain {integer}
set remote-ip {ipv4-classnet-host}
set member <interface-name1>, <interface-name2>, ...
set lacp-mode [static|passive|...]
set lacp-ha-slave [enable|disable]
set lacp-speed [slow|fast]
set min-links {integer}
set min-links-down [operational|administrative]
set algorithm [L2|L3|...]
set link-up-delay {integer}
set priority-override [enable|disable]
set aggregate {string}
set redundant-interface {string}
set devindex {integer}
set vindex {integer}
set switch {string}
set description {var-string}
set alias {string}
set security-mode [none|captive-portal|...]
set security-mac-auth-bypass [mac-auth-only|enable|...]
set security-external-web {string}
set security-external-logout {string}
set replacemsg-override-group {string}
set security-redirect-url {string}
set security-exempt-list {string}
set security-groups <name1>, <name2>, ...
set device-identification [enable|disable]
set device-user-identification [enable|disable]
set lldp-reception [enable|disable|...]
set lldp-transmission [enable|disable|...]
set lldp-network-policy {string}
set broadcast-forticlient-discovery [enable|disable]
set estimated-upstream-bandwidth {integer}
set estimated-downstream-bandwidth {integer}
set vrrp-virtual-mac [enable|disable]
config vrrp
Description: VRRP configuration.
edit <vrid>
set version [2|3]
set vrgrp {integer}
set vrip {ipv4-address-any}
set priority {integer}
set adv-interval {integer}
set start-time {integer}
set preempt [enable|disable]
set accept-mode [enable|disable]
set vrdst {ipv4-address-any}
set vrdst-priority {integer}
set ignore-default-route [enable|disable]
set status [enable|disable]
config proxy-arp
Description: VRRP Proxy ARP configuration.
edit <id>
set ip {user}
next
end
next
end
set role [lan|wan|...]
set snmp-index {integer}
set secondary-IP [enable|disable]
config secondaryip
Description: Second IP address of interface.
edit <id>
set ip {ipv4-classnet-host}
set allowaccess {option1}, {option2}, ...
set gwdetect [enable|disable]
set ping-serv-status {integer}
set detectserver {user}
set detectprotocol {option1}, {option2}, ...
set ha-priority {integer}
next
end
set preserve-session-route [enable|disable]
set auto-auth-extension-device [enable|disable]
set ap-discover [enable|disable]
set fortilink-stacking [enable|disable]
set fortilink-neighbor-detect [lldp|fortilink]
set fortilink-split-interface [enable|disable]
set internal {integer}
set fortilink-backup-link {integer}
set switch-controller-access-vlan [enable|disable]
set switch-controller-traffic-policy {string}
set switch-controller-rspan-mode [disable|enable]
set switch-controller-igmp-snooping [enable|disable]
set switch-controller-igmp-snooping-proxy [enable|disable]
set switch-controller-igmp-snooping-fast-leave [enable|disable]
set switch-controller-dhcp-snooping [enable|disable]
set switch-controller-dhcp-snooping-verify-mac [enable|disable]
set switch-controller-dhcp-snooping-option82 [enable|disable]
set switch-controller-arp-inspection [enable|disable]
set switch-controller-learning-limit {integer}
set color {integer}
config tagging
Description: Config object tagging.
edit <name>
set category {string}
set tags <name1>, <name2>, ...
next
end
config egress-queues
Description: Configure queues of NP port on egress path.
set cos0 {string}
set cos1 {string}
set cos2 {string}
set cos3 {string}
set cos4 {string}
set cos5 {string}
set cos6 {string}
set cos7 {string}
end
set ingress-cos [disable|cos0|...]
set egress-cos [disable|cos0|...]
config ipv6
Description: IPv6 of interface.
set ip6-mode [static|dhcp|...]
set nd-mode [basic|SEND-compatible]
set nd-cert {string}
set nd-security-level {integer}
set nd-timestamp-delta {integer}
set nd-timestamp-fuzz {integer}
set nd-cga-modifier {user}
set ip6-dns-server-override [enable|disable]
set ip6-address {ipv6-prefix}
config ip6-extra-addr
Description: Extra IPv6 address prefixes of interface.
edit <prefix>
next
end
set ip6-allowaccess {option1}, {option2}, ...
set ip6-send-adv [enable|disable]
set ip6-manage-flag [enable|disable]
set ip6-other-flag [enable|disable]
set ip6-max-interval {integer}
set ip6-min-interval {integer}
set ip6-link-mtu {integer}
set ip6-reachable-time {integer}
set ip6-retrans-time {integer}
set ip6-default-life {integer}
set ip6-hop-limit {integer}
set autoconf [enable|disable]
set ip6-upstream-interface {string}
set ip6-subnet {ipv6-prefix}
config ip6-prefix-list
Description: Advertised prefix list.
edit <prefix>
set autonomous-flag [enable|disable]
set onlink-flag [enable|disable]
set valid-life-time {integer}
set preferred-life-time {integer}
set rdnss {user}
set dnssl <domain1>, <domain2>, ...
next
end
config ip6-delegated-prefix-list
Description: Advertised IPv6 delegated prefix list.
edit <prefix-id>
set upstream-interface {string}
set autonomous-flag [enable|disable]
set onlink-flag [enable|disable]
set subnet {ipv6-network}
set rdnss-service [delegated|default|...]
set rdnss {user}
next
end
set dhcp6-relay-service [disable|enable]
set dhcp6-relay-type {option}
set dhcp6-relay-ip {user}
set dhcp6-client-options {option1}, {option2}, ...
set dhcp6-prefix-delegation [enable|disable]
set dhcp6-information-request [enable|disable]
set dhcp6-prefix-hint {ipv6-network}
set dhcp6-prefix-hint-plt {integer}
set dhcp6-prefix-hint-vlt {integer}
set vrrp-virtual-mac6 [enable|disable]
set vrip6_link_local {ipv6-address}
config vrrp6
Description: IPv6 VRRP configuration.
edit <vrid>
set vrgrp {integer}
set vrip6 {ipv6-address}
set priority {integer}
set adv-interval {integer}
set start-time {integer}
set preempt [enable|disable]
set accept-mode [enable|disable]
set vrdst6 {ipv6-address}
set status [enable|disable]
next
end
end
next
end
Parameter Name | Description | Type | Size |
---|---|---|---|
vdom | Interface is in this virtual domain (VDOM). | string | Maximum length: 31 |
vrf | Virtual Routing Forwarding ID. | integer | Minimum value: 0 Maximum value: 31 |
cli-conn-status | CLI connection status. | integer | Minimum value: 0 Maximum value: 4294967295 |
fortilink | Enable FortiLink to dedicate this interface to manage other Fortinet devices. enable: Enable FortiLink, dedicating this interface to managing FortiSwitch devices. disable: Disable FortiLink; this interface is not dedicated to managing FortiSwitch devices. |
option | - |
mode | Addressing mode (static, DHCP, PPPoE). static: Static setting. dhcp: External DHCP client mode. pppoe: External PPPoE mode. |
option | - |
distance | Distance for routes learned through PPPoE or DHCP, lower distance indicates preferred route. | integer | Minimum value: 1 Maximum value: 255 |
priority | Priority of learned routes. | integer | Minimum value: 0 Maximum value: 4294967295 |
dhcp-relay-interface-select-method | Specify how to select outgoing interface to reach server. auto: Set outgoing interface automatically. sdwan: Set outgoing interface by SD-WAN or policy routing rules. specify: Set outgoing interface manually. |
option | - |
dhcp-relay-interface | Specify outgoing interface to reach server. | string | Maximum length: 15 |
dhcp-relay-service | Enable/disable allowing this interface to act as a DHCP relay. disable: None. enable: DHCP relay agent. |
option | - |
dhcp-relay-ip | DHCP relay IP address. | user | Not Specified |
dhcp-relay-type | DHCP relay type (regular or IPsec). regular: Regular DHCP relay. ipsec: DHCP relay for IPsec. |
option | - |
dhcp-relay-agent-option | Enable/disable DHCP relay agent option. enable: Enable DHCP relay agent option. disable: Disable DHCP relay agent option. |
option | - |
management-ip | High Availability in-band management IP address of this interface. | ipv4-classnet-host | Not Specified |
ip | Interface IPv4 address and subnet mask, syntax: X.X.X.X/24. | ipv4-classnet-host | Not Specified |
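allowaccess | Permitted types of management access to this interface. ping: PING access. https: HTTPS access. ssh: SSH access. snmp: SNMP access. http: HTTP access. telnet: TELNET access. fgfm: FortiManager access. radius-acct: RADIUS accounting access. probe-response: Probe access. fabric: Security Fabric access. ftm: FTM access. Each option exposes a service on this interface's address, so enable only the ones the interface actually needs. http and telnet are unencrypted protocols; https and ssh are the safer choices for administrative logins. |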
option | - |
gwdetect | Enable/disable detect gateway alive for first. enable: Enable detect gateway alive for first. disable: Disable detect gateway alive for first. |
option | - |
ping-serv-status | PING server status. | integer | Minimum value: 0 Maximum value: 255 |
detectserver | Gateway's ping server for this IP. | user | Not Specified |
detectprotocol | Protocols used to detect the server. ping: PING. tcp-echo: TCP echo. udp-echo: UDP echo. |
option | - |
ha-priority | HA election priority for the PING server. | integer | Minimum value: 1 Maximum value: 50 |
fail-detect | Enable/disable fail detection features for this interface. enable: Enable interface failed option status. disable: Disable interface failed option status. |
option | - |
fail-detect-option | Options for detecting that this interface has failed. detectserver: Use a ping server to determine if the interface has failed. link-down: Use port detection to determine if the interface has failed. |
option | - |
fail-alert-method | Select link-failed-signal or link-down method to alert about a failed link. link-failed-signal: Link-failed-signal. link-down: Link-down. |
option | - |
fail-action-on-extender | Action on the extender when the interface fails. soft-restart: Soft-restart-on-extender. hard-restart: Hard-restart-on-extender. reboot: Reboot-on-extender. |
option | - |
fail-alert-interfaces <name> |
Names of the FortiGate interfaces to which the link failure alert is sent. Names of the non-virtual interface. |
string | Maximum length: 79 |
dhcp-client-identifier | DHCP client identifier. | string | Maximum length: 48 |
dhcp-renew-time | DHCP renew time in seconds (300-604800), 0 means use the renew time provided by the server. | integer | Minimum value: 300 Maximum value: 604800 |
ipunnumbered | Unnumbered IP used for PPPoE interfaces for which no unique local address is provided. | ipv4-address | Not Specified |
username | Username of the PPPoE account, provided by your ISP. | string | Maximum length: 64 |
pppoe-unnumbered-negotiate | Enable/disable PPPoE unnumbered negotiation. enable: Enable IP address negotiating for unnumbered. disable: Disable IP address negotiating for unnumbered. |
option | - |
password | PPPoE account's password. | password | Not Specified |
idle-timeout | PPPoE auto disconnect after idle timeout seconds, 0 means no timeout. | integer | Minimum value: 0 Maximum value: 32767 |
detected-peer-mtu | MTU of detected peer (0 - 4294967295). | integer | Minimum value: 0 Maximum value: 4294967295 |
disc-retry-timeout | Time in seconds to wait before retrying to start a PPPoE discovery, 0 means no timeout. | integer | Minimum value: 0 Maximum value: 4294967295 |
padt-retry-timeout | PPPoE Active Discovery Terminate (PADT) used to terminate sessions after an idle time. | integer | Minimum value: 0 Maximum value: 4294967295 |
service-name | PPPoE service name. | string | Maximum length: 63 |
ac-name | PPPoE server name. | string | Maximum length: 63 |
lcp-echo-interval | Time in seconds between PPPoE Link Control Protocol (LCP) echo requests. | integer | Minimum value: 0 Maximum value: 32767 |
lcp-max-echo-fails | Maximum missed LCP echo messages before disconnect. | integer | Minimum value: 0 Maximum value: 32767 |
defaultgw | Enable to get the gateway IP from the DHCP or PPPoE server. enable: Enable default gateway. disable: Disable default gateway. |
option | - |
dns-server-override | Enable/disable use of the DNS servers acquired by DHCP or PPPoE. enable: Use DNS acquired by DHCP or PPPoE. disable: Do not use DNS acquired by DHCP or PPPoE. |
option | - |
auth-type | PPP authentication type to use. auto: Automatically choose authentication. pap: PAP authentication. chap: CHAP authentication. mschapv1: MS-CHAPv1 authentication. mschapv2: MS-CHAPv2 authentication. Note that PAP transmits the password without encryption. |
option | - |
pptp-client | Enable/disable PPTP client. enable: Enable PPTP client. disable: Disable PPTP client. |
option | - |
pptp-user | PPTP user name. | string | Maximum length: 64 |
pptp-password | PPTP password. | password | Not Specified |
pptp-server-ip | PPTP server IP address. | ipv4-address | Not Specified |
pptp-auth-type | PPTP authentication type. auto: Automatically choose authentication. pap: PAP authentication. chap: CHAP authentication. mschapv1: MS-CHAPv1 authentication. mschapv2: MS-CHAPv2 authentication. Note that PAP transmits the password without encryption. |
option | - |
pptp-timeout | Idle timer in minutes (0 for disabled). | integer | Minimum value: 0 Maximum value: 65535 |
arpforward | Enable/disable ARP forwarding. enable: Enable ARP forwarding. disable: Disable ARP forwarding. |
option | - |
ndiscforward | Enable/disable NDISC forwarding. enable: Enable NDISC forwarding. disable: Disable NDISC forwarding. |
option | - |
broadcast-forward | Enable/disable broadcast forwarding. enable: Enable broadcast forwarding. disable: Disable broadcast forwarding. |
option | - |
bfd | Bidirectional Forwarding Detection (BFD) settings. global: BFD behavior of this interface will be based on global configuration. enable: Enable BFD on this interface and ignore global configuration. disable: Disable BFD on this interface and ignore global configuration. |
option | - |
bfd-desired-min-tx | BFD desired minimal transmit interval. | integer | Minimum value: 1 Maximum value: 100000 |
bfd-detect-mult | BFD detection multiplier. | integer | Minimum value: 1 Maximum value: 50 |
bfd-required-min-rx | BFD required minimal receive interval. | integer | Minimum value: 1 Maximum value: 100000 |
l2forward | Enable/disable L2 forwarding. enable: Enable L2 forwarding. disable: Disable L2 forwarding. |
option | - |
icmp-send-redirect | Enable/disable ICMP send redirect. enable: Enable ICMP send redirect. disable: Disable ICMP send redirect. |
option | - |
icmp-accept-redirect | Enable/disable ICMP accept redirect. enable: Enable ICMP accept redirect. disable: Disable ICMP accept redirect. |
option | - |
vlanforward | Enable/disable traffic forwarding between VLANs on this interface. enable: Enable traffic forwarding. disable: Disable traffic forwarding. |
option | - |
stpforward | Enable/disable STP forwarding. enable: Enable STP forwarding. disable: Disable STP forwarding. |
option | - |
stpforward-mode | Configure STP forwarding mode. rpl-all-ext-id: Replace all extension IDs (root, bridge). rpl-bridge-ext-id: Replace the bridge extension ID only. rpl-nothing: Replace nothing. |
option | - |
ips-sniffer-mode | Enable/disable the use of this interface as a one-armed sniffer. enable: Enable IPS sniffer mode. disable: Disable IPS sniffer mode. |
option | - |
ident-accept | Enable/disable authentication for this interface. enable: Enable determining a user's identity from packet identification. disable: Disable determining a user's identity from packet identification. |
option | - |
ipmac | Enable/disable IP/MAC binding. enable: Enable IP/MAC binding. disable: Disable IP/MAC binding. |
option | - |
subst | Enable to always send packets from this interface to a destination MAC address. enable: Send packets from this interface. disable: Do not send packets from this interface. |
option | - |
macaddr | Change the interface's MAC address. | mac-address | Not Specified |
substitute-dst-mac | Destination MAC address that all packets are sent to from this interface. | mac-address | Not Specified |
speed | Interface speed. The default setting and the options available depend on the interface hardware. auto: Automatically adjust speed. 10full: 10M full-duplex. 10half: 10M half-duplex. 100full: 100M full-duplex. 100half: 100M half-duplex. 1000full: 1000M full-duplex. 1000half: 1000M half-duplex. 1000auto: 1000M auto adjust. 10000full: 10G full-duplex. |
option | - |
status | Bring the interface up or shut the interface down. up: Bring the interface up. down: Shut the interface down. |
option | - |
netbios-forward | Enable/disable NETBIOS forwarding. disable: Disable NETBIOS forwarding. enable: Enable NETBIOS forwarding. |
option | - |
wins-ip | WINS server IP. | ipv4-address | Not Specified |
type | Interface type. physical: Physical interface. vlan: VLAN interface. aggregate: Aggregate interface. redundant: Redundant interface. tunnel: Tunnel interface. vdom-link: VDOM link interface. loopback: Loopback interface. switch: Software switch interface. vap-switch: VAP interface. wl-mesh: WLAN mesh interface. fext-wan: FortiExtender interface. vxlan: VXLAN interface. geneve: GENEVE interface. hdlc: T1/E1 interface. switch-vlan: Switch VLAN interface. emac-vlan: EMAC VLAN interface. |
option | - |
dedicated-to | Configure interface for single purpose. none: Interface not dedicated for any purpose. management: Dedicate this interface for management purposes only. |
option | - |
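trust-ip-1 | Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts). Leaving every trust-ip entry at the all-hosts value places no source-address restriction on dedicated management traffic; set specific hosts or subnets to limit it. | ipv4-classnet-any | Not Specified |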
trust-ip-2 | Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts). | ipv4-classnet-any | Not Specified |
trust-ip-3 | Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts). | ipv4-classnet-any | Not Specified |
trust-ip6-1 | Trusted IPv6 host for dedicated management traffic (::/0 for all hosts). | ipv6-prefix | Not Specified |
trust-ip6-2 | Trusted IPv6 host for dedicated management traffic (::/0 for all hosts). | ipv6-prefix | Not Specified |
trust-ip6-3 | Trusted IPv6 host for dedicated management traffic (::/0 for all hosts). | ipv6-prefix | Not Specified |
mtu-override | Enable to set a custom MTU for this interface. enable: Override default MTU. disable: Use default MTU (1500). |
option | - |
mtu | MTU value for this interface. | integer | Minimum value: 0 Maximum value: 4294967295 |
wccp | Enable/disable WCCP on this interface. Used for encapsulated WCCP communication between WCCP clients and servers. enable: Enable WCCP protocol on this interface. disable: Disable WCCP protocol on this interface. |
option | - |
netflow-sampler | Enable/disable NetFlow on this interface and set the data that NetFlow collects (rx, tx, or both). disable: Disable NetFlow protocol on this interface. tx: Monitor transmitted traffic on this interface. rx: Monitor received traffic on this interface. both: Monitor transmitted/received traffic on this interface. |
option | - |
sflow-sampler | Enable/disable sFlow on this interface. enable: Enable sFlow protocol on this interface. disable: Disable sFlow protocol on this interface. |
option | - |
drop-overlapped-fragment | Enable/disable drop overlapped fragment packets. enable: Enable drop of overlapped fragment packets. disable: Disable drop of overlapped fragment packets. |
option | - |
drop-fragment | Enable/disable dropping of fragment packets. enable: Drop fragment packets. disable: Do not drop fragment packets. |
option | - |
src-check | Enable/disable source IP check. enable: Enable source IP check. disable: Disable source IP check. |
option | - |
sample-rate | sFlow sample rate (10 - 99999). | integer | Minimum value: 10 Maximum value: 99999 |
polling-interval | sFlow polling interval (1 - 255 sec). | integer | Minimum value: 1 Maximum value: 255 |
sample-direction | Data that NetFlow collects (rx, tx, or both). tx: Monitor transmitted traffic on this interface. rx: Monitor received traffic on this interface. both: Monitor transmitted/received traffic on this interface. |
option | - |
explicit-web-proxy | Enable/disable the explicit web proxy on this interface. enable: Enable explicit Web proxy on this interface. disable: Disable explicit Web proxy on this interface. |
option | - |
explicit-ftp-proxy | Enable/disable the explicit FTP proxy on this interface. enable: Enable explicit FTP proxy on this interface. disable: Disable explicit FTP proxy on this interface. |
option | - |
proxy-captive-portal | Enable/disable proxy captive portal on this interface. enable: Enable proxy captive portal on this interface. disable: Disable proxy captive portal on this interface. |
option | - |
tcp-mss | TCP maximum segment size. 0 means do not change segment size. | integer | Minimum value: 0 Maximum value: 4294967295 |
inbandwidth | Bandwidth limit for incoming traffic (0 - 16776000 kbps), 0 means unlimited. | integer | Minimum value: 0 Maximum value: 16776000 |
outbandwidth | Bandwidth limit for outgoing traffic (0 - 16776000 kbps). | integer | Minimum value: 0 Maximum value: 16776000 |
egress-shaping-profile | Outgoing traffic shaping profile. | string | Maximum length: 35 |
ingress-shaping-profile | Incoming traffic shaping profile. | string | Maximum length: 35 |
disconnect-threshold | Time in milliseconds to wait before sending a notification that this interface is down or disconnected. | integer | Minimum value: 0 Maximum value: 10000 |
spillover-threshold | Egress Spillover threshold (0 - 16776000 kbps), 0 means unlimited. | integer | Minimum value: 0 Maximum value: 16776000 |
ingress-spillover-threshold | Ingress Spillover threshold (0 - 16776000 kbps). | integer | Minimum value: 0 Maximum value: 16776000 |
weight | Default weight for static routes (if route has no weight configured). | integer | Minimum value: 0 Maximum value: 255 |
interface | Interface name. | string | Maximum length: 15 |
external | Enable/disable identifying the interface as an external interface (which usually means it's connected to the Internet). enable: Enable identifying the interface as an external interface. disable: Disable identifying the interface as an external interface. |
option | - |
vlanid | VLAN ID (1 - 4094). | integer | Minimum value: 1 Maximum value: 4094 |
forward-domain | Transparent mode forward domain. | integer | Minimum value: 0 Maximum value: 2147483647 |
remote-ip | Remote IP address of tunnel. | ipv4-classnet-host | Not Specified |
member <interface-name> |
Physical interfaces that belong to the aggregate or redundant interface. Physical interface name. |
string | Maximum length: 79 |
lacp-mode | LACP mode. static: Use static aggregation, do not send and ignore any LACP messages. passive: Passively use LACP to negotiate 802.3ad aggregation. active: Actively use LACP to negotiate 802.3ad aggregation. |
option | - |
lacp-ha-slave | LACP HA slave. enable: Allow HA slave to send/receive LACP messages. disable: Block HA slave from sending/receiving LACP messages. |
option | - |
lacp-speed | How often the interface sends LACP messages. slow: Send LACP message every 30 seconds. fast: Send LACP message every second. |
option | - |
min-links | Minimum number of aggregated ports that must be up. | integer | Minimum value: 1 Maximum value: 32 |
min-links-down | Action to take when fewer than the configured minimum number of links are active. operational: Set the aggregate operationally down. administrative: Set the aggregate administratively down. |
option | - |
algorithm | Frame distribution algorithm. L2: Use layer 2 address for distribution. L3: Use layer 3 address for distribution. L4: Use layer 4 information for distribution. |
option | - |
link-up-delay | Number of milliseconds to wait before considering a link is up. | integer | Minimum value: 50 Maximum value: 3600000 |
priority-override | Enable/disable fail back to higher priority port once recovered. enable: Enable fail back to higher priority port once recovered. disable: Disable fail back to higher priority port once recovered. |
option | - |
aggregate | Aggregate interface. | string | Maximum length: 15 |
redundant-interface | Redundant interface. | string | Maximum length: 15 |
devindex | Device Index. | integer | Minimum value: 0 Maximum value: 4294967295 |
vindex | Switch control interface VLAN ID. | integer | Minimum value: 0 Maximum value: 65535 |
switch | Contained in switch. | string | Maximum length: 15 |
description | Description. | var-string | Maximum length: 255 |
alias | Alias will be displayed with the interface name to make it easier to distinguish. | string | Maximum length: 25 |
security-mode | Authentication mode for this interface. none: No security option. captive-portal: Captive portal authentication. 802.1X: 802.1X port-based authentication. |
option | - |
security-mac-auth-bypass | Enable/disable MAC authentication bypass. mac-auth-only: Enable MAC authentication bypass without EAP. enable: Enable MAC authentication bypass. disable: Disable MAC authentication bypass. |
option | - |
security-external-web | URL of external authentication web server. | string | Maximum length: 127 |
security-external-logout | URL of external authentication logout server. | string | Maximum length: 127 |
replacemsg-override-group | Replacement message override group. | string | Maximum length: 35 |
security-redirect-url | URL redirection after disclaimer/authentication. | string | Maximum length: 127 |
security-exempt-list | Name of security-exempt-list. | string | Maximum length: 35 |
security-groups <name> |
User groups that can authenticate with the captive portal. Names of user groups that can authenticate with the captive portal. |
string | Maximum length: 79 |
device-identification | Enable/disable passive gathering of device identity information about the devices on the network connected to this interface. enable: Enable passive gathering of identity information about hosts. disable: Disable passive gathering of identity information about hosts. |
option | - |
device-user-identification | Enable/disable passive gathering of user identity information about users on this interface. enable: Enable passive gathering of user identity information about users. disable: Disable passive gathering of user identity information about users. |
option | - |
lldp-reception | Enable/disable Link Layer Discovery Protocol (LLDP) reception. enable: Enable reception of Link Layer Discovery Protocol (LLDP). disable: Disable reception of Link Layer Discovery Protocol (LLDP). vdom: Use VDOM Link Layer Discovery Protocol (LLDP) reception configuration setting. |
option | - |
lldp-transmission | Enable/disable Link Layer Discovery Protocol (LLDP) transmission. enable: Enable transmission of Link Layer Discovery Protocol (LLDP). disable: Disable transmission of Link Layer Discovery Protocol (LLDP). vdom: Use VDOM Link Layer Discovery Protocol (LLDP) transmission configuration setting. |
option | - |
lldp-network-policy | LLDP-MED network policy profile. | string | Maximum length: 35 |
broadcast-forticlient-discovery | Enable/disable broadcasting FortiClient discovery messages. enable: Enable broadcasting FortiClient discovery messages. disable: Disable broadcasting FortiClient discovery messages. |
option | - |
estimated-upstream-bandwidth | Estimated maximum upstream bandwidth (kbps). Used to estimate link utilization. | integer | Minimum value: 0 Maximum value: 4294967295 |
estimated-downstream-bandwidth | Estimated maximum downstream bandwidth (kbps). Used to estimate link utilization. | integer | Minimum value: 0 Maximum value: 4294967295 |
vrrp-virtual-mac | Enable/disable use of virtual MAC for VRRP. enable: Enable use of virtual MAC for VRRP. disable: Disable use of virtual MAC for VRRP. |
option | - |
role | Interface role. lan: Connected to local network of endpoints. wan: Connected to Internet. dmz: Connected to server zone. undefined: Interface has no specific role. |
option | - |
snmp-index | Permanent SNMP Index of the interface. | integer | Minimum value: 0 Maximum value: 4294967295 |
secondary-IP | Enable/disable adding a secondary IP to this interface. enable: Enable secondary IP. disable: Disable secondary IP. |
option | - |
preserve-session-route | Enable/disable preservation of session route when dirty. enable: Enable preservation of session route when dirty. disable: Disable preservation of session route when dirty. |
option | - |
auto-auth-extension-device | Enable/disable automatic authorization of dedicated Fortinet extension device on this interface. enable: Enable automatic authorization of dedicated Fortinet extension device on this interface. disable: Disable automatic authorization of dedicated Fortinet extension device on this interface. |
option | - |
ap-discover | Enable/disable automatic registration of unknown FortiAP devices. enable: Enable automatic registration of unknown FortiAP devices. disable: Disable automatic registration of unknown FortiAP devices. |
option | - |
fortilink-stacking | Enable/disable FortiLink switch-stacking on this interface. enable: Enable FortiLink switch stacking. disable: Disable FortiLink switch stacking. |
option | - |
fortilink-neighbor-detect | Protocol for FortiGate neighbor discovery. lldp: Detect FortiLink neighbors using LLDP protocol. fortilink: Detect FortiLink neighbors using FortiLink protocol. |
option | - |
fortilink-split-interface | Enable/disable FortiLink split interface to connect member link to different FortiSwitch in stack for uplink redundancy. enable: Enable FortiLink split interface to connect member link to different FortiSwitch in stack for uplink redundancy. disable: Disable FortiLink split interface. |
option | - |
internal | Implicitly created. | integer | Minimum value: 0 Maximum value: 255 |
fortilink-backup-link | FortiLink split interface backup link. | integer | Minimum value: 0 Maximum value: 255 |
switch-controller-access-vlan | Block FortiSwitch port-to-port traffic. enable: Block FortiSwitch port-to-port traffic on the VLAN, only permitting traffic to and from the FortiGate. disable: Allow normal VLAN traffic. |
option | - |
switch-controller-traffic-policy | Switch controller traffic policy for the VLAN. | string | Maximum length: 63 |
switch-controller-rspan-mode | Stop Layer2 MAC learning and interception of BPDUs and other packets on this interface. disable: Disable RSPAN passthrough mode on this VLAN interface. enable: Enable RSPAN passthrough mode on this VLAN interface. |
option | - |
switch-controller-igmp-snooping | Switch controller IGMP snooping. enable: Enable IGMP snooping. disable: Disable IGMP snooping. |
option | - |
switch-controller-igmp-snooping-proxy | Switch controller IGMP snooping proxy. enable: Enable IGMP snooping proxy. disable: Disable IGMP snooping proxy. |
option | - |
switch-controller-igmp-snooping-fast-leave | Switch controller IGMP snooping fast-leave. enable: Enable IGMP snooping fast-leave. disable: Disable IGMP snooping fast-leave. |
option | - |
switch-controller-dhcp-snooping | Switch controller DHCP snooping. enable: Enable DHCP snooping for FortiSwitch devices. disable: Disable DHCP snooping for FortiSwitch devices. |
option | - |
switch-controller-dhcp-snooping-verify-mac | Switch controller DHCP snooping verify MAC. enable: Enable DHCP snooping verify source MAC for FortiSwitch devices. disable: Disable DHCP snooping verify source MAC for FortiSwitch devices. |
option | - |
switch-controller-dhcp-snooping-option82 | Switch controller DHCP snooping option82. enable: Enable DHCP snooping insert option82 for FortiSwitch devices. disable: Disable DHCP snooping insert option82 for FortiSwitch devices. |
option | - |
switch-controller-arp-inspection | Enable/disable FortiSwitch ARP inspection. enable: Enable ARP inspection for FortiSwitch devices. disable: Disable ARP inspection for FortiSwitch devices. |
option | - |
switch-controller-learning-limit | Limit the number of dynamic MAC addresses on this VLAN (1 - 128, 0 = no limit, default). | integer | Minimum value: 0 Maximum value: 128 |
color | Color of icon on the GUI. | integer | Minimum value: 0 Maximum value: 32 |
ingress-cos | Override incoming CoS in user VLAN tag on VLAN interface or assign a priority VLAN tag on physical interface. disable: Disable. cos0: CoS 0. cos1: CoS 1. cos2: CoS 2. cos3: CoS 3. cos4: CoS 4. cos5: CoS 5. cos6: CoS 6. cos7: CoS 7. |
option | - |
egress-cos | Override outgoing CoS in user VLAN tag. disable: Disable. cos0: CoS 0. cos1: CoS 1. cos2: CoS 2. cos3: CoS 3. cos4: CoS 4. cos5: CoS 5. cos6: CoS 6. cos7: CoS 7. |
option | - |
Parameter Name | Description | Type | Size |
---|---|---|---|
version | VRRP version. 2: VRRP version 2. 3: VRRP version 3. |
option | - |
vrgrp | VRRP group ID (1 - 65535). | integer | Minimum value: 1 Maximum value: 65535 |
vrip | IP address of the virtual router. | ipv4-address-any | Not Specified |
priority | Priority of the virtual router (1 - 255). | integer | Minimum value: 1 Maximum value: 255 |
adv-interval | Advertisement interval (1 - 255 seconds). | integer | Minimum value: 1 Maximum value: 255 |
start-time | Startup time (1 - 255 seconds). | integer | Minimum value: 1 Maximum value: 255 |
preempt | Enable/disable preempt mode. enable: Enable preempt mode. disable: Disable preempt mode. |
option | - |
accept-mode | Enable/disable accept mode. enable: Enable accept mode. disable: Disable accept mode. |
option | - |
vrdst | Monitor the route to this destination. | ipv4-address-any | Not Specified |
vrdst-priority | Priority of the virtual router when the virtual router destination becomes unreachable (0 - 254). | integer | Minimum value: 0 Maximum value: 254 |
ignore-default-route | Enable/disable ignoring of default route when checking destination. enable: Enable ignoring of default route when checking destination. disable: Disable ignoring of default route when checking destination. |
option | - |
status | Enable/disable this VRRP configuration. enable: Enable this VRRP configuration. disable: Disable this VRRP configuration. |
option | - |
Parameter Name | Description | Type | Size |
---|---|---|---|
ip | Set IP addresses of proxy ARP. | user | Not Specified |
Parameter Name | Description | Type | Size |
---|---|---|---|
ip | Secondary IP address of the interface. | ipv4-classnet-host | Not Specified |
allowaccess | Management access settings for the secondary IP address. ping: PING access. https: HTTPS access. ssh: SSH access. snmp: SNMP access. http: HTTP access (cleartext protocol). telnet: TELNET access (cleartext protocol). fgfm: FortiManager access. radius-acct: RADIUS accounting access. probe-response: Probe access. fabric: Security Fabric access. ftm: FTM access. |
option | - |
gwdetect | Enable/disable detect gateway alive for first. enable: Enable detect gateway alive for first. disable: Disable detect gateway alive for first. |
option | - |
ping-serv-status | PING server status. | integer | Minimum value: 0 Maximum value: 255 |
detectserver | Gateway's ping server for this IP. | user | Not Specified |
detectprotocol | Protocols used to detect the server. ping: PING. tcp-echo: TCP echo. udp-echo: UDP echo. |
option | - |
ha-priority | HA election priority for the PING server. | integer | Minimum value: 1 Maximum value: 50 |
Parameter Name | Description | Type | Size |
---|---|---|---|
category | Tag category. | string | Maximum length: 63 |
tags <name> |
Tags. Tag name. |
string | Maximum length: 79 |
Parameter Name | Description | Type | Size |
---|---|---|---|
cos0 | CoS profile name for CoS 0. | string | Maximum length: 35 |
cos1 | CoS profile name for CoS 1. | string | Maximum length: 35 |
cos2 | CoS profile name for CoS 2. | string | Maximum length: 35 |
cos3 | CoS profile name for CoS 3. | string | Maximum length: 35 |
cos4 | CoS profile name for CoS 4. | string | Maximum length: 35 |
cos5 | CoS profile name for CoS 5. | string | Maximum length: 35 |
cos6 | CoS profile name for CoS 6. | string | Maximum length: 35 |
cos7 | CoS profile name for CoS 7. | string | Maximum length: 35 |
Parameter Name | Description | Type | Size |
---|---|---|---|
ip6-mode | Addressing mode (static, DHCP, delegated). static: Static setting. dhcp: DHCPv6 client mode. pppoe: IPv6 over PPPoE mode. delegated: IPv6 address with delegated prefix. |
option | - |
nd-mode | Neighbor discovery mode. basic: Do not support SEND (Secure Neighbor Discovery). SEND-compatible: Support SEND. |
option | - |
nd-cert | Neighbor discovery certificate. | string | Maximum length: 35 |
nd-security-level | Neighbor discovery security level (0 - 7; 0 = least secure, default = 0). | integer | Minimum value: 0 Maximum value: 7 |
nd-timestamp-delta | Neighbor discovery timestamp delta value (1 - 3600 sec; default = 300). | integer | Minimum value: 1 Maximum value: 3600 |
nd-timestamp-fuzz | Neighbor discovery timestamp fuzz factor (1 - 60 sec; default = 1). | integer | Minimum value: 1 Maximum value: 60 |
nd-cga-modifier | Neighbor discovery CGA modifier. | user | Not Specified |
ip6-dns-server-override | Enable/disable using the DNS server acquired by DHCP. enable: Enable using the DNS server acquired by DHCP. disable: Disable using the DNS server acquired by DHCP. |
option | - |
ip6-address | Primary IPv6 address prefix, syntax: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx | ipv6-prefix | Not Specified |
ip6-allowaccess | Allow management access to the interface. ping: PING access. https: HTTPS access. ssh: SSH access. snmp: SNMP access. http: HTTP access (cleartext protocol). telnet: TELNET access (cleartext protocol). fgfm: FortiManager access. fabric: Fabric access. |
option | - |
ip6-send-adv | Enable/disable sending advertisements about the interface. enable: Enable sending advertisements about this interface. disable: Disable sending advertisements about this interface. |
option | - |
ip6-manage-flag | Enable/disable the managed flag. enable: Enable the managed IPv6 flag. disable: Disable the managed IPv6 flag. |
option | - |
ip6-other-flag | Enable/disable the other IPv6 flag. enable: Enable the other IPv6 flag. disable: Disable the other IPv6 flag. |
option | - |
ip6-max-interval | IPv6 maximum interval (4 to 1800 sec). | integer | Minimum value: 4 Maximum value: 1800 |
ip6-min-interval | IPv6 minimum interval (3 to 1350 sec). | integer | Minimum value: 3 Maximum value: 1350 |
ip6-link-mtu | IPv6 link MTU. | integer | Minimum value: 1280 Maximum value: 16000 |
ip6-reachable-time | IPv6 reachable time (milliseconds; 0 means unspecified). | integer | Minimum value: 0 Maximum value: 3600000 |
ip6-retrans-time | IPv6 retransmit time (milliseconds; 0 means unspecified). | integer | Minimum value: 0 Maximum value: 4294967295 |
ip6-default-life | Default life (sec). | integer | Minimum value: 0 Maximum value: 9000 |
ip6-hop-limit | Hop limit (0 means unspecified). | integer | Minimum value: 0 Maximum value: 255 |
autoconf | Enable/disable address auto config. enable: Enable auto-configuration. disable: Disable auto-configuration. |
option | - |
ip6-upstream-interface | Interface name providing delegated information. | string | Maximum length: 15 |
ip6-subnet | Subnet to routing prefix, syntax: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx | ipv6-prefix | Not Specified |
dhcp6-relay-service | Enable/disable DHCPv6 relay. disable: Disable DHCPv6 relay. enable: Enable DHCPv6 relay. |
option | - |
dhcp6-relay-type | DHCPv6 relay type. regular: Regular DHCP relay. |
option | - |
dhcp6-relay-ip | DHCPv6 relay IP address. | user | Not Specified |
dhcp6-client-options | DHCPv6 client options. rapid: Send rapid commit option. iapd: Send including IA-PD option. iana: Send including IA-NA option. |
option | - |
dhcp6-prefix-delegation | Enable/disable DHCPv6 prefix delegation. enable: Enable DHCPv6 prefix delegation. disable: Disable DHCPv6 prefix delegation. |
option | - |
dhcp6-information-request | Enable/disable DHCPv6 information request. enable: Enable DHCPv6 information request. disable: Disable DHCPv6 information request. |
option | - |
dhcp6-prefix-hint | DHCPv6 prefix that will be used as a hint to the upstream DHCPv6 server. | ipv6-network | Not Specified |
dhcp6-prefix-hint-plt | DHCPv6 prefix hint preferred life time (sec), 0 means unlimited lease time. | integer | Minimum value: 0 Maximum value: 4294967295 |
dhcp6-prefix-hint-vlt | DHCPv6 prefix hint valid life time (sec). | integer | Minimum value: 0 Maximum value: 4294967295 |
vrrp-virtual-mac6 | Enable/disable virtual MAC for VRRP. enable: Enable virtual MAC for VRRP. disable: Disable virtual MAC for VRRP. |
option | - |
vrip6_link_local | Link-local IPv6 address of virtual router. | ipv6-address | Not Specified |
Parameter Name | Description | Type | Size |
---|---|---|---|
autonomous-flag | Enable/disable the autonomous flag. enable: Enable the autonomous flag. disable: Disable the autonomous flag. |
option | - |
onlink-flag | Enable/disable the onlink flag. enable: Enable the onlink flag. disable: Disable the onlink flag. |
option | - |
valid-life-time | Valid life time (sec). | integer | Minimum value: 0 Maximum value: 4294967295 |
preferred-life-time | Preferred life time (sec). | integer | Minimum value: 0 Maximum value: 4294967295 |
rdnss | Recursive DNS server option. | user | Not Specified |
dnssl <domain> |
DNS search list option. Domain name. |
string | Maximum length: 79 |
Parameter Name | Description | Type | Size |
---|---|---|---|
upstream-interface | Name of the interface that provides delegated information. | string | Maximum length: 15 |
autonomous-flag | Enable/disable the autonomous flag. enable: Enable the autonomous flag. disable: Disable the autonomous flag. |
option | - |
onlink-flag | Enable/disable the onlink flag. enable: Enable the onlink flag. disable: Disable the onlink flag. |
option | - |
subnet | Add subnet ID to routing prefix. | ipv6-network | Not Specified |
rdnss-service | Recursive DNS service option. delegated: Delegated RDNSS settings. default: System RDNSS settings. specify: Specify recursive DNS servers. |
option | - |
rdnss | Recursive DNS server option. | user | Not Specified |
Parameter Name | Description | Type | Size |
---|---|---|---|
vrgrp | VRRP group ID (1 - 65535). | integer | Minimum value: 1 Maximum value: 65535 |
vrip6 | IPv6 address of the virtual router. | ipv6-address | Not Specified |
priority | Priority of the virtual router (1 - 255). | integer | Minimum value: 1 Maximum value: 255 |
adv-interval | Advertisement interval (1 - 255 seconds). | integer | Minimum value: 1 Maximum value: 255 |
start-time | Startup time (1 - 255 seconds). | integer | Minimum value: 1 Maximum value: 255 |
preempt | Enable/disable preempt mode. enable: Enable preempt mode. disable: Disable preempt mode. |
option | - |
accept-mode | Enable/disable accept mode. enable: Enable accept mode. disable: Disable accept mode. |
option | - |
vrdst6 | Monitor the route to this destination. | ipv6-address | Not Specified |
status | Enable/disable VRRP. enable: Enable VRRP. disable: Disable VRRP. |
option | - |
config system interface
Description: Configure interfaces.
edit <name>
set vdom {string}
set vrf {integer}
set cli-conn-status {integer}
set fortilink [enable|disable]
set mode [static|dhcp|...]
set distance {integer}
set priority {integer}
set dhcp-relay-interface-select-method [auto|sdwan|...]
set dhcp-relay-interface {string}
set dhcp-relay-service [disable|enable]
set dhcp-relay-ip {user}
set dhcp-relay-type [regular|ipsec]
set dhcp-relay-agent-option [enable|disable]
set management-ip {ipv4-classnet-host}
set ip {ipv4-classnet-host}
set allowaccess {option1}, {option2}, ...
set gwdetect [enable|disable]
set ping-serv-status {integer}
set detectserver {user}
set detectprotocol {option1}, {option2}, ...
set ha-priority {integer}
set fail-detect [enable|disable]
set fail-detect-option {option1}, {option2}, ...
set fail-alert-method [link-failed-signal|link-down]
set fail-action-on-extender [soft-restart|hard-restart|...]
set fail-alert-interfaces <name1>, <name2>, ...
set dhcp-client-identifier {string}
set dhcp-renew-time {integer}
set ipunnumbered {ipv4-address}
set username {string}
set pppoe-unnumbered-negotiate [enable|disable]
set password {password}
set idle-timeout {integer}
set detected-peer-mtu {integer}
set disc-retry-timeout {integer}
set padt-retry-timeout {integer}
set service-name {string}
set ac-name {string}
set lcp-echo-interval {integer}
set lcp-max-echo-fails {integer}
set defaultgw [enable|disable]
set dns-server-override [enable|disable]
set auth-type [auto|pap|...]
set pptp-client [enable|disable]
set pptp-user {string}
set pptp-password {password}
set pptp-server-ip {ipv4-address}
set pptp-auth-type [auto|pap|...]
set pptp-timeout {integer}
set arpforward [enable|disable]
set ndiscforward [enable|disable]
set broadcast-forward [enable|disable]
set bfd [global|enable|...]
set bfd-desired-min-tx {integer}
set bfd-detect-mult {integer}
set bfd-required-min-rx {integer}
set l2forward [enable|disable]
set icmp-send-redirect [enable|disable]
set icmp-accept-redirect [enable|disable]
set vlanforward [enable|disable]
set stpforward [enable|disable]
set stpforward-mode [rpl-all-ext-id|rpl-bridge-ext-id|...]
set ips-sniffer-mode [enable|disable]
set ident-accept [enable|disable]
set ipmac [enable|disable]
set subst [enable|disable]
set macaddr {mac-address}
set substitute-dst-mac {mac-address}
set speed [auto|10full|...]
set status [up|down]
set netbios-forward [disable|enable]
set wins-ip {ipv4-address}
set type [physical|vlan|...]
set dedicated-to [none|management]
set trust-ip-1 {ipv4-classnet-any}
set trust-ip-2 {ipv4-classnet-any}
set trust-ip-3 {ipv4-classnet-any}
set trust-ip6-1 {ipv6-prefix}
set trust-ip6-2 {ipv6-prefix}
set trust-ip6-3 {ipv6-prefix}
set mtu-override [enable|disable]
set mtu {integer}
set wccp [enable|disable]
set netflow-sampler [disable|tx|...]
set sflow-sampler [enable|disable]
set drop-overlapped-fragment [enable|disable]
set drop-fragment [enable|disable]
set src-check [enable|disable]
set sample-rate {integer}
set polling-interval {integer}
set sample-direction [tx|rx|...]
set explicit-web-proxy [enable|disable]
set explicit-ftp-proxy [enable|disable]
set proxy-captive-portal [enable|disable]
set tcp-mss {integer}
set inbandwidth {integer}
set outbandwidth {integer}
set egress-shaping-profile {string}
set ingress-shaping-profile {string}
set disconnect-threshold {integer}
set spillover-threshold {integer}
set ingress-spillover-threshold {integer}
set weight {integer}
set interface {string}
set external [enable|disable]
set vlanid {integer}
set forward-domain {integer}
set remote-ip {ipv4-classnet-host}
set member <interface-name1>, <interface-name2>, ...
set lacp-mode [static|passive|...]
set lacp-ha-slave [enable|disable]
set lacp-speed [slow|fast]
set min-links {integer}
set min-links-down [operational|administrative]
set algorithm [L2|L3|...]
set link-up-delay {integer}
set priority-override [enable|disable]
set aggregate {string}
set redundant-interface {string}
set devindex {integer}
set vindex {integer}
set switch {string}
set description {var-string}
set alias {string}
set security-mode [none|captive-portal|...]
set security-mac-auth-bypass [mac-auth-only|enable|...]
set security-external-web {string}
set security-external-logout {string}
set replacemsg-override-group {string}
set security-redirect-url {string}
set security-exempt-list {string}
set security-groups <name1>, <name2>, ...
set device-identification [enable|disable]
set device-user-identification [enable|disable]
set lldp-reception [enable|disable|...]
set lldp-transmission [enable|disable|...]
set lldp-network-policy {string}
set broadcast-forticlient-discovery [enable|disable]
set estimated-upstream-bandwidth {integer}
set estimated-downstream-bandwidth {integer}
set vrrp-virtual-mac [enable|disable]
config vrrp
Description: VRRP configuration.
edit <vrid>
set version [2|3]
set vrgrp {integer}
set vrip {ipv4-address-any}
set priority {integer}
set adv-interval {integer}
set start-time {integer}
set preempt [enable|disable]
set accept-mode [enable|disable]
set vrdst {ipv4-address-any}
set vrdst-priority {integer}
set ignore-default-route [enable|disable]
set status [enable|disable]
config proxy-arp
Description: VRRP Proxy ARP configuration.
edit <id>
set ip {user}
next
end
next
end
set role [lan|wan|...]
set snmp-index {integer}
set secondary-IP [enable|disable]
config secondaryip
Description: Second IP address of interface.
edit <id>
set ip {ipv4-classnet-host}
set allowaccess {option1}, {option2}, ...
set gwdetect [enable|disable]
set ping-serv-status {integer}
set detectserver {user}
set detectprotocol {option1}, {option2}, ...
set ha-priority {integer}
next
end
set preserve-session-route [enable|disable]
set auto-auth-extension-device [enable|disable]
set ap-discover [enable|disable]
set fortilink-stacking [enable|disable]
set fortilink-neighbor-detect [lldp|fortilink]
set fortilink-split-interface [enable|disable]
set internal {integer}
set fortilink-backup-link {integer}
set switch-controller-access-vlan [enable|disable]
set switch-controller-traffic-policy {string}
set switch-controller-rspan-mode [disable|enable]
set switch-controller-igmp-snooping [enable|disable]
set switch-controller-igmp-snooping-proxy [enable|disable]
set switch-controller-igmp-snooping-fast-leave [enable|disable]
set switch-controller-dhcp-snooping [enable|disable]
set switch-controller-dhcp-snooping-verify-mac [enable|disable]
set switch-controller-dhcp-snooping-option82 [enable|disable]
set switch-controller-arp-inspection [enable|disable]
set switch-controller-learning-limit {integer}
set color {integer}
config tagging
Description: Config object tagging.
edit <name>
set category {string}
set tags <name1>, <name2>, ...
next
end
config egress-queues
Description: Configure queues of NP port on egress path.
set cos0 {string}
set cos1 {string}
set cos2 {string}
set cos3 {string}
set cos4 {string}
set cos5 {string}
set cos6 {string}
set cos7 {string}
end
set ingress-cos [disable|cos0|...]
set egress-cos [disable|cos0|...]
config ipv6
Description: IPv6 of interface.
set ip6-mode [static|dhcp|...]
set nd-mode [basic|SEND-compatible]
set nd-cert {string}
set nd-security-level {integer}
set nd-timestamp-delta {integer}
set nd-timestamp-fuzz {integer}
set nd-cga-modifier {user}
set ip6-dns-server-override [enable|disable]
set ip6-address {ipv6-prefix}
config ip6-extra-addr
Description: Extra IPv6 address prefixes of interface.
edit <prefix>
next
end
set ip6-allowaccess {option1}, {option2}, ...
set ip6-send-adv [enable|disable]
set ip6-manage-flag [enable|disable]
set ip6-other-flag [enable|disable]
set ip6-max-interval {integer}
set ip6-min-interval {integer}
set ip6-link-mtu {integer}
set ip6-reachable-time {integer}
set ip6-retrans-time {integer}
set ip6-default-life {integer}
set ip6-hop-limit {integer}
set autoconf [enable|disable]
set ip6-upstream-interface {string}
set ip6-subnet {ipv6-prefix}
config ip6-prefix-list
Description: Advertised prefix list.
edit <prefix>
set autonomous-flag [enable|disable]
set onlink-flag [enable|disable]
set valid-life-time {integer}
set preferred-life-time {integer}
set rdnss {user}
set dnssl <domain1>, <domain2>, ...
next
end
config ip6-delegated-prefix-list
Description: Advertised IPv6 delegated prefix list.
edit <prefix-id>
set upstream-interface {string}
set autonomous-flag [enable|disable]
set onlink-flag [enable|disable]
set subnet {ipv6-network}
set rdnss-service [delegated|default|...]
set rdnss {user}
next
end
set dhcp6-relay-service [disable|enable]
set dhcp6-relay-type {option}
set dhcp6-relay-ip {user}
set dhcp6-client-options {option1}, {option2}, ...
set dhcp6-prefix-delegation [enable|disable]
set dhcp6-information-request [enable|disable]
set dhcp6-prefix-hint {ipv6-network}
set dhcp6-prefix-hint-plt {integer}
set dhcp6-prefix-hint-vlt {integer}
set vrrp-virtual-mac6 [enable|disable]
set vrip6_link_local {ipv6-address}
config vrrp6
Description: IPv6 VRRP configuration.
edit <vrid>
set vrgrp {integer}
set vrip6 {ipv6-address}
set priority {integer}
set adv-interval {integer}
set start-time {integer}
set preempt [enable|disable]
set accept-mode [enable|disable]
set vrdst6 {ipv6-address}
set status [enable|disable]
next
end
end
next
end
Parameter Name | Description | Type | Size |
---|---|---|---|
vdom | Interface is in this virtual domain (VDOM). | string | Maximum length: 31 |
vrf | Virtual Routing Forwarding ID. | integer | Minimum value: 0 Maximum value: 31 |
cli-conn-status | CLI connection status. | integer | Minimum value: 0 Maximum value: 4294967295 |
fortilink | Enable FortiLink to dedicate this interface to manage other Fortinet devices. enable: Enable FortiLink to dedicate this interface to managing FortiSwitch devices. disable: Disable FortiLink so this interface is not dedicated to managing FortiSwitch devices. |
option | - |
mode | Addressing mode (static, DHCP, PPPoE). static: Static setting. dhcp: External DHCP client mode. pppoe: External PPPoE mode. |
option | - |
distance | Distance for routes learned through PPPoE or DHCP, lower distance indicates preferred route. | integer | Minimum value: 1 Maximum value: 255 |
priority | Priority of learned routes. | integer | Minimum value: 0 Maximum value: 4294967295 |
dhcp-relay-interface-select-method | Specify how to select outgoing interface to reach server. auto: Set outgoing interface automatically. sdwan: Set outgoing interface by SD-WAN or policy routing rules. specify: Set outgoing interface manually. |
option | - |
dhcp-relay-interface | Specify outgoing interface to reach server. | string | Maximum length: 15 |
dhcp-relay-service | Enable/disable allowing this interface to act as a DHCP relay. disable: None. enable: DHCP relay agent. |
option | - |
dhcp-relay-ip | DHCP relay IP address. | user | Not Specified |
dhcp-relay-type | DHCP relay type (regular or IPsec). regular: Regular DHCP relay. ipsec: DHCP relay for IPsec. |
option | - |
dhcp-relay-agent-option | Enable/disable DHCP relay agent option. enable: Enable DHCP relay agent option. disable: Disable DHCP relay agent option. |
option | - |
management-ip | High Availability in-band management IP address of this interface. | ipv4-classnet-host | Not Specified |
ip | Interface IPv4 address and subnet mask, syntax: X.X.X.X/24. | ipv4-classnet-host | Not Specified |
allowaccess | Permitted types of management access to this interface. ping: PING access. https: HTTPS access. ssh: SSH access. snmp: SNMP access. http: HTTP access. telnet: TELNET access. fgfm: FortiManager access. radius-acct: RADIUS accounting access. probe-response: Probe access. fabric: Security Fabric access. ftm: FTM access. Note: HTTP and TELNET are unencrypted; enable only the access types this interface actually needs. |
option | - |
gwdetect | Enable/disable detect gateway alive for first. enable: Enable detect gateway alive for first. disable: Disable detect gateway alive for first. |
option | - |
ping-serv-status | PING server status. | integer | Minimum value: 0 Maximum value: 255 |
detectserver | Gateway's ping server for this IP. | user | Not Specified |
detectprotocol | Protocols used to detect the server. ping: PING. tcp-echo: TCP echo. udp-echo: UDP echo. |
option | - |
ha-priority | HA election priority for the PING server. | integer | Minimum value: 1 Maximum value: 50 |
fail-detect | Enable/disable fail detection features for this interface. enable: Enable interface failed option status. disable: Disable interface failed option status. |
option | - |
fail-detect-option | Options for detecting that this interface has failed. detectserver: Use a ping server to determine if the interface has failed. link-down: Use port detection to determine if the interface has failed. |
option | - |
fail-alert-method | Select link-failed-signal or link-down method to alert about a failed link. link-failed-signal: Link-failed-signal. link-down: Link-down. |
option | - |
fail-action-on-extender | Action on extender when interface fails. soft-restart: Soft-restart-on-extender. hard-restart: Hard-restart-on-extender. reboot: Reboot-on-extender. |
option | - |
fail-alert-interfaces <name> |
Names of the FortiGate interfaces to which the link failure alert is sent. Names of the non-virtual interface. |
string | Maximum length: 79 |
dhcp-client-identifier | DHCP client identifier. | string | Maximum length: 48 |
dhcp-renew-time | DHCP renew time in seconds (300-604800), 0 means use the renew time provided by the server. | integer | Minimum value: 300 Maximum value: 604800 |
ipunnumbered | Unnumbered IP used for PPPoE interfaces for which no unique local address is provided. | ipv4-address | Not Specified |
username | Username of the PPPoE account, provided by your ISP. | string | Maximum length: 64 |
pppoe-unnumbered-negotiate | Enable/disable PPPoE unnumbered negotiation. enable: Enable IP address negotiating for unnumbered. disable: Disable IP address negotiating for unnumbered. |
option | - |
password | PPPoE account's password. | password | Not Specified |
idle-timeout | PPPoE auto disconnect after idle timeout seconds, 0 means no timeout. | integer | Minimum value: 0 Maximum value: 32767 |
detected-peer-mtu | MTU of detected peer (0 - 4294967295). | integer | Minimum value: 0 Maximum value: 4294967295 |
disc-retry-timeout | Time in seconds to wait before retrying to start a PPPoE discovery, 0 means no timeout. | integer | Minimum value: 0 Maximum value: 4294967295 |
padt-retry-timeout | PPPoE Active Discovery Terminate (PADT) used to terminate sessions after an idle time. | integer | Minimum value: 0 Maximum value: 4294967295 |
service-name | PPPoE service name. | string | Maximum length: 63 |
ac-name | PPPoE server name. | string | Maximum length: 63 |
lcp-echo-interval | Time in seconds between PPPoE Link Control Protocol (LCP) echo requests. | integer | Minimum value: 0 Maximum value: 32767 |
lcp-max-echo-fails | Maximum missed LCP echo messages before disconnect. | integer | Minimum value: 0 Maximum value: 32767 |
defaultgw | Enable to get the gateway IP from the DHCP or PPPoE server. enable: Enable default gateway. disable: Disable default gateway. |
option | - |
dns-server-override | Enable/disable use of DNS acquired by DHCP or PPPoE. enable: Use DNS acquired by DHCP or PPPoE. disable: Do not use DNS acquired by DHCP or PPPoE. |
option | - |
auth-type | PPP authentication type to use. auto: Automatically choose authentication. pap: PAP authentication. chap: CHAP authentication. mschapv1: MS-CHAPv1 authentication. mschapv2: MS-CHAPv2 authentication. Note: PAP sends the password unencrypted. |
option | - |
pptp-client | Enable/disable PPTP client. enable: Enable PPTP client. disable: Disable PPTP client. |
option | - |
pptp-user | PPTP user name. | string | Maximum length: 64 |
pptp-password | PPTP password. | password | Not Specified |
pptp-server-ip | PPTP server IP address. | ipv4-address | Not Specified |
pptp-auth-type | PPTP authentication type. auto: Automatically choose authentication. pap: PAP authentication. chap: CHAP authentication. mschapv1: MS-CHAPv1 authentication. mschapv2: MS-CHAPv2 authentication. Note: PAP sends the password unencrypted. |
option | - |
pptp-timeout | Idle timer in minutes (0 for disabled). | integer | Minimum value: 0 Maximum value: 65535 |
arpforward | Enable/disable ARP forwarding. enable: Enable ARP forwarding. disable: Disable ARP forwarding. |
option | - |
ndiscforward | Enable/disable NDISC forwarding. enable: Enable NDISC forwarding. disable: Disable NDISC forwarding. |
option | - |
broadcast-forward | Enable/disable broadcast forwarding. enable: Enable broadcast forwarding. disable: Disable broadcast forwarding. |
option | - |
bfd | Bidirectional Forwarding Detection (BFD) settings. global: BFD behavior of this interface will be based on global configuration. enable: Enable BFD on this interface and ignore global configuration. disable: Disable BFD on this interface and ignore global configuration. |
option | - |
bfd-desired-min-tx | BFD desired minimal transmit interval. | integer | Minimum value: 1 Maximum value: 100000 |
bfd-detect-mult | BFD detection multiplier. | integer | Minimum value: 1 Maximum value: 50 |
bfd-required-min-rx | BFD required minimal receive interval. | integer | Minimum value: 1 Maximum value: 100000 |
l2forward | Enable/disable L2 forwarding. enable: Enable L2 forwarding. disable: Disable L2 forwarding. |
option | - |
icmp-send-redirect | Enable/disable ICMP send redirect. enable: Enable ICMP send redirect. disable: Disable ICMP send redirect. |
option | - |
icmp-accept-redirect | Enable/disable ICMP accept redirect. enable: Enable ICMP accept redirect. disable: Disable ICMP accept redirect. |
option | - |
vlanforward | Enable/disable traffic forwarding between VLANs on this interface. enable: Enable traffic forwarding. disable: Disable traffic forwarding. |
option | - |
stpforward | Enable/disable STP forwarding. enable: Enable STP forwarding. disable: Disable STP forwarding. |
option | - |
stpforward-mode | Configure STP forwarding mode. rpl-all-ext-id: Replace all extension IDs (root, bridge). rpl-bridge-ext-id: Replace the bridge extension ID only. rpl-nothing: Replace nothing. |
option | - |
ips-sniffer-mode | Enable/disable the use of this interface as a one-armed sniffer. enable: Enable IPS sniffer mode. disable: Disable IPS sniffer mode. |
option | - |
ident-accept | Enable/disable authentication for this interface. enable: Enable determining a user's identity from packet identification. disable: Disable determining a user's identity from packet identification. |
option | - |
ipmac | Enable/disable IP/MAC binding. enable: Enable IP/MAC binding. disable: Disable IP/MAC binding. |
option | - |
subst | Enable to always send packets from this interface to a destination MAC address. enable: Send packets from this interface. disable: Do not send packets from this interface. |
option | - |
macaddr | Change the interface's MAC address. | mac-address | Not Specified |
substitute-dst-mac | Destination MAC address that all packets are sent to from this interface. | mac-address | Not Specified |
speed | Interface speed. The default setting and the options available depend on the interface hardware. auto: Automatically adjust speed. 10full: 10M full-duplex. 10half: 10M half-duplex. 100full: 100M full-duplex. 100half: 100M half-duplex. 1000full: 1000M full-duplex. 1000half: 1000M half-duplex. 1000auto: 1000M auto adjust. 10000full: 10G full-duplex. |
option | - |
status | Bring the interface up or shut the interface down. up: Bring the interface up. down: Shut the interface down. |
option | - |
netbios-forward | Enable/disable NETBIOS forwarding. disable: Disable NETBIOS forwarding. enable: Enable NETBIOS forwarding. |
option | - |
wins-ip | WINS server IP. | ipv4-address | Not Specified |
type | Interface type. physical: Physical interface. vlan: VLAN interface. aggregate: Aggregate interface. redundant: Redundant interface. tunnel: Tunnel interface. vdom-link: VDOM link interface. loopback: Loopback interface. switch: Software switch interface. vap-switch: VAP interface. wl-mesh: WLAN mesh interface. fext-wan: FortiExtender interface. vxlan: VXLAN interface. geneve: GENEVE interface. hdlc: T1/E1 interface. switch-vlan: Switch VLAN interface. emac-vlan: EMAC VLAN interface. |
option | - |
dedicated-to | Configure interface for single purpose. none: Interface not dedicated for any purpose. management: Dedicate this interface for management purposes only. |
option | - |
trust-ip-1 | Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts). | ipv4-classnet-any | Not Specified |
trust-ip-2 | Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts). | ipv4-classnet-any | Not Specified |
trust-ip-3 | Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts). | ipv4-classnet-any | Not Specified |
trust-ip6-1 | Trusted IPv6 host for dedicated management traffic (::/0 for all hosts). | ipv6-prefix | Not Specified |
trust-ip6-2 | Trusted IPv6 host for dedicated management traffic (::/0 for all hosts). | ipv6-prefix | Not Specified |
trust-ip6-3 | Trusted IPv6 host for dedicated management traffic (::/0 for all hosts). | ipv6-prefix | Not Specified |
mtu-override | Enable to set a custom MTU for this interface. enable: Override default MTU. disable: Use default MTU (1500). |
option | - |
mtu | MTU value for this interface. | integer | Minimum value: 0 Maximum value: 4294967295 |
wccp | Enable/disable WCCP on this interface. Used for encapsulated WCCP communication between WCCP clients and servers. enable: Enable WCCP protocol on this interface. disable: Disable WCCP protocol on this interface. |
option | - |
netflow-sampler | Enable/disable NetFlow on this interface and set the data that NetFlow collects (rx, tx, or both). disable: Disable NetFlow protocol on this interface. tx: Monitor transmitted traffic on this interface. rx: Monitor received traffic on this interface. both: Monitor transmitted/received traffic on this interface. |
option | - |
sflow-sampler | Enable/disable sFlow on this interface. enable: Enable sFlow protocol on this interface. disable: Disable sFlow protocol on this interface. |
option | - |
drop-overlapped-fragment | Enable/disable drop overlapped fragment packets. enable: Enable drop of overlapped fragment packets. disable: Disable drop of overlapped fragment packets. |
option | - |
drop-fragment | Enable/disable drop fragment packets. enable: Drop fragment packets. disable: Do not drop fragment packets. |
option | - |
src-check | Enable/disable source IP check. enable: Enable source IP check. disable: Disable source IP check. |
option | - |
sample-rate | sFlow sample rate (10 - 99999). | integer | Minimum value: 10 Maximum value: 99999 |
polling-interval | sFlow polling interval (1 - 255 sec). | integer | Minimum value: 1 Maximum value: 255 |
sample-direction | Data that NetFlow collects (rx, tx, or both). tx: Monitor transmitted traffic on this interface. rx: Monitor received traffic on this interface. both: Monitor transmitted/received traffic on this interface. |
option | - |
explicit-web-proxy | Enable/disable the explicit web proxy on this interface. enable: Enable explicit Web proxy on this interface. disable: Disable explicit Web proxy on this interface. |
option | - |
explicit-ftp-proxy | Enable/disable the explicit FTP proxy on this interface. enable: Enable explicit FTP proxy on this interface. disable: Disable explicit FTP proxy on this interface. |
option | - |
proxy-captive-portal | Enable/disable proxy captive portal on this interface. enable: Enable proxy captive portal on this interface. disable: Disable proxy captive portal on this interface. |
option | - |
tcp-mss | TCP maximum segment size. 0 means do not change segment size. | integer | Minimum value: 0 Maximum value: 4294967295 |
inbandwidth | Bandwidth limit for incoming traffic (0 - 16776000 kbps), 0 means unlimited. | integer | Minimum value: 0 Maximum value: 16776000 |
outbandwidth | Bandwidth limit for outgoing traffic (0 - 16776000 kbps). | integer | Minimum value: 0 Maximum value: 16776000 |
egress-shaping-profile | Outgoing traffic shaping profile. | string | Maximum length: 35 |
ingress-shaping-profile | Incoming traffic shaping profile. | string | Maximum length: 35 |
disconnect-threshold | Time in milliseconds to wait before sending a notification that this interface is down or disconnected. | integer | Minimum value: 0 Maximum value: 10000 |
spillover-threshold | Egress Spillover threshold (0 - 16776000 kbps), 0 means unlimited. | integer | Minimum value: 0 Maximum value: 16776000 |
ingress-spillover-threshold | Ingress Spillover threshold (0 - 16776000 kbps). | integer | Minimum value: 0 Maximum value: 16776000 |
weight | Default weight for static routes (if route has no weight configured). | integer | Minimum value: 0 Maximum value: 255 |
interface | Interface name. | string | Maximum length: 15 |
external | Enable/disable identifying the interface as an external interface (which usually means it's connected to the Internet). enable: Enable identifying the interface as an external interface. disable: Disable identifying the interface as an external interface. |
option | - |
vlanid | VLAN ID (1 - 4094). | integer | Minimum value: 1 Maximum value: 4094 |
forward-domain | Transparent mode forward domain. | integer | Minimum value: 0 Maximum value: 2147483647 |
remote-ip | Remote IP address of tunnel. | ipv4-classnet-host | Not Specified |
member <interface-name> |
Physical interfaces that belong to the aggregate or redundant interface. Physical interface name. |
string | Maximum length: 79 |
lacp-mode | LACP mode. static: Use static aggregation, do not send and ignore any LACP messages. passive: Passively use LACP to negotiate 802.3ad aggregation. active: Actively use LACP to negotiate 802.3ad aggregation. |
option | - |
lacp-ha-slave | LACP HA slave. enable: Allow HA slave to send/receive LACP messages. disable: Block HA slave from sending/receiving LACP messages. |
option | - |
lacp-speed | How often the interface sends LACP messages. slow: Send LACP message every 30 seconds. fast: Send LACP message every second. |
option | - |
min-links | Minimum number of aggregated ports that must be up. | integer | Minimum value: 1 Maximum value: 32 |
min-links-down | Action to take when fewer than the configured minimum number of links are active. operational: Set the aggregate operationally down. administrative: Set the aggregate administratively down. |
option | - |
algorithm | Frame distribution algorithm. L2: Use layer 2 address for distribution. L3: Use layer 3 address for distribution. L4: Use layer 4 information for distribution. |
option | - |
link-up-delay | Number of milliseconds to wait before considering a link is up. | integer | Minimum value: 50 Maximum value: 3600000 |
priority-override | Enable/disable fail back to higher priority port once recovered. enable: Enable fail back to higher priority port once recovered. disable: Disable fail back to higher priority port once recovered. |
option | - |
aggregate | Aggregate interface. | string | Maximum length: 15 |
redundant-interface | Redundant interface. | string | Maximum length: 15 |
devindex | Device Index. | integer | Minimum value: 0 Maximum value: 4294967295 |
vindex | Switch control interface VLAN ID. | integer | Minimum value: 0 Maximum value: 65535 |
switch | Contained in switch. | string | Maximum length: 15 |
description | Description. | var-string | Maximum length: 255 |
alias | Alias will be displayed with the interface name to make it easier to distinguish. | string | Maximum length: 25 |
security-mode | Turn on captive portal authentication for this interface. none: No security option. captive-portal: Captive portal authentication. 802.1X: 802.1X port-based authentication. |
option | - |
security-mac-auth-bypass | Enable/disable MAC authentication bypass. mac-auth-only: Enable MAC authentication bypass without EAP. enable: Enable MAC authentication bypass. disable: Disable MAC authentication bypass. |
option | - |
security-external-web | URL of external authentication web server. | string | Maximum length: 127 |
security-external-logout | URL of external authentication logout server. | string | Maximum length: 127 |
replacemsg-override-group | Replacement message override group. | string | Maximum length: 35 |
security-redirect-url | URL redirection after disclaimer/authentication. | string | Maximum length: 127 |
security-exempt-list | Name of security-exempt-list. | string | Maximum length: 35 |
security-groups <name> |
User groups that can authenticate with the captive portal. Names of user groups that can authenticate with the captive portal. |
string | Maximum length: 79 |
device-identification | Enable/disable passive gathering of device identity information about the devices on the network connected to this interface. enable: Enable passive gathering of identity information about hosts. disable: Disable passive gathering of identity information about hosts. |
option | - |
device-user-identification | Enable/disable passive gathering of user identity information about users on this interface. enable: Enable passive gathering of user identity information about users. disable: Disable passive gathering of user identity information about users. |
option | - |
lldp-reception | Enable/disable Link Layer Discovery Protocol (LLDP) reception. enable: Enable reception of Link Layer Discovery Protocol (LLDP). disable: Disable reception of Link Layer Discovery Protocol (LLDP). vdom: Use VDOM Link Layer Discovery Protocol (LLDP) reception configuration setting. |
option | - |
lldp-transmission | Enable/disable Link Layer Discovery Protocol (LLDP) transmission. enable: Enable transmission of Link Layer Discovery Protocol (LLDP). disable: Disable transmission of Link Layer Discovery Protocol (LLDP). vdom: Use VDOM Link Layer Discovery Protocol (LLDP) transmission configuration setting. |
option | - |
lldp-network-policy | LLDP-MED network policy profile. | string | Maximum length: 35 |
broadcast-forticlient-discovery | Enable/disable broadcasting FortiClient discovery messages. enable: Enable broadcasting FortiClient discovery messages. disable: Disable broadcasting FortiClient discovery messages. |
option | - |
estimated-upstream-bandwidth | Estimated maximum upstream bandwidth (kbps). Used to estimate link utilization. | integer | Minimum value: 0 Maximum value: 4294967295 |
estimated-downstream-bandwidth | Estimated maximum downstream bandwidth (kbps). Used to estimate link utilization. | integer | Minimum value: 0 Maximum value: 4294967295 |
vrrp-virtual-mac | Enable/disable use of virtual MAC for VRRP. enable: Enable use of virtual MAC for VRRP. disable: Disable use of virtual MAC for VRRP. |
option | - |
role | Interface role. lan: Connected to local network of endpoints. wan: Connected to Internet. dmz: Connected to server zone. undefined: Interface has no specific role. |
option | - |
snmp-index | Permanent SNMP Index of the interface. | integer | Minimum value: 0 Maximum value: 4294967295 |
secondary-IP | Enable/disable adding a secondary IP to this interface. enable: Enable secondary IP. disable: Disable secondary IP. |
option | - |
preserve-session-route | Enable/disable preservation of session route when dirty. enable: Enable preservation of session route when dirty. disable: Disable preservation of session route when dirty. |
option | - |
auto-auth-extension-device | Enable/disable automatic authorization of dedicated Fortinet extension device on this interface. enable: Enable automatic authorization of dedicated Fortinet extension device on this interface. disable: Disable automatic authorization of dedicated Fortinet extension device on this interface. |
option | - |
ap-discover | Enable/disable automatic registration of unknown FortiAP devices. enable: Enable automatic registration of unknown FortiAP devices. disable: Disable automatic registration of unknown FortiAP devices. |
option | - |
fortilink-stacking | Enable/disable FortiLink switch-stacking on this interface. enable: Enable FortiLink switch stacking. disable: Disable FortiLink switch stacking. |
option | - |
fortilink-neighbor-detect | Protocol for FortiGate neighbor discovery. lldp: Detect FortiLink neighbors using LLDP protocol. fortilink: Detect FortiLink neighbors using FortiLink protocol. |
option | - |
fortilink-split-interface | Enable/disable FortiLink split interface to connect member link to different FortiSwitch in stack for uplink redundancy. enable: Enable FortiLink split interface to connect member link to different FortiSwitch in stack for uplink redundancy. disable: Disable FortiLink split interface. |
option | - |
internal | Implicitly created. | integer | Minimum value: 0 Maximum value: 255 |
fortilink-backup-link | FortiLink split interface backup link. | integer | Minimum value: 0 Maximum value: 255 |
switch-controller-access-vlan | Block FortiSwitch port-to-port traffic. enable: Block FortiSwitch port-to-port traffic on the VLAN, only permitting traffic to and from the FortiGate. disable: Allow normal VLAN traffic. |
option | - |
switch-controller-traffic-policy | Switch controller traffic policy for the VLAN. | string | Maximum length: 63 |
switch-controller-rspan-mode | Stop Layer2 MAC learning and interception of BPDUs and other packets on this interface. disable: Disable RSPAN passthrough mode on this VLAN interface. enable: Enable RSPAN passthrough mode on this VLAN interface. |
option | - |
switch-controller-igmp-snooping | Switch controller IGMP snooping. enable: Enable IGMP snooping. disable: Disable IGMP snooping. |
option | - |
switch-controller-igmp-snooping-proxy | Switch controller IGMP snooping proxy. enable: Enable IGMP snooping proxy. disable: Disable IGMP snooping proxy. |
option | - |
switch-controller-igmp-snooping-fast-leave | Switch controller IGMP snooping fast-leave. enable: Enable IGMP snooping fast-leave. disable: Disable IGMP snooping fast-leave. |
option | - |
switch-controller-dhcp-snooping | Switch controller DHCP snooping. enable: Enable DHCP snooping for FortiSwitch devices. disable: Disable DHCP snooping for FortiSwitch devices. |
option | - |
switch-controller-dhcp-snooping-verify-mac | Switch controller DHCP snooping verify MAC. enable: Enable DHCP snooping verify source MAC for FortiSwitch devices. disable: Disable DHCP snooping verify source MAC for FortiSwitch devices. |
option | - |
switch-controller-dhcp-snooping-option82 | Switch controller DHCP snooping option82. enable: Enable DHCP snooping insert option82 for FortiSwitch devices. disable: Disable DHCP snooping insert option82 for FortiSwitch devices. |
option | - |
switch-controller-arp-inspection | Enable/disable FortiSwitch ARP inspection. enable: Enable ARP inspection for FortiSwitch devices. disable: Disable ARP inspection for FortiSwitch devices. |
option | - |
switch-controller-learning-limit | Limit the number of dynamic MAC addresses on this VLAN (1 - 128, 0 = no limit, default). | integer | Minimum value: 0 Maximum value: 128 |
color | Color of icon on the GUI. | integer | Minimum value: 0 Maximum value: 32 |
ingress-cos | Override incoming CoS in user VLAN tag on VLAN interface or assign a priority VLAN tag on physical interface. disable: Disable. cos0: CoS 0. cos1: CoS 1. cos2: CoS 2. cos3: CoS 3. cos4: CoS 4. cos5: CoS 5. cos6: CoS 6. cos7: CoS 7. |
option | - |
egress-cos | Override outgoing CoS in user VLAN tag. disable: Disable. cos0: CoS 0. cos1: CoS 1. cos2: CoS 2. cos3: CoS 3. cos4: CoS 4. cos5: CoS 5. cos6: CoS 6. cos7: CoS 7. |
option | - |
Parameter Name | Description | Type | Size |
---|---|---|---|
version | VRRP version. 2: VRRP version 2. 3: VRRP version 3. |
option | - |
vrgrp | VRRP group ID (1 - 65535). | integer | Minimum value: 1 Maximum value: 65535 |
vrip | IP address of the virtual router. | ipv4-address-any | Not Specified |
priority | Priority of the virtual router (1 - 255). | integer | Minimum value: 1 Maximum value: 255 |
adv-interval | Advertisement interval (1 - 255 seconds). | integer | Minimum value: 1 Maximum value: 255 |
start-time | Startup time (1 - 255 seconds). | integer | Minimum value: 1 Maximum value: 255 |
preempt | Enable/disable preempt mode. enable: Enable preempt mode. disable: Disable preempt mode. |
option | - |
accept-mode | Enable/disable accept mode. enable: Enable accept mode. disable: Disable accept mode. |
option | - |
vrdst | Monitor the route to this destination. | ipv4-address-any | Not Specified |
vrdst-priority | Priority of the virtual router when the virtual router destination becomes unreachable (0 - 254). | integer | Minimum value: 0 Maximum value: 254 |
ignore-default-route | Enable/disable ignoring of default route when checking destination. enable: Enable ignoring of default route when checking destination. disable: Disable ignoring of default route when checking destination. |
option | - |
status | Enable/disable this VRRP configuration. enable: Enable this VRRP configuration. disable: Disable this VRRP configuration. |
option | - |
Parameter Name | Description | Type | Size |
---|---|---|---|
ip | Set IP addresses of proxy ARP. | user | Not Specified |
Parameter Name | Description | Type | Size |
---|---|---|---|
ip | Secondary IP address of the interface. | ipv4-classnet-host | Not Specified |
allowaccess | Management access settings for the secondary IP address. ping: PING access. https: HTTPS access. ssh: SSH access. snmp: SNMP access. http: HTTP access. telnet: TELNET access. fgfm: FortiManager access. radius-acct: RADIUS accounting access. probe-response: Probe access. fabric: Security Fabric access. ftm: FTM access. Note: HTTP and TELNET are unencrypted; enable only the access types this address actually needs. |
option | - |
gwdetect | Enable/disable detect gateway alive for first. enable: Enable detect gateway alive for first. disable: Disable detect gateway alive for first. |
option | - |
ping-serv-status | PING server status. | integer | Minimum value: 0 Maximum value: 255 |
detectserver | Gateway's ping server for this IP. | user | Not Specified |
detectprotocol | Protocols used to detect the server. ping: PING. tcp-echo: TCP echo. udp-echo: UDP echo. |
option | - |
ha-priority | HA election priority for the PING server. | integer | Minimum value: 1 Maximum value: 50 |
Parameter Name | Description | Type | Size |
---|---|---|---|
category | Tag category. | string | Maximum length: 63 |
tags <name> |
Tags. Tag name. |
string | Maximum length: 79 |
Parameter Name | Description | Type | Size |
---|---|---|---|
cos0 | CoS profile name for CoS 0. | string | Maximum length: 35 |
cos1 | CoS profile name for CoS 1. | string | Maximum length: 35 |
cos2 | CoS profile name for CoS 2. | string | Maximum length: 35 |
cos3 | CoS profile name for CoS 3. | string | Maximum length: 35 |
cos4 | CoS profile name for CoS 4. | string | Maximum length: 35 |
cos5 | CoS profile name for CoS 5. | string | Maximum length: 35 |
cos6 | CoS profile name for CoS 6. | string | Maximum length: 35 |
cos7 | CoS profile name for CoS 7. | string | Maximum length: 35 |
Parameter Name | Description | Type | Size |
---|---|---|---|
ip6-mode | Addressing mode (static, DHCP, delegated). static: Static setting. dhcp: DHCPv6 client mode. pppoe: IPv6 over PPPoE mode. delegated: IPv6 address with delegated prefix. |
option | - |
nd-mode | Neighbor discovery mode. basic: Do not support SEND. SEND-compatible: Support SEND. |
option | - |
nd-cert | Neighbor discovery certificate. | string | Maximum length: 35 |
nd-security-level | Neighbor discovery security level (0 - 7; 0 = least secure, default = 0). | integer | Minimum value: 0 Maximum value: 7 |
nd-timestamp-delta | Neighbor discovery timestamp delta value (1 - 3600 sec; default = 300). | integer | Minimum value: 1 Maximum value: 3600 |
nd-timestamp-fuzz | Neighbor discovery timestamp fuzz factor (1 - 60 sec; default = 1). | integer | Minimum value: 1 Maximum value: 60 |
nd-cga-modifier | Neighbor discovery CGA modifier. | user | Not Specified |
ip6-dns-server-override | Enable/disable using the DNS server acquired by DHCP. enable: Enable using the DNS server acquired by DHCP. disable: Disable using the DNS server acquired by DHCP. |
option | - |
ip6-address | Primary IPv6 address prefix, syntax: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx | ipv6-prefix | Not Specified |
ip6-allowaccess | Allow management access to the interface. ping: PING access. https: HTTPS access. ssh: SSH access. snmp: SNMP access. http: HTTP access. telnet: TELNET access. fgfm: FortiManager access. fabric: Fabric access. Note: HTTP and TELNET are unencrypted; enable only the access types this interface actually needs. |
option | - |
ip6-send-adv | Enable/disable sending advertisements about the interface. enable: Enable sending advertisements about this interface. disable: Disable sending advertisements about this interface. |
option | - |
ip6-manage-flag | Enable/disable the managed flag. enable: Enable the managed IPv6 flag. disable: Disable the managed IPv6 flag. |
option | - |
ip6-other-flag | Enable/disable the other IPv6 flag. enable: Enable the other IPv6 flag. disable: Disable the other IPv6 flag. |
option | - |
ip6-max-interval | IPv6 maximum interval (4 to 1800 sec). | integer | Minimum value: 4 Maximum value: 1800 |
ip6-min-interval | IPv6 minimum interval (3 to 1350 sec). | integer | Minimum value: 3 Maximum value: 1350 |
ip6-link-mtu | IPv6 link MTU. | integer | Minimum value: 1280 Maximum value: 16000 |
ip6-reachable-time | IPv6 reachable time (milliseconds; 0 means unspecified). | integer | Minimum value: 0 Maximum value: 3600000 |
ip6-retrans-time | IPv6 retransmit time (milliseconds; 0 means unspecified). | integer | Minimum value: 0 Maximum value: 4294967295 |
ip6-default-life | Default life (sec). | integer | Minimum value: 0 Maximum value: 9000 |
ip6-hop-limit | Hop limit (0 means unspecified). | integer | Minimum value: 0 Maximum value: 255 |
autoconf | Enable/disable address auto config. enable: Enable auto-configuration. disable: Disable auto-configuration. |
option | - |
ip6-upstream-interface | Interface name providing delegated information. | string | Maximum length: 15 |
ip6-subnet | Subnet to routing prefix, syntax: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx | ipv6-prefix | Not Specified |
dhcp6-relay-service | Enable/disable DHCPv6 relay. disable: Disable DHCPv6 relay. enable: Enable DHCPv6 relay. |
option | - |
dhcp6-relay-type | DHCPv6 relay type. regular: Regular DHCP relay. |
option | - |
dhcp6-relay-ip | DHCPv6 relay IP address. | user | Not Specified |
dhcp6-client-options | DHCPv6 client options. rapid: Send rapid commit option. iapd: Send including IA-PD option. iana: Send including IA-NA option. |
option | - |
dhcp6-prefix-delegation | Enable/disable DHCPv6 prefix delegation. enable: Enable DHCPv6 prefix delegation. disable: Disable DHCPv6 prefix delegation. |
option | - |
dhcp6-information-request | Enable/disable DHCPv6 information request. enable: Enable DHCPv6 information request. disable: Disable DHCPv6 information request. |
option | - |
dhcp6-prefix-hint | DHCPv6 prefix that will be used as a hint to the upstream DHCPv6 server. | ipv6-network | Not Specified |
dhcp6-prefix-hint-plt | DHCPv6 prefix hint preferred life time (sec), 0 means unlimited lease time. | integer | Minimum value: 0 Maximum value: 4294967295 |
dhcp6-prefix-hint-vlt | DHCPv6 prefix hint valid life time (sec). | integer | Minimum value: 0 Maximum value: 4294967295 |
vrrp-virtual-mac6 | Enable/disable virtual MAC for VRRP. enable: Enable virtual MAC for VRRP. disable: Disable virtual MAC for VRRP. | option | - |
vrip6_link_local | Link-local IPv6 address of virtual router. | ipv6-address | Not Specified |
Parameter Name | Description | Type | Size |
---|---|---|---|
autonomous-flag | Enable/disable the autonomous flag. enable: Enable the autonomous flag. disable: Disable the autonomous flag. | option | - |
onlink-flag | Enable/disable the onlink flag. enable: Enable the onlink flag. disable: Disable the onlink flag. | option | - |
valid-life-time | Valid life time (sec). | integer | Minimum value: 0 Maximum value: 4294967295 |
preferred-life-time | Preferred life time (sec). | integer | Minimum value: 0 Maximum value: 4294967295 |
rdnss | Recursive DNS server option. | user | Not Specified |
dnssl <domain> | DNS search list option. Domain name. | string | Maximum length: 79 |
Parameter Name | Description | Type | Size |
---|---|---|---|
upstream-interface | Name of the interface that provides delegated information. | string | Maximum length: 15 |
autonomous-flag | Enable/disable the autonomous flag. enable: Enable the autonomous flag. disable: Disable the autonomous flag. | option | - |
onlink-flag | Enable/disable the onlink flag. enable: Enable the onlink flag. disable: Disable the onlink flag. | option | - |
subnet | Add subnet ID to routing prefix. | ipv6-network | Not Specified |
rdnss-service | Recursive DNS service option. delegated: Delegated RDNSS settings. default: System RDNSS settings. specify: Specify recursive DNS servers. | option | - |
rdnss | Recursive DNS server option. | user | Not Specified |
Parameter Name | Description | Type | Size |
---|---|---|---|
vrgrp | VRRP group ID (1 - 65535). | integer | Minimum value: 1 Maximum value: 65535 |
vrip6 | IPv6 address of the virtual router. | ipv6-address | Not Specified |
priority | Priority of the virtual router (1 - 255). | integer | Minimum value: 1 Maximum value: 255 |
adv-interval | Advertisement interval (1 - 255 seconds). | integer | Minimum value: 1 Maximum value: 255 |
start-time | Startup time (1 - 255 seconds). | integer | Minimum value: 1 Maximum value: 255 |
preempt | Enable/disable preempt mode. enable: Enable preempt mode. disable: Disable preempt mode. | option | - |
accept-mode | Enable/disable accept mode. enable: Enable accept mode. disable: Disable accept mode. | option | - |
vrdst6 | Monitor the route to this destination. | ipv6-address | Not Specified |
status | Enable/disable VRRP. enable: Enable VRRP. disable: Disable VRRP. | option | - |