
CLI Reference

system interface

Configure interfaces.

  config system interface
      Description: Configure interfaces.
      edit <name>
          set vdom {string}
          set vrf {integer}
          set cli-conn-status {integer}
          set fortilink [enable|disable]
          set mode [static|dhcp|...]
          config client-options
              Description: DHCP client options.
              edit <id>
                  set code {integer}
                  set type [hex|string|...]
                  set value {string}
                  set ip {user}
              next
          end
          set distance {integer}
          set priority {integer}
          set dhcp-relay-service [disable|enable]
          set dhcp-relay-ip {user}
          set dhcp-relay-type [regular|ipsec]
          set dhcp-relay-agent-option [enable|disable]
          set management-ip {ipv4-classnet-host}
          set ip {ipv4-classnet-host}
          set allowaccess {option1}, {option2}, ...
          set gwdetect [enable|disable]
          set ping-serv-status {integer}
          set detectserver {user}
          set detectprotocol {option1}, {option2}, ...
          set ha-priority {integer}
          set fail-detect [enable|disable]
          set fail-detect-option {option1}, {option2}, ...
          set fail-alert-method [link-failed-signal|link-down]
          set fail-action-on-extender [soft-restart|hard-restart|...]
          set fail-alert-interfaces <name1>, <name2>, ...
          set dhcp-client-identifier {string}
          set dhcp-renew-time {integer}
          set ipunnumbered {ipv4-address}
          set username {string}
          set pppoe-unnumbered-negotiate [enable|disable]
          set password {password}
          set idle-timeout {integer}
          set detected-peer-mtu {integer}
          set disc-retry-timeout {integer}
          set padt-retry-timeout {integer}
          set service-name {string}
          set ac-name {string}
          set lcp-echo-interval {integer}
          set lcp-max-echo-fails {integer}
          set defaultgw [enable|disable]
          set dns-server-override [enable|disable]
          set auth-type [auto|pap|...]
          set pptp-client [enable|disable]
          set pptp-user {string}
          set pptp-password {password}
          set pptp-server-ip {ipv4-address}
          set pptp-auth-type [auto|pap|...]
          set pptp-timeout {integer}
          set arpforward [enable|disable]
          set ndiscforward [enable|disable]
          set broadcast-forward [enable|disable]
          set bfd [global|enable|...]
          set bfd-desired-min-tx {integer}
          set bfd-detect-mult {integer}
          set bfd-required-min-rx {integer}
          set l2forward [enable|disable]
          set icmp-send-redirect [enable|disable]
          set icmp-accept-redirect [enable|disable]
          set vlanforward [enable|disable]
          set stpforward [enable|disable]
          set stpforward-mode [rpl-all-ext-id|rpl-bridge-ext-id|...]
          set ips-sniffer-mode [enable|disable]
          set ident-accept [enable|disable]
          set ipmac [enable|disable]
          set subst [enable|disable]
          set macaddr {mac-address}
          set substitute-dst-mac {mac-address}
          set speed [auto|10full|...]
          set status [up|down]
          set netbios-forward [disable|enable]
          set wins-ip {ipv4-address}
          set type [physical|vlan|...]
          set dedicated-to [none|management]
          set trust-ip-1 {ipv4-classnet-any}
          set trust-ip-2 {ipv4-classnet-any}
          set trust-ip-3 {ipv4-classnet-any}
          set trust-ip6-1 {ipv6-prefix}
          set trust-ip6-2 {ipv6-prefix}
          set trust-ip6-3 {ipv6-prefix}
          set mtu-override [enable|disable]
          set mtu {integer}
          set wccp [enable|disable]
          set netflow-sampler [disable|tx|...]
          set sflow-sampler [enable|disable]
          set drop-overlapped-fragment [enable|disable]
          set drop-fragment [enable|disable]
          set src-check [enable|disable]
          set sample-rate {integer}
          set polling-interval {integer}
          set sample-direction [tx|rx|...]
          set explicit-web-proxy [enable|disable]
          set explicit-ftp-proxy [enable|disable]
          set proxy-captive-portal [enable|disable]
          set tcp-mss {integer}
          set inbandwidth {integer}
          set outbandwidth {integer}
          set egress-shaping-profile {string}
          set ingress-shaping-profile {string}
          set disconnect-threshold {integer}
          set spillover-threshold {integer}
          set ingress-spillover-threshold {integer}
          set weight {integer}
          set interface {string}
          set external [enable|disable]
          set vlan-protocol [8021q|8021ad]
          set vlanid {integer}
          set forward-domain {integer}
          set remote-ip {ipv4-classnet-host}
          set member <interface-name1>, <interface-name2>, ...
          set lacp-mode [static|passive|...]
          set lacp-ha-slave [enable|disable]
          set lacp-speed [slow|fast]
          set min-links {integer}
          set min-links-down [operational|administrative]
          set algorithm [L2|L3|...]
          set link-up-delay {integer}
          set priority-override [enable|disable]
          set aggregate {string}
          set redundant-interface {string}
          set devindex {integer}
          set vindex {integer}
          set switch {string}
          set description {var-string}
          set alias {string}
          set security-mode [none|captive-portal|...]
          set security-mac-auth-bypass [mac-auth-only|enable|...]
          set security-external-web {string}
          set security-external-logout {string}
          set replacemsg-override-group {string}
          set security-redirect-url {string}
          set security-exempt-list {string}
          set security-groups <name1>, <name2>, ...
          set device-identification [enable|disable]
          set device-user-identification [enable|disable]
          set lldp-reception [enable|disable|...]
          set lldp-transmission [enable|disable|...]
          set lldp-network-policy {string}
          set estimated-upstream-bandwidth {integer}
          set estimated-downstream-bandwidth {integer}
          set measured-upstream-bandwidth {integer}
          set measured-downstream-bandwidth {integer}
          set bandwidth-measure-time {integer}
          set monitor-bandwidth [enable|disable]
          set vrrp-virtual-mac [enable|disable]
          config vrrp
              Description: VRRP configuration.
              edit <vrid>
                  set version [2|3]
                  set vrgrp {integer}
                  set vrip {ipv4-address-any}
                  set priority {integer}
                  set adv-interval {integer}
                  set start-time {integer}
                  set preempt [enable|disable]
                  set accept-mode [enable|disable]
                  set vrdst {ipv4-address-any}
                  set vrdst-priority {integer}
                  set ignore-default-route [enable|disable]
                  set status [enable|disable]
                  config proxy-arp
                      Description: VRRP Proxy ARP configuration.
                      edit <id>
                          set ip {user}
                      next
                  end
              next
          end
          set role [lan|wan|...]
          set snmp-index {integer}
          set secondary-IP [enable|disable]
          config secondaryip
              Description: Second IP address of interface.
              edit <id>
                  set ip {ipv4-classnet-host}
                  set allowaccess {option1}, {option2}, ...
                  set gwdetect [enable|disable]
                  set ping-serv-status {integer}
                  set detectserver {user}
                  set detectprotocol {option1}, {option2}, ...
                  set ha-priority {integer}
              next
          end
          set preserve-session-route [enable|disable]
          set auto-auth-extension-device [enable|disable]
          set ap-discover [enable|disable]
          set fortilink-stacking [enable|disable]
          set fortilink-neighbor-detect [lldp|fortilink]
          set ip-managed-by-fortiipam [enable|disable]
          set managed-subnetwork-size [256|512|...]
          set fortilink-split-interface [enable|disable]
          set internal {integer}
          set fortilink-backup-link {integer}
          set switch-controller-access-vlan [enable|disable]
          set switch-controller-traffic-policy {string}
          set switch-controller-rspan-mode [disable|enable]
          set switch-controller-mgmt-vlan {integer}
          set switch-controller-igmp-snooping [enable|disable]
          set switch-controller-igmp-snooping-proxy [enable|disable]
          set switch-controller-igmp-snooping-fast-leave [enable|disable]
          set switch-controller-dhcp-snooping [enable|disable]
          set switch-controller-dhcp-snooping-verify-mac [enable|disable]
          set switch-controller-dhcp-snooping-option82 [enable|disable]
          set switch-controller-arp-inspection [enable|disable]
          set switch-controller-learning-limit {integer}
          set switch-controller-nac {string}
          set switch-controller-feature [none|default-vlan|...]
          set swc-vlan {integer}
          set color {integer}
          config tagging
              Description: Config object tagging.
              edit <name>
                  set category {string}
                  set tags <name1>, <name2>, ...
              next
          end
          config egress-queues
              Description: Configure queues of NP port on egress path.
              set cos0 {string}
              set cos1 {string}
              set cos2 {string}
              set cos3 {string}
              set cos4 {string}
              set cos5 {string}
              set cos6 {string}
              set cos7 {string}
          end
          set ingress-cos [disable|cos0|...]
          set egress-cos [disable|cos0|...]
          config ipv6
              Description: IPv6 of interface.
              set ip6-mode [static|dhcp|...]
              set nd-mode [basic|SEND-compatible]
              set nd-cert {string}
              set nd-security-level {integer}
              set nd-timestamp-delta {integer}
              set nd-timestamp-fuzz {integer}
              set nd-cga-modifier {user}
              set ip6-dns-server-override [enable|disable]
              set ip6-address {ipv6-prefix}
              config ip6-extra-addr
                  Description: Extra IPv6 address prefixes of interface.
                  edit <prefix>

                  next
              end
              set ip6-allowaccess {option1}, {option2}, ...
              set ip6-send-adv [enable|disable]
              set ip6-manage-flag [enable|disable]
              set ip6-other-flag [enable|disable]
              set ip6-max-interval {integer}
              set ip6-min-interval {integer}
              set ip6-link-mtu {integer}
              set ip6-reachable-time {integer}
              set ip6-retrans-time {integer}
              set ip6-default-life {integer}
              set ip6-hop-limit {integer}
              set autoconf [enable|disable]
              set unique-autoconf-addr [enable|disable]
              set interface-identifier {ipv6-address}
              set ip6-upstream-interface {string}
              set ip6-subnet {ipv6-prefix}
              config ip6-prefix-list
                  Description: Advertised prefix list.
                  edit <prefix>
                      set autonomous-flag [enable|disable]
                      set onlink-flag [enable|disable]
                      set valid-life-time {integer}
                      set preferred-life-time {integer}
                      set rdnss {user}
                      set dnssl <domain1>, <domain2>, ...
                  next
              end
              config ip6-delegated-prefix-list
                  Description: Advertised IPv6 delegated prefix list.
                  edit <prefix-id>
                      set upstream-interface {string}
                      set autonomous-flag [enable|disable]
                      set onlink-flag [enable|disable]
                      set subnet {ipv6-network}
                      set rdnss-service [delegated|default|...]
                      set rdnss {user}
                  next
              end
              set dhcp6-relay-service [disable|enable]
              set dhcp6-relay-type {option}
              set dhcp6-relay-ip {user}
              set dhcp6-client-options {option1}, {option2}, ...
              set dhcp6-prefix-delegation [enable|disable]
              set dhcp6-information-request [enable|disable]
              set dhcp6-prefix-hint {ipv6-network}
              set dhcp6-prefix-hint-plt {integer}
              set dhcp6-prefix-hint-vlt {integer}
              set vrrp-virtual-mac6 [enable|disable]
              set vrip6_link_local {ipv6-address}
              config vrrp6
                  Description: IPv6 VRRP configuration.
                  edit <vrid>
                      set vrgrp {integer}
                      set vrip6 {ipv6-address}
                      set priority {integer}
                      set adv-interval {integer}
                      set start-time {integer}
                      set preempt [enable|disable]
                      set accept-mode [enable|disable]
                      set vrdst6 {ipv6-address}
                      set status [enable|disable]
                  next
              end
          end
      next
  end

config system interface

Parameter Name Description Type Size
vdom Interface is in this virtual domain (VDOM). string Maximum length: 31
vrf Virtual Routing Forwarding ID. integer Minimum value: 0 Maximum value: 31
cli-conn-status CLI connection status. integer Minimum value: 0 Maximum value: 4294967295
fortilink Enable FortiLink to dedicate this interface to manage other Fortinet devices.
enable: Enable FortiLink to dedicated interface for managing FortiSwitch devices.
disable: Disable FortiLink to dedicated interface for managing FortiSwitch devices.
option -
mode Addressing mode (static, DHCP, PPPoE).
static: Static setting.
dhcp: External DHCP client mode.
pppoe: External PPPoE mode.
option -
distance Distance for routes learned through PPPoE or DHCP, lower distance indicates preferred route. integer Minimum value: 1 Maximum value: 255
priority Priority of learned routes. integer Minimum value: 0 Maximum value: 4294967295
dhcp-relay-service Enable/disable allowing this interface to act as a DHCP relay.
disable: None.
enable: DHCP relay agent.
option -
dhcp-relay-ip DHCP relay IP address. user Not Specified
dhcp-relay-type DHCP relay type (regular or IPsec).
regular: Regular DHCP relay.
ipsec: DHCP relay for IPsec.
option -
dhcp-relay-agent-option Enable/disable DHCP relay agent option.
enable: Enable DHCP relay agent option.
disable: Disable DHCP relay agent option.
option -
management-ip High Availability in-band management IP address of this interface. ipv4-classnet-host Not Specified
ip Interface IPv4 address and subnet mask, syntax: X.X.X.X/24. ipv4-classnet-host Not Specified
allowaccess Permitted types of management access to this interface. Of the options below, http and telnet are unencrypted protocols.
ping: PING access.
https: HTTPS access.
ssh: SSH access.
snmp: SNMP access.
http: HTTP access.
telnet: TELNET access.
fgfm: FortiManager access.
radius-acct: RADIUS accounting access.
probe-response: Probe access.
fabric: Security Fabric access.
ftm: FTM access.
option -
gwdetect Enable/disable detect gateway alive for first.
enable: Enable detect gateway alive for first.
disable: Disable detect gateway alive for first.
option -
ping-serv-status PING server status. integer Minimum value: 0 Maximum value: 255
detectserver Gateway's ping server for this IP. user Not Specified
detectprotocol Protocols used to detect the server.
ping: PING.
tcp-echo: TCP echo.
udp-echo: UDP echo.
option -
ha-priority HA election priority for the PING server. integer Minimum value: 1 Maximum value: 50
fail-detect Enable/disable fail detection features for this interface.
enable: Enable interface failed option status.
disable: Disable interface failed option status.
option -
fail-detect-option Options for detecting that this interface has failed.
detectserver: Use a ping server to determine if the interface has failed.
link-down: Use port detection to determine if the interface has failed.
option -
fail-alert-method Select link-failed-signal or link-down method to alert about a failed link.
link-failed-signal: Link-failed-signal.
link-down: Link-down.
option -
fail-action-on-extender Action on extender when the interface fails.
soft-restart: Soft-restart-on-extender.
hard-restart: Hard-restart-on-extender.
reboot: Reboot-on-extender.
option -
fail-alert-interfaces <name> Names of the FortiGate interfaces to which the link failure alert is sent.
Names of the non-virtual interface.
string Maximum length: 79
dhcp-client-identifier DHCP client identifier. string Maximum length: 48
dhcp-renew-time DHCP renew time in seconds (300-604800), 0 means use the renew time provided by the server. integer Minimum value: 300 Maximum value: 604800
ipunnumbered Unnumbered IP used for PPPoE interfaces for which no unique local address is provided. ipv4-address Not Specified
username Username of the PPPoE account, provided by your ISP. string Maximum length: 64
pppoe-unnumbered-negotiate Enable/disable PPPoE unnumbered negotiation.
enable: Enable IP address negotiating for unnumbered.
disable: Disable IP address negotiating for unnumbered.
option -
password PPPoE account's password. password Not Specified
idle-timeout PPPoE auto disconnect after idle timeout seconds, 0 means no timeout. integer Minimum value: 0 Maximum value: 32767
detected-peer-mtu MTU of detected peer (0 - 4294967295). integer Minimum value: 0 Maximum value: 4294967295
disc-retry-timeout Time in seconds to wait before retrying to start a PPPoE discovery, 0 means no timeout. integer Minimum value: 0 Maximum value: 4294967295
padt-retry-timeout PPPoE Active Discovery Terminate (PADT) used to terminate sessions after an idle time. integer Minimum value: 0 Maximum value: 4294967295
service-name PPPoE service name. string Maximum length: 63
ac-name PPPoE server name. string Maximum length: 63
lcp-echo-interval Time in seconds between PPPoE Link Control Protocol (LCP) echo requests. integer Minimum value: 0 Maximum value: 32767
lcp-max-echo-fails Maximum missed LCP echo messages before disconnect. integer Minimum value: 0 Maximum value: 32767
defaultgw Enable to get the gateway IP from the DHCP or PPPoE server.
enable: Enable default gateway.
disable: Disable default gateway.
option -
dns-server-override Enable/disable use DNS acquired by DHCP or PPPoE.
enable: Use DNS acquired by DHCP or PPPoE.
disable: Do not use DNS acquired by DHCP or PPPoE.
option -
auth-type PPP authentication type to use.
auto: Automatically choose authentication.
pap: PAP authentication.
chap: CHAP authentication.
mschapv1: MS-CHAPv1 authentication.
mschapv2: MS-CHAPv2 authentication.
option -
pptp-client Enable/disable PPTP client.
enable: Enable PPTP client.
disable: Disable PPTP client.
option -
pptp-user PPTP user name. string Maximum length: 64
pptp-password PPTP password. password Not Specified
pptp-server-ip PPTP server IP address. ipv4-address Not Specified
pptp-auth-type PPTP authentication type.
auto: Automatically choose authentication.
pap: PAP authentication.
chap: CHAP authentication.
mschapv1: MS-CHAPv1 authentication.
mschapv2: MS-CHAPv2 authentication.
option -
pptp-timeout Idle timer in minutes (0 for disabled). integer Minimum value: 0 Maximum value: 65535
arpforward Enable/disable ARP forwarding.
enable: Enable ARP forwarding.
disable: Disable ARP forwarding.
option -
ndiscforward Enable/disable NDISC forwarding.
enable: Enable NDISC forwarding.
disable: Disable NDISC forwarding.
option -
broadcast-forward Enable/disable broadcast forwarding.
enable: Enable broadcast forwarding.
disable: Disable broadcast forwarding.
option -
bfd Bidirectional Forwarding Detection (BFD) settings.
global: BFD behavior of this interface will be based on global configuration.
enable: Enable BFD on this interface and ignore global configuration.
disable: Disable BFD on this interface and ignore global configuration.
option -
bfd-desired-min-tx BFD desired minimal transmit interval. integer Minimum value: 1 Maximum value: 100000
bfd-detect-mult BFD detection multiplier. integer Minimum value: 1 Maximum value: 50
bfd-required-min-rx BFD required minimal receive interval. integer Minimum value: 1 Maximum value: 100000
l2forward Enable/disable L2 forwarding.
enable: Enable L2 forwarding.
disable: Disable L2 forwarding.
option -
icmp-send-redirect Enable/disable ICMP send redirect.
enable: Enable ICMP send redirect.
disable: Disable ICMP send redirect.
option -
icmp-accept-redirect Enable/disable ICMP accept redirect.
enable: Enable ICMP accept redirect.
disable: Disable ICMP accept redirect.
option -
vlanforward Enable/disable traffic forwarding between VLANs on this interface.
enable: Enable traffic forwarding.
disable: Disable traffic forwarding.
option -
stpforward Enable/disable STP forwarding.
enable: Enable STP forwarding.
disable: Disable STP forwarding.
option -
stpforward-mode Configure STP forwarding mode.
rpl-all-ext-id: Replace all extension IDs (root, bridge).
rpl-bridge-ext-id: Replace the bridge extension ID only.
rpl-nothing: Replace nothing.
option -
ips-sniffer-mode Enable/disable the use of this interface as a one-armed sniffer.
enable: Enable IPS sniffer mode.
disable: Disable IPS sniffer mode.
option -
ident-accept Enable/disable authentication for this interface.
enable: Enable determining a user's identity from packet identification.
disable: Disable determining a user's identity from packet identification.
option -
ipmac Enable/disable IP/MAC binding.
enable: Enable IP/MAC binding.
disable: Disable IP/MAC binding.
option -
subst Enable to always send packets from this interface to a destination MAC address.
enable: Send packets from this interface.
disable: Do not send packets from this interface.
option -
macaddr Change the interface's MAC address. mac-address Not Specified
substitute-dst-mac Destination MAC address that all packets are sent to from this interface. mac-address Not Specified
speed Interface speed. The default setting and the options available depend on the interface hardware.
auto: Automatically adjust speed.
10full: 10M full-duplex.
10half: 10M half-duplex.
100full: 100M full-duplex.
100half: 100M half-duplex.
1000full: 1000M full-duplex.
1000half: 1000M half-duplex.
1000auto: 1000M auto adjust.
10000full: 10G full-duplex.
option -
status Bring the interface up or shut the interface down.
up: Bring the interface up.
down: Shut the interface down.
option -
netbios-forward Enable/disable NETBIOS forwarding.
disable: Disable NETBIOS forwarding.
enable: Enable NETBIOS forwarding.
option -
wins-ip WINS server IP. ipv4-address Not Specified
type Interface type.
physical: Physical interface.
vlan: VLAN interface.
aggregate: Aggregate interface.
redundant: Redundant interface.
tunnel: Tunnel interface.
vdom-link: VDOM link interface.
loopback: Loopback interface.
switch: Software switch interface.
vap-switch: VAP interface.
wl-mesh: WLAN mesh interface.
fext-wan: FortiExtender interface.
vxlan: VXLAN interface.
geneve: GENEVE interface.
hdlc: T1/E1 interface.
switch-vlan: Switch VLAN interface.
emac-vlan: EMAC VLAN interface.
option -
dedicated-to Configure interface for single purpose.
none: Interface not dedicated for any purpose.
management: Dedicate this interface for management purposes only.
option -
trust-ip-1 Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts). ipv4-classnet-any Not Specified
trust-ip-2 Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts). ipv4-classnet-any Not Specified
trust-ip-3 Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts). ipv4-classnet-any Not Specified
trust-ip6-1 Trusted IPv6 host for dedicated management traffic (::/0 for all hosts). ipv6-prefix Not Specified
trust-ip6-2 Trusted IPv6 host for dedicated management traffic (::/0 for all hosts). ipv6-prefix Not Specified
trust-ip6-3 Trusted IPv6 host for dedicated management traffic (::/0 for all hosts). ipv6-prefix Not Specified
mtu-override Enable to set a custom MTU for this interface.
enable: Override default MTU.
disable: Use default MTU (1500).
option -
mtu MTU value for this interface. integer Minimum value: 0 Maximum value: 4294967295
wccp Enable/disable WCCP on this interface. Used for encapsulated WCCP communication between WCCP clients and servers.
enable: Enable WCCP protocol on this interface.
disable: Disable WCCP protocol on this interface.
option -
netflow-sampler Enable/disable NetFlow on this interface and set the data that NetFlow collects (rx, tx, or both).
disable: Disable NetFlow protocol on this interface.
tx: Monitor transmitted traffic on this interface.
rx: Monitor received traffic on this interface.
both: Monitor transmitted/received traffic on this interface.
option -
sflow-sampler Enable/disable sFlow on this interface.
enable: Enable sFlow protocol on this interface.
disable: Disable sFlow protocol on this interface.
option -
drop-overlapped-fragment Enable/disable drop overlapped fragment packets.
enable: Enable drop of overlapped fragment packets.
disable: Disable drop of overlapped fragment packets.
option -
drop-fragment Enable/disable drop fragment packets.
enable: Drop fragment packets.
disable: Do not drop fragment packets.
option -
src-check Enable/disable source IP check.
enable: Enable source IP check.
disable: Disable source IP check.
option -
sample-rate sFlow sample rate (10 - 99999). integer Minimum value: 10 Maximum value: 99999
polling-interval sFlow polling interval (1 - 255 sec). integer Minimum value: 1 Maximum value: 255
sample-direction Data that NetFlow collects (rx, tx, or both).
tx: Monitor transmitted traffic on this interface.
rx: Monitor received traffic on this interface.
both: Monitor transmitted/received traffic on this interface.
option -
explicit-web-proxy Enable/disable the explicit web proxy on this interface.
enable: Enable explicit Web proxy on this interface.
disable: Disable explicit Web proxy on this interface.
option -
explicit-ftp-proxy Enable/disable the explicit FTP proxy on this interface.
enable: Enable explicit FTP proxy on this interface.
disable: Disable explicit FTP proxy on this interface.
option -
proxy-captive-portal Enable/disable proxy captive portal on this interface.
enable: Enable proxy captive portal on this interface.
disable: Disable proxy captive portal on this interface.
option -
tcp-mss TCP maximum segment size. 0 means do not change segment size. integer Minimum value: 0 Maximum value: 4294967295
inbandwidth Bandwidth limit for incoming traffic (0 - 16776000 kbps), 0 means unlimited. integer Minimum value: 0 Maximum value: 16776000
outbandwidth Bandwidth limit for outgoing traffic (0 - 16776000 kbps), 0 means unlimited. integer Minimum value: 0 Maximum value: 16776000
egress-shaping-profile Outgoing traffic shaping profile. string Maximum length: 35
ingress-shaping-profile Incoming traffic shaping profile. string Maximum length: 35
disconnect-threshold Time in milliseconds to wait before sending a notification that this interface is down or disconnected. integer Minimum value: 0 Maximum value: 10000
spillover-threshold Egress Spillover threshold (0 - 16776000 kbps), 0 means unlimited. integer Minimum value: 0 Maximum value: 16776000
ingress-spillover-threshold Ingress Spillover threshold (0 - 16776000 kbps), 0 means unlimited. integer Minimum value: 0 Maximum value: 16776000
weight Default weight for static routes (if route has no weight configured). integer Minimum value: 0 Maximum value: 255
interface Interface name. string Maximum length: 15
external Enable/disable identifying the interface as an external interface (which usually means it's connected to the Internet).
enable: Enable identifying the interface as an external interface.
disable: Disable identifying the interface as an external interface.
option -
vlan-protocol Ethernet protocol of VLAN.
8021q: IEEE 802.1Q.
8021ad: 802.1AD.
option -
vlanid VLAN ID (1 - 4094). integer Minimum value: 1 Maximum value: 4094
forward-domain Transparent mode forward domain. integer Minimum value: 0 Maximum value: 2147483647
remote-ip Remote IP address of tunnel. ipv4-classnet-host Not Specified
member <interface-name> Physical interfaces that belong to the aggregate or redundant interface.
Physical interface name.
string Maximum length: 79
lacp-mode LACP mode.
static: Use static aggregation, do not send and ignore any LACP messages.
passive: Passively use LACP to negotiate 802.3ad aggregation.
active: Actively use LACP to negotiate 802.3ad aggregation.
option -
lacp-ha-slave LACP HA slave.
enable: Allow HA slave to send/receive LACP messages.
disable: Block HA slave from sending/receiving LACP messages.
option -
lacp-speed How often the interface sends LACP messages.
slow: Send LACP message every 30 seconds.
fast: Send LACP message every second.
option -
min-links Minimum number of aggregated ports that must be up. integer Minimum value: 1 Maximum value: 32
min-links-down Action to take when fewer than the configured minimum number of links are active.
operational: Set the aggregate operationally down.
administrative: Set the aggregate administratively down.
option -
algorithm Frame distribution algorithm.
L2: Use layer 2 address for distribution.
L3: Use layer 3 address for distribution.
L4: Use layer 4 information for distribution.
option -
link-up-delay Number of milliseconds to wait before considering a link to be up. integer Minimum value: 50 Maximum value: 3600000
priority-override Enable/disable fail back to higher priority port once recovered.
enable: Enable fail back to higher priority port once recovered.
disable: Disable fail back to higher priority port once recovered.
option -
aggregate Aggregate interface. string Maximum length: 15
redundant-interface Redundant interface. string Maximum length: 15
devindex Device Index. integer Minimum value: 0 Maximum value: 4294967295
vindex Switch control interface VLAN ID. integer Minimum value: 0 Maximum value: 65535
switch Contained in switch. string Maximum length: 15
description Description. var-string Maximum length: 255
alias Alias will be displayed with the interface name to make it easier to distinguish. string Maximum length: 25
security-mode Security mode for this interface (none, captive portal authentication, or 802.1X port-based authentication).
none: No security option.
captive-portal: Captive portal authentication.
802.1X: 802.1X port-based authentication.
option -
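security-mac-auth-bypass Enable/disable MAC authentication bypass. MAC addresses can be spoofed, so this is weaker than 802.1X with EAP; limit it to devices that cannot run an 802.1X supplicant.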
mac-auth-only: Enable MAC authentication bypass without EAP.
enable: Enable MAC authentication bypass.
disable: Disable MAC authentication bypass.
option -
security-external-web URL of external authentication web server. string Maximum length: 127
security-external-logout URL of external authentication logout server. string Maximum length: 127
replacemsg-override-group Replacement message override group. string Maximum length: 35
security-redirect-url URL redirection after disclaimer/authentication. string Maximum length: 127
security-exempt-list Name of security-exempt-list. string Maximum length: 35
security-groups <name> User groups that can authenticate with the captive portal.
Names of user groups that can authenticate with the captive portal.
string Maximum length: 79
device-identification Enable/disable passive gathering of device identity information about the devices on the network connected to this interface.
enable: Enable passive gathering of identity information about hosts.
disable: Disable passive gathering of identity information about hosts.
option -
device-user-identification Enable/disable passive gathering of user identity information about users on this interface.
enable: Enable passive gathering of user identity information about users.
disable: Disable passive gathering of user identity information about users.
option -
lldp-reception Enable/disable Link Layer Discovery Protocol (LLDP) reception.
enable: Enable reception of Link Layer Discovery Protocol (LLDP).
disable: Disable reception of Link Layer Discovery Protocol (LLDP).
vdom: Use VDOM Link Layer Discovery Protocol (LLDP) reception configuration setting.
option -
lldp-transmission Enable/disable Link Layer Discovery Protocol (LLDP) transmission.
enable: Enable transmission of Link Layer Discovery Protocol (LLDP).
disable: Disable transmission of Link Layer Discovery Protocol (LLDP).
vdom: Use VDOM Link Layer Discovery Protocol (LLDP) transmission configuration setting.
option -
lldp-network-policy LLDP-MED network policy profile. string Maximum length: 35
estimated-upstream-bandwidth Estimated maximum upstream bandwidth (kbps). Used to estimate link utilization. integer Minimum value: 0 Maximum value: 4294967295
estimated-downstream-bandwidth Estimated maximum downstream bandwidth (kbps). Used to estimate link utilization. integer Minimum value: 0 Maximum value: 4294967295
measured-upstream-bandwidth Measured upstream bandwidth (kbps). integer Minimum value: 0 Maximum value: 4294967295
measured-downstream-bandwidth Measured downstream bandwidth (kbps). integer Minimum value: 0 Maximum value: 4294967295
bandwidth-measure-time Bandwidth measure time. integer Minimum value: 0 Maximum value: 4294967295
monitor-bandwidth Enable/disable monitoring bandwidth on this interface.
enable: Enable monitoring bandwidth on this interface.
disable: Disable monitoring bandwidth on this interface.
option -
vrrp-virtual-mac Enable/disable use of virtual MAC for VRRP.
enable: Enable use of virtual MAC for VRRP.
disable: Disable use of virtual MAC for VRRP.
option -
role Interface role.
lan: Connected to local network of endpoints.
wan: Connected to Internet.
dmz: Connected to server zone.
undefined: Interface has no specific role.
option -
snmp-index Permanent SNMP Index of the interface. integer Minimum value: 1 Maximum value: 2147483647
secondary-IP Enable/disable adding a secondary IP to this interface.
enable: Enable secondary IP.
disable: Disable secondary IP.
option -
preserve-session-route Enable/disable preservation of session route when dirty.
enable: Enable preservation of session route when dirty.
disable: Disable preservation of session route when dirty.
option -
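auto-auth-extension-device Enable/disable automatic authorization of dedicated Fortinet extension device on this interface. When enabled, the device is authorized without manual administrator approval, so use it only on interfaces where physical access is controlled.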
enable: Enable automatic authorization of dedicated Fortinet extension device on this interface.
disable: Disable automatic authorization of dedicated Fortinet extension device on this interface.
option -
ap-discover Enable/disable automatic registration of unknown FortiAP devices.
enable: Enable automatic registration of unknown FortiAP devices.
disable: Disable automatic registration of unknown FortiAP devices.
option -
fortilink-stacking Enable/disable FortiLink switch-stacking on this interface.
enable: Enable FortiLink switch stacking.
disable: Disable FortiLink switch stacking.
option -
fortilink-neighbor-detect Protocol for FortiGate neighbor discovery.
lldp: Detect FortiLink neighbors using LLDP protocol.
fortilink: Detect FortiLink neighbors using FortiLink protocol.
option -
ip-managed-by-fortiipam Enable/disable automatic IP address assignment of this interface by FortiIPAM.
enable: Enable automatic IP address assignment of this interface by FortiIPAM.
disable: Disable automatic IP address assignment of this interface by FortiIPAM.
option -
managed-subnetwork-size Number of IP addresses to be allocated by FortiIPAM and used by this FortiGate unit's DHCP server settings.
256: Allocate a subnet with 256 IP addresses.
512: Allocate a subnet with 512 IP addresses.
1024: Allocate a subnet with 1024 IP addresses.
2048: Allocate a subnet with 2048 IP addresses.
4096: Allocate a subnet with 4096 IP addresses.
8192: Allocate a subnet with 8192 IP addresses.
16384: Allocate a subnet with 16384 IP addresses.
32768: Allocate a subnet with 32768 IP addresses.
65536: Allocate a subnet with 65536 IP addresses.
option -
fortilink-split-interface Enable/disable FortiLink split interface to connect member link to different FortiSwitch in stack for uplink redundancy.
enable: Enable FortiLink split interface to connect member link to different FortiSwitch in stack for uplink redundancy.
disable: Disable FortiLink split interface.
option -
internal Implicitly created. integer Minimum value: 0 Maximum value: 255
fortilink-backup-link FortiLink split interface backup link. integer Minimum value: 0 Maximum value: 255
switch-controller-access-vlan Block FortiSwitch port-to-port traffic.
enable: Block FortiSwitch port-to-port traffic on the VLAN, only permitting traffic to and from the FortiGate.
disable: Allow normal VLAN traffic.
option -
switch-controller-traffic-policy Switch controller traffic policy for the VLAN. string Maximum length: 63
switch-controller-rspan-mode Stop Layer2 MAC learning and interception of BPDUs and other packets on this interface.
disable: Disable RSPAN passthrough mode on this VLAN interface.
enable: Enable RSPAN passthrough mode on this VLAN interface.
option -
switch-controller-mgmt-vlan VLAN to use for FortiLink management purposes. integer Minimum value: 1 Maximum value: 4094
switch-controller-igmp-snooping Switch controller IGMP snooping.
enable: Enable IGMP snooping.
disable: Disable IGMP snooping.
option -
switch-controller-igmp-snooping-proxy Switch controller IGMP snooping proxy.
enable: Enable IGMP snooping proxy.
disable: Disable IGMP snooping proxy.
option -
switch-controller-igmp-snooping-fast-leave Switch controller IGMP snooping fast-leave.
enable: Enable IGMP snooping fast-leave.
disable: Disable IGMP snooping fast-leave.
option -
switch-controller-dhcp-snooping Switch controller DHCP snooping.
enable: Enable DHCP snooping for FortiSwitch devices.
disable: Disable DHCP snooping for FortiSwitch devices.
option -
switch-controller-dhcp-snooping-verify-mac Switch controller DHCP snooping verify MAC.
enable: Enable DHCP snooping verify source MAC for FortiSwitch devices.
disable: Disable DHCP snooping verify source MAC for FortiSwitch devices.
option -
switch-controller-dhcp-snooping-option82 Switch controller DHCP snooping option82.
enable: Enable DHCP snooping insert option82 for FortiSwitch devices.
disable: Disable DHCP snooping insert option82 for FortiSwitch devices.
option -
switch-controller-arp-inspection Enable/disable FortiSwitch ARP inspection.
enable: Enable ARP inspection for FortiSwitch devices.
disable: Disable ARP inspection for FortiSwitch devices.
option -
switch-controller-learning-limit Limit the number of dynamic MAC addresses on this VLAN (1 - 128; default = 0, which means no limit). integer Minimum value: 0 Maximum value: 128
switch-controller-nac Integrated NAC settings for managed FortiSwitch. string Maximum length: 35
switch-controller-feature Interface's purpose when assigning traffic (read only).
none: VLAN for generic purpose.
default-vlan: Default VLAN (native) assigned to all switch ports upon discovery.
quarantine: VLAN for quarantined traffic.
rspan: VLAN for RSPAN/ERSPAN mirrored traffic.
voice: VLAN dedicated for voice devices.
video: VLAN dedicated for camera devices.
nac: VLAN dedicated for NAC onboarding devices.
option -
swc-vlan Creation status for switch-controller VLANs. integer Minimum value: 0 Maximum value: 4294967295
color Color of icon on the GUI. integer Minimum value: 0 Maximum value: 32
ingress-cos Override incoming CoS in user VLAN tag on VLAN interface or assign a priority VLAN tag on physical interface.
disable: Disable.
cos0: CoS 0.
cos1: CoS 1.
cos2: CoS 2.
cos3: CoS 3.
cos4: CoS 4.
cos5: CoS 5.
cos6: CoS 6.
cos7: CoS 7.
option -
egress-cos Override outgoing CoS in user VLAN tag.
disable: Disable.
cos0: CoS 0.
cos1: CoS 1.
cos2: CoS 2.
cos3: CoS 3.
cos4: CoS 4.
cos5: CoS 5.
cos6: CoS 6.
cos7: CoS 7.
option -

config client-options

Parameter Name Description Type Size
code DHCP client option code. integer Minimum value: 0 Maximum value: 255
type DHCP client option type.
hex: DHCP option in hex.
string: DHCP option in string.
ip: DHCP option in IP.
fqdn: DHCP option in domain search option format.
option -
value DHCP client option value. string Maximum length: 312
ip DHCP option IPs. user Not Specified

config vrrp

Parameter Name Description Type Size
version VRRP version.
2: VRRP version 2.
3: VRRP version 3.
option -
vrgrp VRRP group ID (1 - 65535). integer Minimum value: 1 Maximum value: 65535
vrip IP address of the virtual router. ipv4-address-any Not Specified
priority Priority of the virtual router (1 - 255). integer Minimum value: 1 Maximum value: 255
adv-interval Advertisement interval (1 - 255 seconds). integer Minimum value: 1 Maximum value: 255
start-time Startup time (1 - 255 seconds). integer Minimum value: 1 Maximum value: 255
preempt Enable/disable preempt mode.
enable: Enable preempt mode.
disable: Disable preempt mode.
option -
accept-mode Enable/disable accept mode.
enable: Enable accept mode.
disable: Disable accept mode.
option -
vrdst Monitor the route to this destination. ipv4-address-any Not Specified
vrdst-priority Priority of the virtual router when the virtual router destination becomes unreachable (0 - 254). integer Minimum value: 0 Maximum value: 254
ignore-default-route Enable/disable ignoring of default route when checking destination.
enable: Enable ignoring of default route when checking destination.
disable: Disable ignoring of default route when checking destination.
option -
status Enable/disable this VRRP configuration.
enable: Enable this VRRP configuration.
disable: Disable this VRRP configuration.
option -

config proxy-arp

Parameter Name Description Type Size
ip Set IP addresses of proxy ARP. user Not Specified

config secondaryip

Parameter Name Description Type Size
ip Secondary IP address of the interface. ipv4-classnet-host Not Specified
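allowaccess Management access settings for the secondary IP address. Enable only the protocols that are required: HTTP and TELNET are unencrypted, so prefer HTTPS and SSH for administration.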
ping: PING access.
https: HTTPS access.
ssh: SSH access.
snmp: SNMP access.
http: HTTP access.
telnet: TELNET access.
fgfm: FortiManager access.
radius-acct: RADIUS accounting access.
probe-response: Probe access.
fabric: Security Fabric access.
ftm: FTM access.
option -
gwdetect Enable/disable detect gateway alive for first.
enable: Enable detect gateway alive for first.
disable: Disable detect gateway alive for first.
option -
ping-serv-status PING server status. integer Minimum value: 0 Maximum value: 255
detectserver Gateway's ping server for this IP. user Not Specified
detectprotocol Protocols used to detect the server.
ping: PING.
tcp-echo: TCP echo.
udp-echo: UDP echo.
option -
ha-priority HA election priority for the PING server. integer Minimum value: 1 Maximum value: 50

config tagging

Parameter Name Description Type Size
category Tag category. string Maximum length: 63
tags <name> Tags.
Tag name.
string Maximum length: 79

config egress-queues

Parameter Name Description Type Size
cos0 CoS profile name for CoS 0. string Maximum length: 35
cos1 CoS profile name for CoS 1. string Maximum length: 35
cos2 CoS profile name for CoS 2. string Maximum length: 35
cos3 CoS profile name for CoS 3. string Maximum length: 35
cos4 CoS profile name for CoS 4. string Maximum length: 35
cos5 CoS profile name for CoS 5. string Maximum length: 35
cos6 CoS profile name for CoS 6. string Maximum length: 35
cos7 CoS profile name for CoS 7. string Maximum length: 35

config ipv6

Parameter Name Description Type Size
ip6-mode Addressing mode (static, DHCP, delegated).
static: Static setting.
dhcp: DHCPv6 client mode.
pppoe: IPv6 over PPPoE mode.
delegated: IPv6 address with delegated prefix.
option -
nd-mode Neighbor discovery mode. SEND is SEcure Neighbor Discovery (RFC 3971).
basic: Do not support SEND.
SEND-compatible: Support SEND.
option -
nd-cert Neighbor discovery certificate. string Maximum length: 35
nd-security-level Neighbor discovery security level (0 - 7; 0 = least secure, default = 0). integer Minimum value: 0 Maximum value: 7
nd-timestamp-delta Neighbor discovery timestamp delta value (1 - 3600 sec; default = 300). integer Minimum value: 1 Maximum value: 3600
nd-timestamp-fuzz Neighbor discovery timestamp fuzz factor (1 - 60 sec; default = 1). integer Minimum value: 1 Maximum value: 60
nd-cga-modifier Neighbor discovery CGA modifier. user Not Specified
ip6-dns-server-override Enable/disable using the DNS server acquired by DHCP.
enable: Enable using the DNS server acquired by DHCP.
disable: Disable using the DNS server acquired by DHCP.
option -
ip6-address Primary IPv6 address prefix, syntax: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx ipv6-prefix Not Specified
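ip6-allowaccess Allow management access to the interface. Enable only the protocols that are required: HTTP and TELNET are unencrypted, so prefer HTTPS and SSH for administration.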
ping: PING access.
https: HTTPS access.
ssh: SSH access.
snmp: SNMP access.
http: HTTP access.
telnet: TELNET access.
fgfm: FortiManager access.
fabric: Fabric access.
option -
ip6-send-adv Enable/disable sending advertisements about the interface.
enable: Enable sending advertisements about this interface.
disable: Disable sending advertisements about this interface.
option -
ip6-manage-flag Enable/disable the managed flag.
enable: Enable the managed IPv6 flag.
disable: Disable the managed IPv6 flag.
option -
ip6-other-flag Enable/disable the other IPv6 flag.
enable: Enable the other IPv6 flag.
disable: Disable the other IPv6 flag.
option -
ip6-max-interval IPv6 maximum interval (4 to 1800 sec). integer Minimum value: 4 Maximum value: 1800
ip6-min-interval IPv6 minimum interval (3 to 1350 sec). integer Minimum value: 3 Maximum value: 1350
ip6-link-mtu IPv6 link MTU. integer Minimum value: 1280 Maximum value: 16000
ip6-reachable-time IPv6 reachable time (milliseconds; 0 means unspecified). integer Minimum value: 0 Maximum value: 3600000
ip6-retrans-time IPv6 retransmit time (milliseconds; 0 means unspecified). integer Minimum value: 0 Maximum value: 4294967295
ip6-default-life Default life (sec). integer Minimum value: 0 Maximum value: 9000
ip6-hop-limit Hop limit (0 means unspecified). integer Minimum value: 0 Maximum value: 255
autoconf Enable/disable address auto config.
enable: Enable auto-configuration.
disable: Disable auto-configuration.
option -
unique-autoconf-addr Enable/disable unique auto config address.
enable: Enable unique auto-configuration address.
disable: Disable unique auto-configuration address.
option -
interface-identifier IPv6 interface identifier. ipv6-address Not Specified
ip6-upstream-interface Interface name providing delegated information. string Maximum length: 15
ip6-subnet Subnet to routing prefix, syntax: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx ipv6-prefix Not Specified
dhcp6-relay-service Enable/disable DHCPv6 relay.
disable: Disable DHCPv6 relay.
enable: Enable DHCPv6 relay.
option -
dhcp6-relay-type DHCPv6 relay type.
regular: Regular DHCP relay.
option -
dhcp6-relay-ip DHCPv6 relay IP address. user Not Specified
dhcp6-client-options DHCPv6 client options.
rapid: Send rapid commit option.
iapd: Send including IA-PD option.
iana: Send including IA-NA option.
option -
dhcp6-prefix-delegation Enable/disable DHCPv6 prefix delegation.
enable: Enable DHCPv6 prefix delegation.
disable: Disable DHCPv6 prefix delegation.
option -
dhcp6-information-request Enable/disable DHCPv6 information request.
enable: Enable DHCPv6 information request.
disable: Disable DHCPv6 information request.
option -
dhcp6-prefix-hint DHCPv6 prefix that will be used as a hint to the upstream DHCPv6 server. ipv6-network Not Specified
dhcp6-prefix-hint-plt DHCPv6 prefix hint preferred life time (sec), 0 means unlimited lease time. integer Minimum value: 0 Maximum value: 4294967295
dhcp6-prefix-hint-vlt DHCPv6 prefix hint valid life time (sec). integer Minimum value: 0 Maximum value: 4294967295
vrrp-virtual-mac6 Enable/disable virtual MAC for VRRP.
enable: Enable virtual MAC for VRRP.
disable: Disable virtual MAC for VRRP.
option -
vrip6_link_local Link-local IPv6 address of virtual router. ipv6-address Not Specified

config ip6-prefix-list

Parameter Name Description Type Size
autonomous-flag Enable/disable the autonomous flag.
enable: Enable the autonomous flag.
disable: Disable the autonomous flag.
option -
onlink-flag Enable/disable the onlink flag.
enable: Enable the onlink flag.
disable: Disable the onlink flag.
option -
valid-life-time Valid life time (sec). integer Minimum value: 0 Maximum value: 4294967295
preferred-life-time Preferred life time (sec). integer Minimum value: 0 Maximum value: 4294967295
rdnss Recursive DNS server option. user Not Specified
dnssl <domain> DNS search list option.
Domain name.
string Maximum length: 79

config ip6-delegated-prefix-list

Parameter Name Description Type Size
upstream-interface Name of the interface that provides delegated information. string Maximum length: 15
autonomous-flag Enable/disable the autonomous flag.
enable: Enable the autonomous flag.
disable: Disable the autonomous flag.
option -
onlink-flag Enable/disable the onlink flag.
enable: Enable the onlink flag.
disable: Disable the onlink flag.
option -
subnet Add subnet ID to routing prefix. ipv6-network Not Specified
rdnss-service Recursive DNS service option.
delegated: Delegated RDNSS settings.
default: System RDNSS settings.
specify: Specify recursive DNS servers.
option -
rdnss Recursive DNS server option. user Not Specified

config vrrp6

Parameter Name Description Type Size
vrgrp VRRP group ID (1 - 65535). integer Minimum value: 1 Maximum value: 65535
vrip6 IPv6 address of the virtual router. ipv6-address Not Specified
priority Priority of the virtual router (1 - 255). integer Minimum value: 1 Maximum value: 255
adv-interval Advertisement interval (1 - 255 seconds). integer Minimum value: 1 Maximum value: 255
start-time Startup time (1 - 255 seconds). integer Minimum value: 1 Maximum value: 255
preempt Enable/disable preempt mode.
enable: Enable preempt mode.
disable: Disable preempt mode.
option -
accept-mode Enable/disable accept mode.
enable: Enable accept mode.
disable: Disable accept mode.
option -
vrdst6 Monitor the route to this destination. ipv6-address Not Specified
status Enable/disable VRRP.
enable: Enable VRRP.
disable: Disable VRRP.
option -

system interface

Configure interfaces.

  config system interface
      Description: Configure interfaces.
      edit <name>
          set vdom {string}
          set vrf {integer}
          set cli-conn-status {integer}
          set fortilink [enable|disable]
          set mode [static|dhcp|...]
          config client-options
              Description: DHCP client options.
              edit <id>
                  set code {integer}
                  set type [hex|string|...]
                  set value {string}
                  set ip {user}
              next
          end
          set distance {integer}
          set priority {integer}
          set dhcp-relay-service [disable|enable]
          set dhcp-relay-ip {user}
          set dhcp-relay-type [regular|ipsec]
          set dhcp-relay-agent-option [enable|disable]
          set management-ip {ipv4-classnet-host}
          set ip {ipv4-classnet-host}
          set allowaccess {option1}, {option2}, ...
          set gwdetect [enable|disable]
          set ping-serv-status {integer}
          set detectserver {user}
          set detectprotocol {option1}, {option2}, ...
          set ha-priority {integer}
          set fail-detect [enable|disable]
          set fail-detect-option {option1}, {option2}, ...
          set fail-alert-method [link-failed-signal|link-down]
          set fail-action-on-extender [soft-restart|hard-restart|...]
          set fail-alert-interfaces <name1>, <name2>, ...
          set dhcp-client-identifier {string}
          set dhcp-renew-time {integer}
          set ipunnumbered {ipv4-address}
          set username {string}
          set pppoe-unnumbered-negotiate [enable|disable]
          set password {password}
          set idle-timeout {integer}
          set detected-peer-mtu {integer}
          set disc-retry-timeout {integer}
          set padt-retry-timeout {integer}
          set service-name {string}
          set ac-name {string}
          set lcp-echo-interval {integer}
          set lcp-max-echo-fails {integer}
          set defaultgw [enable|disable]
          set dns-server-override [enable|disable]
          set auth-type [auto|pap|...]
          set pptp-client [enable|disable]
          set pptp-user {string}
          set pptp-password {password}
          set pptp-server-ip {ipv4-address}
          set pptp-auth-type [auto|pap|...]
          set pptp-timeout {integer}
          set arpforward [enable|disable]
          set ndiscforward [enable|disable]
          set broadcast-forward [enable|disable]
          set bfd [global|enable|...]
          set bfd-desired-min-tx {integer}
          set bfd-detect-mult {integer}
          set bfd-required-min-rx {integer}
          set l2forward [enable|disable]
          set icmp-send-redirect [enable|disable]
          set icmp-accept-redirect [enable|disable]
          set vlanforward [enable|disable]
          set stpforward [enable|disable]
          set stpforward-mode [rpl-all-ext-id|rpl-bridge-ext-id|...]
          set ips-sniffer-mode [enable|disable]
          set ident-accept [enable|disable]
          set ipmac [enable|disable]
          set subst [enable|disable]
          set macaddr {mac-address}
          set substitute-dst-mac {mac-address}
          set speed [auto|10full|...]
          set status [up|down]
          set netbios-forward [disable|enable]
          set wins-ip {ipv4-address}
          set type [physical|vlan|...]
          set dedicated-to [none|management]
          set trust-ip-1 {ipv4-classnet-any}
          set trust-ip-2 {ipv4-classnet-any}
          set trust-ip-3 {ipv4-classnet-any}
          set trust-ip6-1 {ipv6-prefix}
          set trust-ip6-2 {ipv6-prefix}
          set trust-ip6-3 {ipv6-prefix}
          set mtu-override [enable|disable]
          set mtu {integer}
          set wccp [enable|disable]
          set netflow-sampler [disable|tx|...]
          set sflow-sampler [enable|disable]
          set drop-overlapped-fragment [enable|disable]
          set drop-fragment [enable|disable]
          set src-check [enable|disable]
          set sample-rate {integer}
          set polling-interval {integer}
          set sample-direction [tx|rx|...]
          set explicit-web-proxy [enable|disable]
          set explicit-ftp-proxy [enable|disable]
          set proxy-captive-portal [enable|disable]
          set tcp-mss {integer}
          set inbandwidth {integer}
          set outbandwidth {integer}
          set egress-shaping-profile {string}
          set ingress-shaping-profile {string}
          set disconnect-threshold {integer}
          set spillover-threshold {integer}
          set ingress-spillover-threshold {integer}
          set weight {integer}
          set interface {string}
          set external [enable|disable]
          set vlan-protocol [8021q|8021ad]
          set vlanid {integer}
          set forward-domain {integer}
          set remote-ip {ipv4-classnet-host}
          set member <interface-name1>, <interface-name2>, ...
          set lacp-mode [static|passive|...]
          set lacp-ha-slave [enable|disable]
          set lacp-speed [slow|fast]
          set min-links {integer}
          set min-links-down [operational|administrative]
          set algorithm [L2|L3|...]
          set link-up-delay {integer}
          set priority-override [enable|disable]
          set aggregate {string}
          set redundant-interface {string}
          set devindex {integer}
          set vindex {integer}
          set switch {string}
          set description {var-string}
          set alias {string}
          set security-mode [none|captive-portal|...]
          set security-mac-auth-bypass [mac-auth-only|enable|...]
          set security-external-web {string}
          set security-external-logout {string}
          set replacemsg-override-group {string}
          set security-redirect-url {string}
          set security-exempt-list {string}
          set security-groups <name1>, <name2>, ...
          set device-identification [enable|disable]
          set device-user-identification [enable|disable]
          set lldp-reception [enable|disable|...]
          set lldp-transmission [enable|disable|...]
          set lldp-network-policy {string}
          set estimated-upstream-bandwidth {integer}
          set estimated-downstream-bandwidth {integer}
          set measured-upstream-bandwidth {integer}
          set measured-downstream-bandwidth {integer}
          set bandwidth-measure-time {integer}
          set monitor-bandwidth [enable|disable]
          set vrrp-virtual-mac [enable|disable]
          config vrrp
              Description: VRRP configuration.
              edit <vrid>
                  set version [2|3]
                  set vrgrp {integer}
                  set vrip {ipv4-address-any}
                  set priority {integer}
                  set adv-interval {integer}
                  set start-time {integer}
                  set preempt [enable|disable]
                  set accept-mode [enable|disable]
                  set vrdst {ipv4-address-any}
                  set vrdst-priority {integer}
                  set ignore-default-route [enable|disable]
                  set status [enable|disable]
                  config proxy-arp
                      Description: VRRP Proxy ARP configuration.
                      edit <id>
                          set ip {user}
                      next
                  end
              next
          end
          set role [lan|wan|...]
          set snmp-index {integer}
          set secondary-IP [enable|disable]
          config secondaryip
              Description: Second IP address of interface.
              edit <id>
                  set ip {ipv4-classnet-host}
                  set allowaccess {option1}, {option2}, ...
                  set gwdetect [enable|disable]
                  set ping-serv-status {integer}
                  set detectserver {user}
                  set detectprotocol {option1}, {option2}, ...
                  set ha-priority {integer}
              next
          end
          set preserve-session-route [enable|disable]
          set auto-auth-extension-device [enable|disable]
          set ap-discover [enable|disable]
          set fortilink-stacking [enable|disable]
          set fortilink-neighbor-detect [lldp|fortilink]
          set ip-managed-by-fortiipam [enable|disable]
          set managed-subnetwork-size [256|512|...]
          set fortilink-split-interface [enable|disable]
          set internal {integer}
          set fortilink-backup-link {integer}
          set switch-controller-access-vlan [enable|disable]
          set switch-controller-traffic-policy {string}
          set switch-controller-rspan-mode [disable|enable]
          set switch-controller-mgmt-vlan {integer}
          set switch-controller-igmp-snooping [enable|disable]
          set switch-controller-igmp-snooping-proxy [enable|disable]
          set switch-controller-igmp-snooping-fast-leave [enable|disable]
          set switch-controller-dhcp-snooping [enable|disable]
          set switch-controller-dhcp-snooping-verify-mac [enable|disable]
          set switch-controller-dhcp-snooping-option82 [enable|disable]
          set switch-controller-arp-inspection [enable|disable]
          set switch-controller-learning-limit {integer}
          set switch-controller-nac {string}
          set switch-controller-feature [none|default-vlan|...]
          set swc-vlan {integer}
          set color {integer}
          config tagging
              Description: Config object tagging.
              edit <name>
                  set category {string}
                  set tags <name1>, <name2>, ...
              next
          end
          config egress-queues
              Description: Configure queues of NP port on egress path.
              set cos0 {string}
              set cos1 {string}
              set cos2 {string}
              set cos3 {string}
              set cos4 {string}
              set cos5 {string}
              set cos6 {string}
              set cos7 {string}
          end
          set ingress-cos [disable|cos0|...]
          set egress-cos [disable|cos0|...]
          config ipv6
              Description: IPv6 of interface.
              set ip6-mode [static|dhcp|...]
              set nd-mode [basic|SEND-compatible]
              set nd-cert {string}
              set nd-security-level {integer}
              set nd-timestamp-delta {integer}
              set nd-timestamp-fuzz {integer}
              set nd-cga-modifier {user}
              set ip6-dns-server-override [enable|disable]
              set ip6-address {ipv6-prefix}
              config ip6-extra-addr
                  Description: Extra IPv6 address prefixes of interface.
                  edit <prefix>

                  next
              end
              set ip6-allowaccess {option1}, {option2}, ...
              set ip6-send-adv [enable|disable]
              set ip6-manage-flag [enable|disable]
              set ip6-other-flag [enable|disable]
              set ip6-max-interval {integer}
              set ip6-min-interval {integer}
              set ip6-link-mtu {integer}
              set ip6-reachable-time {integer}
              set ip6-retrans-time {integer}
              set ip6-default-life {integer}
              set ip6-hop-limit {integer}
              set autoconf [enable|disable]
              set unique-autoconf-addr [enable|disable]
              set interface-identifier {ipv6-address}
              set ip6-upstream-interface {string}
              set ip6-subnet {ipv6-prefix}
              config ip6-prefix-list
                  Description: Advertised prefix list.
                  edit <prefix>
                      set autonomous-flag [enable|disable]
                      set onlink-flag [enable|disable]
                      set valid-life-time {integer}
                      set preferred-life-time {integer}
                      set rdnss {user}
                      set dnssl <domain1>, <domain2>, ...
                  next
              end
              config ip6-delegated-prefix-list
                  Description: Advertised IPv6 delegated prefix list.
                  edit <prefix-id>
                      set upstream-interface {string}
                      set autonomous-flag [enable|disable]
                      set onlink-flag [enable|disable]
                      set subnet {ipv6-network}
                      set rdnss-service [delegated|default|...]
                      set rdnss {user}
                  next
              end
              set dhcp6-relay-service [disable|enable]
              set dhcp6-relay-type {option}
              set dhcp6-relay-ip {user}
              set dhcp6-client-options {option1}, {option2}, ...
              set dhcp6-prefix-delegation [enable|disable]
              set dhcp6-information-request [enable|disable]
              set dhcp6-prefix-hint {ipv6-network}
              set dhcp6-prefix-hint-plt {integer}
              set dhcp6-prefix-hint-vlt {integer}
              set vrrp-virtual-mac6 [enable|disable]
              set vrip6_link_local {ipv6-address}
              config vrrp6
                  Description: IPv6 VRRP configuration.
                  edit <vrid>
                      set vrgrp {integer}
                      set vrip6 {ipv6-address}
                      set priority {integer}
                      set adv-interval {integer}
                      set start-time {integer}
                      set preempt [enable|disable]
                      set accept-mode [enable|disable]
                      set vrdst6 {ipv6-address}
                      set status [enable|disable]
                  next
              end
          end
      next
  end

config system interface

Parameter Name Description Type Size
vdom Interface is in this virtual domain (VDOM). string Maximum length: 31
vrf Virtual Routing Forwarding ID. integer Minimum value: 0 Maximum value: 31
cli-conn-status CLI connection status. integer Minimum value: 0 Maximum value: 4294967295
fortilink Enable FortiLink to dedicate this interface to manage other Fortinet devices.
enable: Dedicate this interface to FortiLink for managing FortiSwitch devices.
disable: Do not dedicate this interface to FortiLink for managing FortiSwitch devices.
option -
mode Addressing mode (static, DHCP, PPPoE).
static: Static setting.
dhcp: External DHCP client mode.
pppoe: External PPPoE mode.
option -
distance Distance for routes learned through PPPoE or DHCP, lower distance indicates preferred route. integer Minimum value: 1 Maximum value: 255
priority Priority of learned routes. integer Minimum value: 0 Maximum value: 4294967295
dhcp-relay-service Enable/disable allowing this interface to act as a DHCP relay.
disable: None.
enable: DHCP relay agent.
option -
dhcp-relay-ip DHCP relay IP address. user Not Specified
dhcp-relay-type DHCP relay type (regular or IPsec).
regular: Regular DHCP relay.
ipsec: DHCP relay for IPsec.
option -
dhcp-relay-agent-option Enable/disable DHCP relay agent option.
enable: Enable DHCP relay agent option.
disable: Disable DHCP relay agent option.
option -
management-ip High Availability in-band management IP address of this interface. ipv4-classnet-host Not Specified
ip Interface IPv4 address and subnet mask, syntax: X.X.X.X/24. ipv4-classnet-host Not Specified
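allowaccess Permitted types of management access to this interface. Each selected option exposes that service on the interface; http and telnet are unencrypted, so https and ssh are the safer choices for administrative access.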
ping: PING access.
https: HTTPS access.
ssh: SSH access.
snmp: SNMP access.
http: HTTP access.
telnet: TELNET access.
fgfm: FortiManager access.
radius-acct: RADIUS accounting access.
probe-response: Probe access.
fabric: Security Fabric access.
ftm: FTM access.
option -
gwdetect Enable/disable detect gateway alive for first.
enable: Enable detect gateway alive for first.
disable: Disable detect gateway alive for first.
option -
ping-serv-status PING server status. integer Minimum value: 0 Maximum value: 255
detectserver Gateway's ping server for this IP. user Not Specified
detectprotocol Protocols used to detect the server.
ping: PING.
tcp-echo: TCP echo.
udp-echo: UDP echo.
option -
ha-priority HA election priority for the PING server. integer Minimum value: 1 Maximum value: 50
fail-detect Enable/disable fail detection features for this interface.
enable: Enable interface failed option status.
disable: Disable interface failed option status.
option -
fail-detect-option Options for detecting that this interface has failed.
detectserver: Use a ping server to determine if the interface has failed.
link-down: Use port detection to determine if the interface has failed.
option -
fail-alert-method Select link-failed-signal or link-down method to alert about a failed link.
link-failed-signal: Link-failed-signal.
link-down: Link-down.
option -
fail-action-on-extender Action on extender when interface fails.
soft-restart: Soft-restart-on-extender.
hard-restart: Hard-restart-on-extender.
reboot: Reboot-on-extender.
option -
fail-alert-interfaces <name> Names of the FortiGate interfaces to which the link failure alert is sent.
Names of the non-virtual interface.
string Maximum length: 79
dhcp-client-identifier DHCP client identifier. string Maximum length: 48
dhcp-renew-time DHCP renew time in seconds (300-604800), 0 means use the renew time provided by the server. integer Minimum value: 300 Maximum value: 604800
ipunnumbered Unnumbered IP used for PPPoE interfaces for which no unique local address is provided. ipv4-address Not Specified
username Username of the PPPoE account, provided by your ISP. string Maximum length: 64
pppoe-unnumbered-negotiate Enable/disable PPPoE unnumbered negotiation.
enable: Enable IP address negotiating for unnumbered.
disable: Disable IP address negotiating for unnumbered.
option -
password PPPoE account's password. password Not Specified
idle-timeout PPPoE auto disconnect after idle timeout seconds, 0 means no timeout. integer Minimum value: 0 Maximum value: 32767
detected-peer-mtu MTU of detected peer (0 - 4294967295). integer Minimum value: 0 Maximum value: 4294967295
disc-retry-timeout Time in seconds to wait before retrying to start a PPPoE discovery, 0 means no timeout. integer Minimum value: 0 Maximum value: 4294967295
padt-retry-timeout PPPoE Active Discovery Terminate (PADT) used to terminate sessions after an idle time. integer Minimum value: 0 Maximum value: 4294967295
service-name PPPoE service name. string Maximum length: 63
ac-name PPPoE server name. string Maximum length: 63
lcp-echo-interval Time in seconds between PPPoE Link Control Protocol (LCP) echo requests. integer Minimum value: 0 Maximum value: 32767
lcp-max-echo-fails Maximum missed LCP echo messages before disconnect. integer Minimum value: 0 Maximum value: 32767
defaultgw Enable to get the gateway IP from the DHCP or PPPoE server.
enable: Enable default gateway.
disable: Disable default gateway.
option -
dns-server-override Enable/disable use DNS acquired by DHCP or PPPoE.
enable: Use DNS acquired by DHCP or PPPoE.
disable: Do not use DNS acquired by DHCP or PPPoE.
option -
auth-type PPP authentication type to use.
auto: Automatically choose authentication.
pap: PAP authentication.
chap: CHAP authentication.
mschapv1: MS-CHAPv1 authentication.
mschapv2: MS-CHAPv2 authentication.
option -
pptp-client Enable/disable PPTP client.
enable: Enable PPTP client.
disable: Disable PPTP client.
option -
pptp-user PPTP user name. string Maximum length: 64
pptp-password PPTP password. password Not Specified
pptp-server-ip PPTP server IP address. ipv4-address Not Specified
pptp-auth-type PPTP authentication type.
auto: Automatically choose authentication.
pap: PAP authentication.
chap: CHAP authentication.
mschapv1: MS-CHAPv1 authentication.
mschapv2: MS-CHAPv2 authentication.
option -
pptp-timeout Idle timer in minutes (0 for disabled). integer Minimum value: 0 Maximum value: 65535
arpforward Enable/disable ARP forwarding.
enable: Enable ARP forwarding.
disable: Disable ARP forwarding.
option -
ndiscforward Enable/disable NDISC forwarding.
enable: Enable NDISC forwarding.
disable: Disable NDISC forwarding.
option -
broadcast-forward Enable/disable broadcast forwarding.
enable: Enable broadcast forwarding.
disable: Disable broadcast forwarding.
option -
bfd Bidirectional Forwarding Detection (BFD) settings.
global: BFD behavior of this interface will be based on global configuration.
enable: Enable BFD on this interface and ignore global configuration.
disable: Disable BFD on this interface and ignore global configuration.
option -
bfd-desired-min-tx BFD desired minimal transmit interval. integer Minimum value: 1 Maximum value: 100000
bfd-detect-mult BFD detection multiplier. integer Minimum value: 1 Maximum value: 50
bfd-required-min-rx BFD required minimal receive interval. integer Minimum value: 1 Maximum value: 100000
l2forward Enable/disable L2 forwarding.
enable: Enable L2 forwarding.
disable: Disable L2 forwarding.
option -
icmp-send-redirect Enable/disable ICMP send redirect.
enable: Enable ICMP send redirect.
disable: Disable ICMP send redirect.
option -
icmp-accept-redirect Enable/disable ICMP accept redirect.
enable: Enable ICMP accept redirect.
disable: Disable ICMP accept redirect.
option -
vlanforward Enable/disable traffic forwarding between VLANs on this interface.
enable: Enable traffic forwarding.
disable: Disable traffic forwarding.
option -
stpforward Enable/disable STP forwarding.
enable: Enable STP forwarding.
disable: Disable STP forwarding.
option -
stpforward-mode Configure STP forwarding mode.
rpl-all-ext-id: Replace all extension IDs (root, bridge).
rpl-bridge-ext-id: Replace the bridge extension ID only.
rpl-nothing: Replace nothing.
option -
ips-sniffer-mode Enable/disable the use of this interface as a one-armed sniffer.
enable: Enable IPS sniffer mode.
disable: Disable IPS sniffer mode.
option -
ident-accept Enable/disable authentication for this interface.
enable: Enable determining a user's identity from packet identification.
disable: Disable determining a user's identity from packet identification.
option -
ipmac Enable/disable IP/MAC binding.
enable: Enable IP/MAC binding.
disable: Disable IP/MAC binding.
option -
subst Enable to always send packets from this interface to a destination MAC address.
enable: Send packets from this interface.
disable: Do not send packets from this interface.
option -
macaddr Change the interface's MAC address. mac-address Not Specified
substitute-dst-mac Destination MAC address that all packets are sent to from this interface. mac-address Not Specified
speed Interface speed. The default setting and the options available depend on the interface hardware.
auto: Automatically adjust speed.
10full: 10M full-duplex.
10half: 10M half-duplex.
100full: 100M full-duplex.
100half: 100M half-duplex.
1000full: 1000M full-duplex.
1000half: 1000M half-duplex.
1000auto: 1000M auto adjust.
10000full: 10G full-duplex.
option -
status Bring the interface up or shut the interface down.
up: Bring the interface up.
down: Shut the interface down.
option -
netbios-forward Enable/disable NETBIOS forwarding.
disable: Disable NETBIOS forwarding.
enable: Enable NETBIOS forwarding.
option -
wins-ip WINS server IP. ipv4-address Not Specified
type Interface type.
physical: Physical interface.
vlan: VLAN interface.
aggregate: Aggregate interface.
redundant: Redundant interface.
tunnel: Tunnel interface.
vdom-link: VDOM link interface.
loopback: Loopback interface.
switch: Software switch interface.
vap-switch: VAP interface.
wl-mesh: WLAN mesh interface.
fext-wan: FortiExtender interface.
vxlan: VXLAN interface.
geneve: GENEVE interface.
hdlc: T1/E1 interface.
switch-vlan: Switch VLAN interface.
emac-vlan: EMAC VLAN interface.
option -
dedicated-to Configure interface for single purpose.
none: Interface not dedicated for any purpose.
management: Dedicate this interface for management purposes only.
option -
trust-ip-1 Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts). ipv4-classnet-any Not Specified
trust-ip-2 Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts). ipv4-classnet-any Not Specified
trust-ip-3 Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts). ipv4-classnet-any Not Specified
trust-ip6-1 Trusted IPv6 host for dedicated management traffic (::/0 for all hosts). ipv6-prefix Not Specified
trust-ip6-2 Trusted IPv6 host for dedicated management traffic (::/0 for all hosts). ipv6-prefix Not Specified
trust-ip6-3 Trusted IPv6 host for dedicated management traffic (::/0 for all hosts). ipv6-prefix Not Specified
mtu-override Enable to set a custom MTU for this interface.
enable: Override default MTU.
disable: Use default MTU (1500).
option -
mtu MTU value for this interface. integer Minimum value: 0 Maximum value: 4294967295
wccp Enable/disable WCCP on this interface. Used for encapsulated WCCP communication between WCCP clients and servers.
enable: Enable WCCP protocol on this interface.
disable: Disable WCCP protocol on this interface.
option -
netflow-sampler Enable/disable NetFlow on this interface and set the data that NetFlow collects (rx, tx, or both).
disable: Disable NetFlow protocol on this interface.
tx: Monitor transmitted traffic on this interface.
rx: Monitor received traffic on this interface.
both: Monitor transmitted/received traffic on this interface.
option -
sflow-sampler Enable/disable sFlow on this interface.
enable: Enable sFlow protocol on this interface.
disable: Disable sFlow protocol on this interface.
option -
drop-overlapped-fragment Enable/disable drop overlapped fragment packets.
enable: Enable drop of overlapped fragment packets.
disable: Disable drop of overlapped fragment packets.
option -
drop-fragment Enable/disable drop fragment packets.
enable: Enable drop of fragment packets.
disable: Do not drop fragment packets.
option -
src-check Enable/disable source IP check.
enable: Enable source IP check.
disable: Disable source IP check.
option -
sample-rate sFlow sample rate (10 - 99999). integer Minimum value: 10 Maximum value: 99999
polling-interval sFlow polling interval (1 - 255 sec). integer Minimum value: 1 Maximum value: 255
sample-direction Data that NetFlow collects (rx, tx, or both).
tx: Monitor transmitted traffic on this interface.
rx: Monitor received traffic on this interface.
both: Monitor transmitted/received traffic on this interface.
option -
explicit-web-proxy Enable/disable the explicit web proxy on this interface.
enable: Enable explicit Web proxy on this interface.
disable: Disable explicit Web proxy on this interface.
option -
explicit-ftp-proxy Enable/disable the explicit FTP proxy on this interface.
enable: Enable explicit FTP proxy on this interface.
disable: Disable explicit FTP proxy on this interface.
option -
proxy-captive-portal Enable/disable proxy captive portal on this interface.
enable: Enable proxy captive portal on this interface.
disable: Disable proxy captive portal on this interface.
option -
tcp-mss TCP maximum segment size. 0 means do not change segment size. integer Minimum value: 0 Maximum value: 4294967295
inbandwidth Bandwidth limit for incoming traffic (0 - 16776000 kbps), 0 means unlimited. integer Minimum value: 0 Maximum value: 16776000
outbandwidth Bandwidth limit for outgoing traffic (0 - 16776000 kbps), 0 means unlimited. integer Minimum value: 0 Maximum value: 16776000
egress-shaping-profile Outgoing traffic shaping profile. string Maximum length: 35
ingress-shaping-profile Incoming traffic shaping profile. string Maximum length: 35
disconnect-threshold Time in milliseconds to wait before sending a notification that this interface is down or disconnected. integer Minimum value: 0 Maximum value: 10000
spillover-threshold Egress Spillover threshold (0 - 16776000 kbps), 0 means unlimited. integer Minimum value: 0 Maximum value: 16776000
ingress-spillover-threshold Ingress Spillover threshold (0 - 16776000 kbps), 0 means unlimited. integer Minimum value: 0 Maximum value: 16776000
weight Default weight for static routes (if route has no weight configured). integer Minimum value: 0 Maximum value: 255
interface Interface name. string Maximum length: 15
external Enable/disable identifying the interface as an external interface (which usually means it's connected to the Internet).
enable: Enable identifying the interface as an external interface.
disable: Disable identifying the interface as an external interface.
option -
vlan-protocol Ethernet protocol of VLAN.
8021q: IEEE 802.1Q.
8021ad: 802.1AD.
option -
vlanid VLAN ID (1 - 4094). integer Minimum value: 1 Maximum value: 4094
forward-domain Transparent mode forward domain. integer Minimum value: 0 Maximum value: 2147483647
remote-ip Remote IP address of tunnel. ipv4-classnet-host Not Specified
member <interface-name> Physical interfaces that belong to the aggregate or redundant interface.
Physical interface name.
string Maximum length: 79
lacp-mode LACP mode.
static: Use static aggregation, do not send and ignore any LACP messages.
passive: Passively use LACP to negotiate 802.3ad aggregation.
active: Actively use LACP to negotiate 802.3ad aggregation.
option -
lacp-ha-slave LACP HA slave.
enable: Allow HA slave to send/receive LACP messages.
disable: Block HA slave from sending/receiving LACP messages.
option -
lacp-speed How often the interface sends LACP messages.
slow: Send LACP message every 30 seconds.
fast: Send LACP message every second.
option -
min-links Minimum number of aggregated ports that must be up. integer Minimum value: 1 Maximum value: 32
min-links-down Action to take when fewer than the configured minimum number of links are active.
operational: Set the aggregate operationally down.
administrative: Set the aggregate administratively down.
option -
algorithm Frame distribution algorithm.
L2: Use layer 2 address for distribution.
L3: Use layer 3 address for distribution.
L4: Use layer 4 information for distribution.
option -
link-up-delay Number of milliseconds to wait before considering a link is up. integer Minimum value: 50 Maximum value: 3600000
priority-override Enable/disable fail back to higher priority port once recovered.
enable: Enable fail back to higher priority port once recovered.
disable: Disable fail back to higher priority port once recovered.
option -
aggregate Aggregate interface. string Maximum length: 15
redundant-interface Redundant interface. string Maximum length: 15
devindex Device Index. integer Minimum value: 0 Maximum value: 4294967295
vindex Switch control interface VLAN ID. integer Minimum value: 0 Maximum value: 65535
switch Contained in switch. string Maximum length: 15
description Description. var-string Maximum length: 255
alias Alias will be displayed with the interface name to make it easier to distinguish. string Maximum length: 25
security-mode Turn on captive portal authentication for this interface.
none: No security option.
captive-portal: Captive portal authentication.
802.1X: 802.1X port-based authentication.
option -
security-mac-auth-bypass Enable/disable MAC authentication bypass.
mac-auth-only: Enable MAC authentication bypass without EAP.
enable: Enable MAC authentication bypass.
disable: Disable MAC authentication bypass.
option -
security-external-web URL of external authentication web server. string Maximum length: 127
security-external-logout URL of external authentication logout server. string Maximum length: 127
replacemsg-override-group Replacement message override group. string Maximum length: 35
security-redirect-url URL redirection after disclaimer/authentication. string Maximum length: 127
security-exempt-list Name of security-exempt-list. string Maximum length: 35
security-groups <name> User groups that can authenticate with the captive portal.
Names of user groups that can authenticate with the captive portal.
string Maximum length: 79
device-identification Enable/disable passive gathering of device identity information about the devices on the network connected to this interface.
enable: Enable passive gathering of identity information about hosts.
disable: Disable passive gathering of identity information about hosts.
option -
device-user-identification Enable/disable passive gathering of user identity information about users on this interface.
enable: Enable passive gathering of user identity information about users.
disable: Disable passive gathering of user identity information about users.
option -
lldp-reception Enable/disable Link Layer Discovery Protocol (LLDP) reception.
enable: Enable reception of Link Layer Discovery Protocol (LLDP).
disable: Disable reception of Link Layer Discovery Protocol (LLDP).
vdom: Use VDOM Link Layer Discovery Protocol (LLDP) reception configuration setting.
option -
lldp-transmission Enable/disable Link Layer Discovery Protocol (LLDP) transmission.
enable: Enable transmission of Link Layer Discovery Protocol (LLDP).
disable: Disable transmission of Link Layer Discovery Protocol (LLDP).
vdom: Use VDOM Link Layer Discovery Protocol (LLDP) transmission configuration setting.
option -
lldp-network-policy LLDP-MED network policy profile. string Maximum length: 35
estimated-upstream-bandwidth Estimated maximum upstream bandwidth (kbps). Used to estimate link utilization. integer Minimum value: 0 Maximum value: 4294967295
estimated-downstream-bandwidth Estimated maximum downstream bandwidth (kbps). Used to estimate link utilization. integer Minimum value: 0 Maximum value: 4294967295
measured-upstream-bandwidth Measured upstream bandwidth (kbps). integer Minimum value: 0 Maximum value: 4294967295
measured-downstream-bandwidth Measured downstream bandwidth (kbps). integer Minimum value: 0 Maximum value: 4294967295
bandwidth-measure-time Bandwidth measure time. integer Minimum value: 0 Maximum value: 4294967295
monitor-bandwidth Enable monitoring bandwidth on this interface.
enable: Enable monitoring bandwidth on this interface.
disable: Disable monitoring bandwidth on this interface.
option -
vrrp-virtual-mac Enable/disable use of virtual MAC for VRRP.
enable: Enable use of virtual MAC for VRRP.
disable: Disable use of virtual MAC for VRRP.
option -
role Interface role.
lan: Connected to local network of endpoints.
wan: Connected to Internet.
dmz: Connected to server zone.
undefined: Interface has no specific role.
option -
snmp-index Permanent SNMP Index of the interface. integer Minimum value: 1 Maximum value: 2147483647
secondary-IP Enable/disable adding a secondary IP to this interface.
enable: Enable secondary IP.
disable: Disable secondary IP.
option -
preserve-session-route Enable/disable preservation of session route when dirty.
enable: Enable preservation of session route when dirty.
disable: Disable preservation of session route when dirty.
option -
auto-auth-extension-device Enable/disable automatic authorization of dedicated Fortinet extension device on this interface.
enable: Enable automatic authorization of dedicated Fortinet extension device on this interface.
disable: Disable automatic authorization of dedicated Fortinet extension device on this interface.
option -
ap-discover Enable/disable automatic registration of unknown FortiAP devices.
enable: Enable automatic registration of unknown FortiAP devices.
disable: Disable automatic registration of unknown FortiAP devices.
option -
fortilink-stacking Enable/disable FortiLink switch-stacking on this interface.
enable: Enable FortiLink switch stacking.
disable: Disable FortiLink switch stacking.
option -
fortilink-neighbor-detect Protocol for FortiGate neighbor discovery.
lldp: Detect FortiLink neighbors using LLDP protocol.
fortilink: Detect FortiLink neighbors using FortiLink protocol.
option -
ip-managed-by-fortiipam Enable/disable automatic IP address assignment of this interface by FortiIPAM.
enable: Enable automatic IP address assignment of this interface by FortiIPAM.
disable: Disable automatic IP address assignment of this interface by FortiIPAM.
option -
managed-subnetwork-size Number of IP addresses to be allocated by FortiIPAM and used by this FortiGate unit's DHCP server settings.
256: Allocate a subnet with 256 IP addresses.
512: Allocate a subnet with 512 IP addresses.
1024: Allocate a subnet with 1024 IP addresses.
2048: Allocate a subnet with 2048 IP addresses.
4096: Allocate a subnet with 4096 IP addresses.
8192: Allocate a subnet with 8192 IP addresses.
16384: Allocate a subnet with 16384 IP addresses.
32768: Allocate a subnet with 32768 IP addresses.
65536: Allocate a subnet with 65536 IP addresses.
option -
fortilink-split-interface Enable/disable FortiLink split interface to connect member link to different FortiSwitch in stack for uplink redundancy.
enable: Enable FortiLink split interface to connect member link to different FortiSwitch in stack for uplink redundancy.
disable: Disable FortiLink split interface.
option -
internal Implicitly created. integer Minimum value: 0 Maximum value: 255
fortilink-backup-link FortiLink split interface backup link. integer Minimum value: 0 Maximum value: 255
switch-controller-access-vlan Block FortiSwitch port-to-port traffic.
enable: Block FortiSwitch port-to-port traffic on the VLAN, only permitting traffic to and from the FortiGate.
disable: Allow normal VLAN traffic.
option -
switch-controller-traffic-policy Switch controller traffic policy for the VLAN. string Maximum length: 63
switch-controller-rspan-mode Stop Layer2 MAC learning and interception of BPDUs and other packets on this interface.
disable: Disable RSPAN passthrough mode on this VLAN interface.
enable: Enable RSPAN passthrough mode on this VLAN interface.
option -
switch-controller-mgmt-vlan VLAN to use for FortiLink management purposes. integer Minimum value: 1 Maximum value: 4094
switch-controller-igmp-snooping Switch controller IGMP snooping.
enable: Enable IGMP snooping.
disable: Disable IGMP snooping.
option -
switch-controller-igmp-snooping-proxy Switch controller IGMP snooping proxy.
enable: Enable IGMP snooping proxy.
disable: Disable IGMP snooping proxy.
option -
switch-controller-igmp-snooping-fast-leave Switch controller IGMP snooping fast-leave.
enable: Enable IGMP snooping fast-leave.
disable: Disable IGMP snooping fast-leave.
option -
switch-controller-dhcp-snooping Switch controller DHCP snooping.
enable: Enable DHCP snooping for FortiSwitch devices.
disable: Disable DHCP snooping for FortiSwitch devices.
option -
switch-controller-dhcp-snooping-verify-mac Switch controller DHCP snooping verify MAC.
enable: Enable DHCP snooping verify source MAC for FortiSwitch devices.
disable: Disable DHCP snooping verify source MAC for FortiSwitch devices.
option -
switch-controller-dhcp-snooping-option82 Switch controller DHCP snooping option82.
enable: Enable DHCP snooping insert option82 for FortiSwitch devices.
disable: Disable DHCP snooping insert option82 for FortiSwitch devices.
option -
switch-controller-arp-inspection Enable/disable FortiSwitch ARP inspection.
enable: Enable ARP inspection for FortiSwitch devices.
disable: Disable ARP inspection for FortiSwitch devices.
option -
switch-controller-learning-limit Limit the number of dynamic MAC addresses on this VLAN (1 - 128, 0 = no limit, default). integer Minimum value: 0 Maximum value: 128
switch-controller-nac Integrated NAC settings for managed FortiSwitch. string Maximum length: 35
switch-controller-feature Interface's purpose when assigning traffic (read only).
none: VLAN for generic purpose.
default-vlan: Default VLAN (native) assigned to all switch ports upon discovery.
quarantine: VLAN for quarantined traffic.
rspan: VLAN for RSPAN/ERSPAN mirrored traffic.
voice: VLAN dedicated for voice devices.
video: VLAN dedicated for camera devices.
nac: VLAN dedicated for NAC onboarding devices.
option -
swc-vlan Creation status for switch-controller VLANs. integer Minimum value: 0 Maximum value: 4294967295
color Color of icon on the GUI. integer Minimum value: 0 Maximum value: 32
ingress-cos Override incoming CoS in user VLAN tag on VLAN interface or assign a priority VLAN tag on physical interface.
disable: Disable.
cos0: CoS 0.
cos1: CoS 1.
cos2: CoS 2.
cos3: CoS 3.
cos4: CoS 4.
cos5: CoS 5.
cos6: CoS 6.
cos7: CoS 7.
option -
egress-cos Override outgoing CoS in user VLAN tag.
disable: Disable.
cos0: CoS 0.
cos1: CoS 1.
cos2: CoS 2.
cos3: CoS 3.
cos4: CoS 4.
cos5: CoS 5.
cos6: CoS 6.
cos7: CoS 7.
option -

config client-options

Parameter Name Description Type Size
code DHCP client option code. integer Minimum value: 0 Maximum value: 255
type DHCP client option type.
hex: DHCP option in hex.
string: DHCP option in string.
ip: DHCP option in IP.
fqdn: DHCP option in domain search option format.
option -
value DHCP client option value. string Maximum length: 312
ip DHCP option IPs. user Not Specified

config vrrp

Parameter Name Description Type Size
version VRRP version.
2: VRRP version 2.
3: VRRP version 3.
option -
vrgrp VRRP group ID (1 - 65535). integer Minimum value: 1 Maximum value: 65535
vrip IP address of the virtual router. ipv4-address-any Not Specified
priority Priority of the virtual router (1 - 255). integer Minimum value: 1 Maximum value: 255
adv-interval Advertisement interval (1 - 255 seconds). integer Minimum value: 1 Maximum value: 255
start-time Startup time (1 - 255 seconds). integer Minimum value: 1 Maximum value: 255
preempt Enable/disable preempt mode.
enable: Enable preempt mode.
disable: Disable preempt mode.
option -
accept-mode Enable/disable accept mode.
enable: Enable accept mode.
disable: Disable accept mode.
option -
vrdst Monitor the route to this destination. ipv4-address-any Not Specified
vrdst-priority Priority of the virtual router when the virtual router destination becomes unreachable (0 - 254). integer Minimum value: 0 Maximum value: 254
ignore-default-route Enable/disable ignoring of default route when checking destination.
enable: Enable ignoring of default route when checking destination.
disable: Disable ignoring of default route when checking destination.
option -
status Enable/disable this VRRP configuration.
enable: Enable this VRRP configuration.
disable: Disable this VRRP configuration.
option -

config proxy-arp

Parameter Name Description Type Size
ip Set IP addresses of proxy ARP. user Not Specified

config secondaryip

Parameter Name Description Type Size
ip Secondary IP address of the interface. ipv4-classnet-host Not Specified
allowaccess Management access settings for the secondary IP address.
ping: PING access.
https: HTTPS access.
ssh: SSH access.
snmp: SNMP access.
http: HTTP access (unencrypted; https is the encrypted equivalent).
telnet: TELNET access (unencrypted; ssh is the encrypted equivalent).
fgfm: FortiManager access.
radius-acct: RADIUS accounting access.
probe-response: Probe access.
fabric: Security Fabric access.
ftm: FTM access.
option -
gwdetect Enable/disable detect gateway alive for first.
enable: Enable detect gateway alive for first.
disable: Disable detect gateway alive for first.
option -
ping-serv-status PING server status. integer Minimum value: 0 Maximum value: 255
detectserver Gateway's ping server for this IP. user Not Specified
detectprotocol Protocols used to detect the server.
ping: PING.
tcp-echo: TCP echo.
udp-echo: UDP echo.
option -
ha-priority HA election priority for the PING server. integer Minimum value: 1 Maximum value: 50

config tagging

Parameter Name Description Type Size
category Tag category. string Maximum length: 63
tags <name> Tags.
Tag name.
string Maximum length: 79

config egress-queues

Parameter Name Description Type Size
cos0 CoS profile name for CoS 0. string Maximum length: 35
cos1 CoS profile name for CoS 1. string Maximum length: 35
cos2 CoS profile name for CoS 2. string Maximum length: 35
cos3 CoS profile name for CoS 3. string Maximum length: 35
cos4 CoS profile name for CoS 4. string Maximum length: 35
cos5 CoS profile name for CoS 5. string Maximum length: 35
cos6 CoS profile name for CoS 6. string Maximum length: 35
cos7 CoS profile name for CoS 7. string Maximum length: 35

config ipv6

Parameter Name Description Type Size
ip6-mode Addressing mode (static, DHCP, PPPoE, delegated).
static: Static setting.
dhcp: DHCPv6 client mode.
pppoe: IPv6 over PPPoE mode.
delegated: IPv6 address with delegated prefix.
option -
nd-mode Neighbor discovery mode.
basic: Do not support SEND (SEcure Neighbor Discovery, RFC 3971).
SEND-compatible: Support SEND.
option -
nd-cert Neighbor discovery certificate. string Maximum length: 35
nd-security-level Neighbor discovery security level (0 - 7; 0 = least secure, default = 0). integer Minimum value: 0 Maximum value: 7
nd-timestamp-delta Neighbor discovery timestamp delta value (1 - 3600 sec; default = 300). integer Minimum value: 1 Maximum value: 3600
nd-timestamp-fuzz Neighbor discovery timestamp fuzz factor (1 - 60 sec; default = 1). integer Minimum value: 1 Maximum value: 60
nd-cga-modifier Neighbor discovery CGA (Cryptographically Generated Address) modifier. user Not Specified
ip6-dns-server-override Enable/disable using the DNS server acquired by DHCP.
enable: Enable using the DNS server acquired by DHCP.
disable: Disable using the DNS server acquired by DHCP.
option -
ip6-address Primary IPv6 address prefix, syntax: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx ipv6-prefix Not Specified
ip6-allowaccess Allow management access to the interface.
ping: PING access.
https: HTTPS access.
ssh: SSH access.
snmp: SNMP access.
http: HTTP access (unencrypted; https is the encrypted equivalent).
telnet: TELNET access (unencrypted; ssh is the encrypted equivalent).
fgfm: FortiManager access.
fabric: Fabric access.
option -
ip6-send-adv Enable/disable sending advertisements about the interface.
enable: Enable sending advertisements about this interface.
disable: Disable sending advertisements about this interface.
option -
ip6-manage-flag Enable/disable the managed flag.
enable: Enable the managed IPv6 flag.
disable: Disable the managed IPv6 flag.
option -
ip6-other-flag Enable/disable the other IPv6 flag.
enable: Enable the other IPv6 flag.
disable: Disable the other IPv6 flag.
option -
ip6-max-interval IPv6 maximum interval (4 to 1800 sec). integer Minimum value: 4 Maximum value: 1800
ip6-min-interval IPv6 minimum interval (3 to 1350 sec). integer Minimum value: 3 Maximum value: 1350
ip6-link-mtu IPv6 link MTU. integer Minimum value: 1280 Maximum value: 16000
ip6-reachable-time IPv6 reachable time (milliseconds; 0 means unspecified). integer Minimum value: 0 Maximum value: 3600000
ip6-retrans-time IPv6 retransmit time (milliseconds; 0 means unspecified). integer Minimum value: 0 Maximum value: 4294967295
ip6-default-life Default life (sec). integer Minimum value: 0 Maximum value: 9000
ip6-hop-limit Hop limit (0 means unspecified). integer Minimum value: 0 Maximum value: 255
autoconf Enable/disable address auto config.
enable: Enable auto-configuration.
disable: Disable auto-configuration.
option -
unique-autoconf-addr Enable/disable unique auto config address.
enable: Enable unique auto-configuration address.
disable: Disable unique auto-configuration address.
option -
interface-identifier IPv6 interface identifier. ipv6-address Not Specified
ip6-upstream-interface Interface name providing delegated information. string Maximum length: 15
ip6-subnet Subnet to routing prefix, syntax: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx ipv6-prefix Not Specified
dhcp6-relay-service Enable/disable DHCPv6 relay.
disable: Disable DHCPv6 relay.
enable: Enable DHCPv6 relay.
option -
dhcp6-relay-type DHCPv6 relay type.
regular: Regular DHCP relay.
option -
dhcp6-relay-ip DHCPv6 relay IP address. user Not Specified
dhcp6-client-options DHCPv6 client options.
rapid: Send the rapid commit option.
iapd: Send the IA-PD option.
iana: Send the IA-NA option.
option -
dhcp6-prefix-delegation Enable/disable DHCPv6 prefix delegation.
enable: Enable DHCPv6 prefix delegation.
disable: Disable DHCPv6 prefix delegation.
option -
dhcp6-information-request Enable/disable DHCPv6 information request.
enable: Enable DHCPv6 information request.
disable: Disable DHCPv6 information request.
option -
dhcp6-prefix-hint DHCPv6 prefix that will be used as a hint to the upstream DHCPv6 server. ipv6-network Not Specified
dhcp6-prefix-hint-plt DHCPv6 prefix hint preferred life time (sec), 0 means unlimited lease time. integer Minimum value: 0 Maximum value: 4294967295
dhcp6-prefix-hint-vlt DHCPv6 prefix hint valid life time (sec). integer Minimum value: 0 Maximum value: 4294967295
vrrp-virtual-mac6 Enable/disable virtual MAC for VRRP.
enable: Enable virtual MAC for VRRP.
disable: Disable virtual MAC for VRRP.
option -
vrip6_link_local Link-local IPv6 address of virtual router. ipv6-address Not Specified

config ip6-prefix-list

Parameter Name Description Type Size
autonomous-flag Enable/disable the autonomous flag.
enable: Enable the autonomous flag.
disable: Disable the autonomous flag.
option -
onlink-flag Enable/disable the onlink flag.
enable: Enable the onlink flag.
disable: Disable the onlink flag.
option -
valid-life-time Valid life time (sec). integer Minimum value: 0 Maximum value: 4294967295
preferred-life-time Preferred life time (sec). integer Minimum value: 0 Maximum value: 4294967295
rdnss Recursive DNS server option. user Not Specified
dnssl <domain> DNS search list option.
Domain name.
string Maximum length: 79

config ip6-delegated-prefix-list

Parameter Name Description Type Size
upstream-interface Name of the interface that provides delegated information. string Maximum length: 15
autonomous-flag Enable/disable the autonomous flag.
enable: Enable the autonomous flag.
disable: Disable the autonomous flag.
option -
onlink-flag Enable/disable the onlink flag.
enable: Enable the onlink flag.
disable: Disable the onlink flag.
option -
subnet Add subnet ID to routing prefix. ipv6-network Not Specified
rdnss-service Recursive DNS service option.
delegated: Delegated RDNSS settings.
default: System RDNSS settings.
specify: Specify recursive DNS servers.
option -
rdnss Recursive DNS server option. user Not Specified

config vrrp6

Parameter Name Description Type Size
vrgrp VRRP group ID (1 - 65535). integer Minimum value: 1 Maximum value: 65535
vrip6 IPv6 address of the virtual router. ipv6-address Not Specified
priority Priority of the virtual router (1 - 255). integer Minimum value: 1 Maximum value: 255
adv-interval Advertisement interval (1 - 255 seconds). integer Minimum value: 1 Maximum value: 255
start-time Startup time (1 - 255 seconds). integer Minimum value: 1 Maximum value: 255
preempt Enable/disable preempt mode.
enable: Enable preempt mode.
disable: Disable preempt mode.
option -
accept-mode Enable/disable accept mode.
enable: Enable accept mode.
disable: Disable accept mode.
option -
vrdst6 Monitor the route to this destination. ipv6-address Not Specified
status Enable/disable VRRP.
enable: Enable VRRP.
disable: Disable VRRP.
option -