Fortinet white logo
Fortinet white logo

Administration Guide

Interfaces

Interfaces

Physical and virtual interfaces allow traffic to flow between internal networks, and between the internet and internal networks. FortiOS has options for configuring interfaces and groups of sub-networks that can scale as your organization grows. The following table lists commonly used interface types.

Interface type

Description

Physical

A physical interface can be connected to with either Ethernet or optical cables. Depending on the FortiGate model, there is a varying number of Ethernet or optical physical interfaces. Some FortiGates have a grouping of interfaces labeled as lan that have a built-in switch functionality.

See Physical interface for more information.

VLAN

A virtual local area network (VLAN) logically divides a local area network (LAN) into distinct broadcast domains using IEEE 802.1Q VLAN tags. A VLAN interface supports VLAN tagging and is associated with a physical interface that can be connected to a device, such as a switch or a router that supports these tags. VLANs can be used on a FortiGate in NAT or transparent mode, and the FortiGate functions differently depending on the operation mode

See VLAN for more information.

Aggregate

An aggregate interface uses a link aggregation method to combine multiple physical interfaces to increase throughput and to provide redundancy. FortiOS supports a link aggregation (LAG) interface using the Link Aggregation Control Protocol (LACP) based on IEEE 802.3ad/802.1ax.

See Aggregation and redundancy for more information.

Redundant

A redundant interface combines multiple physical interfaces where traffic only uses one of the interfaces at a time. Its primary purpose is to provide redundancy. This interface is typically used with a fully-meshed HA configuration.

See Aggregation and redundancy for more information.

Loopback

A loopback interface is a logical interface that is always up because it has no physical link dependency, and the attached subnet is always present in the routing table. It can be accessed through several physical or VLAN interfaces.

See Loopback interface for more information.

Software switch

A software switch is a virtual switch interface implemented in firmware that allows member interfaces to be added to it. Devices connected to member interfaces communicate on the same subnet, and packets are processed by the FortiGate’s CPU. A software switch supports adding a wireless SSID as a member interface.

See Software switch for more information.

Hardware switch

A hardware switch is a virtual switch interface implemented at the hardware level that allows member interfaces to be added to it. Devices connected to member interfaces communicate on the same subnet. A hardware switch relies on specific hardware to optimize processing and supports the Spanning Tree Protocol (STP).

See Hardware switch for more information.

Zone

A zone is a logical group containing one or more physical or virtual interfaces. Grouping interfaces in zones can simplify firewall policy configurations.

See Zone for more information.

Virtual wire pair

A virtual wire pair (VWP) is an interface that acts like a virtual wire consisting of two interfaces, with an interface at each of the wire. No IP addressing is configured on a VWP, and communication is restricted between the two interfaces using firewall policies.

See Virtual wire pair for more information.

FortiExtender WAN extension

A FortiExtender WAN extension is a managed interface that allows a connected FortiExtender to provide WAN connectivity to the FortiGate.

See FortiExtender for more information.

FortiExtender LAN extension

A FortiExtender LAN extension is a managed interface that allows a connected FortiExtender to provide LAN connectivity to the FortiGate.

See FortiExtender for more information.

Enhanced MAC VLAN

An enhanced media access control (MAC) VLAN, or EMAC VLAN, interface allows a physical interface to be virtually subdivided into multiple virtual interfaces with different MAC addresses. In FortiOS, the EMAC VLAN functionality acts like a bridge.

See Enhanced MAC VLAN for more information.

VXLAN

A Virtual Extensible LAN (VXLAN) interface encapsulates layer 2 Ethernet frames within layer 3 IP packets and is used for cloud and data center networks.

See VXLAN for more information.

Tunnel

A tunnel virtual interface is used for IPsec interface-based or GRE tunnels and are created when configuring IPsec VPN and GRE tunnels, respectively. The tunnel interface can be configured with IP addresses on both sides of the tunnel since this is a requirement when using a tunnel interface with a dynamic routing protocol.

See OSPF with IPsec VPN for network redundancy, GRE over IPsec, and Cisco GRE-over-IPsec VPN for more information.

WiFi SSID

A WiFi SSID interface is used to control wireless network user access to a wireless local radio on a FortiWiFi or to a wireless access point using a FortiAP. The SSID is created using the WiFi & Switch Controller > SSIDs page, and it appears in the Network > Interfaces page once it is created.

See Defining a wireless network interface (SSID) in the FortiWiFi and FortiAP Configuration Guide for more information.

VDOM link

A VDOM link allows VDOMs to communicate internally without using additional physical interfaces.

See Inter-VDOM routing for more information.

Interfaces

Interfaces

Physical and virtual interfaces allow traffic to flow between internal networks, and between the internet and internal networks. FortiOS has options for configuring interfaces and groups of sub-networks that can scale as your organization grows. The following table lists commonly used interface types.

Interface type

Description

Physical

A physical interface can be connected to with either Ethernet or optical cables. Depending on the FortiGate model, there is a varying number of Ethernet or optical physical interfaces. Some FortiGates have a grouping of interfaces labeled as lan that have a built-in switch functionality.

See Physical interface for more information.

VLAN

A virtual local area network (VLAN) logically divides a local area network (LAN) into distinct broadcast domains using IEEE 802.1Q VLAN tags. A VLAN interface supports VLAN tagging and is associated with a physical interface that can be connected to a device, such as a switch or a router that supports these tags. VLANs can be used on a FortiGate in NAT or transparent mode, and the FortiGate functions differently depending on the operation mode

See VLAN for more information.

Aggregate

An aggregate interface uses a link aggregation method to combine multiple physical interfaces to increase throughput and to provide redundancy. FortiOS supports a link aggregation (LAG) interface using the Link Aggregation Control Protocol (LACP) based on IEEE 802.3ad/802.1ax.

See Aggregation and redundancy for more information.

Redundant

A redundant interface combines multiple physical interfaces where traffic only uses one of the interfaces at a time. Its primary purpose is to provide redundancy. This interface is typically used with a fully-meshed HA configuration.

See Aggregation and redundancy for more information.

Loopback

A loopback interface is a logical interface that is always up because it has no physical link dependency, and the attached subnet is always present in the routing table. It can be accessed through several physical or VLAN interfaces.

See Loopback interface for more information.

Software switch

A software switch is a virtual switch interface implemented in firmware that allows member interfaces to be added to it. Devices connected to member interfaces communicate on the same subnet, and packets are processed by the FortiGate’s CPU. A software switch supports adding a wireless SSID as a member interface.

See Software switch for more information.

Hardware switch

A hardware switch is a virtual switch interface implemented at the hardware level that allows member interfaces to be added to it. Devices connected to member interfaces communicate on the same subnet. A hardware switch relies on specific hardware to optimize processing and supports the Spanning Tree Protocol (STP).

See Hardware switch for more information.

Zone

A zone is a logical group containing one or more physical or virtual interfaces. Grouping interfaces in zones can simplify firewall policy configurations.

See Zone for more information.

Virtual wire pair

A virtual wire pair (VWP) is an interface that acts like a virtual wire consisting of two interfaces, with an interface at each of the wire. No IP addressing is configured on a VWP, and communication is restricted between the two interfaces using firewall policies.

See Virtual wire pair for more information.

FortiExtender WAN extension

A FortiExtender WAN extension is a managed interface that allows a connected FortiExtender to provide WAN connectivity to the FortiGate.

See FortiExtender for more information.

FortiExtender LAN extension

A FortiExtender LAN extension is a managed interface that allows a connected FortiExtender to provide LAN connectivity to the FortiGate.

See FortiExtender for more information.

Enhanced MAC VLAN

An enhanced media access control (MAC) VLAN, or EMAC VLAN, interface allows a physical interface to be virtually subdivided into multiple virtual interfaces with different MAC addresses. In FortiOS, the EMAC VLAN functionality acts like a bridge.

See Enhanced MAC VLAN for more information.

VXLAN

A Virtual Extensible LAN (VXLAN) interface encapsulates layer 2 Ethernet frames within layer 3 IP packets and is used for cloud and data center networks.

See VXLAN for more information.

Tunnel

A tunnel virtual interface is used for IPsec interface-based or GRE tunnels and are created when configuring IPsec VPN and GRE tunnels, respectively. The tunnel interface can be configured with IP addresses on both sides of the tunnel since this is a requirement when using a tunnel interface with a dynamic routing protocol.

See OSPF with IPsec VPN for network redundancy, GRE over IPsec, and Cisco GRE-over-IPsec VPN for more information.

WiFi SSID

A WiFi SSID interface is used to control wireless network user access to a wireless local radio on a FortiWiFi or to a wireless access point using a FortiAP. The SSID is created using the WiFi & Switch Controller > SSIDs page, and it appears in the Network > Interfaces page once it is created.

See Defining a wireless network interface (SSID) in the FortiWiFi and FortiAP Configuration Guide for more information.

VDOM link

A VDOM link allows VDOMs to communicate internally without using additional physical interfaces.

See Inter-VDOM routing for more information.