
Interface settings

From the document FortiOS 7.4.1 Administration Guide 1 687 (Pages 162-166)

Administrators can configure both physical and virtual FortiGate interfaces in Network > Interfaces. There are different options for configuring interfaces when FortiGate is in NAT mode or transparent mode.

The available options will vary depending on feature visibility, licensing, device model, and other factors. The following list is not comprehensive.

To configure an interface in the GUI:

1. Go to Network > Interfaces.

2. Click Create New > Interface.

3. Configure the interface fields:

Interface Name: Physical interface names cannot be changed.

Alias: Enter an alternate name for a physical interface on the FortiGate unit. This field appears when you edit an existing physical interface. The alias does not appear in logs.

The maximum length of the alias is 25 characters.

Type: The configuration type for the interface, such as VLAN, Software Switch, 802.3ad Aggregate, and others.

Interface: This field is available when Type is set to VLAN.

Select the name of the physical interface that you want to add a VLAN interface to. Once created, the VLAN interface is listed below its physical interface in the Interface list.

You cannot change the physical interface of a VLAN interface.

VLAN ID: This field is available when Type is set to VLAN.

Enter the VLAN ID. The VLAN ID can be any number between 1 and 4094 and must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch that is connected to the VLAN subinterface.

The VLAN ID can be edited after the interface is added.

VRF ID: Virtual Routing and Forwarding (VRF) allows multiple routing table instances to coexist on the same router. One or more interfaces can have a VRF, and packets are only forwarded between interfaces with the same VRF.

Virtual Domain: Select the virtual domain to add the interface to.

Only administrator accounts with the super_admin profile can change the Virtual Domain.

Interface Members: This section can have different formats depending on the Type.

Members can be selected for some interface types:

• Software Switch or Hardware Switch: Specify the physical and wireless interfaces joined into the switch.

• 802.3ad Aggregate or Redundant Interface: This field includes the available and selected interface lists.

Role: Set the role setting for the interface. Different settings will be shown or hidden when editing an interface depending on the role:

• LAN: Used to connect to a local network of endpoints. It is the default role for new interfaces.

• WAN: Used to connect to the internet. When WAN is selected, the Estimated bandwidth setting is available, and the following settings are not: DHCP server, Create address object matching subnet, Device detection, Security mode, One-arm sniffer, Dedicate to extension/fortiap modes, and Admission Control.

• DMZ: Used to connect to the DMZ. When selected, DHCP server and Security mode are not available.

• Undefined: The interface has no specific role. When selected, Create address object matching subnet is not available.

Estimated bandwidth: The estimated WAN bandwidth.

The values can be entered manually, or saved from a speed test executed on the interface. The values can be used in SD-WAN rules that use the Maximize Bandwidth or Best Quality strategy.

Traffic mode: This option is only available when Type is WiFi SSID.

• Tunnel: Tunnel to wireless controller

• Bridge: Local bridge with FortiAP's interface

• Mesh: Mesh downlink

Address

Addressing mode: Select the addressing mode for the interface.

• Manual: Add an IP address and netmask for the interface. If IPv6 configuration is enabled, you can add both an IPv4 and an IPv6 address.

• DHCP: Get the interface IP address and other network settings from a DHCP server.

• Auto-managed by IPAM: Assign subnets to prevent duplicate IP addresses from overlapping within the same Security Fabric. See Configure IPAM locally on the FortiGate on page 168.

• PPPoE: Get the interface IP address and other network settings from a PPPoE server. This option is only available on the entry-level FortiGate models.

• One-Arm Sniffer: Set the interface as a sniffer port so it can be used to detect attacks. See One-arm sniffer on page 178.

IP/Netmask: If Addressing Mode is set to Manual, enter an IPv4 address and subnet mask for the interface. FortiGate interfaces cannot have multiple IP addresses on the same subnet.

IPv6 addressing mode: Select the addressing mode for the interface:

• Manual: Add an IP address and netmask for the interface.

• DHCP: Get the interface IP address and other network settings from a DHCP server.

• Delegated: Select an IPv6 upstream interface that has DHCPv6 prefix delegation enabled, and enter an IPv6 subnet if needed. The interface will get the IPv6 prefix from the upstream DHCPv6 server that is connected to the IPv6 upstream interface, and form the IPv6 address with the subnet configured on the interface.

IPv6 Address/Prefix: If Addressing Mode is set to Manual and IPv6 support is enabled, enter an IPv6 address and subnet mask for the interface. A single interface can have an IPv4 address, IPv6 address, or both.

Auto configure IPv6 address: Automatically configure an IPv6 address using Stateless Address Auto-configuration (SLAAC).

This option is available when IPv6 addressing mode is set to Manual.

DHCPv6 prefix delegation: Enable/disable DHCPv6 prefix delegation, which can be used to delegate IPv6 prefixes from an upstream DHCPv6 server to another interface or downstream device.

When enabled, there is an option to enable a DHCPv6 prefix hint that helps the DHCPv6 server provide the desired prefix.

Create address object matching subnet: This option is available and automatically enabled when Role is set to LAN or DMZ.

This creates an address object that matches the interface subnet and dynamically updates the object when the IP/Netmask changes.

See Interface subnet on page 1358 for more information.

Secondary IP Address: Add additional IPv4 addresses to this interface.

Administrative Access

IPv4 Administrative Access: Select the types of administrative access permitted for IPv4 connections to this interface. See Configure administrative access to interfaces on page 166.

IPv6 Administrative Access: Select the types of administrative access permitted for IPv6 connections to this interface. See Configure administrative access to interfaces on page 166.

DHCP Server: Enable a DHCP server for the interface. See DHCP servers and relays on page 390.

Stateless Address Auto-configuration (SLAAC): Enable to provide IPv6 addresses to connected devices using SLAAC.

DHCPv6 Server: Select to enable a DHCPv6 server for the interface.

When enabled, you can configure DNS service settings: Delegated (delegate the DNS received from the upstream server), Same as System DNS, or Specify (up to four servers).

You can also enable Stateful server to configure the DHCPv6 server to be stateful. Manually enter the IP range, or use Delegated mode to delegate IP prefixes from an upstream DHCPv6 server connected to the upstream interface.

Network

Device Detection: Enable/disable passively gathering device identity information about the devices on the network that are connected to this interface.

Security Mode: Enable/disable captive portal authentication for this interface. After enabling captive portal authentication, you can configure the authentication portal, user and group access, custom portal messages, exempt sources and destinations/services, and redirect after captive portal.

DSL Settings

Physical mode: Set to ADSL or VDSL.

Transfer mode: Set to PTM or ATM.

If the Transfer mode is set to ATM, the Virtual channel identification, Virtual path identification, ATM protocol, and MUX type can be configured.

Traffic Shaping

Outbound shaping profile: Enable/disable traffic shaping on the interface. This allows you to enforce bandwidth limits on individual interfaces. See Interface-based traffic shaping profile on page 1426 for more information.

Miscellaneous

Comments: Enter a description of the interface of up to 255 characters.

Status: Enable/disable the interface.

• Enabled: The interface is active and can accept network traffic.

• Disabled: The interface is not active and cannot accept traffic.

4. Click OK.

To configure an interface in the CLI:

config system interface
    edit <name>
        set vdom <VDOM_name>
        set mode {static | dhcp | pppoe}
        set ip <IP_address/netmask>
        set security-mode {none | captive-portal | 802.1X}
        set egress-shaping-profile <profile>
        set device-identification {enable | disable}
        set allowaccess {ping https ssh http snmp telnet fgfm radius-acct probe-response fabric ftm}
        set eap-supplicant {enable | disable}
        set eap-method {peap | tls}
        set eap-identity <identity>
        set eap-password <password>
        set eap-ca-cert <CA_cert>
        set eap-user-cert <user_cert>
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 9.1.1.2 255.255.255.0
                set allowaccess ping https ssh snmp http
            next
        end
    next
end
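
A configuration review check for the allowaccess setting in the CLI syntax above, as an added example that is not part of the Fortinet guide: it walks a config system interface block, including nested config secondaryip entries, and reports every place where the cleartext protocols http or telnet are permitted. The function name, the sample interface names and the sample address are constructed for illustration.

```python
CLEARTEXT = {"http", "telnet"}  # cleartext protocols among the allowaccess values

# Constructed sample in the CLI syntax above; names and address are made up.
SAMPLE = """\
config system interface
    edit "port1"
        set allowaccess ping https ssh
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 198.51.100.2 255.255.255.0
                set allowaccess ping https ssh snmp http
            next
        end
    next
    edit "port2"
        set allowaccess ping telnet
    next
end
"""

def audit_allowaccess(config_text):
    """Return (interface, scope, protocols) per allowaccess line permitting cleartext."""
    findings, stack, iface, entry = [], [], None, None
    for raw in config_text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "config":                      # open a (possibly nested) block
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "end" and stack:             # close the innermost block
            stack.pop()
        elif tok[0] == "edit" and len(tok) > 1 and stack[:1] == ["system interface"]:
            if len(stack) == 1:                     # top level: an interface name
                iface, entry = tok[1].strip('"'), None
            else:                                   # nested entry, e.g. "secondaryip 1"
                entry = f"{stack[-1]} {tok[1]}"
        elif tok[0] == "next":
            if len(stack) == 1:                     # leaving the interface itself
                iface = None
            entry = None
        elif tok[:2] == ["set", "allowaccess"] and iface:
            bad = sorted(CLEARTEXT.intersection(tok[2:]))
            if bad:
                findings.append((iface, entry or "primary", bad))
    return findings

if __name__ == "__main__":
    print(audit_allowaccess(SAMPLE))
```

Secondary IP entries carry their own allowaccess list, so a review that only reads the interface-level line misses them.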
