System Configuration – Interfaces – FortiOS 6.2

Interface

Interface settings

Administrators can configure both physical and virtual FortiGate interfaces in Network > Interfaces. The available options differ depending on whether the FortiGate is in NAT mode or transparent mode.

To configure an interface in the GUI:

  1. Go to Network > Interfaces.
  2. Click Create New > Interface.
  3. Configure the interface fields.
Interface Name: Physical interface names cannot be changed.

Alias: Enter an alternate name for a physical interface on the FortiGate unit. This field appears when you edit an existing physical interface. The alias does not appear in logs. The maximum length of the alias is 25 characters.

Link Status: Indicates whether the interface is connected to a network or not (link status is up or down). This field appears when you edit an existing physical interface.

Interface: This field appears when Type is set to VLAN. Select the name of the physical interface that you want to add a VLAN interface to. Once created, the VLAN interface is listed below its physical interface in the Interface list. You cannot change the physical interface of a VLAN interface except when you add a new VLAN interface.

Virtual Domain: Select the virtual domain to add the interface to. Administrator accounts with the super_admin profile can change the Virtual Domain.

Interface Members: This section can have two different formats depending on the interface type:
  • Software Switch: This section is a display-only field showing the interfaces that belong to the virtual interface of the software switch.
  • 802.3ad Aggregate or Redundant Interface: This section includes the available interface list and the selected interface list.

IP/Netmask: If Addressing Mode is set to Manual, enter an IPv4 address and subnet mask for the interface. FortiGate interfaces cannot have IP addresses on the same subnet.

IPv6 Address: If Addressing Mode is set to Manual and IPv6 support is enabled, enter an IPv6 address and subnet mask for the interface. A single interface can have an IPv4 address, IPv6 address, or both.

Secondary IP Address: Add additional IPv4 addresses to this interface.

To configure an interface in the CLI:

    config system interface
        edit "<Interface_Name>"
            set vdom "<VDOM_Name>"
            set mode static/dhcp/pppoe
            set ip <IP_address> <netmask>
            set allowaccess ping https ssh http telnet
            set secondary-IP enable
            config secondaryip
                edit 1
                    set ip 9.1.1.2 255.255.255.0
                    set allowaccess ping https ssh snmp http telnet
                next
            end
        next
    end

Configure administrative access to interfaces

You can configure the protocols that administrators can use to access interfaces on the FortiGate. This helps secure access to the FortiGate by restricting access to a limited number of protocols. It helps prevent users from accessing interfaces that you don’t want them to access, such as public-facing ports.

As a best practice, you should configure administrative access when you’re setting the IP address for a port.

To configure administrative access to interfaces in the GUI:

  1. Go to Network > Interfaces.
  2. Create or edit an interface.
  3. In the Administrative Access section, select which protocols to enable for IPv4 and IPv6 Administrative Access.
HTTPS Allow secure HTTPS connections to the FortiGate GUI through this interface. If configured, this option is enabled automatically.
PING The interface responds to pings. Use this setting to verify your installation and for testing.
HTTP Allow HTTP connections to the FortiGate GUI through this interface. If configured, this option also enables the HTTPS option.
SSH Allow SSH connections to the CLI through this interface.
SNMP Allow a remote SNMP manager to request SNMP information by connecting to this interface.
FMG-Access Allow FortiManager authorization automatically during the communication exchanges between FortiManager and FortiGate devices.
CAPWAP Allow the FortiGate wireless controller to manage a wireless access point such as a FortiAP device.

Aggregation and redundancy

Link aggregation (IEEE 802.3ad) enables you to bind two or more physical interfaces together to form an aggregated (combined) link. This new link has the bandwidth of all the links combined. If a link in the group fails, traffic is transferred automatically to the remaining interfaces. The only noticeable effect is reduced bandwidth.

This feature is similar to redundant interfaces. The major difference is a redundant interface group only uses one link at a time, where an aggregate link group uses the total bandwidth of the functioning links in the group, up to eight (or more).

Some models support the IEEE standard 802.3ad for link aggregation.

An interface is available to be an aggregate interface if:

  • It is a physical interface and not a VLAN interface or subinterface.
  • It is not already part of an aggregate or redundant interface.
  • It is in the same VDOM as the aggregated interface. Aggregate ports cannot span multiple VDOMs.
  • It does not have an IP address and is not configured for DHCP or PPPoE.
  • It is not referenced in any security policy, VIP, IP Pool, or multicast policy.
  • It is not an HA heartbeat interface.
  • It is not one of the FortiGate-5000 series backplane interfaces.

When an interface is included in an aggregate interface, it is not listed on the Network > Interfaces page. The member interfaces still appear in the CLI, but any configuration applied to them individually does not take effect. You cannot configure a member interface individually, and it is not available for inclusion in security policies, VIPs, IP pools, or routing.
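As an added example (not part of the guide or of any Fortinet tool), the following Python script parses "config system interface" text in the CLI format shown on this page and applies two checks from the sections above: it lists interfaces whose allowaccess still includes HTTP or Telnet (the administrative access section), and it lists physical interfaces that satisfy the aggregate-membership rules that can be checked from the interface table alone (physical, not VLAN, same VDOM, no IP address, not DHCP/PPPoE, not already a member). The sample configuration is constructed; an entry without a "set type" line is assumed to be a physical interface, and the rules that depend on other tables (policy, VIP and IP pool references, HA heartbeat, backplane ports) are not checked.

```python
import re

# Constructed FortiOS-style "show system interface" text for the demo (not from a real device).
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh http telnet
    next
    edit "port3"
        set vdom "root"
    next
    edit "port4"
        set vdom "root"
        set mode dhcp
    next
    edit "vlan10"
        set vdom "root"
        set type vlan
        set interface "port3"
    next
end
"""

CLEARTEXT = {"http", "telnet"}  # allowaccess protocols that carry admin credentials in the clear


def parse_interfaces(text):
    """Parse each 'edit "<name>" ... next' block into {name: {setting: [values]}}."""
    interfaces = {}
    for name, body in re.findall(r'edit "([^"]+)"(.*?)\n\s*next', text, re.S):
        interfaces[name] = {k: v.replace('"', "").split()
                            for k, v in re.findall(r"^\s*set (\S+) (.*)$", body, re.M)}
    return interfaces


def cleartext_admin_access(interfaces):
    """Interfaces whose allowaccess includes HTTP or Telnet: candidates for tightening."""
    return {n: sorted(set(c.get("allowaccess", [])) & CLEARTEXT)
            for n, c in interfaces.items() if set(c.get("allowaccess", [])) & CLEARTEXT}


def aggregate_candidates(interfaces, vdom):
    """Apply the guide's table-checkable membership rules: physical (assumed when no
    'set type' is present), same VDOM, no IP, not DHCP/PPPoE, not already a member."""
    taken = {m for c in interfaces.values() for m in c.get("member", [])}
    eligible = lambda c: (c.get("type", ["physical"])[0] == "physical" and "ip" not in c
                          and c.get("vdom", [""])[0] == vdom
                          and c.get("mode", ["static"])[0] not in ("dhcp", "pppoe"))
    return sorted(n for n, c in interfaces.items() if n not in taken and eligible(c))
```

Run it against the output of "show system interface" from a device to get the same two lists for a real configuration.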

Sample configuration

This example creates an aggregate interface on a FortiGate-140D POE using ports 3-5 with an internal IP address of 10.1.1.123, as well as the administrative access to HTTPS and SSH.

To create an aggregate interface using the GUI:

  1. Go to Network > Interfaces and select Create New > Interface.
  2. For Interface Name, enter Aggregate.
  3. For the Type, select 3ad Aggregate.
  4. In the physical Interface Members, click to add interfaces and select ports 4, 5, and 6.
  5. For Addressing mode, select Manual.
  6. For the IP address for the port, enter 10.1.1.123/24.
  7. For Administrative Access, select HTTPS and SSH.
  8. Select OK.

To create an aggregate interface using the CLI:

    FG140P3G15800330 (aggregate) # show
    config system interface
        edit "aggregate"
            set vdom "root"
            set ip 10.1.1.123 255.255.255.0
            set allowaccess ping https ssh snmp http fgfm radius-acct capwap ftm
            set type aggregate
            set member "port3" "port4" "port5"
            set device-identification enable
            set lldp-transmission enable
            set fortiheartbeat enable
            set role lan
            set snmp-index 45
        next
    end

Redundancy

In a redundant interface, traffic only goes over one interface at any time. This differs from an aggregated interface where traffic goes over all interfaces for increased bandwidth. This difference means redundant interfaces can have more robust configurations with fewer possible points of failure. This is important in a fully-meshed HA configuration.

An interface is available to be in a redundant interface if:

  • It is a physical interface and not a VLAN interface.
  • It is not already part of an aggregated or redundant interface.
  • It is in the same VDOM as the redundant interface.
  • It does not have an IP address and is not configured for DHCP or PPPoE.
  • It has no DHCP server or relay configured on it.
  • It does not have any VLAN subinterfaces.
  • It is not referenced in any security policy, VIP, or multicast policy.
  • It is not monitored by HA.
  • It is not one of the FortiGate-5000 series backplane interfaces.

When an interface is included in a redundant interface, it is not listed on the Network > Interfaces page. You cannot configure the interface individually and it is not available for inclusion in security policies, VIPs, or routing.

Sample configuration

To create a redundant interface using the GUI:

  1. Go to Network > Interfaces and select Create New > Interface.
  2. For Interface Name, enter Redundant.
  3. For the Type, select Redundant Interface.
  4. In the physical Interface Members, click to add interfaces and select ports 4, 5, and 6.
  5. For Addressing mode, select Manual.
  6. For the IP address for the port, enter 10.13.101.100/24.
  7. For Administrative Access, select HTTPS and SSH.
  8. Select OK.

To create a redundant interface using the CLI:

    config system interface
        edit "red"
            set vdom "root"
            set ip 10.13.101.100 255.255.255.0
            set allowaccess https http
            set type redundant
            set member "port4" "port5" "port6"
            set device-identification enable
            set role lan
            set snmp-index 9
        next
    end

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
