Configuring System Settings

Configuring the network interfaces

The System > Network > Interface tab displays the FortiMail unit’s network interfaces.

You must configure at least one network interface for the FortiMail unit to connect to your network. Depending on your network topology and other considerations, you can connect the FortiMail unit to your network using two or more of the network interfaces. You can configure each network interface separately. You can also configure advanced interface options, including

VLAN subinterfaces, redundant interfaces, and loopback interfaces. For more information, see “About FortiMail logical interfaces” on page 246, and “Editing network interfaces” on page 248.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read-Write permission to the Others category

For details, see “About administrator account permissions and domains” on page 290.

To view the list of network interfaces, go to System > Network > Interface.

Figure 102:Interface tab (server and gateway mode)

Figure 103:Interface tab (transparent mode)

GUI item Description
Name Displays the name of the network interface, such as port1.

If the FortiMail unit is operating in transparent mode, this column also indicates that the management IP address is that of port1. For more information, see “About the management IP” on page 245.

Type Displays the interface type: physical, VLAN, redundant, or loopback. For details, see “About FortiMail logical interfaces” on page 246.
Bridge

Member

In transparent mode, this column indicates if the port is on the same bridge as the management IP. By default, all ports are on the bridge. See “Editing network interfaces” on page 248 for information on bridged networks in transparent mode.

IP/Netmask Displays the IP address and netmask of the network interface.

If the FortiMail unit is in transparent mode, IP/Netmask may alternatively display bridging. This means that “Do not associate with management IP” on page 253 has been disabled, and the network interface is acting as a Layer 2 bridge. If high availability (HA) is also enabled, IP and Netmask may alternatively display bridged (isolated) while the effective HA operating mode is slave and therefore the network interface is currently disconnected from the network, or bridging (waiting for recovery) while the effective HA operating mode is failed and the network interface is currently disconnected from the network but a failover may soon occur, beginning connectivity. For more information, see “Effective Operating Mode” on page 315 and “Virtual IP address” on page 328.

IPv6/Netma Displays the IPv6 address and netmask of the network interface. For more sk information about IPv6 support, see “About IPv6 Support” on page 244.

Access Displays the administrative access and webmail access services that are enabled on the network interface, such as HTTPS for the web UI.
Status Indicates the up (available) or down (unavailable) administrative status for the network interface.

•      Green up arrow: The network interface is up and can receive traffic.

•      Red down arrow: The network interface is down and cannot or receive traffic.

To change the administrative status (that is, bring up or down a network interface), see “Editing network interfaces” on page 248.

Editing network interfaces

You can edit FortiMail’s physical network interfaces to change their IP addresses, netmasks, administrative access protocols, and other settings. You can also create or edit logical interfaces, such as VLANs, redundant interfaces and the loopback interface.

Enable administrative access only on network interfaces connected to trusted private networks or directly to your management computer. If possible, enable only secure administrative access protocols such as HTTPS or SSH. Failure to restrict administrative access could compromise the security of your FortiMail unit.

If your FortiMail unit operates in transparent mode and depending on your network topology, you may need to configure the network interfaces of the FortiMail unit.

  • If all email servers protected by the FortiMail unit are located on the same subnet, no network interface configuration is necessary. Bridging is the default configuration for network interfaces when the FortiMail unit operates in transparent mode, and the FortiMail unit will bridge all connections occurring through it from the network to the protected email servers.
  • If email servers protected by the FortiMail unit are located on different subnets, you must connect those email servers through separate physical ports on the FortiMail unit, and configure the network interfaces associated with those ports, assigning IP addresses and removing them from the bridge.

It is possible to configure a mixture of bridging and non-bridging network interfaces. For example, if some email servers belong to the same subnet, network interfaces for those email servers may remain in the bridge group; email servers belonging to other subnets may be attached to network interfaces that are not associated with the bridge.

  1. Go to System > Network > Interface.
  2. Double-click a network interface to modify it or select the interface and click Edit. If you want to create a logical interface, click New.

The Edit Interface dialog appears. Its appearance varies by:

  • the operation mode of the FortiMail unit (gateway, transparent, or server)
  • if the FortiMail unit is operating in transparent mode, by whether the network interface is port1, which is required to be configured as a Layer 2 bridge and associated with the management IP, and therefore cannot be configured with its own IP and Netmask
  1. For gateway mode or server mode, configure the following: Figure 104:Edit Interface dialog (gateway mode and server mode)
GUI item Description
Interface Name If you are editing an existing interface, this field displays the name (such as port2) and media access control (MAC) address for this network interface.

If you are creating a logical interface, enter a name for the interface.

Type If you are creating a logical interface, select which type of interface you want to create. For information about logical interface types, see “About FortiMail logical interfaces” on page 246.
VLAN If you want to create a VLAN subinterface, select the interface for which you want to create the subinterface for.

Then specify a VLAN ID. Valid VLAN ID numbers are from 1 to 4094, while 0 is used for high priority frames, and 4095 is reserved.

Redundant If you want to create a redundant interface, select the interface members from the available interfaces. Usually, you need to include two or more interfaces as the redundant interface members.
Loopback If you want to add a loopback interface, select the Loopback type and the interface name will be automatically reset to “loopback”.

You can only add one loopback interface on FortiMail.

Addressing mode  
Manual Select to enter a static IP address, then enter the IP address and netmask for the network interface in IP/Netmask.
IP/Netmask Enter the IP address and netmask for the network interface. If the FortiMail unit is operating in gateway mode or server mode, this option is available only if Manual is selected.

Note: IP addresses of different interfaces cannot be on the same subnet.

DHCP Select to retrieve a dynamic IP address using DHCP.

This option appears only if the FortiMail unit is operating in gateway mode or server mode.

Retrieve default Enable to retrieve both the default gateway and DNS addresses gateway and from the DHCP server, replacing any manually configured values. DNS from server

Connect to Enable for the FortiMail unit to attempt to obtain DNS addressing server information from the DHCP server.

Disable this option if you are configuring the network interface offline, and do not want the unit to attempt to obtain addressing information at this time.

 

GUI item Description
Access Enable protocols that this network interface should accept for connections to the FortiMail unit itself. (These options do not affect connections that will travel through the FortiMail unit.)

•      HTTPS: Enable to allow secure HTTPS connections to the web-based manager, webmail, and per-recipient quarantine through this network interface.

•      HTTP: Enable to allow HTTP connections to the web-based manager, webmail, and per-recipient quarantine through this network interface.

For information on redirecting HTTP requests for webmail and per-recipient quarantines to HTTPS, see “Configuring global quarantine report settings” on page 602.

•      PING: Enable to allow ICMP ECHO (ping) responses from this network interface.

For information on configuring the network interface from which the FortiMail unit itself will send pings, see the FortiMail CLI Reference.

•      SSH: Enable to allow SSH connections to the CLI through this network interface.

•      SNMP: Enable to allow SNMP connections (queries) to this network interface.

For information on further restricting access, or on configuring the network interface that will be the source of traps, see “Configuring the network interfaces” on page 247.

•      TELNET: Enable to allow Telnet connections to the CLI through this network interface.

Caution: HTTP and Telnet connections are not secure, and can be intercepted by a third party. If possible, enable this option only for network interfaces connected to a trusted private network, or directly to your management computer. Failure to restrict administrative access through this protocol could compromise the security of your FortiMail unit. For information on further restricting access of administrative connections, see “Configuring administrator accounts” on page 294.

MTU  
GUI item Description
Override default

MTU value (1500)

Enable to change the maximum transmission unit (MTU) value, then enter the maximum packet or Ethernet frame size in bytes.

If network devices between the FortiMail unit and its traffic destinations require smaller or larger units of traffic, packets may require additional processing at each node in the network to fragment or defragment the units, resulting in reduced network performance. Adjusting the MTU to match your network can improve network performance.

The default value is 1500 bytes. The MTU size must be between 576 and 1500 bytes. Change this if you need a lower value; for example, RFC 2516 prescribes a value of 1492 for the PPPoE protocol.

Administrative status Select either:

•      Up: Enable (that is, bring up) the network interface so that it can send and receive traffic.

•      Down: Disable (that is, bring down) the network interface so that it cannot send or receive traffic.

  1. If the FortiMail unit is operating in transparent mode, configure the following:

Figure 105: Editing a network interface (transparent mode, non-bridging)

Figure 106: Editing a network interface (transparent mode, port1)

 

GUI item Description
Interface Name Displays the name (such as port2) and media access control (MAC) address for this network interface.

If you are creating a logical interface, enter a name for the interface.

Type If you are creating a logical interface, select which type of interface you want to create. For information about logical interface types, see “About FortiMail logical interfaces” on page 246.
VLAN If you want to create a VLAN subinterface, select the interface for which you want to create the subinterface for.

Then specify a VLAN ID. Valid VLAN ID numbers are from 1 to 4094, while 0 is used for high priority frames, and 4095 is reserved.

Redundant If you want to create a redundant interface, select the interface members from the available interfaces. Usually, you need to include two or more interfaces as the redundant interface members.
Loopback If you want to add a loopback interface, select the Loopback type and the interface name will be automatically reset to “loopback”.

You can only add one loopback interface on FortiMail.

Addressing mode  
Do not associate with management

IP

Enable to configure an IP address and netmask for this network interface, separate from the management IP, then configure IIP/Netmask.

This option appears only if the network interface is not port1, which is required to be a member of the bridge.

IP/Netmask Enter the IP address and netmask for the network interface. If the FortiMail unit is operating in transparent mode, this option is available only if Do not associate with management IP is enabled.

 

GUI item Description
Access Enable protocols that this network interface should accept for connections to the FortiMail unit itself. (These options do not affect connections that will travel through the FortiMail unit.)

•      HTTPS: Enable to allow secure HTTPS connections to the web-based manager, webmail, and per-recipient quarantine through this network interface.

•      HTTP: Enable to allow HTTP connections to the web-based manager, webmail, and per-recipient quarantine through this network interface.

For information on redirecting HTTP requests for webmail and per-recipient quarantines to HTTPS, see “Configuring global quarantine report settings” on page 602.

•      PING: Enable to allow ICMP ECHO (ping) responses from this network interface.

For information on configuring the network interface from which the FortiMail unit itself will send pings, see the FortiMail CLI Reference.

•      SSH: Enable to allow SSH connections to the CLI through this network interface.

•      SNMP: Enable to allow SNMP connections (queries) to this network interface.

For information on further restricting access, or on configuring the network interface that will be the source of traps, see “Configuring the network interfaces” on page 247.

•      TELNET: Enable to allow Telnet connections to the CLI through this network interface.

Caution: HTTP and Telnet connections are not secure, and can be intercepted by a third party. If possible, enable this option only for network interfaces connected to a trusted private network, or directly to your management computer. Failure to restrict administrative access through this protocol could compromise the security of your FortiMail unit. For information on further restricting access of administrative connections, see “Configuring administrator accounts” on page 294.

MTU  
Override default

MTU value (1500)

Enable to change the maximum transmission unit (MTU) value, then enter the maximum packet or Ethernet frame size in bytes.

If network devices between the FortiMail unit and its traffic destinations require smaller or larger units of traffic, packets may require additional processing at each node in the network to fragment or defragment the units, resulting in reduced network performance. Adjusting the MTU to match your network can improve network performance.

The default value is 1500 bytes. The MTU size must be between 576 and 1500 bytes. Change this if you need a lower value; for example, RFC 2516 prescribes a value of 1492 for the PPPoE protocol.

 

GUI item Description
Administrative status Select either:

•      Up: Enable (that is, bring up) the network interface so that it can send and receive traffic.

•      Down: Disable (that is, bring down) the network interface so that it cannot send or receive traffic.

SMTP Proxy When operating in transparent mode, the FortiMail unit can use either transparent proxies or an implicit relay to inspect SMTP connections. If connection pick-up is enabled for connections on that network interface, the FortiMail unit can scan and process the connection. If not enabled, the FortiMail unit can either block or permit the connection to pass through unmodified.

Exceptions to SMTP connections that can be proxied or relayed include SMTP connections destined for the FortiMail unit itself. For those local connections, such as email messages from email users requesting deletion or release of their quarantined email, you must choose to either allow or block the connection.

For more information about FortiMail transparent mode proxy and implicit STMP relay, see “Configuring proxies (transparent mode only)” on page 414.

Note: When a FortiMail unit proxies or relays traffic, whether the email will be scanned or not depends on the policies you specify. For more information about policies, see “Configuring policies” on page 453.

Incoming connections Select how the proxy or built-in MTA will handle SMTP connections for that interface that are incoming to the IP addresses of email servers belonging to a protected domain.

•      Pass through: Permit connections but do not proxy or relay. Because traffic is not proxied or relayed, no policies will be applied.

•      Drop: Drop connections.

•      Proxy: Proxy or relay connections. Once intercepted, policies determine any further scanning or logging actions. For more information, see “Configuring policies” on page 453.

Note: Depending on your network topology, you may want to verify that email is not being scanned twice. This could result if, due to mail routing, an email would travel through the FortiMail unit multiple times in order to reach its final destination, and you have selected Proxy more than once on this page. For an example, see “Avoiding scanning email twice” on page 418.

GUI item Description
Outgoing connections Select how the proxy or built-in MTA will handle SMTP connections for that interface that are outgoing to the IP addresses of email servers that are not a protected domain.

•      Pass through: Permit connections but do not proxy or relay. Because traffic is not proxied or relayed, no policies will be applied.

•      Drop: Drop connections.

•      Proxy: Proxy or relay connections. Once intercepted, policies determine any further scanning or logging actions. For more information, see “Configuring policies” on page 453.

Note: Depending on your network topology, you may want to verify that email is not being scanned twice. This could result if, due to mail routing, an email would travel through the FortiMail unit multiple times in order to reach its final destination, and you have selected Proxy more than once on this page. For an example, see “Avoiding scanning email twice” on page 418.

Local connections elect how the FortiMail unit will handle SMTP connections on each network interface that are destined for the FortiMail unit itself, such as quarantine release or delete messages and Bayesian training messages.

•      Allow: SMTP connections will be allowed.

•      Disallow: SMTP connections will be blocked.

To configure a non-bridging network interface

  1. Go to System > Network > Interface.
  2. Double-click the network interface to modify it or select the interface and click Edit.

Figure 107: Editing a network interface (transparent mode, non-bridging)

  1. Enable Do not associate with management IP.

This option appears only when the FortiMail unit is operating in transparent mode and the network interface is not port1, which is required to be a member of the bridge.

  1. In IP/Netmask, enter the IP address and netmask of the network interface.
  2. Click OK.

Repeat this procedure for each network interface that is connected to an email server on a distinct subnet. When complete, configure static routes for those email servers. For details, see “Configuring static routes”.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.