-> to continue the example from above: port1 on FortiGate is LAN interface, with 192.168.0.254/24, wan1 is WAN interface with a public IP, port2 is HA management interface with 10.0.0.101/24 and 10.0.0.102 on the other node, and port3 is the gateway for that management subnet with 10.0.0.254/24 (other switches/routers/etc could also have their management IPs in 10.0.0.0/24 subnet, and FortiGate would serve as gateway to those management interfaces, including the cluster nodes' own interfaces) -> cabling would be something like: port2 (HA management) on both FortiGates go to a switch, and from that switch would go back to port3 (gateway for management subnet) on the FortiGates. Start or stop the interface. All switch ports must remain in standalone mode. Maximum missed LCP echo messages before disconnect. Static: Specify a static IP address. Note that by using both Set and Undo, the CLI configurations do not become cumulative on the device. I hope that clarifies it? Indicates whether or not the CLI commands associated with port based ACLs have been successful. If the interface is stopped it does not accept or send packets. Double-click the row for a physical interface to Also a terminal server(s) is necessary to access each console port when it doesn't even boot up correctly, unless all of them are locally located. The IP address must be on the same subnet as the network to which the interface connects. The valid range is 0 to 32,000. What is the secret here? config system console I feel that I'd better not do that unless I can test it but building a test environment seems as good as impossible at the moment. Will that get stuck?
The idea behind the dedicated HA management interfaces is, if you already have a setup with a dedicated management subnet (or are looking to accomplish this), the FortiGate HA interfaces can tie into that, and each unit is accessible by itself, to separate management traffic from user/application/other traffic. FortiGate VDOM or Virtual Domain splits a FortiGate device into multiple virtual devices. Nowadays most switches can do that with a separate VLAN. Configure interfaces. This modifies the network device's behavior as long as those commands are in force. NOTE: The NTP server must be configured on the FortiSwitch unit either manually or provided by DHCP. Specify the IP address and CIDR-formatted subnet mask, separated by a forward slash ( / ), such as 2001:0db8:85a3::8a2e:0370:7334/64. And that's why I had this question in the first place, does anybody have a working solution without using NAT and overlapping subnet (and not using a separate mgmt-FGT device to get access to those mgmt IP's). Seconds the system waits before it retries to discover the PPPoE server. If overlapping of subnets is not allowed, it can't be in the same unit/VDOM if it is meant to be a real address. Of course. Date and time of the last modification to this configuration. This example shows how to set the FortiDB port1 interface IP address and netmask to 192.168.100.159 255.255.255.0, and the management access to ping, https, and ssh.
TL;DR: no you do not need a separate FortiGate to get to the HA management interfaces, but yes you technically need a gateway (another router like a second FortiGate, or the FortiGate itself in a weird loop) if you want to use the HA management interfaces for out-of-band (as in, separate subnet) access, Using CLI configurations you can do the following: Apply or remove specific CLI configurations to networking devices based on control states, such as registration, authentication, or quarantine. Auto: Speed and duplex are negotiated automatically. See Show configuration. We recommend this option only for network interfaces connected to a trusted private network, or directly to your management computer. Thank you for the explanation. It should have been like 10.0.0.96/28, then GW on the switch side is .110 so that each device can take 101-104. You use the HA node IP list configuration in an HA active-active deployment. If you stop a physical interface, VLAN interfaces associated with it also stop.
Opens the CLI window and displays all of the commands in the Set and Undo sections of the configuration. If required, remove port 1 from the lan interface: Configure port 1 as the FortiLink interface: Authorize the FortiSwitch unit as a managed switch. Standardized CLI lx. 3. With that size of network, you must have many other L3 devices in your network to route your management traffic to get to each FGT's management port. You can create a set of CLI commands to perform an operation, and a separate set to undo the operation. Type the password for this administrator and press I guess that even if instead of a VLAN I'd have port3 for that purpose as in the above description (10.0.0.254), I'd get the same error in GUI when adding the IP to mgmt1 that it is overlapping with the network on port3. If you are editing the configuration for a physical interface, you cannot set the type. Name used to identify the CLI configuration. Seems like a bug.
edit set vdom {string} set span-dest-port {string} set span-source Please could someone tell me if there is a single CLI command to display the entire FortiGate configuration and will create the same output as Backing up the configuration via the GUI? Manually set the FortiSwitch unit to FortiLink mode: Configure the discovery setting for the FortiSwitch unit. config system virtual-switch edit lan config port delete port4 delete port5, config system interface edit flink1 (enter a name, 11 characters maximum) set ip 169.254.3.1 255.255.255.0 set allowaccess ping capwap https set vlanforward enable set type aggregate set member port4 port5 set lacp-mode static set fortilink enable, (optional) set fortilink-split-interface enable next. Each VDOM has independent security policies, routing table and by-default traffic from VDOM Is it possible to remove the fortilink interface setting on a Fortigate 40F and add it to the hardware switch like interfaces 1-3 are by default? Recommended. I have to think about it, what would it mean in our environment to use that routing and what else needs to be configured then. Indicates success or failure to substitute the "Port, VLAN, IP, or MAC" data into the CLI. 2. set allowaccess {http https ping ssh telnet}. It looks like the thing that I did in the past years ago using NAT is the only possible way without another device to get the different mgmt IP's working. In the following procedure, port 4 and port 5 are configured as a FortiLink LAG.
The CLI syntax is created by processing the schema from FortiGate models running FortiOS 7.0.5 and reformatting the resultant CLI output. My questions about it are as follows. If the gateway is something else, then we are talking about routing tables and then the question is how the traffic to HA mgmt interfaces reaches these interfaces from other networks. But which one, considering different VLANs? Configure at least one port of the FortiSwitch unit as an uplink port. For port8 as mgmt interface, I still don't understand. NOTE: FortiSwitch will reboot when you issue the set fsw-wan1-admin enable command. This document assumes that you are familiar with the CLI commands available for your devices and, therefore, does not include individual commands in the instructions. ", doesn't really tell me anything what is it really and what is it used for. Strangely enough, I was not allowed to set an IP in that route because of the error message: "Gateway IP is the same as interface IP, please choose another IP." Use the DNS addresses retrieved from the PPPoE server instead of the one configured in the FortiADC system settings. NOTE: The FortiSwitch unit will reboot when you issue the set fsw-wan1-admin enable command. This section describes how to configure FortiLink using the FortiGate CLI. You can also configure FortiLink mode over a layer-3 network. the network device sends interface counters. The default is 1500.
You can either use DHCP discovery or static discovery. Configure FortiLink on any physical port on the FortiGate unit and authorize the FortiSwitch unit as a managed switch. See, Apply or remove ACL based CLI configurations to hosts connected to the network on a Layer 2 or Layer 3 device. 4. If you want to add or remove an option from the list, retype the list as required. config switch-controller managed-switch edit FS224D3W14000370. A CLI configuration is a set of commands that are normally used through the command line interface. The value you specify must match the VLAN ID added by the IEEE 802.1q-compliant router or switch connected to the VLAN subinterface. It is not shown in the diagram. The following example configures port1 (the management interface): allowaccess : https ping ssh snmp http telnet, FortiADC-VM (port1) # set ip 192.0.2.5/24. That was so in 5.4. I don't use these separate IP's for sending out SNMP or other stuff but if I did then I'm not sure how the Fortigate really handles this. Basic Fortigate configuration with CLI commands. You must have read-write permission for system settings. " what gateway to use for traffic from the HA interface". See Configuration in use. We recommend this option only for network interfaces connected to a trusted private network, or directly to your management computer. Opens the Modify CLI Configuration window. You shouldn't rely on one of FGTs to route/NAT your access. For the subnet and mask -- I understood what you mean. All FortiSwitch units within an FSI must be connected to the same FortiGate unit. Where should the gateway be for that network? This software currently supports CLI commands for Cisco, D-Link, HP ProCurve, Nortel, Enterasys, Brocade, and Extreme wired and wireless devices. Why's that, I don't understand.
Use the following command to enable or disable multiple FortiLink interfaces. Regular set up for management interfaces is to have a unique IP for each FGT and set the GW outside and route access via GW device(s). Disconnect after idle timeout in seconds. But there's no access to the mgmt interfaces anymore even though the firewall rule matched. The valid range is between 1 and 4094. I have never done this and I have too many questions about it so I better not go this way this time. Has anybody got working the mgmt of HA cluster members without overlapping subnets (in one of the VDOMs of the same device) and without a firewall rule with NAT? You can configure FortiLink on a logical interface: link-aggregation group (LAG), hardware switch, or software switch. NOTE: LAG is supported on all FortiSwitch models and on FortiGate models FGT-100D and above. But with 6.4 and possibly with other earlier 6.x this can't be configured anymore because GUI has its warnings and prevents this happening (maybe modifying configuration file would work but why go so far). Ping: Enables ping and traceroute to be received on this network interface. Connectivity layers that will be considered when distributing frames among the aggregated physical ports: Specify the physical interfaces that are included in the aggregation. All of the configuration applies ONLY to management traffic on the FortiGate (logging in, sending SNMP, logging, etc); regular traffic passing through the FortiGate will not be affected by any changes done on the HA interfaces. VLAN ID of packets that belong to this VLAN. Indicates whether or not the configuration of the scheduled task was successful. Type a valid administrator name and press Enter. The FortiSwitch unit needs a functioning layer-3 routing configuration to reach the FortiGate unit or any feature-configured destination, such as syslog or 802.1x.
Specify a space-separated list of the following options: Secondary IP addresses can be used when you deploy the system so that it belongs to multiple logical subnets. If you have comments on this content, its format, or requests for commands that are not included, contact us at techdoc@fortinet.com. There are several CLI Configuration events that can be enabled and mapped to alarms for notification: Generated when a user tries to configure a Scheduled task that involves applying a CLI configuration to a group. Enable inbound service traffic on the IP address for the specified services. Two network interfaces cannot have IP addresses on the same subnet (i.e. I thought about the routing from one of our switches. If multiple different physical network ports will handle the same VLANs, on each of the ports, create VLAN subinterfaces that have the same VLAN IDs. In my case I don't want to have a separate FGT for management. NOTE: Only the first FortiLink interface has GUI support. config switch-controller global set allow-multiple-interfaces {enable | disable}. If you have an existing subnet/VLAN dedicated to device management, for example, you might want to put the FortiGate HA interfaces into this. The commands beneath each branch are not in alphabetical order. To access the CLI configuration view, go to Network > CLI Configuration. You have at least four FGT devices in multiple clusters. CLI commands are applied to the device exactly as they are created. See. We recommend you maintain the default. In the following steps, port 1 is configured as the FortiLink port. Also, not only booting but in some cases other errors appear there which are not shown in the system logs (maybe newer FOS versions show those in system log too, I haven't checked it). You must have Read-Write permission for System settings. So I tried diag debug flow.
Usually the gateway should be in the same subnet, not in some other. That other was even a VLAN, not ssw or another physical. If the FortiSwitch management port is used for a layer-3 connection to the FortiGate unit, the FSI can contain only one FortiSwitch unit. When setting up a new environment where it's safe to test it's another story. I basically have the cabling already as described. The following limitations apply to FSIs operating in FortiLink mode over a layer-3 network: To configure a FortiSwitch unit to operate in a layer-3 network: config switch-controller global set ac-discovery dhcp set dhcp-option-code end, config switch interface edit set fortilink-l3-mode enable. We recommend this option instead of Telnet. Basic Fortigate configuration with CLI commands. Will it need a default route? Technical Tip: Verify configuration in CLI. If necessary, you can set the MAC address. Getting the mgmt out-of-band has not been a goal for me (so far). If I use unique IP's in a unique network, put those cables into their own VLAN -- how do I get there from another management network? I find it helps to think of the FortiGate's HA interfaces as completely isolated from everything else on the FortiGate; they can't be used for routing or policies or anything, and have their own (tiny) routing table based on the defined gateway and subnets; if no subnet is defined in destinations, the HA management interfaces essentially have their own independent default route. But one thing is unclear and even confusing: what is the gateway in "management interface reservation" configuration? Run below commands to display the In this configuration I could manage every one of the four devices separately and this has been useful and needed to get the HA fixed when it has broken sometimes.