Configure a Network Interface

An interface is any port (physical or virtual) on the FortiGate. Each interface has a role (WAN, LAN, DMZ), an IP address, and access settings (HTTPS, SSH, ping). Interface configuration is the foundation of everything — firewall policies, routing, VPNs all reference interfaces.

Before You Start

  • Know which physical port the cable is plugged into (e.g. wan1, port1, internal).
  • Know what role the interface should play (WAN / LAN / DMZ).
  • Know the IP scheme — static IP or DHCP from upstream.

Steps

  1. Network → Interfaces.
  2. Click the interface name (or the edit icon next to it).
  3. Interface Name is locked (it's the physical port label).
  4. Set Alias — a friendly label like Internet-Primary or Office-LAN. Optional but recommended; reduces confusion.
  5. Role — pick:
    • WAN for internet-facing.
    • LAN for internal trusted networks.
    • DMZ for semi-trusted (public-facing servers).
    • Undefined for special cases.
  6. Addressing mode:
    • Manual — set static IP/Netmask (e.g. 203.0.113.10/24).
    • DHCP — let upstream router/ISP assign.
    • PPPoE — for DSL connections.
    • One-Arm Sniffer — for IDS-only deployments.
  7. Administrative Access — check which admin services should answer on this interface:

    • HTTPS — admin GUI access.
    • SSH — CLI access.
    • PING — responds to ICMP echo.
    • FMG-Access — FortiManager management.
    • CAPWAP — for managed FortiAPs.
    • FCT-Access — for FortiClient.
    • Security Fabric Connection — for Fabric topology.

    Warning

    NEVER enable HTTPS / SSH on a WAN interface unless you have strong protections (Trusted Hosts list, MFA, geo-block). Public admin exposure is the #1 cause of compromised FortiGates.

  8. DHCP Server — enable on LAN interfaces if this FortiGate should hand out IPs to clients. See Set Up a DHCP Server.
  9. Device Detection: Enabled for LAN interfaces lets FortiGate fingerprint connected devices.
  10. Status: Up to enable the interface, Down to disable.
  11. Click OK to save.

CLI Equivalent

config system interface
edit wan1
    set alias "Internet-Primary"
    set role wan
    set ip 203.0.113.10/24
    set allowaccess ping
    set status up
next
end
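
An added example (not part of the original page and not Fortinet tooling): a short Python audit of a saved configuration that applies the Administrative Access warning above, listing interfaces with role wan whose allowaccess includes https or ssh. The sample configuration is constructed and the function names are hypothetical; only the interface's own allowaccess line is checked, nested blocks are skipped.

```python
# Admin services the page's warning says should not answer on a WAN interface.
RISKY = {"https", "ssh"}

# Constructed sample in FortiOS config syntax (not taken from a real device).
SAMPLE_CONFIG = """
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping
    next
    edit "wan2"
        set role wan
        set allowaccess ping https ssh
        config ipv6
            set ip6-allowaccess ping
        end
    next
    edit "internal"
        set role lan
        set allowaccess ping https ssh
    next
end
"""

def parse_interfaces(text):
    """Return {interface: {setting: [values]}} for 'config system interface' only."""
    interfaces, current, depth = {}, None, 0
    for raw in text.splitlines():
        tokens = raw.replace('"', " ").split()  # drop the quotes around names
        if not tokens:
            continue
        if tokens[0] == "config":
            # depth 1 = the interface block itself; deeper = nested blocks to skip
            depth = depth + 1 if depth else int(tokens[1:] == ["system", "interface"])
        elif depth and tokens[0] == "end":
            depth -= 1
        elif depth == 1 and tokens[0] == "edit" and len(tokens) > 1:
            current = interfaces.setdefault(tokens[1], {})
        elif depth == 1 and tokens[0] == "set" and current is not None and len(tokens) > 1:
            current[tokens[1]] = tokens[2:]
    return interfaces

def exposed_wan_admin(text):
    """Map each role-wan interface to the risky services in its allowaccess."""
    return {name: sorted(RISKY & set(cfg["allowaccess"]))
            for name, cfg in parse_interfaces(text).items()
            if cfg.get("role") == ["wan"] and RISKY & set(cfg.get("allowaccess", []))}

if __name__ == "__main__":
    print(exposed_wan_admin(SAMPLE_CONFIG))
```

A hit is a prompt to review rather than a verdict, because protections such as a Trusted Hosts list are configured elsewhere and are not examined here.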

Verify

get system interface

Look for your interface in the list — status should be up, IP should match what you set.

Test connectivity:

execute ping 8.8.8.8                  # from a WAN with internet route
execute ping-options source 192.168.1.99  # source the pings that follow from a specific interface IP
execute ping 192.168.1.1              # to upstream gateway

Common Issues

  • Interface won't come up. Cable issue, duplex mismatch, or SFP not recognized. Check Network → Interfaces for the link status icon (green = up, red = down). On CLI: get system interface physical.
  • Can't reach the FortiGate via the interface. Administrative Access doesn't include HTTPS/SSH/PING. Add via console if you're locked out.
  • DHCP didn't get an IP. ISP isn't actually serving DHCP on that VLAN, or wrong MAC/handshake. Try static if you know the IP.
  • Got an IP but no internet. Default route missing. See Add a Static Route — set 0.0.0.0/0 via the upstream gateway.
  • Two interfaces in the same subnet. FortiGate will refuse. Each interface needs its own subnet.