FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 272064
Description This article describes how to configure ISP IPv4 WAN on VLAN (Layer 3).
Scope FortiGate v6.0.0 and above.

For GUI:

Go to Network -> Interfaces.


  1. Create a VLAN interface over the WAN interface:
  • Select Type: VLAN.
  • Select the VLAN ID (number provided by the ISP).
  • Define the Role: WAN
  • Enter the IP address with the correct subnet mask (or leave DHCP if that is the case).
  • Define the Administrative Access for this VLAN, remember that this works similarly as a physical interface.
  • Select 'OK'.




Remember that this information is provided by the ISP: 


  1. After creation, set the static IP, pointing to this new VLAN interface.


Go to Network -> static routes.

  • Create New.
  • Define the Gateway address.
  • Left the as this is the default.
  • Select the interface ISP_L3.
  • Left the Default config for Administrative Distance and Priority.
  • Select 'OK'.




  1. After creating the objects above steps, it is necessary to modify the LAN to WAN policy and ALL policies that mentioned this interface as a principal to allow traffic to the internet:
  • Select the Outgoing interface: The VLAN is created.
  • Select 'OK'.




Configure the Interface by CLI console:


config system interface

    edit "ISP_L3"

        set vdom "root"

        set ip

        set allowaccess ping https http

        set role wan

        set snmp-index 19

        set interface "port2"

        set vlanid 100




Configure the static route by CLI console:


FGTAWS (3) # show

config router static

    edit 3

        set gateway

        set device "ISP_L3"




Modify the Policy by CLI console:


config firewall policy

    edit 7

        set status enable

        set name "To_INTERNET"

        set uuid 3730360e-4b5f-51ee-66bd-1481a21243de

        set srcintf "port3"

        set dstintf "ISP_L3" <----- This will be the new interface, the name may change by the configuration.

        set action accept

        set srcaddr "all"

        set dstaddr "all"

        set schedule "always"

        set service "ALL"

        set utm-status enable

        set ssl-ssh-profile "certificate-inspection"

        set logtraffic all

        set nat enable





If there is any doubt about how to create a VLAN, check the document:

Configure the VLAN interfaces on FortiVoice and FortiGate
Technical Tip: How to create a VLAN tagged interface (802.1q) on a FortiGate - tagged/untagged traff...