Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • FortiGate-6000 Handbook

    Home FortiGate-6000 7.0.16 FortiGate-6000 Handbook
    7.0.16
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.10
    7.0.5
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.10
    6.4.8
    6.4.6
    6.4.2
    6.2.16
    6.2.16
    6.2.15
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.7
    6.2.6
    6.2.4
    6.2.3
    6.0.18
    6.0.17
    6.0.16
    6.0.15
    6.0.14
    6.0.13
    6.0.12
    6.0.10
    6.0.9
    6.0.8
    6.0.6
    6.0.4
    5.6.14
    5.6.12
    5.6.11
    5.6.7
    5.4.10

    Adding flow rules to support DHCP relay

    Adding flow rules to support DHCP relay

    The FortiGate-6000 default flow rules may not handle DHCP relay traffic correctly.

    The default configuration includes the following flow rules for DHCP traffic:

    config load-balance flow-rule

    edit 7

    set status enable

    set vlan 0

    set ether-type ipv4

    set src-addr-ipv4 0.0.0.0 0.0.0.0

    set dst-addr-ipv4 0.0.0.0 0.0.0.0

    set protocol udp

    set src-l4port 67-67

    set dst-l4port 68-68

    set action forward

    set forward-slot master

    set priority 5

    set comment "dhcpv4 server to client"

    next

    edit 8

    set status enable

    set vlan 0

    set ether-type ipv4

    set src-addr-ipv4 0.0.0.0 0.0.0.0

    set dst-addr-ipv4 0.0.0.0 0.0.0.0

    set protocol udp

    set src-l4port 68-68

    set dst-l4port 67-67

    set action forward

    set forward-slot master

    set priority 5

    set comment "dhcpv4 client to server"

    end

    These flow rules handle traffic when the DHCP client sends requests to a DHCP server using port 68 and the DHCP server responds using port 67. However, if DHCP relay is involved, requests from the DHCP relay to the DHCP server and replies from the DHCP server to the DHCP relay both use port 67. If this DHCP relay traffic passes through the FortiGate-6000 you must add a flow rule similar to the following to support port 67 DHCP traffic in both directions (the following example uses edit 0 to add the DHCP relay flow using the next available flow rule index number):

    config load-balance flow-rule

    edit 0

    set status enable

    set vlan 0

    set ether-type ipv4

    set src-addr-ipv4 0.0.0.0 0.0.0.0

    set dst-addr-ipv4 0.0.0.0 0.0.0.0

    set protocol udp

    set src-l4port 67-67

    set dst-l4port 67-67

    set action forward

    set forward-slot master

    set priority 5

    set comment "dhcpv4 relay"

    next

    The default configuration also includes the following flow rules for IPv6 DHCP traffic:

        edit 13
        set status enable
        set vlan 0
        set ether-type ipv6
        set src-addr-ipv6 ::/0
        set dst-addr-ipv6 ::/0
        set protocol udp
        set src-l4port 547-547
        set dst-l4port 546-546
        set action forward
        set forward-slot master
        set priority 5
        set comment "dhcpv6 server to client"
    next
    edit 14
        set status enable
        set vlan 0
        set ether-type ipv6
        set src-addr-ipv6 ::/0
        set dst-addr-ipv6 ::/0
        set protocol udp
        set src-l4port 546-546
        set dst-l4port 547-547
        set action forward
        set forward-slot master
        set priority 5
        set comment "dhcpv6 client to server"
    next

    These flow rules handle traffic when the IPv6 DHCP client sends requests to a DHCP server using port 547 and the DHCP server responds using port 546. However, if DHCP relay is involved, requests from the DHCP relay to the DHCP server and replies from the DHCP server to the DHCP relay both use port 547. If this DHCP relay traffic passes through the FortiGate 6000F you must add a flow rule similar to the following to support port 547 DHCP traffic in both directions (the following example uses edit 0 to add the DHCP relay flow using the next available flow rule index number):

    config load-balance flow-rule

    edit 0

    set status enable

    set vlan 0

    set ether-type ipv6

    set src-addr-ipv6 ::/0

    set dst-addr-ipv6 ::/0

    set protocol udp

    set src-l4port 547-547

    set dst-l4port 547-547

    set action forward

    set forward-slot master

    set priority 5

    set comment "dhcpv6 relay"

    next

    Previous
    Next

    Adding flow rules to support DHCP relay

    Adding flow rules to support DHCP relay

    The FortiGate-6000 default flow rules may not handle DHCP relay traffic correctly.

    The default configuration includes the following flow rules for DHCP traffic:

    config load-balance flow-rule

    edit 7

    set status enable

    set vlan 0

    set ether-type ipv4

    set src-addr-ipv4 0.0.0.0 0.0.0.0

    set dst-addr-ipv4 0.0.0.0 0.0.0.0

    set protocol udp

    set src-l4port 67-67

    set dst-l4port 68-68

    set action forward

    set forward-slot master

    set priority 5

    set comment "dhcpv4 server to client"

    next

    edit 8

    set status enable

    set vlan 0

    set ether-type ipv4

    set src-addr-ipv4 0.0.0.0 0.0.0.0

    set dst-addr-ipv4 0.0.0.0 0.0.0.0

    set protocol udp

    set src-l4port 68-68

    set dst-l4port 67-67

    set action forward

    set forward-slot master

    set priority 5

    set comment "dhcpv4 client to server"

    end

    These flow rules handle traffic when the DHCP client sends requests to a DHCP server using port 68 and the DHCP server responds using port 67. However, if DHCP relay is involved, requests from the DHCP relay to the DHCP server and replies from the DHCP server to the DHCP relay both use port 67. If this DHCP relay traffic passes through the FortiGate-6000 you must add a flow rule similar to the following to support port 67 DHCP traffic in both directions (the following example uses edit 0 to add the DHCP relay flow using the next available flow rule index number):

    config load-balance flow-rule

    edit 0

    set status enable

    set vlan 0

    set ether-type ipv4

    set src-addr-ipv4 0.0.0.0 0.0.0.0

    set dst-addr-ipv4 0.0.0.0 0.0.0.0

    set protocol udp

    set src-l4port 67-67

    set dst-l4port 67-67

    set action forward

    set forward-slot master

    set priority 5

    set comment "dhcpv4 relay"

    next

    The default configuration also includes the following flow rules for IPv6 DHCP traffic:

        edit 13
        set status enable
        set vlan 0
        set ether-type ipv6
        set src-addr-ipv6 ::/0
        set dst-addr-ipv6 ::/0
        set protocol udp
        set src-l4port 547-547
        set dst-l4port 546-546
        set action forward
        set forward-slot master
        set priority 5
        set comment "dhcpv6 server to client"
    next
    edit 14
        set status enable
        set vlan 0
        set ether-type ipv6
        set src-addr-ipv6 ::/0
        set dst-addr-ipv6 ::/0
        set protocol udp
        set src-l4port 546-546
        set dst-l4port 547-547
        set action forward
        set forward-slot master
        set priority 5
        set comment "dhcpv6 client to server"
    next

    These flow rules handle traffic when the IPv6 DHCP client sends requests to a DHCP server using port 547 and the DHCP server responds using port 546. However, if DHCP relay is involved, requests from the DHCP relay to the DHCP server and replies from the DHCP server to the DHCP relay both use port 547. If this DHCP relay traffic passes through the FortiGate 6000F you must add a flow rule similar to the following to support port 547 DHCP traffic in both directions (the following example uses edit 0 to add the DHCP relay flow using the next available flow rule index number):

    config load-balance flow-rule

    edit 0

    set status enable

    set vlan 0

    set ether-type ipv6

    set src-addr-ipv6 ::/0

    set dst-addr-ipv6 ::/0

    set protocol udp

    set src-l4port 547-547

    set dst-l4port 547-547

    set action forward

    set forward-slot master

    set priority 5

    set comment "dhcpv6 relay"

    next

    Previous
    Next