Handbook

What's new
- Fortinet Security Fabric
- Manageability
- Networking
- Security
  - SSH MITM deep inspection
Getting started
- Installation
- Using the GUI
- Using the CLI
- FortiExplorer for iOS
- LED specifications
- Inspection mode
- Basic administration
- Firmware
- FortiGuard
- FortiCloud
- Troubleshooting your installation
- Resources
Fortinet Security Fabric
- Overview
  - Benefits
  - Components
- Configuration
- Using the Fortinet Security Fabric
- Automation stitches
- Fabric Connectors
SD-WAN
- Configuring SD-WAN
  - SD-WAN requirements
  - Configuring a basic SD-WAN deployment
- Monitoring SD-WAN
- Applying traffic shaping to SD-WAN traffic
- Viewing SD-WAN information in the Fortinet Security Fabric
High availability
- HA solutions
- FGCP HA
- FGCP HA examples
- Virtual clustering
- Full mesh HA
  - Full mesh HA example
  - Troubleshooting full mesh HA
- Operating a cluster
- Failover protection
- Session failover
- HA and load balancing
- FortiGate-VM and third-party HA
- VRRP
- FGSP
- Standalone configuration sync
Firewall
- Firewall concepts
- IPv6
- Network defense
- Policies
- Addresses
- Virtual IPs
- IP pools
- Services
- Schedules
- WAN optimization, proxies, web caching, and WCCP
- Example topologies
- WAN optimization
- Transparent and explicit proxies
- Explicit web proxy
- Explicit FTP proxy
- Web caching
- WCCP
- WAN optimization diagnose commands
Security Profiles
- Overview
- Inside FortiOS
- Inspection modes
- AntiVirus
- Web filtering
- DNS filter
  - FortiGuard botnet protection
- Application control
- Intrusion prevention
- Anti-spam filter
- Data leak prevention
- ICAP support
- FortiClient Compliance Profiles
- Proxy options
- SSL/SSH inspection
- Other considerations
Authentication
- Introduction to authentication
- Authentication servers
- Users and user groups
- FortiToken Mobile user instructions
- Managing guest access
- Configuring authenticated access
- Captive portals
- Certificate-based authentication
- Single sign-on using a FortiAuthenticator unit
- Single sign-on to Windows AD
- Agent-based FSSO
- SSO using RADIUS accounting records
- Monitoring authenticated users
- Examples and troubleshooting
IPsec VPN
- IPsec VPN concepts
  - VPN tunnels
  - VPN gateways
  - Clients, servers, and peers
  - Encryption
  - Authentication
  - Phase 1 and Phase 2 settings
  - Security Association
  - IKE and IPsec packet processing
- IPsec VPN overview
  - Types of VPNs
  - Planning your VPN
  - General preparation steps
  - How to use this guide to configure an IPsec VPN
- IPsec VPN from the GUI
  - Phase 1 configuration
  - Concentrator
  - IPsec Monitor
- Phase 1 parameters
  - Overview
  - Defining the tunnel ends
  - Choosing Main mode or Aggressive mode
  - Authenticating the FortiGate unit
  - Authenticating remote peers and clients
  - Defining IKE negotiation parameters
  - Using XAuth authentication
  - Dynamic IPsec route control
- Phase 2 parameters
  - Phase 2 settings
  - Configuring Phase 2 parameters
- Defining VPN security policies
  - Defining policy addresses
  - Defining security policies
- Gateway-to-gateway configuration
  - Gateway-to-gateway configuration
  - Testing
- Hub-and-spoke configuration
  - Configuration overview
  - Configure the hub
  - Configure the spokes
  - Dynamic spokes configuration example
- One-Click VPN (OCVPN)
  - General configuration
  - Key exchange
  - Device polling and controller information
  - System states
  - Debugging and logging
- Dynamic DNS configuration
  - Configuration overview
- FortiClient dialup-client configuration
  - Configuration overview
- FortiGate dialup-client configuration
  - Configuration overview
- Supporting IKE Mode Config clients
  - Automatic configuration overview
- Internet-browsing configuration
  - Configuration overview
- Redundant VPN configuration
  - Configuration overview
- Transparent-mode VPN configuration
  - Configuration overview
- IPv6 IPsec VPNs
  - Configuration examples
- L2TP and IPsec (Microsoft VPN)
  - Configuration overview
- GRE over IPsec (Cisco VPN)
  - Configuration overview
- Protecting OSPF with IPsec
  - Configuration overview
- Redundant OSPF routing over IPsec
  - Configuration
- BGP over dynamic IPsec
- IPsec Auto-Discovery VPN (ADVPN)
  - Example ADVPN configuration
- Logging and monitoring
  - Monitoring VPN connections
  - VPN event logs
- Troubleshooting
  - General troubleshooting tips
  - Troubleshooting L2TP and IPsec
  - Troubleshooting GRE over IPsec
SSL VPN
- Overview
- SSL VPN best practices
- Basic configuration
- SSL VPN client
  - FortiClient
  - Tunnel mode client configuration
- SSL VPN web portal
- Setup examples
- Troubleshooting
Networking
- Interfaces
- DNS
- Advanced static routing
- Dynamic routing
- Multicast forwarding
- Modems
- Troubleshooting
Transparent mode
- Overview
  - What is transparent mode?
  - Transparent mode features
- Installation
- Networking in transparent mode
- Firewalls and security in transparent mode
- IPsec VPN in transparent mode
- Using FortiManager and FortiAnalyzer
- High availability in transparent mode
  - Virtual clustering
  - MAC address assignment
- Best practices
VoIP Solutions: SIP
- Inside FortiOS: Voice over IP (VoIP) protection
- Common SIP VoIP configurations
  - Peer to peer configuration
  - SIP proxy server configuration
  - SIP redirect server configuration
  - SIP registrar configuration
  - SIP with a FortiGate
- SIP messages and media protocols
  - Hardware accelerated RTP processing
  - SIP request messages
  - SIP response messages
  - SIP message start line
  - SIP headers
  - The SIP message body and SDP session profiles
  - Example SIP messages
- The SIP session helper
  - SIP session helper configuration overview
  - Viewing, removing, and adding the SIP session helper configuration
  - Changing the port numbers that the SIP session helper listens on
  - Configuration example: SIP session helper in transparent mode
  - SIP session helper diagnose commands
- The SIP ALG
  - Enabling VoIP support from the GUI
  - SIP ALG configuration overview
  - VoIP profiles
  - Changing the port numbers that the SIP ALG listens on
  - Disabling the SIP ALG in a VoIP profile
  - SIP ALG diagnose commands
- Conflicts between the SIP ALG and the session helper
- Stateful SIP tracking, call termination, and session inactivity timeout
  - Adding a media stream timeout for SIP calls
  - Adding an idle dialog setting for SIP calls
  - Changing how long to wait for call setup to complete
- SIP and RTP/RTCP
- How the SIP ALG creates RTP pinholes
- Configuration example: SIP in transparent mode
- RTP enable/disable (RTP bypass)
- Opening and closing SIP register, contact, via and record-route pinholes
- Accepting SIP register responses
- How the SIP ALG performs NAT
  - SIP ALG source address translation
  - SIP ALG destination address translation
  - SIP call re-invite messages
  - How the SIP ALG translates IP addresses in SIP headers
  - How the SIP ALG translates IP addresses in the SIP body
  - SIP NAT scenario: source address translation (source NAT)
  - SIP NAT scenario: destination address translation (destination NAT)
  - SIP NAT configuration example: source address translation (source NAT)
  - SIP NAT configuration example: destination address translation (destination NAT)
  - SIP and RTP source NAT
  - SIP and RTP destination NAT
  - Source NAT with an IP pool
  - Different source and destination NAT for SIP and RTP
  - NAT with IP address conservation
  - Controlling how the SIP ALG NATs SIP contact header line addresses
  - Controlling NAT for addresses in SDP lines
  - Translating SIP session destination ports
  - Translating SIP sessions to multiple destination ports
  - Adding the original IP address and port to the SIP message header after NAT
- Enhancing SIP pinhole security
- Hosted NAT traversal
  - Configuration example: Hosted NAT traversal for calls between SIP Phone A and SIP Phone B
  - Hosted NAT traversal for calls between SIP Phone A and SIP Phone C
  - Restricting the RTP source IP
- SIP over IPv6
- Deep SIP message inspection
  - Actions taken when a malformed message line is found
  - Logging and statistics
  - Deep SIP message inspection best practices
  - Configuring deep SIP message inspection
- Blocking SIP request messages
- SIP rate limiting
  - Limiting the number of SIP dialogs accepted by a security policy
- SIP logging
- Inspecting SIP over SSL/TLS (secure SIP)
  - Adding the SIP server and client certificates
  - Adding SIP over SSL/TLS support to a VoIP profile
- SIP and HA–session failover and geographic redundancy
  - SIP geographic redundancy
  - Supporting geographic redundancy when blocking OPTIONS messages
  - Support for RFC 2543-compliant branch parameters
- SIP and IPS
- SIP debugging
  - SIP debug log format
  - SIP-proxy filter per VDOM
  - SIP-proxy filter command
  - SIP debug setting
  - Display SIP rate-limit data
Best practices
- General considerations
- Customer service and technical support
- Fortinet Knowledge Base
- System and performance
  - Performance
  - Shutting down
- Migration
- Environmental specifications
  - Grounding
  - Rack mounting
- Firmware
- Security Profiles (AV, Web Filtering etc.)
- Networking
- FGCP high availability
  - Heartbeat interfaces
  - Interface monitoring (port monitoring)
- WAN Optimization
- Virtual Domains (VDOMs)
- Explicit proxy
- Wireless
- Logging and reporting
  - Log management
  - System memory and hard disks
Managing devices
- Managing “bring your own device”
- Managing Fortinet devices
Server load balancing
- Inside FortiOS: server load balancing
- Basic load balancing configuration example
- Configuring load balancing
- HTTP and HTTPS load balancing, multiplexing, and persistence
- SSL/TLS load balancing
- IP, TCP, and UDP load balancing
- Example HTTP load balancing to three real web servers
- Example Basic IP load balancing configuration
- Example Adding a server load balance port forwarding virtual IP
- Example Weighted load balancing configuration
- Example HTTP and HTTPS persistence configuration
System administration
- Administrators
- Monitoring
- Replacement messages
- Administration for schools
- PPTP and L2TP
  - Configuring L2TP VPNs
  - L2TP configuration overview
- Session helpers
- Advanced concepts
Traffic shaping
- Overview
- Configuring traffic shaping
- Monitoring traffic shaping
- Traffic shaping examples
- Traffic shaping priority queueing (PRIQ)
- Troubleshooting traffic shaping
Virtual Domains
- VDOMs overview
  - Benefits
  - Configurations
- Configuring VDOMs
- Example configurations
  - Example 1: NAT mode
  - Example 2: NAT and transparent mode
- Troubleshooting VDOMs
FortiWifi and FortiAP Configuration
- Introduction to wireless networking
- Captive portals
- WiFi LAN configuration
- Access point deployment
- Remote AP setup
- Wireless mesh
  - Configuring a meshed WiFi network
  - Configuring a point-to-point bridge
- Hotspot 2.0
- Combining WiFi and wired networks with a software switch
  - FortiAP local bridging (private cloud-managed AP)
  - Using bridged FortiAPs to increase scalability
- Using remote WLAN FortiAPs
- Features for high-density deployments
- Wireless network protection
- Wireless network monitoring
- Wireless network client configuration
- Wireless network examples
  - Basic wireless network example
  - Complex wireless network example
- Managing a FortiAP with FortiCloud
  - FortiCloud-managed FortiAP WiFi
  - FortiCloud-managed FortiAP WiFi without a key
- Using a FortiWiFi unit as a client
  - Using a FortiWiFi unit in the client mode
  - Configuring a FortiAP unit as a WiFi Client in client mode
- Support for location-based services
  - Configuring location tracking
  - Viewing device location data on the FortiGate unit
- Troubleshooting
- Reference
FortiSwitch devices managed by FortiOS
- Connecting FortiLink ports
- Using the FortiGate GUI
- Using the FortiGate CLI
- Network topologies
- Optional setup tasks
- FortiSwitch port features
- FortiSwitch port security policy
- Additional capabilities
- Troubleshooting
FortiOS Carrier
- Overview of FortiOS Carrier features
  - MMS
  - GTP
- MMS Concepts
- MMS Configuration
- GTP basic concepts
- GTP Configuration
- SCTP Concepts
  - SCTP Firewall
- Troubleshooting
Sandbox inspection
- Using FortiSandbox with a FortiGate
  - Connecting a FortiGate to FortiSandbox
  - FortiSandbox console
- Sandbox integration
  - Overview
  - Example configuration
- Sandbox inspection FAQ
FortiView
- Overview
  - Enabling FortiView
  - FortiView interface
- FortiView consoles
- Reference
- Troubleshooting
Logging and reporting
- Logging and reporting overview
- Logging and reporting for small networks
- Logging and reporting for large networks
- Advanced logging
- Troubleshooting and logging
Troubleshooting
- Troubleshooting methodologies
- Troubleshooting tools
- Troubleshooting tips
- Troubleshooting resources

Home FortiGate / FortiOS 6.0.0 Handbook

6.0.0

DHCP servers and relays

A DHCP server provides an address, from a defined address range, to a client on the network that requests it.

An interface can't provide both a server and a relay for connections of the same type (regular or IPsec). However, you can configure a regular DHCP server on an interface only if the interface is a physical interface with a static IP address. You can configure an IPsec DHCP server on an interface that has either a static or a dynamic IP address.

You can configure one or more DHCP servers on any FortiGate interface. A DHCP server dynamically assigns IP addresses to hosts on the network connected to the interface. The host computers must be configured to obtain their IP addresses using DHCP.

If an interface is connected to multiple networks through routers, you can add a DHCP server for each network. The IP range of each DHCP server must match the network address range. The routers must be configured for DHCP relay.

You can configure a FortiGate interface as a DHCP relay. The interface forwards DHCP requests from DHCP clients to an external DHCP server and returns the responses to the DHCP clients. The DHCP server must have appropriate routing so that its response packets to the DHCP clients arrive at the unit.

DHCP server options aren't available in transparent mode.

Configuring DHCP servers

To add a DHCP server, go to Network > Interfaces. Edit the interface, and select DHCP in the addressing mode.

Field	Description
Address Range	By default, the FortiGate unit assigns an address range based on the address of the interface for the complete scope of the address. For example, if the interface address is 172.20.120.230, the default range created is 172.20.120.231 to 172.20.120.254. Select the range and select Edit to adjust the range or select Create New to add a different range.
Netmask	Enter the netmask of the addresses that the DHCP server assigns.
Default Gateway	Select this to use either Same as Interface IP or select Specify and enter the IP address of the default gateway that the DHCP server assigns to DHCP clients.
DNS Server	Select this to use Same as system DNS, Same as Interface IP or select Specify and enter the IP address of the DNS server.
Mode	Select the type of DHCP server FortiGate will be. By default, it is a Server. Select Relay if needed. When Relay is selected, the above configuration is replaced by a field to enter the DHCP Server IP address.
DHCP Server IP	This appears only when Mode is Relay. Enter the IP address of the DHCP server where FortiGate obtains the requested IP address.
Type	Select this to use the DHCP in Regular or IPsec mode.
Additional DHCP Options	Use this to create new DHCP options.
MAC Address + Access Control	Select this to match an IP address from the DHCP server to a specific client or device using its MAC address. In a typical situation, an IP address is assigned ad hoc to a client, and that assignment times out after a specific time of inactivity from the client, known as the lease time. To ensure a client or device always has the same IP address (there is no lease time), use IP reservation.
Add from DHCP Client List	If the client is currently connected and using an IP address from the DHCP server, you can select this option to select the client from the list.

Configuring the DHCP relay agent option

You can configure the DHCP relay agent option (option 82 in RFC 3046). This option is disabled by default. However, when you enable dhcp-relay-service, dhcp-relay-agent-option is enabled.

To configure the DHCP relay agent option, use the following CLI commands:

config system interface

edit <interface>

set vdom root

set dhcp-relay-service enable

set dhcp-relay-ip <ip>

set dhcp-relay-agent-option enable

set vlanid <id>

end

For more information about the DHCP relay option, see RFC 3046 (DHCP Relay Agent Information Option).

Configuring DHCP with IPv6

You can use DHCP with IPv6, using the CLI. To configure DHCP, ensure IPv6 is enabled by going to System > Feature Visibility and enable IPv6 under Basic Features. Use the following CLI command:

config system dhcp6 server

For more information about the configuration options, see the FortiOS CLI Reference.

DHCPv6 prefix delegation

FortiGate supports prefix delegation for DHCP for IPv6 addressing. It’s not practical to manually provision networks on a large scale in IPv6 networking. You can use DHCPv6 prefix delegation to assign a network address prefix, and automate the configuration and provisioning of the public routable addresses for the network.

To enable the prefix delegation - CLI:

config system interface

edit "wan1"

config ipv6

set ip6-mode dhcp

set ip6-allowaccess ping

set dhcp6-prefix-delegation enable

end

Range for DHCPv6 prefix delegation

You can configure a range for DHCPv6 server prefix delegation. You can add a prefix range (starting and ending prefixes) and a prefix length. The prefix length determines the length of the prefix that the FortiGate sends downstream.

To configure a range for DHCPv6 prefix delegation – CLI:

config system dhcp6 server

edit <id>

config prefix-range

edit <id>

set start-prefix <prefix>

set end-prefix <prefix>

set prefix-length <length>

end

DHCPv6 prefix hint

This feature is used to "hint" to upstream DCHPv6 servers a desired prefix length for their subnet to be assigned in response to its request.

There is a possibility of duplicate prefixes being sent by ISP when using a /64 bit subnet because the first 64 bits of the address are derived from the MAC address of the interface. This could cause an issue if the system administrator wishes to divide the host networks into 2 /64 bit subnets.

By receiving a /60 bit (for example) network address, the administrator can then divide the internal host works without the danger of creating duplicate subnets.

Also included in the new feature, are preferred times for the life and valid life of the DHCP lease.

DHCPv6 hint for the prefix length:

set dhcp6-prefix-hint <DHCPv6 prefix that will be used as a hint to the upstream DHCPv6 server>

DHCPv6 hint for the preferred life time:

set dhcp6-prefix-hint-plt <integer> 1 ~ 4294967295 seconds or "0" for unlimited lease time

DHCPv6 hint for the valid life time:

set dhcp6-prefix-hint-vlt <integer> 1 ~ 4294967295 seconds or "0" for unlimited lease time

Service

On low-end FortiGate units, a DHCP server is configured on the internal interface, by default, with the following values:

Field	Value
Address Range	192.168.1.110 to 192.168.1.210
Netmask	255.255.255.0
Default Gateway	192.168.1.99
Lease Time	7 days
DNS Server 1	192.168.1.99

These settings are appropriate for the default internal interface IP address of 192.168.1.99. If you change this address to a different network, you need to change the DHCP server settings to match.

Alternatively, after the FortiGate unit assigns an address, you can go to Monitor > DHCP Monitor and locate the specific user. Right-click and select Create/Edit IP Reservation.

Configuring the lease time

The lease time determines the length of time an IP address remains assigned to a client. Once the lease expires, the address is released for allocation to the next client that requests an IP address.

To configure the lease time, use the following CLI commands:

config system dhcp server

edit <server_entry_number>

set lease-time <seconds>

end

The default lease time is seven days. To have an unlimited lease time, set the value to zero.

Configuring TFTP servers

You can configure multiple Trivial File Transfer Protocol (TFTP) servers for a Dynamic Host Configuration Protocol (DHCP) server. For example, you may want to configure a main TFTP server and a backup TFTP server.

The tftp-server command allows you to configure the TFTP servers, using either their hostnames or IP addresses. Separate multiple server entries with spaces.

To configure TFTP servers - CLI:

config system dhcp server

edit <server ID>

set tftp-server <hostname/IP address> <hostname/IP address>

end

Configuring the DHCP renew time

You can set a minimum DHCP renew time. This option is available only when mode is set to dhcp.

To set the DHCP renew time - CLI:

config system interface

edit <name>

set mode dhcp

set dhcp-renew-time <seconds>

end

The possible values for dhcp-renew-time are 300 to 605800 seconds (five minutes to seven days). To use the renew time that the server provides, set this entry to 0.

DHCP options

When you add a DHCP server, you can include DHCP codes and options. The DHCP options are BOOTP vendor information fields that provide additional vendor‑independent configuration parameters to manage the DHCP server. For example, you may need to configure a FortiGate DHCP server that gives out a separate option, as well as an IP address, such as an environment that needs to support PXE boot with Windows images.

The option numbers and codes are specific to a particular application. The documentation for the application should provide the values you should use. Option codes are represented in option value and HEX value pairs. The option is a value between 1 and 255.

You can add up to three DHCP code/option pairs per DHCP server.

To configure option 252 with value http://192.168.1.1/wpad.dat - CLI:

config system dhcp server

edit <server_entry_number>

set option1 252 687474703a2f2f3139322e3136382e312e312f777061642e646174

end

For more information about DHCP options, see RFC 2132 (DHCP Options and BOOTP Vendor Extensions).

FortiGate DHCP works with DDNS to allow FQDN connectivity to leased IP addresses

As clients are assigned IP addresses, they send back information that would be found in an A record to the FortiGate DHCP server, which can take this information and pass it back to a corporate DNS server so that even devices using leased IP address can be reached using FQDNs. You can configure the settings for this feature using the ddns-update CLI command and some other ddns related options.

DHCP server option fields

In place of specific fields, the DHCP server maintains a table for the potential options. The FortiOS DHCP server supports up to a maximum of 30 custom options.These optional fields are set in the CLI.

To get to the DHCP server - CLI:

config system dhcp server

edit <integer - ID of the specific DHCP server>

To configure the options, use the following CLI command:

config options

Once you are in the options context, create an ID for the table entry, using the following CLI commands:

edit <integer>

set code <integer between 0 - 4294967295 to determine the DHCP option>

set type [ hex | string | ip ]

set value <option content for DHCP option types hex and string>

set ip <option content for DHCP option type ip>

end

Excluding addresses in DHCP

If you have a large address range for the DHCP server, you can block a range of addresses that won't be included in the available addresses for the connecting users.

To exclude addresses in DHCP - CLI:

config system dhcp server

edit <server_entry_number>

config exclude-range

edit <sequence_number>

set start-ip <address>

set end-ip <address>

end

Viewing information about DHCP server connections

To view information about DHCP server connections, go to Monitor > DHCP Monitor. On this page, you can also add IP addresses to the reserved IP address list.

Breaking an address lease

If you need to end an IP address lease, you can break the lease. This is useful if you have limited addresses and longer lease times when some leases are no longer necessary, for example, with corporate visitors.

To break a lease - CLI:

execute dhcp lease-clear <ip_address>