CLI Reference

system dhcp server

Configure DHCP servers.

  config system dhcp server
      Description: Configure DHCP servers.
      edit <id>
          set status [disable|enable]
          set lease-time {integer}
          set mac-acl-default-action [assign|block]
          set forticlient-on-net-status [disable|enable]
          set dns-service [local|default|...]
          set dns-server1 {ipv4-address}
          set dns-server2 {ipv4-address}
          set dns-server3 {ipv4-address}
          set wifi-ac1 {ipv4-address}
          set wifi-ac2 {ipv4-address}
          set wifi-ac3 {ipv4-address}
          set ntp-service [local|default|...]
          set ntp-server1 {ipv4-address}
          set ntp-server2 {ipv4-address}
          set ntp-server3 {ipv4-address}
          set domain {string}
          set wins-server1 {ipv4-address}
          set wins-server2 {ipv4-address}
          set default-gateway {ipv4-address}
          set next-server {ipv4-address}
          set netmask {ipv4-netmask}
          set interface {string}
          config ip-range
              Description: DHCP IP range configuration.
              edit <id>
                  set start-ip {ipv4-address}
                  set end-ip {ipv4-address}
              next
          end
          set timezone-option [disable|default|...]
          set timezone [01|02|...]
          set tftp-server <tftp-server1>, <tftp-server2>, ...
          set filename {string}
          config options
              Description: DHCP options.
              edit <id>
                  set code {integer}
                  set type [hex|string|...]
                  set value {string}
                  set ip {user}
              next
          end
          set server-type [regular|ipsec]
          set ip-mode [range|usrgrp]
          set conflicted-ip-timeout {integer}
          set ipsec-lease-hold {integer}
          set auto-configuration [disable|enable]
          set ddns-update [disable|enable]
          set ddns-update-override [disable|enable]
          set ddns-server-ip {ipv4-address}
          set ddns-zone {string}
          set ddns-auth [disable|tsig]
          set ddns-keyname {string}
          set ddns-key {user}
          set ddns-ttl {integer}
          set vci-match [disable|enable]
          set vci-string <vci-string1>, <vci-string2>, ...
          config exclude-range
              Description: Exclude one or more ranges of IP addresses from being assigned to clients.
              edit <id>
                  set start-ip {ipv4-address}
                  set end-ip {ipv4-address}
              next
          end
          config reserved-address
              Description: Options for the DHCP server to assign IP settings to specific MAC addresses.
              edit <id>
                  set type [mac|option82]
                  set ip {ipv4-address}
                  set mac {mac-address}
                  set action [assign|block|...]
                  set circuit-id-type [hex|string]
                  set circuit-id {string}
                  set remote-id-type [hex|string]
                  set remote-id {string}
                  set description {var-string}
              next
          end
      next
  end

config system dhcp server

| Parameter Name | Description | Type | Size |
|---|---|---|---|
| status | Enable/disable this DHCP configuration. disable: Do not use this DHCP server configuration. enable: Use this DHCP server configuration. | option | - |
| lease-time | Lease time in seconds, 0 means unlimited. | integer | Minimum value: 300 Maximum value: 8640000 |
| mac-acl-default-action | MAC access control default action (allow or block assigning IP settings). assign: Allow the DHCP server to assign IP settings to clients on the MAC access control list. block: Block the DHCP server from assigning IP settings to clients on the MAC access control list. | option | - |
| forticlient-on-net-status | Enable/disable FortiClient-On-Net service for this DHCP server. disable: Disable FortiClient On-Net Status. enable: Enable FortiClient On-Net Status. | option | - |
| dns-service | Options for assigning DNS servers to DHCP clients. local: IP address of the interface the DHCP server is added to becomes the client's DNS server IP address. default: Clients are assigned the FortiGate's configured DNS servers. specify: Specify up to 3 DNS servers in the DHCP server configuration. | option | - |
| dns-server1 | DNS server 1. | ipv4-address | Not Specified |
| dns-server2 | DNS server 2. | ipv4-address | Not Specified |
| dns-server3 | DNS server 3. | ipv4-address | Not Specified |
| wifi-ac1 | WiFi Access Controller 1 IP address (DHCP option 138, RFC 5417). | ipv4-address | Not Specified |
| wifi-ac2 | WiFi Access Controller 2 IP address (DHCP option 138, RFC 5417). | ipv4-address | Not Specified |
| wifi-ac3 | WiFi Access Controller 3 IP address (DHCP option 138, RFC 5417). | ipv4-address | Not Specified |
| ntp-service | Options for assigning Network Time Protocol (NTP) servers to DHCP clients. local: IP address of the interface the DHCP server is added to becomes the client's NTP server IP address. default: Clients are assigned the FortiGate's configured NTP servers. specify: Specify up to 3 NTP servers in the DHCP server configuration. | option | - |
| ntp-server1 | NTP server 1. | ipv4-address | Not Specified |
| ntp-server2 | NTP server 2. | ipv4-address | Not Specified |
| ntp-server3 | NTP server 3. | ipv4-address | Not Specified |
| domain | Domain name suffix for the IP addresses that the DHCP server assigns to clients. | string | Maximum length: 35 |
| wins-server1 | WINS server 1. | ipv4-address | Not Specified |
| wins-server2 | WINS server 2. | ipv4-address | Not Specified |
| default-gateway | Default gateway IP address assigned by the DHCP server. | ipv4-address | Not Specified |
| next-server | IP address of a server (for example, a TFTP server) that DHCP clients can download a boot file from. | ipv4-address | Not Specified |
| netmask | Netmask assigned by the DHCP server. | ipv4-netmask | Not Specified |
| interface | DHCP server can assign IP configurations to clients connected to this interface. | string | Maximum length: 15 |
| timezone-option | Options for the DHCP server to set the client's time zone. disable: Do not set the client's time zone. default: Clients are assigned the FortiGate's configured time zone. specify: Specify the time zone to be assigned to DHCP clients. | option | - |
| timezone | | | |
| tftp-server <tftp-server> | One or more hostnames or IP addresses of the TFTP servers in quotes separated by spaces. TFTP server. | string | Maximum length: 63 |
| filename | Name of the boot file on the TFTP server. | string | Maximum length: 127 |
| server-type | DHCP server can be a normal DHCP server or an IPsec DHCP server. regular: Regular DHCP service. ipsec: DHCP over IPsec service. | option | - |
| ip-mode | Method used to assign client IP. range: Use range defined by start-ip/end-ip to assign client IP. usrgrp: Use user-group defined method to assign client IP. | option | - |
| conflicted-ip-timeout | Time in seconds to wait after a conflicted IP address is removed from the DHCP range before it can be reused. | integer | Minimum value: 60 Maximum value: 8640000 |
| ipsec-lease-hold | DHCP over IPsec leases expire this many seconds after tunnel down (0 to disable forced-expiry). | integer | Minimum value: 0 Maximum value: 8640000 |
| auto-configuration | Enable/disable auto configuration. disable: Disable auto configuration. enable: Enable auto configuration. | option | - |
| ddns-update | Enable/disable DDNS update for DHCP. disable: Disable DDNS update for DHCP. enable: Enable DDNS update for DHCP. | option | - |
| ddns-update-override | Enable/disable DDNS update override for DHCP. disable: Disable DDNS update override for DHCP. enable: Enable DDNS update override for DHCP. | option | - |
| ddns-server-ip | DDNS server IP. | ipv4-address | Not Specified |
| ddns-zone | Zone of your domain name (ex. DDNS.com). | string | Maximum length: 64 |
| ddns-auth | DDNS authentication mode. disable: Disable DDNS authentication. tsig: TSIG based on RFC2845. | option | - |
| ddns-keyname | DDNS update key name. | string | Maximum length: 64 |
| ddns-key | DDNS update key (base 64 encoding). | user | Not Specified |
| ddns-ttl | TTL. | integer | Minimum value: 60 Maximum value: 86400 |
| vci-match | Enable/disable vendor class identifier (VCI) matching. When enabled, only DHCP requests with a matching VCI are served. disable: Disable VCI matching. enable: Enable VCI matching. | option | - |
| vci-string <vci-string> | One or more VCI strings in quotes separated by spaces. VCI strings. | string | Maximum length: 255 |

config ip-range

| Parameter Name | Description | Type | Size |
|---|---|---|---|
| start-ip | Start of IP range. | ipv4-address | Not Specified |
| end-ip | End of IP range. | ipv4-address | Not Specified |

config options

| Parameter Name | Description | Type | Size |
|---|---|---|---|
| code | DHCP option code. | integer | Minimum value: 0 Maximum value: 255 |
| type | DHCP option type. hex: DHCP option in hex. string: DHCP option in string. ip: DHCP option in IP. fqdn: DHCP option in domain search option format. | option | - |
| value | DHCP option value. | string | Maximum length: 312 |
| ip | DHCP option IPs. | user | Not Specified |

config exclude-range

| Parameter Name | Description | Type | Size |
|---|---|---|---|
| start-ip | Start of IP range. | ipv4-address | Not Specified |
| end-ip | End of IP range. | ipv4-address | Not Specified |

config reserved-address

| Parameter Name | Description | Type | Size |
|---|---|---|---|
| type | DHCP reserved-address type. mac: Match with MAC address. option82: Match with DHCP option 82. | option | - |
| ip | IP address to be reserved for the MAC address. | ipv4-address | Not Specified |
| mac | MAC address of the client that will get the reserved IP address. | mac-address | Not Specified |
| action | Options for the DHCP server to configure the client with the reserved MAC address. assign: Configure the client with this MAC address like any other client. block: Block the DHCP server from assigning IP settings to the client with this MAC address. reserved: Assign the reserved IP address to the client with this MAC address. | option | - |
| circuit-id-type | DHCP option type. hex: DHCP option in hex. string: DHCP option in string. | option | - |
| circuit-id | Option 82 circuit-ID of the client that will get the reserved IP address. | string | Maximum length: 312 |
| remote-id-type | DHCP option type. hex: DHCP option in hex. string: DHCP option in string. | option | - |
| remote-id | Option 82 remote-ID of the client that will get the reserved IP address. | string | Maximum length: 312 |
| description | Description. | var-string | Maximum length: 255 |
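
An added example, not part of the Fortinet reference: a small Python check that parses a `config system dhcp server` block and flags integer values outside the ranges listed above, DDNS updates configured without TSIG, and ip-range or exclude-range entries whose bounds are inverted. The sample configuration and the helper names `parse` and `audit` are constructed for illustration.

```python
import ipaddress
import shlex

BOUNDS = {  # integer bounds copied from the parameter table above
    "lease-time": (300, 8640000),  # 0 is also valid: unlimited lease
    "conflicted-ip-timeout": (60, 8640000),
    "ipsec-lease-hold": (0, 8640000),
    "ddns-ttl": (60, 86400),
}

# Constructed sample configuration (documentation addresses, not a real device).
SAMPLE = """\
config system dhcp server
    edit 1
        set lease-time 0
        config ip-range
            edit 1
                set start-ip 192.0.2.200
                set end-ip 192.0.2.100
            next
        end
        set ddns-update enable
        set ddns-ttl 30
    next
end
"""

def parse(text):  # hypothetical helper: config/edit/set/next/end -> nested dicts
    stack = [{}]
    for line in text.splitlines():
        tok = shlex.split(line) or [""]
        if tok[0] == "config":      # open a table, e.g. "system dhcp server"
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "edit":      # open one entry of the current table
            stack.append(stack[-1].setdefault(tok[1], {}))
        elif tok[0] in ("next", "end"):
            stack.pop()
        elif tok[0] == "set":
            stack[-1][tok[1]] = " ".join(tok[2:])
    return stack[0]

def audit(text):  # hypothetical helper: list of (server id, message) findings
    findings = []
    for sid, srv in parse(text).get("system dhcp server", {}).items():
        for key, (lo, hi) in BOUNDS.items():
            val = int(srv.get(key, lo))  # an absent key defaults in-range, so it is skipped
            if key == "lease-time" and val == 0:
                findings.append((sid, "lease-time 0: leases never expire"))
            elif not lo <= val <= hi:
                findings.append((sid, f"{key} {val} outside {lo}-{hi}"))
        # An absent ddns-auth is treated like "disable" (assumption about the default).
        if srv.get("ddns-update") == "enable" and srv.get("ddns-auth") != "tsig":
            findings.append((sid, "ddns-update enabled without TSIG"))
        for table in ("ip-range", "exclude-range"):
            for rid, rng in srv.get(table, {}).items():
                first, last = (ipaddress.IPv4Address(rng[k]) for k in ("start-ip", "end-ip"))
                if first > last:
                    findings.append((sid, f"{table} {rid}: start-ip after end-ip"))
    return findings
```

Calling `audit(SAMPLE)` returns four findings for server 1; setting `ddns-auth tsig`, a lease-time and ddns-ttl inside the listed ranges, and an ordered ip-range clears them.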
