CLI Reference

alertemail
- alertemail setting
antivirus
- antivirus heuristic
- antivirus profile
- antivirus quarantine
- antivirus settings
application
- application custom
- application group
- application list
- application name
- application rule-settings
authentication
- authentication rule
- authentication scheme
- authentication setting
certificate
- certificate ca
- certificate crl
- certificate local
- certificate remote
cifs
- cifs domain-controller
- cifs profile
dlp
- dlp filepattern
- dlp fp-doc-source
- dlp sensitivity
- dlp sensor
- dlp settings
dnsfilter
- dnsfilter domain-filter
- dnsfilter profile
emailfilter
- emailfilter bwl
- emailfilter bword
- emailfilter dnsbl
- emailfilter fortishield
- emailfilter iptrust
- emailfilter mheader
- emailfilter options
- emailfilter profile
endpoint-control
- endpoint-control fctems
- endpoint-control settings
extender-controller
- extender-controller extender
firewall
- firewall DoS-policy
- firewall DoS-policy6
- firewall acl
- firewall acl6
- firewall address
- firewall address6
- firewall address6-template
- firewall addrgrp
- firewall addrgrp6
- firewall auth-portal
- firewall central-snat-map
- firewall consolidated policy
- firewall dnstranslation
- firewall identity-based-route
- firewall interface-policy
- firewall interface-policy6
- firewall internet-service
- firewall internet-service-addition
- firewall internet-service-append
- firewall internet-service-custom
- firewall internet-service-custom-group
- firewall internet-service-definition
- firewall internet-service-extension
- firewall internet-service-group
- firewall internet-service-ipbl-reason
- firewall internet-service-ipbl-vendor
- firewall internet-service-list
- firewall internet-service-owner
- firewall internet-service-reputation
- firewall internet-service-sld
- firewall ip-translation
- firewall ipmacbinding setting
- firewall ipmacbinding table
- firewall ippool
- firewall ippool6
- firewall ldb-monitor
- firewall local-in-policy
- firewall local-in-policy6
- firewall multicast-address
- firewall multicast-address6
- firewall multicast-policy
- firewall multicast-policy6
- firewall policy
- firewall policy46
- firewall policy6
- firewall policy64
- firewall profile-group
- firewall profile-protocol-options
- firewall proxy-address
- firewall proxy-addrgrp
- firewall proxy-policy
- firewall schedule group
- firewall schedule onetime
- firewall schedule recurring
- firewall security-policy
- firewall service category
- firewall service custom
- firewall service group
- firewall shaper per-ip-shaper
- firewall shaper traffic-shaper
- firewall shaping-policy
- firewall shaping-profile
- firewall sniffer
- firewall ssh host-key
- firewall ssh local-ca
- firewall ssh local-key
- firewall ssh setting
- firewall ssl setting
- firewall ssl-server
- firewall ssl-ssh-profile
- firewall traffic-class
- firewall ttl-policy
- firewall vip
- firewall vip46
- firewall vip6
- firewall vip64
- firewall vipgrp
- firewall vipgrp46
- firewall vipgrp6
- firewall vipgrp64
- firewall wildcard-fqdn custom
- firewall wildcard-fqdn group
ftp-proxy
- ftp-proxy explicit
icap
- icap profile
- icap server
ips
- ips custom
- ips decoder
- ips global
- ips rule
- ips rule-settings
- ips sensor
- ips settings
- ips view-map
log
- log custom-field
- log disk filter
- log disk setting
- log eventfilter
- log fortianalyzer filter
- log fortianalyzer override-filter
- log fortianalyzer override-setting
- log fortianalyzer setting
- log fortianalyzer-cloud filter
- log fortianalyzer-cloud override-filter
- log fortianalyzer-cloud override-setting
- log fortianalyzer-cloud setting
- log fortianalyzer2 filter
- log fortianalyzer2 override-filter
- log fortianalyzer2 override-setting
- log fortianalyzer2 setting
- log fortianalyzer3 filter
- log fortianalyzer3 override-filter
- log fortianalyzer3 override-setting
- log fortianalyzer3 setting
- log fortiguard filter
- log fortiguard override-filter
- log fortiguard override-setting
- log fortiguard setting
- log gui-display
- log memory filter
- log memory global-setting
- log memory setting
- log null-device filter
- log null-device setting
- log setting
- log syslogd filter
- log syslogd override-filter
- log syslogd override-setting
- log syslogd setting
- log syslogd2 filter
- log syslogd2 override-filter
- log syslogd2 override-setting
- log syslogd2 setting
- log syslogd3 filter
- log syslogd3 override-filter
- log syslogd3 override-setting
- log syslogd3 setting
- log syslogd4 filter
- log syslogd4 override-filter
- log syslogd4 override-setting
- log syslogd4 setting
- log threat-weight
- log webtrends filter
- log webtrends setting
monitoring
- monitoring np6-ipsec-engine
report
- report chart
- report dataset
- report layout
- report setting
- report style
- report theme
router
- router access-list
- router access-list6
- router aspath-list
- router auth-path
- router bfd
- router bfd6
- router bgp
- router community-list
- router isis
- router key-chain
- router multicast
- router multicast-flow
- router multicast6
- router ospf
- router ospf6
- router policy
- router policy6
- router prefix-list
- router prefix-list6
- router rip
- router ripng
- router route-map
- router setting
- router static
- router static6
ssh-filter
- ssh-filter profile
switch-controller
- switch-controller auto-config custom
- switch-controller auto-config default
- switch-controller auto-config policy
- switch-controller custom-command
- switch-controller lldp-profile
- switch-controller lldp-settings
- switch-controller location
- switch-controller managed-switch
- switch-controller poe
- switch-controller qos dot1p-map
- switch-controller qos ip-dscp-map
- switch-controller qos qos-policy
- switch-controller qos queue-policy
- switch-controller remote-log
- switch-controller security-policy 802-1X
- switch-controller security-policy local-access
- switch-controller snmp-community
- switch-controller snmp-user
- switch-controller storm-control-policy
- switch-controller stp-instance
- switch-controller stp-settings
- switch-controller switch-group
- switch-controller switch-interface-tag
- switch-controller switch-profile
- switch-controller traffic-policy
- switch-controller virtual-port-pool
system
- system 3g-modem custom
- system accprofile
- system admin
- system alarm
- system alias
- system api-user
- system arp-table
- system auto-install
- system auto-script
- system automation-action
- system automation-destination
- system automation-stitch
- system automation-trigger
- system autoupdate push-update
- system autoupdate schedule
- system autoupdate tunneling
- system central-management
- system cluster-sync
- system console
- system csf
- system custom-language
- system ddns
- system dedicated-mgmt
- system dhcp server
- system dhcp6 server
- system dns
- system dns-database
- system dns-server
- system dscp-based-priority
- system email-server
- system external-resource
- system fips-cc
- system fortiguard
- system fortimanager
- system fortisandbox
- system fsso-polling
- system ftm-push
- system geneve
- system geoip-country
- system geoip-override
- system global
- system gre-tunnel
- system ha
- system ha-monitor
- system interface
- system ipip-tunnel
- system ips-urlfilter-dns
- system ips-urlfilter-dns6
- system ipsec-aggregate
- system ipv6-neighbor-cache
- system ipv6-tunnel
- system isf-queue-profile
- system link-monitor
- system lldp network-policy
- system lte-modem
- system mac-address-table
- system mobile-tunnel
- system modem
- system nat64
- system nd-proxy
- system netflow
- system network-visibility
- system np6
- system npu
- system ntp
- system object-tagging
- system password-policy
- system password-policy-guest-admin
- system pppoe-interface
- system probe-response
- system proxy-arp
- system ptp
- system replacemsg admin
- system replacemsg alertmail
- system replacemsg auth
- system replacemsg device-detection-portal
- system replacemsg fortiguard-wf
- system replacemsg ftp
- system replacemsg http
- system replacemsg icap
- system replacemsg mail
- system replacemsg nac-quar
- system replacemsg nntp
- system replacemsg spam
- system replacemsg sslvpn
- system replacemsg traffic-quota
- system replacemsg utm
- system replacemsg webproxy
- system replacemsg-group
- system replacemsg-image
- system resource-limits
- system saml
- system sdn-connector
- system session-helper
- system session-ttl
- system settings
- system sflow
- system sit-tunnel
- system sms-server
- system snmp community
- system snmp sysinfo
- system snmp user
- system speed-test-server
- system sso-admin
- system storage
- system switch-interface
- system tos-based-priority
- system vdom
- system vdom-dns
- system vdom-exception
- system vdom-link
- system vdom-netflow
- system vdom-property
- system vdom-radius-server
- system vdom-sflow
- system virtual-wan-link
- system virtual-wire-pair
- system vxlan
- system wccp
- system zone
user
- user adgrp
- user domain-controller
- user exchange
- user fortitoken
- user fsso
- user fsso-polling
- user group
- user krb-keytab
- user ldap
- user local
- user password-policy
- user peer
- user peergrp
- user pop3
- user radius
- user saml
- user security-exempt-list
- user setting
- user tacacs+
voip
- voip profile
vpn
- vpn certificate ca
- vpn certificate crl
- vpn certificate local
- vpn certificate ocsp-server
- vpn certificate remote
- vpn certificate setting
- vpn ipsec concentrator
- vpn ipsec forticlient
- vpn ipsec manualkey
- vpn ipsec manualkey-interface
- vpn ipsec phase1
- vpn ipsec phase1-interface
- vpn ipsec phase2
- vpn ipsec phase2-interface
- vpn l2tp
- vpn ocvpn
- vpn pptp
- vpn ssl settings
- vpn ssl web host-check-software
- vpn ssl web portal
- vpn ssl web realm
- vpn ssl web user-bookmark
- vpn ssl web user-group-bookmark
waf
- waf main-class
- waf profile
- waf signature
- waf sub-class
wanopt
- wanopt auth-group
- wanopt cache-service
- wanopt content-delivery-network-rule
- wanopt peer
- wanopt profile
- wanopt remote-storage
- wanopt settings
- wanopt webcache
web-proxy
- web-proxy debug-url
- web-proxy explicit
- web-proxy forward-server
- web-proxy forward-server-group
- web-proxy global
- web-proxy profile
- web-proxy url-match
- web-proxy wisp
webfilter
- webfilter content
- webfilter content-header
- webfilter fortiguard
- webfilter ftgd-local-cat
- webfilter ftgd-local-rating
- webfilter ips-urlfilter-cache-setting
- webfilter ips-urlfilter-setting
- webfilter ips-urlfilter-setting6
- webfilter override
- webfilter profile
- webfilter search-engine
- webfilter urlfilter
wireless-controller
- wireless-controller address
- wireless-controller addrgrp
- wireless-controller ap-status
- wireless-controller ble-profile
- wireless-controller bonjour-profile
- wireless-controller global
- wireless-controller hotspot20 anqp-3gpp-cellular
- wireless-controller hotspot20 anqp-ip-address-type
- wireless-controller hotspot20 anqp-nai-realm
- wireless-controller hotspot20 anqp-network-auth-type
- wireless-controller hotspot20 anqp-roaming-consortium
- wireless-controller hotspot20 anqp-venue-name
- wireless-controller hotspot20 h2qp-conn-capability
- wireless-controller hotspot20 h2qp-operator-name
- wireless-controller hotspot20 h2qp-osu-provider
- wireless-controller hotspot20 h2qp-wan-metric
- wireless-controller hotspot20 hs-profile
- wireless-controller hotspot20 icon
- wireless-controller hotspot20 qos-map
- wireless-controller inter-controller
- wireless-controller log
- wireless-controller qos-profile
- wireless-controller region
- wireless-controller setting
- wireless-controller snmp
- wireless-controller timers
- wireless-controller utm-profile
- wireless-controller vap
- wireless-controller vap-group
- wireless-controller wag-profile
- wireless-controller wids-profile
- wireless-controller wtp
- wireless-controller wtp-group
- wireless-controller wtp-profile

Home FortiGate / FortiOS 6.2.4 CLI Reference

6.2.4

system dhcp server

Configure DHCP servers.

  config system dhcp server
      Description: Configure DHCP servers.
      edit <id>
          set status [disable|enable]
          set lease-time {integer}
          set mac-acl-default-action [assign|block]
          set forticlient-on-net-status [disable|enable]
          set dns-service [local|default|...]
          set dns-server1 {ipv4-address}
          set dns-server2 {ipv4-address}
          set dns-server3 {ipv4-address}
          set dns-server4 {ipv4-address}
          set wifi-ac-service [specify|local]
          set wifi-ac1 {ipv4-address}
          set wifi-ac2 {ipv4-address}
          set wifi-ac3 {ipv4-address}
          set ntp-service [local|default|...]
          set ntp-server1 {ipv4-address}
          set ntp-server2 {ipv4-address}
          set ntp-server3 {ipv4-address}
          set domain {string}
          set wins-server1 {ipv4-address}
          set wins-server2 {ipv4-address}
          set default-gateway {ipv4-address}
          set next-server {ipv4-address}
          set netmask {ipv4-netmask}
          set interface {string}
          config ip-range
              Description: DHCP IP range configuration.
              edit <id>
                  set start-ip {ipv4-address}
                  set end-ip {ipv4-address}
              next
          end
          set timezone-option [disable|default|...]
          set timezone [01|02|...]
          set tftp-server <tftp-server1>, <tftp-server2>, ...
          set filename {string}
          config options
              Description: DHCP options.
              edit <id>
                  set code {integer}
                  set type [hex|string|...]
                  set value {string}
                  set ip {user}
              next
          end
          set server-type [regular|ipsec]
          set ip-mode [range|usrgrp]
          set conflicted-ip-timeout {integer}
          set ipsec-lease-hold {integer}
          set auto-configuration [disable|enable]
          set ddns-update [disable|enable]
          set ddns-update-override [disable|enable]
          set ddns-server-ip {ipv4-address}
          set ddns-zone {string}
          set ddns-auth [disable|tsig]
          set ddns-keyname {string}
          set ddns-key {user}
          set ddns-ttl {integer}
          set vci-match [disable|enable]
          set vci-string <vci-string1>, <vci-string2>, ...
          config exclude-range
              Description: Exclude one or more ranges of IP addresses from being assigned to clients.
              edit <id>
                  set start-ip {ipv4-address}
                  set end-ip {ipv4-address}
              next
          end
          config reserved-address
              Description: Options for the DHCP server to assign IP settings to specific MAC addresses.
              edit <id>
                  set type [mac|option82]
                  set ip {ipv4-address}
                  set mac {mac-address}
                  set action [assign|block|...]
                  set circuit-id-type [hex|string]
                  set circuit-id {string}
                  set remote-id-type [hex|string]
                  set remote-id {string}
                  set description {var-string}
              next
          end
      next
  end

config system dhcp server

Parameter Name	Description	Type	Size
status	Enable/disable this DHCP configuration. disable: Do not use this DHCP server configuration. enable: Use this DHCP server configuration.	option	-
lease-time	Lease time in seconds, 0 means unlimited.	integer	Minimum value: 300 Maximum value: 8640000
mac-acl-default-action	MAC access control default action (allow or block assigning IP settings). assign: Allow the DHCP server to assign IP settings to clients on the MAC access control list. block: Block the DHCP server from assigning IP settings to clients on the MAC access control list.	option	-
forticlient-on-net-status	Enable/disable FortiClient-On-Net service for this DHCP server. disable: Disable FortiClient On-Net Status. enable: Enable FortiClient On-Net Status.	option	-
dns-service	Options for assigning DNS servers to DHCP clients. local: IP address of the interface the DHCP server is added to becomes the client's DNS server IP address. default: Clients are assigned the FortiGate's configured DNS servers. specify: Specify up to 3 DNS servers in the DHCP server configuration.	option	-
dns-server1	DNS server 1.	ipv4-address	Not Specified
dns-server2	DNS server 2.	ipv4-address	Not Specified
dns-server3	DNS server 3.	ipv4-address	Not Specified
dns-server4	DNS server 4.	ipv4-address	Not Specified
wifi-ac-service	Options for assigning WiFi Access Controllers to DHCP clients specify: Specify up to 3 WiFi Access Controllers in the DHCP server configuration. local: IP address of the interface the DHCP server is added to becomes the client's WiFi Access Controller IP address.	option	-
wifi-ac1	WiFi Access Controller 1 IP address (DHCP option 138, RFC 5417).	ipv4-address	Not Specified
wifi-ac2	WiFi Access Controller 2 IP address (DHCP option 138, RFC 5417).	ipv4-address	Not Specified
wifi-ac3	WiFi Access Controller 3 IP address (DHCP option 138, RFC 5417).	ipv4-address	Not Specified
ntp-service	Options for assigning Network Time Protocol (NTP) servers to DHCP clients. local: IP address of the interface the DHCP server is added to becomes the client's NTP server IP address. default: Clients are assigned the FortiGate's configured NTP servers. specify: Specify up to 3 NTP servers in the DHCP server configuration.	option	-
ntp-server1	NTP server 1.	ipv4-address	Not Specified
ntp-server2	NTP server 2.	ipv4-address	Not Specified
ntp-server3	NTP server 3.	ipv4-address	Not Specified
domain	Domain name suffix for the IP addresses that the DHCP server assigns to clients.	string	Maximum length: 35
wins-server1	WINS server 1.	ipv4-address	Not Specified
wins-server2	WINS server 2.	ipv4-address	Not Specified
default-gateway	Default gateway IP address assigned by the DHCP server.	ipv4-address	Not Specified
next-server	IP address of a server (for example, a TFTP sever) that DHCP clients can download a boot file from.	ipv4-address	Not Specified
netmask	Netmask assigned by the DHCP server.	ipv4-netmask	Not Specified
interface	DHCP server can assign IP configurations to clients connected to this interface.	string	Maximum length: 15
timezone-option	Options for the DHCP server to set the client's time zone. disable: Do not set the client's time zone. default: Clients are assigned the FortiGate's configured time zone. specify: Specify the time zone to be assigned to DHCP clients.	option	-
timezone
tftp-server `<tftp-server>`	One or more hostnames or IP addresses of the TFTP servers in quotes separated by spaces. TFTP server.	string	Maximum length: 63
filename	Name of the boot file on the TFTP server.	string	Maximum length: 127
server-type	DHCP server can be a normal DHCP server or an IPsec DHCP server. regular: Regular DHCP service. ipsec: DHCP over IPsec service.	option	-
ip-mode	Method used to assign client IP. range: Use range defined by start-ip/end-ip to assign client IP. usrgrp: Use user-group defined method to assign client IP.	option	-
conflicted-ip-timeout	Time in seconds to wait after a conflicted IP address is removed from the DHCP range before it can be reused.	integer	Minimum value: 60 Maximum value: 8640000
ipsec-lease-hold	DHCP over IPsec leases expire this many seconds after tunnel down (0 to disable forced-expiry).	integer	Minimum value: 0 Maximum value: 8640000
auto-configuration	Enable/disable auto configuration. disable: Disable auto configuration. enable: Enable auto configuration.	option	-
ddns-update	Enable/disable DDNS update for DHCP. disable: Disable DDNS update for DHCP. enable: Enable DDNS update for DHCP.	option	-
ddns-update-override	Enable/disable DDNS update override for DHCP. disable: Disable DDNS update override for DHCP. enable: Enable DDNS update override for DHCP.	option	-
ddns-server-ip	DDNS server IP.	ipv4-address	Not Specified
ddns-zone	Zone of your domain name (ex. DDNS.com).	string	Maximum length: 64
ddns-auth	DDNS authentication mode. disable: Disable DDNS authentication. tsig: TSIG based on RFC2845.	option	-
ddns-keyname	DDNS update key name.	string	Maximum length: 64
ddns-key	DDNS update key (base 64 encoding).	user	Not Specified
ddns-ttl	TTL.	integer	Minimum value: 60 Maximum value: 86400
vci-match	Enable/disable vendor class identifier (VCI) matching. When enabled only DHCP requests with a matching VCI are served. disable: Disable VCI matching. enable: Enable VCI matching.	option	-
vci-string `<vci-string>`	One or more VCI strings in quotes separated by spaces. VCI strings.	string	Maximum length: 255

config ip-range

Parameter Name	Description	Type	Size
start-ip	Start of IP range.	ipv4-address	Not Specified
end-ip	End of IP range.	ipv4-address	Not Specified

config options

Parameter Name	Description	Type	Size
code	DHCP option code.	integer	Minimum value: 0 Maximum value: 255
type	DHCP option type. hex: DHCP option in hex. string: DHCP option in string. ip: DHCP option in IP. fqdn: DHCP option in domain search option format.	option	-
value	DHCP option value.	string	Maximum length: 312
ip	DHCP option IPs.	user	Not Specified

config exclude-range

Parameter Name	Description	Type	Size
start-ip	Start of IP range.	ipv4-address	Not Specified
end-ip	End of IP range.	ipv4-address	Not Specified

config reserved-address

Parameter Name	Description	Type	Size
type	DHCP reserved-address type. mac: Match with MAC address. option82: Match with DHCP option 82.	option	-
ip	IP address to be reserved for the MAC address.	ipv4-address	Not Specified
mac	MAC address of the client that will get the reserved IP address.	mac-address	Not Specified
action	Options for the DHCP server to configure the client with the reserved MAC address. assign: Configure the client with this MAC address like any other client. block: Block the DHCP server from assigning IP settings to the client with this MAC address. reserved: Assign the reserved IP address to the client with this MAC address.	option	-
circuit-id-type	DHCP option type. hex: DHCP option in hex. string: DHCP option in string.	option	-
circuit-id	Option 82 circuit-ID of the client that will get the reserved IP address.	string	Maximum length: 312
remote-id-type	DHCP option type. hex: DHCP option in hex. string: DHCP option in string.	option	-
remote-id	Option 82 remote-ID of the client that will get the reserved IP address.	string	Maximum length: 312
description	Description.	var-string	Maximum length: 255

Configure DHCP servers.

config system dhcp server Description: Configure DHCP servers. edit <id> set status [disable|enable] set lease-time {integer} set mac-acl-default-action [assign|block] set forticlient-on-net-status [disable|enable] set dns-service [local|default|...] set dns-server1 {ipv4-address} set dns-server2 {ipv4-address} set dns-server3 {ipv4-address} set dns-server4 {ipv4-address} set wifi-ac-service [specify|local] set wifi-ac1 {ipv4-address} set wifi-ac2 {ipv4-address} set wifi-ac3 {ipv4-address} set ntp-service [local|default|...] set ntp-server1 {ipv4-address} set ntp-server2 {ipv4-address} set ntp-server3 {ipv4-address} set domain {string} set wins-server1 {ipv4-address} set wins-server2 {ipv4-address} set default-gateway {ipv4-address} set next-server {ipv4-address} set netmask {ipv4-netmask} set interface {string} config ip-range Description: DHCP IP range configuration. edit <id> set start-ip {ipv4-address} set end-ip {ipv4-address} next end set timezone-option [disable|default|...] set timezone [01|02|...] set tftp-server <tftp-server1>, <tftp-server2>, ... set filename {string} config options Description: DHCP options. edit <id> set code {integer} set type [hex|string|...] set value {string} set ip {user} next end set server-type [regular|ipsec] set ip-mode [range|usrgrp] set conflicted-ip-timeout {integer} set ipsec-lease-hold {integer} set auto-configuration [disable|enable] set ddns-update [disable|enable] set ddns-update-override [disable|enable] set ddns-server-ip {ipv4-address} set ddns-zone {string} set ddns-auth [disable|tsig] set ddns-keyname {string} set ddns-key {user} set ddns-ttl {integer} set vci-match [disable|enable] set vci-string <vci-string1>, <vci-string2>, ... config exclude-range Description: Exclude one or more ranges of IP addresses from being assigned to clients. edit <id> set start-ip {ipv4-address} set end-ip {ipv4-address} next end config reserved-address Description: Options for the DHCP server to assign IP settings to specific MAC addresses. edit <id> set type [mac|option82] set ip {ipv4-address} set mac {mac-address} set action [assign|block|...] set circuit-id-type [hex|string] set circuit-id {string} set remote-id-type [hex|string] set remote-id {string} set description {var-string} next end next end

config system dhcp server

Parameter Name

Description

Type

Size

status

Enable/disable this DHCP configuration.
disable: Do not use this DHCP server configuration.
enable: Use this DHCP server configuration.

option

lease-time

Lease time in seconds, 0 means unlimited.

integer

Minimum value: 300 Maximum value: 8640000

mac-acl-default-action

MAC access control default action (allow or block assigning IP settings).
assign: Allow the DHCP server to assign IP settings to clients on the MAC access control list.
block: Block the DHCP server from assigning IP settings to clients on the MAC access control list.

option

forticlient-on-net-status

Enable/disable FortiClient-On-Net service for this DHCP server.
disable: Disable FortiClient On-Net Status.
enable: Enable FortiClient On-Net Status.

option

dns-service

Options for assigning DNS servers to DHCP clients.
local: IP address of the interface the DHCP server is added to becomes the client's DNS server IP address.
default: Clients are assigned the FortiGate's configured DNS servers.
specify: Specify up to 3 DNS servers in the DHCP server configuration.

option

dns-server1

DNS server 1.

ipv4-address

Not Specified

dns-server2

DNS server 2.

ipv4-address

Not Specified

dns-server3

DNS server 3.

ipv4-address

Not Specified

dns-server4

DNS server 4.

ipv4-address

Not Specified

wifi-ac-service

Options for assigning WiFi Access Controllers to DHCP clients
specify: Specify up to 3 WiFi Access Controllers in the DHCP server configuration.
local: IP address of the interface the DHCP server is added to becomes the client's WiFi Access Controller IP address.

option

wifi-ac1

WiFi Access Controller 1 IP address (DHCP option 138, RFC 5417).

ipv4-address

Not Specified

wifi-ac2

WiFi Access Controller 2 IP address (DHCP option 138, RFC 5417).

ipv4-address

Not Specified

wifi-ac3

WiFi Access Controller 3 IP address (DHCP option 138, RFC 5417).

ipv4-address

Not Specified

ntp-service

Options for assigning Network Time Protocol (NTP) servers to DHCP clients.
local: IP address of the interface the DHCP server is added to becomes the client's NTP server IP address.
default: Clients are assigned the FortiGate's configured NTP servers.
specify: Specify up to 3 NTP servers in the DHCP server configuration.

option

ntp-server1

NTP server 1.

ipv4-address

Not Specified

ntp-server2

NTP server 2.

ipv4-address

Not Specified

ntp-server3

NTP server 3.

ipv4-address

Not Specified

domain

Domain name suffix for the IP addresses that the DHCP server assigns to clients.

string

Maximum length: 35

wins-server1

WINS server 1.

ipv4-address

Not Specified

wins-server2

WINS server 2.

ipv4-address

Not Specified

default-gateway

Default gateway IP address assigned by the DHCP server.

ipv4-address

Not Specified

next-server

IP address of a server (for example, a TFTP sever) that DHCP clients can download a boot file from.

ipv4-address

Not Specified

netmask

Netmask assigned by the DHCP server.

ipv4-netmask

Not Specified

interface

DHCP server can assign IP configurations to clients connected to this interface.

string

Maximum length: 15

timezone-option

Options for the DHCP server to set the client's time zone.
disable: Do not set the client's time zone.
default: Clients are assigned the FortiGate's configured time zone.
specify: Specify the time zone to be assigned to DHCP clients.

option

timezone

tftp-server <tftp-server>

One or more hostnames or IP addresses of the TFTP servers in quotes separated by spaces.
TFTP server.

string

Maximum length: 63

filename

Name of the boot file on the TFTP server.

string

Maximum length: 127

server-type

DHCP server can be a normal DHCP server or an IPsec DHCP server.
regular: Regular DHCP service.
ipsec: DHCP over IPsec service.

option

ip-mode

Method used to assign client IP.
range: Use range defined by start-ip/end-ip to assign client IP.
usrgrp: Use user-group defined method to assign client IP.

option

conflicted-ip-timeout

Time in seconds to wait after a conflicted IP address is removed from the DHCP range before it can be reused.

integer

Minimum value: 60 Maximum value: 8640000

ipsec-lease-hold

DHCP over IPsec leases expire this many seconds after tunnel down (0 to disable forced-expiry).

integer

Minimum value: 0 Maximum value: 8640000

auto-configuration

Enable/disable auto configuration.
disable: Disable auto configuration.
enable: Enable auto configuration.

option

ddns-update

Enable/disable DDNS update for DHCP.
disable: Disable DDNS update for DHCP.
enable: Enable DDNS update for DHCP.

option

ddns-update-override

Enable/disable DDNS update override for DHCP.
disable: Disable DDNS update override for DHCP.
enable: Enable DDNS update override for DHCP.

option

ddns-server-ip

DDNS server IP.

ipv4-address

Not Specified

ddns-zone

Zone of your domain name (ex. DDNS.com).

string

Maximum length: 64

ddns-auth

DDNS authentication mode.
disable: Disable DDNS authentication.
tsig: TSIG based on RFC2845.

option

ddns-keyname

DDNS update key name.

string

Maximum length: 64

ddns-key

DDNS update key (base 64 encoding).

user

Not Specified

ddns-ttl

TTL.

integer

Minimum value: 60 Maximum value: 86400

vci-match

Enable/disable vendor class identifier (VCI) matching. When enabled only DHCP requests with a matching VCI are served.
disable: Disable VCI matching.
enable: Enable VCI matching.

option

vci-string <vci-string>

One or more VCI strings in quotes separated by spaces.
VCI strings.

string

Maximum length: 255

Parameter Name

Description

Type

Size

start-ip

Start of IP range.

ipv4-address

Not Specified

end-ip

End of IP range.

ipv4-address

Not Specified

config options

Parameter Name

Description

Type

Size

code

DHCP option code.

integer

Minimum value: 0 Maximum value: 255

type

DHCP option type.
hex: DHCP option in hex.
string: DHCP option in string.
ip: DHCP option in IP.
fqdn: DHCP option in domain search option format.

option

value

DHCP option value.

string

Maximum length: 312

DHCP option IPs.

user

Not Specified

Parameter Name

Description

Type

Size

start-ip

Start of IP range.

ipv4-address

Not Specified

end-ip

End of IP range.

ipv4-address

Not Specified

config reserved-address

Parameter Name

Description

Type

Size

type

DHCP reserved-address type.
mac: Match with MAC address.
option82: Match with DHCP option 82.

option

IP address to be reserved for the MAC address.

ipv4-address

Not Specified

mac

MAC address of the client that will get the reserved IP address.

mac-address

Not Specified

action

Options for the DHCP server to configure the client with the reserved MAC address.
assign: Configure the client with this MAC address like any other client.
block: Block the DHCP server from assigning IP settings to the client with this MAC address.
reserved: Assign the reserved IP address to the client with this MAC address.

option

circuit-id-type

DHCP option type.
hex: DHCP option in hex.
string: DHCP option in string.

option

circuit-id

Option 82 circuit-ID of the client that will get the reserved IP address.

string

Maximum length: 312

remote-id-type

DHCP option type.
hex: DHCP option in hex.
string: DHCP option in string.

option

remote-id

Option 82 remote-ID of the client that will get the reserved IP address.

string

Maximum length: 312

description

Description.

var-string

Maximum length: 255

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

CLI Reference

system dhcp server

Configure DHCP servers.

config system dhcp server

config ip-range

config options

config exclude-range

config reserved-address

system dhcp server

Configure DHCP servers.

config system dhcp server

config ip-range

config options

config exclude-range