Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

CLI Reference

config system dhcp server

Configure DHCP servers.

config system dhcp server

Description: Configure DHCP servers.

edit <id>

set status [disable|enable]

set lease-time {integer}

set mac-acl-default-action [assign|block]

set forticlient-on-net-status [disable|enable]

set dns-service [local|default|...]

set dns-server1 {ipv4-address}

set dns-server2 {ipv4-address}

set dns-server3 {ipv4-address}

set dns-server4 {ipv4-address}

set wifi-ac-service [specify|local]

set wifi-ac1 {ipv4-address}

set wifi-ac2 {ipv4-address}

set wifi-ac3 {ipv4-address}

set ntp-service [local|default|...]

set ntp-server1 {ipv4-address}

set ntp-server2 {ipv4-address}

set ntp-server3 {ipv4-address}

set domain {string}

set wins-server1 {ipv4-address}

set wins-server2 {ipv4-address}

set default-gateway {ipv4-address}

set next-server {ipv4-address}

set netmask {ipv4-netmask}

set interface {string}

config ip-range

Description: DHCP IP range configuration.

edit <id>

set start-ip {ipv4-address}

set end-ip {ipv4-address}

next

end

set timezone-option [disable|default|...]

set timezone [01|02|...]

set tftp-server <tftp-server1>, <tftp-server2>, ...

set filename {string}

config options

Description: DHCP options.

edit <id>

set code {integer}

set type [hex|string|...]

set value {string}

set ip {user}

next

end

set server-type [regular|ipsec]

set ip-mode [range|usrgrp]

set conflicted-ip-timeout {integer}

set ipsec-lease-hold {integer}

set auto-configuration [disable|enable]

set dhcp-settings-from-fortiipam [disable|enable]

set auto-managed-status [disable|enable]

set ddns-update [disable|enable]

set ddns-update-override [disable|enable]

set ddns-server-ip {ipv4-address}

set ddns-zone {string}

set ddns-auth [disable|tsig]

set ddns-keyname {string}

set ddns-key {user}

set ddns-ttl {integer}

set vci-match [disable|enable]

set vci-string <vci-string1>, <vci-string2>, ...

config exclude-range

Description: Exclude one or more ranges of IP addresses from being assigned to clients.

edit <id>

set start-ip {ipv4-address}

set end-ip {ipv4-address}

next

end

config reserved-address

Description: Options for the DHCP server to assign IP settings to specific MAC addresses.

edit <id>

set type [mac|option82]

set ip {ipv4-address}

set mac {mac-address}

set action [assign|block|...]

set circuit-id-type [hex|string]

set circuit-id {string}

set remote-id-type [hex|string]

set remote-id {string}

set description {var-string}

next

end

next

end

config system dhcp server

Parameter

Description

Type

Size

Default

status

Enable/disable this DHCP configuration.

option

-

enable

 

Option

Description

disable

Do not use this DHCP server configuration.

enable

Use this DHCP server configuration.

lease-time

Lease time in seconds, 0 means unlimited.

integer

Minimum value: 300 Maximum value: 8640000

604800

mac-acl-default-action

MAC access control default action (allow or block assigning IP settings).

option

-

assign

 

Option

Description

assign

Allow the DHCP server to assign IP settings to clients on the MAC access control list.

block

Block the DHCP server from assigning IP settings to clients on the MAC access control list.

forticlient-on-net-status

Enable/disable FortiClient-On-Net service for this DHCP server.

option

-

enable

 

Option

Description

disable

Disable FortiClient On-Net Status.

enable

Enable FortiClient On-Net Status.

dns-service

Options for assigning DNS servers to DHCP clients.

option

-

specify

 

Option

Description

local

IP address of the interface the DHCP server is added to becomes the client's DNS server IP address.

default

Clients are assigned the FortiGate's configured DNS servers.

specify

Specify up to 3 DNS servers in the DHCP server configuration.

dns-server1

DNS server 1.

ipv4-address

Not Specified

0.0.0.0

dns-server2

DNS server 2.

ipv4-address

Not Specified

0.0.0.0

dns-server3

DNS server 3.

ipv4-address

Not Specified

0.0.0.0

dns-server4

DNS server 4.

ipv4-address

Not Specified

0.0.0.0

wifi-ac-service

Options for assigning WiFi Access Controllers to DHCP clients

option

-

specify

 

Option

Description

specify

Specify up to 3 WiFi Access Controllers in the DHCP server configuration.

local

IP address of the interface the DHCP server is added to becomes the client's WiFi Access Controller IP address.

wifi-ac1

WiFi Access Controller 1 IP address (DHCP option 138, RFC 5417).

ipv4-address

Not Specified

0.0.0.0

wifi-ac2

WiFi Access Controller 2 IP address (DHCP option 138, RFC 5417).

ipv4-address

Not Specified

0.0.0.0

wifi-ac3

WiFi Access Controller 3 IP address (DHCP option 138, RFC 5417).

ipv4-address

Not Specified

0.0.0.0

ntp-service

Options for assigning Network Time Protocol (NTP) servers to DHCP clients.

option

-

specify

 

Option

Description

local

IP address of the interface the DHCP server is added to becomes the client's NTP server IP address.

default

Clients are assigned the FortiGate's configured NTP servers.

specify

Specify up to 3 NTP servers in the DHCP server configuration.

ntp-server1

NTP server 1.

ipv4-address

Not Specified

0.0.0.0

ntp-server2

NTP server 2.

ipv4-address

Not Specified

0.0.0.0

ntp-server3

NTP server 3.

ipv4-address

Not Specified

0.0.0.0

domain

Domain name suffix for the IP addresses that the DHCP server assigns to clients.

string

Maximum length: 35

wins-server1

WINS server 1.

ipv4-address

Not Specified

0.0.0.0

wins-server2

WINS server 2.

ipv4-address

Not Specified

0.0.0.0

default-gateway

Default gateway IP address assigned by the DHCP server.

ipv4-address

Not Specified

0.0.0.0

next-server

IP address of a server (for example, a TFTP sever) that DHCP clients can download a boot file from.

ipv4-address

Not Specified

0.0.0.0

netmask

Netmask assigned by the DHCP server.

ipv4-netmask

Not Specified

0.0.0.0

interface

DHCP server can assign IP configurations to clients connected to this interface.

string

Maximum length: 15

timezone-option

Options for the DHCP server to set the client's time zone.

option

-

disable

 

Option

Description

disable

Do not set the client's time zone.

default

Clients are assigned the FortiGate's configured time zone.

specify

Specify the time zone to be assigned to DHCP clients.

timezone

Select the time zone to be assigned to DHCP clients.

option

-

00

 

Option

Description

01

(GMT-11:00) Midway Island, Samoa

02

(GMT-10:00) Hawaii

03

(GMT-9:00) Alaska

04

(GMT-8:00) Pacific Time (US & Canada)

05

(GMT-7:00) Arizona

81

(GMT-7:00) Baja California Sur, Chihuahua

06

(GMT-7:00) Mountain Time (US & Canada)

07

(GMT-6:00) Central America

08

(GMT-6:00) Central Time (US & Canada)

09

(GMT-6:00) Mexico City

10

(GMT-6:00) Saskatchewan

11

(GMT-5:00) Bogota, Lima,Quito

12

(GMT-5:00) Eastern Time (US & Canada)

13

(GMT-5:00) Indiana (East)

74

(GMT-4:00) Caracas

14

(GMT-4:00) Atlantic Time (Canada)

77

(GMT-4:00) Georgetown

15

(GMT-4:00) La Paz

87

(GMT-4:00) Paraguay

16

(GMT-3:00) Santiago

17

(GMT-3:30) Newfoundland

18

(GMT-3:00) Brasilia

19

(GMT-3:00) Buenos Aires

20

(GMT-3:00) Nuuk (Greenland)

75

(GMT-3:00) Uruguay

21

(GMT-2:00) Mid-Atlantic

22

(GMT-1:00) Azores

23

(GMT-1:00) Cape Verde Is.

24

(GMT) Monrovia

80

(GMT) Greenwich Mean Time

79

(GMT) Casablanca

25

(GMT) Dublin, Edinburgh, Lisbon, London, Canary Is.

26

(GMT+1:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna

27

(GMT+1:00) Belgrade, Bratislava, Budapest, Ljubljana, Prague

28

(GMT+1:00) Brussels, Copenhagen, Madrid, Paris

78

(GMT+1:00) Namibia

29

(GMT+1:00) Sarajevo, Skopje, Warsaw, Zagreb

30

(GMT+1:00) West Central Africa

31

(GMT+2:00) Athens, Sofia, Vilnius

32

(GMT+2:00) Bucharest

33

(GMT+2:00) Cairo

34

(GMT+2:00) Harare, Pretoria

35

(GMT+2:00) Helsinki, Riga, Tallinn

36

(GMT+2:00) Jerusalem

37

(GMT+3:00) Baghdad

38

(GMT+3:00) Kuwait, Riyadh

83

(GMT+3:00) Moscow

84

(GMT+3:00) Minsk

40

(GMT+3:00) Nairobi

85

(GMT+3:00) Istanbul

41

(GMT+3:30) Tehran

42

(GMT+4:00) Abu Dhabi, Muscat

43

(GMT+4:00) Baku

39

(GMT+3:00) St. Petersburg, Volgograd

44

(GMT+4:30) Kabul

46

(GMT+5:00) Islamabad, Karachi, Tashkent

47

(GMT+5:30) Kolkata, Chennai, Mumbai, New Delhi

51

(GMT+5:30) Sri Jayawardenepara

48

(GMT+5:45) Kathmandu

45

(GMT+5:00) Ekaterinburg

49

(GMT+6:00) Almaty, Novosibirsk

50

(GMT+6:00) Astana, Dhaka

52

(GMT+6:30) Rangoon

53

(GMT+7:00) Bangkok, Hanoi, Jakarta

54

(GMT+7:00) Krasnoyarsk

55

(GMT+8:00) Beijing, ChongQing, HongKong, Urumgi, Irkutsk

56

(GMT+8:00) Ulaan Bataar

57

(GMT+8:00) Kuala Lumpur, Singapore

58

(GMT+8:00) Perth

59

(GMT+8:00) Taipei

60

(GMT+9:00) Osaka, Sapporo, Tokyo, Seoul

62

(GMT+9:30) Adelaide

63

(GMT+9:30) Darwin

61

(GMT+9:00) Yakutsk

64

(GMT+10:00) Brisbane

65

(GMT+10:00) Canberra, Melbourne, Sydney

66

(GMT+10:00) Guam, Port Moresby

67

(GMT+10:00) Hobart

68

(GMT+10:00) Vladivostok

69

(GMT+10:00) Magadan

70

(GMT+11:00) Solomon Is., New Caledonia

71

(GMT+12:00) Auckland, Wellington

72

(GMT+12:00) Fiji, Kamchatka, Marshall Is.

00

(GMT+12:00) Eniwetok, Kwajalein

82

(GMT+12:45) Chatham Islands

73

(GMT+13:00) Nuku'alofa

86

(GMT+13:00) Samoa

76

(GMT+14:00) Kiritimati

tftp-server <tftp-server>

One or more hostnames or IP addresses of the TFTP servers in quotes separated by spaces.

TFTP server.

string

Maximum length: 63

filename

Name of the boot file on the TFTP server.

string

Maximum length: 127

server-type

DHCP server can be a normal DHCP server or an IPsec DHCP server.

option

-

regular

 

Option

Description

regular

Regular DHCP service.

ipsec

DHCP over IPsec service.

ip-mode

Method used to assign client IP.

option

-

range

 

Option

Description

range

Use range defined by start-ip/end-ip to assign client IP.

usrgrp

Use user-group defined method to assign client IP.

conflicted-ip-timeout

Time in seconds to wait after a conflicted IP address is removed from the DHCP range before it can be reused.

integer

Minimum value: 60 Maximum value: 8640000

1800

ipsec-lease-hold

DHCP over IPsec leases expire this many seconds after tunnel down (0 to disable forced-expiry).

integer

Minimum value: 0 Maximum value: 8640000

60

auto-configuration

Enable/disable auto configuration.

option

-

enable

 

Option

Description

disable

Disable auto configuration.

enable

Enable auto configuration.

dhcp-settings-from-fortiipam

Enable/disable populating of DHCP server settings from FortiIPAM.

option

-

disable

 

Option

Description

disable

Disable populating of DHCP server settings from FortiIPAM.

enable

Enable populating of DHCP server settings from FortiIPAM.

auto-managed-status

Enable/disable use of this DHCP server once this interface has been assigned an IP address from FortiIPAM.

option

-

enable

 

Option

Description

disable

Disable use of this DHCP server once this interface has been assigned an IP address from FortiIPAM.

enable

Enable use of this DHCP server once this interface has been assigned an IP address from FortiIPAM.

ddns-update

Enable/disable DDNS update for DHCP.

option

-

disable

 

Option

Description

disable

Disable DDNS update for DHCP.

enable

Enable DDNS update for DHCP.

ddns-update-override

Enable/disable DDNS update override for DHCP.

option

-

disable

 

Option

Description

disable

Disable DDNS update override for DHCP.

enable

Enable DDNS update override for DHCP.

ddns-server-ip

DDNS server IP.

ipv4-address

Not Specified

0.0.0.0

ddns-zone

Zone of your domain name (ex. DDNS.com).

string

Maximum length: 64

ddns-auth

DDNS authentication mode.

option

-

disable

 

Option

Description

disable

Disable DDNS authentication.

tsig

TSIG based on RFC2845.

ddns-keyname

DDNS update key name.

string

Maximum length: 64

ddns-key

DDNS update key (base 64 encoding).

user

Not Specified

ddns-ttl

TTL.

integer

Minimum value: 60 Maximum value: 86400

300

vci-match

Enable/disable vendor class identifier (VCI) matching. When enabled only DHCP requests with a matching VCI are served.

option

-

disable

 

Option

Description

disable

Disable VCI matching.

enable

Enable VCI matching.

vci-string <vci-string>

One or more VCI strings in quotes separated by spaces.

VCI strings.

string

Maximum length: 255

config ip-range

Parameter

Description

Type

Size

Default

start-ip

Start of IP range.

ipv4-address

Not Specified

0.0.0.0

end-ip

End of IP range.

ipv4-address

Not Specified

0.0.0.0

config options

Parameter

Description

Type

Size

Default

code

DHCP option code.

integer

Minimum value: 0 Maximum value: 255

0

type

DHCP option type.

option

-

hex

 

Option

Description

hex

DHCP option in hex.

string

DHCP option in string.

ip

DHCP option in IP.

fqdn

DHCP option in domain search option format.

value

DHCP option value.

string

Maximum length: 312

ip

DHCP option IPs.

user

Not Specified

config exclude-range

Parameter

Description

Type

Size

Default

start-ip

Start of IP range.

ipv4-address

Not Specified

0.0.0.0

end-ip

End of IP range.

ipv4-address

Not Specified

0.0.0.0

config reserved-address

Parameter

Description

Type

Size

Default

type

DHCP reserved-address type.

option

-

mac

 

Option

Description

mac

Match with MAC address.

option82

Match with DHCP option 82.

ip

IP address to be reserved for the MAC address.

ipv4-address

Not Specified

0.0.0.0

mac

MAC address of the client that will get the reserved IP address.

mac-address

Not Specified

00:00:00:00:00:00

action

Options for the DHCP server to configure the client with the reserved MAC address.

option

-

reserved

 

Option

Description

assign

Configure the client with this MAC address like any other client.

block

Block the DHCP server from assigning IP settings to the client with this MAC address.

reserved

Assign the reserved IP address to the client with this MAC address.

circuit-id-type

DHCP option type.

option

-

string

 

Option

Description

hex

DHCP option in hex.

string

DHCP option in string.

circuit-id

Option 82 circuit-ID of the client that will get the reserved IP address.

string

Maximum length: 312

remote-id-type

DHCP option type.

option

-

string

 

Option

Description

hex

DHCP option in hex.

string

DHCP option in string.

remote-id

Option 82 remote-ID of the client that will get the reserved IP address.

string

Maximum length: 312

description

Description.

var-string

Maximum length: 255

config system dhcp server

Configure DHCP servers.

config system dhcp server

Description: Configure DHCP servers.

edit <id>

set status [disable|enable]

set lease-time {integer}

set mac-acl-default-action [assign|block]

set forticlient-on-net-status [disable|enable]

set dns-service [local|default|...]

set dns-server1 {ipv4-address}

set dns-server2 {ipv4-address}

set dns-server3 {ipv4-address}

set dns-server4 {ipv4-address}

set wifi-ac-service [specify|local]

set wifi-ac1 {ipv4-address}

set wifi-ac2 {ipv4-address}

set wifi-ac3 {ipv4-address}

set ntp-service [local|default|...]

set ntp-server1 {ipv4-address}

set ntp-server2 {ipv4-address}

set ntp-server3 {ipv4-address}

set domain {string}

set wins-server1 {ipv4-address}

set wins-server2 {ipv4-address}

set default-gateway {ipv4-address}

set next-server {ipv4-address}

set netmask {ipv4-netmask}

set interface {string}

config ip-range

Description: DHCP IP range configuration.

edit <id>

set start-ip {ipv4-address}

set end-ip {ipv4-address}

next

end

set timezone-option [disable|default|...]

set timezone [01|02|...]

set tftp-server <tftp-server1>, <tftp-server2>, ...

set filename {string}

config options

Description: DHCP options.

edit <id>

set code {integer}

set type [hex|string|...]

set value {string}

set ip {user}

next

end

set server-type [regular|ipsec]

set ip-mode [range|usrgrp]

set conflicted-ip-timeout {integer}

set ipsec-lease-hold {integer}

set auto-configuration [disable|enable]

set dhcp-settings-from-fortiipam [disable|enable]

set auto-managed-status [disable|enable]

set ddns-update [disable|enable]

set ddns-update-override [disable|enable]

set ddns-server-ip {ipv4-address}

set ddns-zone {string}

set ddns-auth [disable|tsig]

set ddns-keyname {string}

set ddns-key {user}

set ddns-ttl {integer}

set vci-match [disable|enable]

set vci-string <vci-string1>, <vci-string2>, ...

config exclude-range

Description: Exclude one or more ranges of IP addresses from being assigned to clients.

edit <id>

set start-ip {ipv4-address}

set end-ip {ipv4-address}

next

end

config reserved-address

Description: Options for the DHCP server to assign IP settings to specific MAC addresses.

edit <id>

set type [mac|option82]

set ip {ipv4-address}

set mac {mac-address}

set action [assign|block|...]

set circuit-id-type [hex|string]

set circuit-id {string}

set remote-id-type [hex|string]

set remote-id {string}

set description {var-string}

next

end

next

end

config system dhcp server

Parameter

Description

Type

Size

Default

status

Enable/disable this DHCP configuration.

option

-

enable

 

Option

Description

disable

Do not use this DHCP server configuration.

enable

Use this DHCP server configuration.

lease-time

Lease time in seconds, 0 means unlimited.

integer

Minimum value: 300 Maximum value: 8640000

604800

mac-acl-default-action

MAC access control default action (allow or block assigning IP settings).

option

-

assign

 

Option

Description

assign

Allow the DHCP server to assign IP settings to clients on the MAC access control list.

block

Block the DHCP server from assigning IP settings to clients on the MAC access control list.

forticlient-on-net-status

Enable/disable FortiClient-On-Net service for this DHCP server.

option

-

enable

 

Option

Description

disable

Disable FortiClient On-Net Status.

enable

Enable FortiClient On-Net Status.

dns-service

Options for assigning DNS servers to DHCP clients.

option

-

specify

 

Option

Description

local

IP address of the interface the DHCP server is added to becomes the client's DNS server IP address.

default

Clients are assigned the FortiGate's configured DNS servers.

specify

Specify up to 3 DNS servers in the DHCP server configuration.

dns-server1

DNS server 1.

ipv4-address

Not Specified

0.0.0.0

dns-server2

DNS server 2.

ipv4-address

Not Specified

0.0.0.0

dns-server3

DNS server 3.

ipv4-address

Not Specified

0.0.0.0

dns-server4

DNS server 4.

ipv4-address

Not Specified

0.0.0.0

wifi-ac-service

Options for assigning WiFi Access Controllers to DHCP clients

option

-

specify

 

Option

Description

specify