Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 7.2.4 Administration Guide
    7.2.4
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    Additional DHCP options

    Additional DHCP options

    The FortiGate can be used to provide additional DHCP options that can be useful for different scenarios.

    A few of the options are explained below:

    To configure the DHCP options in the GUI:

    1. Go to Network > Interfaces, click Create New or Edit the existing interface.

    2. Enable DHCP Server.

    3. Expand the Advanced section and select Create New under Additional DHCP options.

    4. Select a predefined Option code from the list or select Specify to enter a custom Option code.

    5. Configure the rest of the parameters as required and click OK to save the options.

    6. Click OK to save the setting.

    To configure the DHCP options in the CLI:
    config system dhcp server
    edit <id>
        config options
            edit <integer>
                set code <integer>
                set type {hex | string | ip | fqdn}
                set value <string>
            next
        end
    next
end

    Variable

    Description
    code <integer> DHCP client option code (0 - 255, default = 0). See Dynamic Host Configuration Protocol (DHCP) and Bootstrap Protocol (BOOTP) Parameters for a list of possible options.
    type {hex | string | ip | fqdn} DHCP server option type (default = hex).
    value <string> DHCP server option value.
    ip <ip address> DHCP server option IP address. This option is only available when type is ip.

    Example

    To configure option 252 with value http://192.168.1.1/wpad.dat:
    config system dhcp server
    edit <id>
        config options
            edit <id>
                set code 252 
                set type hex
                set value 687474703a2f2f3139322e3136382e312e312f777061642e646174
            next
        end   
    next 
end
    Note

    In the example above, 687474703a2f2f3139322e3136382e312e312f777061642e646174 is the hexadecimal equivalent of the ASCII text http://192.168.1.1/wpad.dat.

    Option 82

    The DHCP relay agent information option (option 82 in RFC 3046) helps protect the FortiGate against attacks such as spoofing (forging) of IP addresses and MAC addresses, and DHCP IP address starvation.

    This option is disabled by default. However, when dhcp-relay-service is enabled, dhcp-relay-agent-option becomes enabled.

    To configure the DHCP relay agent option:
    config system interface
    edit <interface>
        set vdom root
        set dhcp-relay-service enable
        set dhcp-relay-ip <ip>
        set dhcp-relay-agent-option enable
        set vlanid <id>
    next
end

    See IP address assignment with relay agent information option for an example.

    Option 77

    This option can be used for User Class information (UCI) matching. When enabled, only DHCP requests with a matching UCI are served with the specified range.

    To configure UCI matching:
    config system dhcp server
    edit <id>
        config ip-range
            edit <id>
                set uci-match {enable | disable}
                set uci-string <string>
            next
        end
        config options
            edit <id>
                set uci-match {enable | disable}
                set uci-string <string>
            next
        end
    next
end

    uci-match {enable | disable}

    Enable/disable User Class information (UCI) matching for option 77.

    uci-string <string>

    Enter one or more UCI strings in quotation marks separated by spaces.
    Previous
    Next

    Additional DHCP options

    Additional DHCP options

    The FortiGate can be used to provide additional DHCP options that can be useful for different scenarios.

    A few of the options are explained below:

    To configure the DHCP options in the GUI:

    1. Go to Network > Interfaces, click Create New or Edit the existing interface.

    2. Enable DHCP Server.

    3. Expand the Advanced section and select Create New under Additional DHCP options.

    4. Select a predefined Option code from the list or select Specify to enter a custom Option code.

    5. Configure the rest of the parameters as required and click OK to save the options.

    6. Click OK to save the setting.

    To configure the DHCP options in the CLI:
    config system dhcp server
    edit <id>
        config options
            edit <integer>
                set code <integer>
                set type {hex | string | ip | fqdn}
                set value <string>
            next
        end
    next
end

    Variable

    Description
    code <integer> DHCP client option code (0 - 255, default = 0). See Dynamic Host Configuration Protocol (DHCP) and Bootstrap Protocol (BOOTP) Parameters for a list of possible options.
    type {hex | string | ip | fqdn} DHCP server option type (default = hex).
    value <string> DHCP server option value.
    ip <ip address> DHCP server option IP address. This option is only available when type is ip.

    Example

    To configure option 252 with value http://192.168.1.1/wpad.dat:
    config system dhcp server
    edit <id>
        config options
            edit <id>
                set code 252 
                set type hex
                set value 687474703a2f2f3139322e3136382e312e312f777061642e646174
            next
        end   
    next 
end
    Note

    In the example above, 687474703a2f2f3139322e3136382e312e312f777061642e646174 is the hexadecimal equivalent of the ASCII text http://192.168.1.1/wpad.dat.

    Option 82

    The DHCP relay agent information option (option 82 in RFC 3046) helps protect the FortiGate against attacks such as spoofing (forging) of IP addresses and MAC addresses, and DHCP IP address starvation.

    This option is disabled by default. However, when dhcp-relay-service is enabled, dhcp-relay-agent-option becomes enabled.

    To configure the DHCP relay agent option:
    config system interface
    edit <interface>
        set vdom root
        set dhcp-relay-service enable
        set dhcp-relay-ip <ip>
        set dhcp-relay-agent-option enable
        set vlanid <id>
    next
end

    See IP address assignment with relay agent information option for an example.

    Option 77

    This option can be used for User Class information (UCI) matching. When enabled, only DHCP requests with a matching UCI are served with the specified range.

    To configure UCI matching:
    config system dhcp server
    edit <id>
        config ip-range
            edit <id>
                set uci-match {enable | disable}
                set uci-string <string>
            next
        end
        config options
            edit <id>
                set uci-match {enable | disable}
                set uci-string <string>
            next
        end
    next
end

    uci-match {enable | disable}

    Enable/disable User Class information (UCI) matching for option 77.

    uci-string <string>

    Enter one or more UCI strings in quotation marks separated by spaces.
    Previous
    Next