Basic configuration
The following contains information on basic configurations.
Configure a DHCP server on an interface
A DHCP server can be configured on an interface in the GUI from Network > Interfaces.
To configure a DHCP server in the GUI:
- Go to Network > Interfaces.
- Edit an interface.
- Enable the DHCP Server option and configure the settings.
- Click OK.
Field | Description |
---|---|
Address Range | By default, the FortiGate unit assigns an address range based on the address of the interface for the complete scope of the address. For example, if the interface address is 172.20.120.230, the default range created is 172.20.120.231 to 172.20.120.254. Select the range and select Edit to adjust the range or select Create New to add a different range. |
Netmask | Enter the netmask of the addresses that the DHCP server assigns. |
Default Gateway | Select this to use either Same as Interface IP or select Specify and enter the IP address of the default gateway that the DHCP server assigns to DHCP clients. |
DNS Server | Select this to use Same as system DNS, Same as Interface IP or select Specify and enter the IP address of the DNS server. |
Mode | Select the type of DHCP server FortiGate will be. By default, it is a Server. Select Relay if needed. When Relay is selected, the above configuration is replaced by a field to enter the DHCP Server IP address. |
DHCP Server IP | This appears only when Mode is Relay. Enter the IP address of the DHCP server where FortiGate obtains the requested IP address. |
Type | Select this to use the DHCP in Regular or IPsec mode. |
Additional DHCP Options | Use this to create new DHCP options. |
Add from DHCP Client List | If the client is currently connected and using an IP address from the DHCP server, you can select this option to select the client from the list. |
To configure a DHCP server in the CLI:
    config system dhcp server
        edit 1
            set dns-service default
            set default-gateway 192.168.1.2
            set netmask 255.255.255.0
            set interface "port1"
            config ip-range
                edit 1
                    set start-ip 192.168.1.1
                    set end-ip 192.168.1.1
                next
                edit 2
                    set start-ip 192.168.1.3
                    set end-ip 192.168.1.254
                next
            end
            set timezone-option default
            set tftp-server "172.16.1.2"
        next
    end
Configure a DHCP relay on an interface
To configure a DHCP relay in the GUI:
- Go to Network > Interfaces.
- Edit an interface.
- Expand the Advanced section and set Mode to Relay.
- Enter the DHCP Server IP.
- Click OK.
To configure a DHCP relay in the CLI:
- Configure the interface, making sure to configure set dhcp-relay-ip:

    config system interface
        edit "port2"
            set vdom "root"
            set dhcp-relay-service enable
            set ip 10.1.1.5 255.255.255.0
            set allowaccess ping https ssh fabric
            set type physical
            set snmp-index 4
            set dhcp-relay-ip "192.168.20.10"
        next
    end
Configure a DHCP server and relay on an interface
A FortiGate interface can be configured to work in DHCP server mode to lease out addresses, and at the same time relay the DHCP packets to another device, such as a FortiNAC to perform device profiling.
The DHCP message is forwarded to the relay server under the following conditions:
- dhcp-relay-request-all-server is enabled
- Message type is either DHCPDISCOVER or DHCPINFORM
- Client IP address in client message is 0
- Server ID is NULL in the client message
- Server address is a broadcast address (255.255.255.255)
- Server address is 0
Configuring a DHCP server and relay on the same interface is currently only supported in the CLI.
To configure a DHCP server and relay in the CLI:
- Configure the interface:

    config system interface
        edit "port2"
            set vdom "root"
            set dhcp-relay-service enable
            set ip 10.1.1.5 255.255.255.0
            set allowaccess ping https ssh fabric
            set type physical
            set snmp-index 4
            set dhcp-relay-ip "192.168.20.10"
            set dhcp-relay-request-all-server enable
        next
    end

- Configure the DHCP server settings:

    config system dhcp server
        edit 17
            set status enable
            set dns-service default
            set default-gateway 10.1.1.5
            set netmask 255.255.255.0
            set interface "port2"
            config ip-range
                edit 1
                    set start-ip 10.1.1.6
                    set end-ip 10.1.1.254
                next
            end
        next
    end
Excluding addresses in DHCP
If the DHCP server has a large address range, you can use the config exclude-range subcommand to block a range of addresses so that they are not included in the addresses available to connecting users.
To exclude addresses in DHCP:
    config system dhcp server
        edit <id>
            config exclude-range
                edit <sequence_number>
                    set start-ip <address>
                    set end-ip <address>
                next
            end
        next
    end
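As an added example (not Fortinet's code), the following Python script reads a `config system dhcp server` block and reports fixed addresses that fall inside an ip-range and are not covered by an exclude-range: the configured default gateway plus any statically addressed hosts passed in. The function names, the `static_hosts` parameter and the sample configuration are assumptions made for the illustration, and the parser handles only the config/edit/set/next/end syntax shown on this page.

```python
import ipaddress
import shlex

KEYWORDS = {"config", "edit", "set", "unset", "next", "end"}

def parse_dhcp_servers(text):
    """Parse 'config system dhcp server' into {id: settings plus ip-range/exclude-range}."""
    toks, path, servers, i = shlex.split(text), [], {}, 0
    while i < len(toks):
        j = next((k for k in range(i + 1, len(toks)) if toks[k] in KEYWORDS), len(toks))
        kw, args = toks[i], toks[i + 1:j]  # arguments run up to the next keyword
        if kw in ("config", "edit"):
            path.append(" ".join(args))
        elif kw in ("next", "end"):
            path.pop()
        elif kw == "set" and path[:1] == ["system dhcp server"]:
            srv = servers.setdefault(path[1], {"ip-range": {}, "exclude-range": {}})
            if len(path) == 2:
                srv[args[0]] = args[1]
            elif len(path) == 4 and path[2] in ("ip-range", "exclude-range"):
                srv[path[2]].setdefault(path[3], {})[args[0]] = ipaddress.ip_address(args[1])
        i = j
    return servers

def audit(text, static_hosts=()):
    """Return (server id, address) for each fixed address the server could still lease."""
    def hit(srv, key, ip):
        return any(r["start-ip"] <= ip <= r["end-ip"] for r in srv[key].values())
    return [(sid, str(ip)) for sid, srv in parse_dhcp_servers(text).items()
            for ip in map(ipaddress.ip_address, filter(None, (srv.get("default-gateway"), *static_hosts)))
            if hit(srv, "ip-range", ip) and not hit(srv, "exclude-range", ip)]

SAMPLE = """config system dhcp server
  edit 17
    set default-gateway 10.1.1.5
    config ip-range
      edit 1
        set start-ip 10.1.1.1
        set end-ip 10.1.1.254
      next
    end
    config exclude-range
      edit 1
        set start-ip 10.1.1.10
        set end-ip 10.1.1.20
      next
    end
  next
end"""  # constructed sample, not from the page
```

Calling `audit(SAMPLE)` flags the gateway 10.1.1.5 because the constructed pool starts at 10.1.1.1 and the exclude-range does not cover it; the two server configurations shown on this page return no findings.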
Viewing information about DHCP server connections
To view information about DHCP server connections, go to Dashboard > Network and expand the DHCP monitor widget. On this page, you can also add IP addresses to the reserved IP address list.