Administration Guide

Additional DHCP options

The FortiGate can be used to provide additional DHCP options that can be useful for different scenarios.

A few of the options are explained below:

To configure the DHCP options in the GUI:
  1. Go to Network > Interfaces, click Create New or Edit the existing interface.

  2. Enable DHCP Server.

  3. Expand the Advanced section and select Create New under Additional DHCP options.

  4. Select a predefined Option code from the list or select Specify to enter a custom Option code.

  5. Configure the rest of the parameters as required and click OK to save the options.

  6. Click OK to save the setting.

To configure the DHCP options in the CLI:
config system dhcp server
    edit <id>
        config options
            edit <integer>
                set code <integer>
                set type {hex | string | ip | fqdn}
                set value <string>
            next
        end
    next
end

code <integer>

DHCP client option code (0 - 255, default = 0). See Dynamic Host Configuration Protocol (DHCP) and Bootstrap Protocol (BOOTP) Parameters for a list of possible options.

type {hex | string | ip | fqdn}

DHCP server option type (default = hex).

value <string>

DHCP server option value.

ip <ip address>

DHCP server option IP address. This option is only available when type is ip.

Example

To configure option 252 with value http://192.168.1.1/wpad.dat:
config system dhcp server
    edit <id>
        config options
            edit <id>
                set code 252
                set type hex
                set value 687474703a2f2f3139322e3136382e312e312f777061642e646174
            next
        end
    next
end
Note

In the example above, 687474703a2f2f3139322e3136382e312e312f777061642e646174 is the hexadecimal equivalent of the ASCII text http://192.168.1.1/wpad.dat.
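The following is an added example, not Fortinet's code, showing how the hex value used with set type hex is derived from the text, how to decode one back for checking, and what the option looks like on the wire once a client receives it (RFC 2132 code/length/data). How the FortiGate itself serialises the string and ip types is not stated on this page, so the example assumes the standard RFC 2132 encodings (raw ASCII for a string, four raw octets for an address); the fqdn type is left out for that reason. The helper names are the example's own.

```python
# Added example (not Fortinet's code): produce the hex value the FortiGate CLI
# expects for `set type hex`, decode one back for checking, and build the
# RFC 2132 code/length/data encoding of the option as a client receives it,
# with the 0-255 code range and 255-byte data limit enforced.
import ipaddress


def to_hex_option_value(text: str) -> str:
    """ASCII text -> lowercase hex string, the form used with `set type hex`."""
    return text.encode("ascii").hex()


def from_hex_option_value(hex_value: str) -> str:
    """Reverse of to_hex_option_value; raises ValueError on malformed hex."""
    return bytes.fromhex(hex_value).decode("ascii")


def ip_option_value(ip: str) -> str:
    """Dotted IPv4 -> 8 hex characters (the four raw octets), for options whose
    data is an address rather than text."""
    return ipaddress.IPv4Address(ip).packed.hex()


def encode_dhcp_option(code: int, payload: bytes) -> bytes:
    """RFC 2132 TLV: one octet code, one octet length, then the data.
    Codes 0 (pad) and 255 (end) carry no length or data, so they are rejected here."""
    if not 0 <= code <= 255:
        raise ValueError(f"option code out of range: {code}")
    if code in (0, 255):
        raise ValueError("pad/end are single-octet markers, not TLV options")
    if len(payload) > 255:
        raise ValueError("data longer than 255 bytes; split per RFC 3396")
    return bytes([code, len(payload)]) + payload


def option_from_cli(code: int, type_: str, value: str) -> bytes:
    """Turn a FortiGate `config options` entry into wire bytes.
    Assumption for this example: string -> raw ASCII, ip -> four octets, hex -> as given.
    The fqdn type is not modelled because its encoding is not specified on the page."""
    if type_ == "hex":
        payload = bytes.fromhex(value)
    elif type_ == "string":
        payload = value.encode("ascii")
    elif type_ == "ip":
        payload = bytes.fromhex(ip_option_value(value))
    else:
        raise ValueError(f"unsupported type for this example: {type_}")
    return encode_dhcp_option(code, payload)


if __name__ == "__main__":
    wpad_hex = to_hex_option_value("http://192.168.1.1/wpad.dat")
    print(wpad_hex)                       # the value used in the CLI example above
    print(from_hex_option_value(wpad_hex))
    print(option_from_cli(252, "hex", wpad_hex).hex(" "))
```

Clients that honour option 252 fetch their proxy configuration from whatever URL the server hands out, so decoding the configured hex back to text with from_hex_option_value before committing it is a cheap check that a typo has not pointed clients at an unintended host; the wire form from option_from_cli is what to compare against in a packet capture of the DHCPOFFER.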

Option 82

The DHCP relay agent information option (option 82 in RFC 3046) helps protect the FortiGate against attacks such as spoofing (forging) of IP addresses and MAC addresses, and DHCP IP address starvation.

This option is disabled by default. However, when dhcp-relay-service is enabled, dhcp-relay-agent-option becomes enabled.

To configure the DHCP relay agent option:
config system interface
    edit <interface>
        set vdom root
        set dhcp-relay-service enable
        set dhcp-relay-ip <ip>
        set dhcp-relay-agent-option enable
        set vlanid <id>
    next
end

See IP address assignment with relay agent information option for an example.
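The following is an added example, not Fortinet's code, illustrating what option 82 contributes to the protections described above: it decodes the relay agent information option (RFC 3046 sub-options 1, Agent Circuit ID, and 2, Agent Remote ID) from a relayed request, checks the circuit ID against the ports a network expects, and attributes address requests to a circuit rather than to the client MAC, which is what makes starvation through forged MACs visible. Circuit IDs, remote IDs, MAC addresses and the allow list are constructed sample values; circuit ID formats are vendor-specific, and the threshold is an assumption.

```python
# Added example (not Fortinet's code): decode the DHCP relay agent information
# option (option 82, RFC 3046), validate the circuit it reports, and count
# distinct client MACs per circuit to surface address-starvation attempts.
# All identifiers below are constructed for the example.
from collections import defaultdict

SUBOPT_CIRCUIT_ID = 1   # RFC 3046 section 3.1
SUBOPT_REMOTE_ID = 2    # RFC 3046 section 3.2


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Value of option 82 as a relay would insert it (used here to build sample input)."""
    return (bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id)


def parse_option82(value: bytes) -> dict:
    """Split the option 82 value into {sub-option code: bytes}; raises on truncation."""
    subs = {}
    i = 0
    while i < len(value):
        if i + 2 > len(value):
            raise ValueError("truncated sub-option header")
        code, length = value[i], value[i + 1]
        data = value[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"sub-option {code} claims {length} bytes, only {len(data)} present")
        subs[code] = data
        i += 2 + length
    return subs


def check_relay_info(value, allowed_circuits: set) -> str:
    """Classify a relayed request by its option 82 content:
    'ok', 'no-option-82', 'no-circuit-id' or 'unknown-circuit'."""
    if value is None:
        return "no-option-82"
    subs = parse_option82(value)
    circuit = subs.get(SUBOPT_CIRCUIT_ID)
    if circuit is None:
        return "no-circuit-id"
    if circuit not in allowed_circuits:
        return "unknown-circuit"
    return "ok"


def starved_circuits(requests, threshold: int) -> dict:
    """requests: iterable of (circuit_id, client_mac) seen in DISCOVER/REQUEST messages.
    Returns {circuit: distinct MAC count} for circuits at or above the threshold. One
    access port normally carries a handful of clients, so dozens of MACs behind a single
    circuit is the starvation pattern; because the relay, not the client, writes the
    circuit ID, forging the MAC does not spread the requests across circuits."""
    macs = defaultdict(set)
    for circuit, mac in requests:
        macs[circuit].add(mac)
    return {c: len(m) for c, m in macs.items() if len(m) >= threshold}


if __name__ == "__main__":
    sample = build_option82(b"vlan10/port3", bytes.fromhex("001122334455"))  # constructed
    print(parse_option82(sample))
    print(check_relay_info(sample, {b"vlan10/port3", b"vlan10/port4"}))
```

A server that rejects requests classified as unknown-circuit, and logs the ones without option 82 at all, only gets that benefit if the relay path is trusted end to end, so the relay interface should be the only place option 82 can be inserted and untrusted ports should not be able to inject it.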

Option 77

This option can be used for User Class information (UCI) matching. When enabled, only DHCP requests with a matching UCI are served with the specified range.

To configure UCI matching:
config system dhcp server
    edit <id>
        config ip-range
            edit <id>
                set uci-match {enable | disable}
                set uci-string <string>
            next
        end
        config options
            edit <id>
                set uci-match {enable | disable}
                set uci-string <string>
            next
        end
    next
end

uci-match {enable | disable}

Enable/disable User Class information (UCI) matching for option 77.

uci-string <string>

Enter one or more UCI strings in quotation marks separated by spaces.
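The following is an added example, not Fortinet's code, modelling the rule described for option 77: a range with uci-match enabled serves only requests whose user class matches one of its uci-string values, while a range with uci-match disabled serves any request. It parses a uci-string value in the quoted, space-separated form described above, decodes the client's option 77 data (RFC 3004 length-prefixed items, with a fallback for clients that send a single bare string), and picks the first range whose rule admits the request. The page does not state the exact comparison the FortiGate performs, so exact matching against any configured string is an assumption, and the ranges and packets are constructed.

```python
# Added example (not Fortinet's code): user class (option 77) matching for
# DHCP range selection, as described for `set uci-match` / `set uci-string`.
# Exact-match semantics and the sample data are assumptions for the example.
import shlex
from typing import List, Optional


def parse_uci_config(line: str) -> List[str]:
    """'"corp-laptop" "corp-desktop"' -> ['corp-laptop', 'corp-desktop']
    (quoted strings separated by spaces, as the CLI help describes)."""
    return shlex.split(line)


def decode_user_class(value: bytes) -> List[str]:
    """Option 77 data -> list of class strings.
    RFC 3004 encodes a sequence of length-prefixed items; some clients send a
    single bare string instead, so fall back to that when the prefixed walk
    does not consume the value exactly."""
    items, i = [], 0
    while i < len(value):
        n = value[i]
        if n == 0 or i + 1 + n > len(value):
            break
        items.append(value[i + 1:i + 1 + n])
        i += 1 + n
    if i != len(value) or not items:
        return [value.decode("ascii", "replace")]
    return [it.decode("ascii", "replace") for it in items]


def range_serves_request(uci_match: bool, uci_strings: List[str],
                         option77: Optional[bytes]) -> bool:
    """With uci-match disabled every request qualifies for the range; with it
    enabled only a request carrying a matching user class does."""
    if not uci_match:
        return True
    if option77 is None:
        return False
    return any(cls in uci_strings for cls in decode_user_class(option77))


def select_range(ranges: List[dict], option77: Optional[bytes]) -> Optional[str]:
    """ranges: dicts {'name', 'uci_match', 'uci_strings'} in configured order.
    Returns the name of the first range whose UCI rule admits the request, or None."""
    for r in ranges:
        if range_serves_request(r["uci_match"], r["uci_strings"], option77):
            return r["name"]
    return None


if __name__ == "__main__":
    # Constructed configuration: a UCI-gated range first, an open range after it.
    ranges = [
        {"name": "corp", "uci_match": True,
         "uci_strings": parse_uci_config('"corp-laptop" "corp-desktop"')},
        {"name": "default", "uci_match": False, "uci_strings": []},
    ]
    print(select_range(ranges, b"corp-desktop"))      # bare-string client
    print(select_range(ranges, b"\x05guest"))         # RFC 3004 encoded client
    print(select_range(ranges, None))                 # no option 77 at all
```

The user class is asserted by the client, so this is a convenience for steering known device groups into a range, not an access control: anything that can set its own option 77 can claim any class, and the gated range should still be protected by whatever the network enforces on the resulting addresses.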
