Administration Guide

Rogue DHCP server detection

Rogue DHCP Detection monitors the operation of approved DHCP servers and detects rogue DHCP servers on the network. This feature uses a dedicated interface on the FortiNAC appliance. It defines a scheduled task that searches specific VLANs and discovers all active entities serving IP addresses. When the Rogue DHCP Detection task runs, it switches the port designated as the System DHCP Port to each of the designated VLANs in turn. For each VLAN, the port admin state is set to down and then back to up after the port has been configured with the new VLAN ID. The task compares the discovered DHCP servers against the list of authorized DHCP servers and triggers the corresponding events when there is no match. These are suspected unauthorized DHCP servers and are managed according to the alarms that are mapped to the events.

Implementation
  • To perform Rogue DHCP Server Detection with FortiNAC, a dedicated network interface is required. Installation of an additional Network Card may be required.
  • The interface on the FortiNAC appliance used for Rogue DHCP Server Detection must be configured with an IP address. This should be an unused IP address from an unused subnet on your network. Configure the IP address through the CLI by modifying the vlanInterfaces file in /bsc/siteConfiguration. If you are unfamiliar with this file, contact Customer Support for assistance.
  • The interface on the FortiNAC appliance used for Rogue DHCP Server Detection must be configured in FortiNAC.
  • The Authorized DHCP Servers must be added to the Authorized DHCP Servers group.
  • The DHCP Port must be indicated in the System DHCP Port group.
  • Polling VLANs for Rogue DHCP servers must be scheduled.

    Note

    If IP Helper is being utilized on the network, an additional configuration step is required to make FortiNAC aware of the Authorized DHCP Servers.

Rogue DHCP events and alarms

Event

Definition

Rogue Host DHCP Server (Application)

A host is serving IP addresses (i.e., a DHCP response was seen from a host).

Rogue Device DHCP Server (Application)

A device is serving IP addresses.

These events can be mapped to alarms. Alarms can be set to notify an administrator when they are triggered. Alarms can also be viewed on the Alarms Panel in the dashboard. For more information on events and alarms, e-mail notifications, SMS notifications, and how to map events to alarms see Map events to alarms.

Configure an IP address for a new interface

Note

To modify an IP address for the eth0 or eth1 interface, use the Configuration Wizard.

To add an IP to an interface (other than the eth0 and eth1 interface), add an entry to the appropriate interface in the vlanInterfaces file and run the network restart command as follows:

  1. Access the CLI on the FortiNAC Server or Application Server.
  2. Navigate to the siteConfiguration directory.

    cd /bsc/siteConfiguration

  3. Edit the vlanInterfaces file.
  4. Add the new IP address to the appropriate interface. The following example adds IPADDR_1 to eth2:

    ifcfg-eth2|IPADDR='188.11.32.2',NETMASK='255.255.255.0',STARTMODE='onboot',BOOTPROTO='static',IPADDR_1='188.11.32.3',NETMASK_1='255.255.255.0',LABEL_1='1'

  5. Run the following command(s).

    service bsc-network start

    service network restart
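The following added Python example (not FortiNAC code) parses entries in the vlanInterfaces format shown above, checks a proposed address before it is added, and builds the updated entry with the next free IPADDR_n/NETMASK_n/LABEL_n alias. The file contents are constructed, and the function names (parse_entry, networks_containing, add_alias) and the assumption that the line format is exactly `ifcfg-ethX|KEY='value',...` are mine, not the product's.

```python
"""Added example (not FortiNAC code): parse entries in the vlanInterfaces format
shown above, check a proposed address before adding it, and build the updated
entry. File contents are constructed; the line format follows the guide's
example and its exact semantics are an assumption."""
import ipaddress
import re

ENTRY_RE = re.compile(r"^(?P<iface>ifcfg-\w+)\|(?P<body>.*)$")
KV_RE = re.compile(r"\s*(\w+)='([^']*)'\s*")


def parse_entry(line):
    """Split "ifcfg-eth2|KEY='v',KEY='v',..." into (iface, ordered settings dict)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a vlanInterfaces entry: {line!r}")
    settings = {}
    for chunk in m.group("body").split(","):
        kv = KV_RE.fullmatch(chunk)
        if kv:  # tolerate stray whitespace around values, as in the guide's sample
            settings[kv.group(1)] = kv.group(2).strip()
    return m.group("iface"), settings


def entries(lines):
    """Yield (iface, settings) for every non-blank, non-comment line."""
    for line in lines:
        if line.strip() and not line.lstrip().startswith("#"):
            yield parse_entry(line)


def configured_networks(settings):
    """Networks an entry carries: IPADDR/NETMASK plus each IPADDR_n/NETMASK_n alias."""
    for key, value in settings.items():
        if key.startswith("IPADDR"):
            mask = settings.get("NETMASK" + key[len("IPADDR"):])
            if mask:
                yield ipaddress.ip_interface(f"{value}/{mask}").network


def networks_containing(lines, ip):
    """Already-configured subnets (on any interface) that contain ip.
    The guide asks for an address from an unused subnet, so a non-empty
    result deserves a second look before the address is committed."""
    target = ipaddress.ip_address(ip)
    return [(iface, str(net)) for iface, s in entries(lines)
            for net in configured_networks(s) if target in net]


def add_alias(lines, iface, new_ip, new_mask):
    """Return a copy of the file with new_ip appended to iface as its next
    IPADDR_n/NETMASK_n/LABEL_n alias. Refuses an address already assigned
    anywhere in the file and an interface that has no entry."""
    for _, s in entries(lines):
        if new_ip in (v for k, v in s.items() if k.startswith("IPADDR")):
            raise ValueError(f"{new_ip} is already assigned in vlanInterfaces")
    out, found = [], False
    for line in lines:
        if line.strip() and not line.lstrip().startswith("#"):
            name, s = parse_entry(line)
            if name == iface:
                n = 1
                while f"IPADDR_{n}" in s:
                    n += 1
                s[f"IPADDR_{n}"], s[f"NETMASK_{n}"], s[f"LABEL_{n}"] = new_ip, new_mask, str(n)
                line, found = f"{name}|" + ",".join(f"{k}='{v}'" for k, v in s.items()), True
        out.append(line)
    if not found:
        raise ValueError(f"no vlanInterfaces entry for {iface}")
    return out


# constructed file: the guide's eth2 entry before IPADDR_1 was added
SAMPLE_FILE = [
    "# constructed sample, not a real appliance file",
    "ifcfg-eth2|IPADDR='188.11.32.2',NETMASK='255.255.255.0',STARTMODE='onboot',BOOTPROTO='static'",
]

if __name__ == "__main__":
    print(networks_containing(SAMPLE_FILE, "188.11.32.3"))  # [('ifcfg-eth2', '188.11.32.0/24')]
    for line in add_alias(SAMPLE_FILE, "ifcfg-eth2", "188.11.32.3", "255.255.255.0"):
        print(line)
```

Running it against the guide's own entry reproduces the IPADDR_1 line shown in step 4; run the real file through networks_containing first if you want to confirm the chosen detection address is outside every subnet the appliance already uses.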

Server detection configuration

Rogue DHCP Server Detection Configuration allows you to indicate which interface on the appliance is used for scanning VLANs. The interface used varies depending on the configuration of your FortiNAC environment.

All FortiNAC appliances

The eth0 interface is always used for management and cannot be used for rogue DHCP detection.

FortiNAC Server

On a FortiNAC Server, eth1 is typically used for the captive portal, leaving eth2 for Rogue DHCP Server Detection.

FortiNAC Control Server/Application Server Pair

On a FortiNAC Application Server and FortiNAC Control Server pair, the captive portal is typically on eth1 on the Application Server. You could use eth1 on the Control Server for Rogue DHCP Server Detection. You may need to add a network card to your server to provide an interface for Rogue DHCP Server Detection.

Once you have determined the interface to use for Rogue DHCP Server Detection, it must be configured with an IP address. The IP address should be an unused address from an unused subnet on your network. To configure the IP address go to the CLI on the server and modify the vlanInterfaces file in /bsc/siteConfiguration. When the interface has been configured, enter it on this view.

Note

If you are using Rogue DHCP Server Detection in a high availability environment, both the primary and secondary servers must have the same Interface setting. In addition, the ports to which the Interfaces connect must be added to the System DHCP Port group. See Modify a group for details.

In the event of a failover, it is important that these fields are set up correctly or DHCP monitoring will not run.

Settings

Field

Definition

Interface

Ethernet interface used by the FortiNAC appliance for Rogue DHCP Server Configuration, such as eth2.

Authorized DHCP Servers

Device group containing the list of servers that are authorized to serve DHCP. The Authorized DHCP Servers group can be modified here or on the Groups View.

System DHCP Ports

Port group containing the port where the FortiNAC interface is connected to the network. The System DHCP Ports group can be modified here or on the Groups View.

VLANs To Scan For Rogue DHCP Servers

ID and Name of the VLANs that should be scanned for Rogue DHCP servers.

If a VLAN is not entered in the list, it is not scanned for Rogue DHCP servers. Only the VLANs entered here are scanned.

Schedule DHCP Server Verification

Use a scheduled task to set the poll interval and scheduled time to poll the selected VLANs for rogue DHCP servers.

Configure server detection
  1. Click System > Settings.
  2. Expand the Identification folder.
  3. Select Rogue DHCP Server Detection from the tree.
  4. In the Interface field enter the Ethernet interface used by the FortiNAC appliance for Rogue DHCP Server Configuration.
  5. Click Modify next to Authorized DHCP Servers to add the servers that are allowed to serve DHCP into the Authorized DHCP Server group.
  6. On the Modify Group dialog click the Container where the servers are located to expand the list. Mark each server with a check mark and click the right arrow in the center of the screen to move the selected servers to the Selected Members column.
  7. Click OK to save the changes to the group.
  8. Click Modify next to System DHCP Ports to update the System DHCP Ports group with the port where the FortiNAC interface is connected to the network.
  9. On the Modify Group dialog click the Container where the switch is located.
  10. Click the switch where the FortiNAC Rogue DHCP Detection Server interface is connected. A list of the ports on the selected switch appears below the switch.

    Note

    Select the switch and port where the FortiNAC network card is connected, such as eth1 or eth2. This is the connection that will handle the scanning for Rogue DHCP Servers. Do NOT select the DHCP Server itself or the port the DHCP Server is connected to. Do NOT select the switch or port where the FortiNAC eth0 network card is connected.

  11. Select the Port where the Rogue DHCP Detection server is connected and click the right arrow to move the port to the Selected Members column.
  12. Click OK to save the changes to the group.
  13. In the VLANs To Scan For Rogue DHCP Servers section, click Add.
  14. In the Add dialog enter the ID and Name of the VLANs that should be scanned for Rogue DHCP servers and click OK.

    Note

    If a VLAN is not entered in the list, it is not scanned for Rogue DHCP servers. Only the VLANs entered here are scanned.

  15. Click Save Settings.
Schedule DHCP server verification

Use the Schedule option to set the poll interval and scheduled time to poll the selected VLANs for rogue DHCP servers.

  1. Click System > Settings.
  2. Expand the Identification folder.
  3. Select Rogue DHCP Server Detection from the tree.
  4. Click Modify Schedule.
  5. Select the Enabled check box.
  6. Enter a name for the task in the Name field.
  7. The Description field is optional. Enter a description of the task.
  8. Action type and Action are pre-configured based on the task and cannot be modified.
  9. From the Schedule Type drop-down list, select either Fixed Day or Repetitive and set the day and time that the task is to be performed.
  10. A Fixed Day Task is one in which you schedule a task to run on a combination of days of the week and times of the day, such as Mondays at 1:00 pm and Fridays at 10:00 am. Select the day(s) and time to run the task.
    1. Click the box next to the day(s) to select the day.
    2. Click the down arrows and select the hour, minutes, and AM or PM from the drop-down list for each day.
    3. To enter days/times more quickly, select Set Multiple Days to set multiple days with the same time.
    4. To remove all settings, click Clear All.
  11. A Repetitive Task is one that you schedule to start on a given day, at a certain time, for the number of times you specify, such as every 10 days starting today. The repetition rate can be set to any number of minutes, hours, or days.

    1. Enter the Repetition Rate using whole numbers.

      Note

      A repetition rate of zero causes the task to run only once.

    2. Click the down arrow and select Minutes, Hours, or Days from the drop-down list.
    3. Enter the date and time for the task to run in the Next Scheduled Time field using the format MM/DD/YY hh:mm AM/PM Time Zone.

      Note

      The new Repetition Rate does not take effect immediately. It starts the next time the scheduled task runs. For the new Repetition Rate to take effect immediately, click Update.

    4. Click Update to update the Next Scheduled Time field or change the Repetition Rate.
  12. Click OK.
  13. Click Save Settings.
Schedule settings

Field

Definition

Remove local backups older than

Number of days for which you would like to keep backups. Anything older than the number of days entered is removed the next time the scheduled task for backups runs. This setting removes backup files created on the FortiNAC server before they are copied to the remote server. Backups on the remote server are not removed.

The timing of the scheduled backup task and the age of the files that are to be removed must be thought out carefully or you will remove all of your backups. For example, if the remove option is set to 5 days and your backup task runs every 15 days, you may inadvertently remove all of your backups. However, if the remove option is set to 15 days and the backup task runs every 5 days, then you would always have backup files.

Status

Indicates whether the task is enabled or disabled.

Schedule Interval

How often the scheduled task runs.

Next Scheduled Time

The next date and time the scheduled synchronization task will run. Entered in the format MM/DD/YY HH:MM AM/PM.

Modify Schedule

Allows you to modify the scheduled activity.

Run Now

Runs the scheduled task immediately.

Rogue DHCP server detection with IP helper

When IP Helper is in use, an IP address for the Authorized DHCP Server is returned to FortiNAC for each VLAN. This IP address has a MAC address associated with it. FortiNAC compares the IP address it receives with the list of valid Authorized DHCP Server IP addresses. If the FortiNAC list does not contain the IP and the related MAC address, it does not recognize the DHCP Server as authorized.

The following procedure must be completed to enable FortiNAC to recognize the returned Authorized DHCP Server IP addresses as valid.

  1. Create a Pingable model in the Topology for each IP Helper Address.
    1. In the Topology, click the container where devices are located.
    2. Right-click and select Add Pingable Device.
    3. Enter the Device Name, IP address, Protocol (set to Pingable), and select the Device Type of Pingable.
    4. Click Apply.
  2. Ensure that the Pingable model has a MAC address.
    1. Click the Pingable model in the Topology to select it.
    2. Right-click and select Properties.
    3. Enter the MAC address associated with the IP address.
    4. Click Apply.
    5. Close the Device Properties window.
  3. Place the Pingable model in the Authorized DHCP Server group.
    1. Select System > Groups.
    2. Click the Authorized DHCP Servers group to select it.
    3. Right-click and select Modify.
    4. Click the container where the Pingable models were created. A list of the devices in the container is displayed below the container.
    5. Click the Pingable model(s) to mark them with a check mark.
    6. Click the right arrow to move your selections to the Selected Members column.
    7. Click OK.
    8. Select System > Groups and click Show Members and verify that all the pingable models are listed.
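To show the comparison the detection task performs (the overview at the top of this page) and why an IP Helper address needs its own entry carrying the associated MAC (this section), here is an added Python example; it is not FortiNAC code. The responder records, addresses and MACs are constructed, and the rule that an unauthorized sender FortiNAC knows as a host raises the Host event while anything else raises the Device event is my assumption about how the two events are split.

```python
"""Added example (not FortiNAC code): the authorized-vs-rogue comparison
described on this page. Authorized entries are (IP, MAC) pairs, so an answer
that carries an authorized IP but arrives from a different MAC (the relayed
IP Helper case) is flagged until a matching entry exists. Sample data and the
host/device split are constructed assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DhcpResponder:
    """A DHCP server seen answering on a scanned VLAN (IP and MAC of the sender)."""
    vlan_id: int
    ip: str
    mac: str


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated MAC so group lookups are not
    defeated by formatting differences (AA-BB-CC-... vs aa:bb:cc:...)."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def classify_responders(responders, authorized, known_hosts):
    """Return one (event, vlan, ip, mac) tuple per unauthorized responder.

    authorized  - set of (ip, mac) pairs: the Authorized DHCP Servers group
    known_hosts - set of MACs FortiNAC knows as hosts; any other sender is
                  treated as a device (assumption about the two event types)
    """
    auth = {(ip, normalize_mac(mac)) for ip, mac in authorized}
    hosts = {normalize_mac(m) for m in known_hosts}
    events = []
    for r in responders:
        mac = normalize_mac(r.mac)
        if (r.ip, mac) in auth:
            continue  # both the IP and the related MAC match an authorized entry
        kind = "Rogue Host DHCP Server" if mac in hosts else "Rogue Device DHCP Server"
        events.append((kind, r.vlan_id, r.ip, mac))
    return events


# --- constructed sample data ---------------------------------------------
AUTHORIZED = {("10.0.0.10", "00:11:22:33:44:55")}           # the real DHCP server
RELAY_MAC = "aa:bb:cc:dd:ee:01"                             # router SVI doing IP Helper
SEEN = [
    DhcpResponder(10, "10.0.0.10", "00-11-22-33-44-55"),    # direct answer: authorized
    DhcpResponder(20, "10.0.0.10", RELAY_MAC),              # authorized IP, relayed MAC
    DhcpResponder(30, "192.168.1.1", "de:ad:be:ef:00:01"),  # unknown device answering
    DhcpResponder(30, "192.168.1.2", "de:ad:be:ef:00:02"),  # a known host answering
]
KNOWN_HOSTS = {"de:ad:be:ef:00:02"}


def without_helper_model():
    """Events raised before a Pingable model for the helper address exists."""
    return classify_responders(SEEN, AUTHORIZED, KNOWN_HOSTS)


def with_helper_model():
    """Events raised once the Pingable model (IP plus its MAC) is in the group."""
    return classify_responders(SEEN, AUTHORIZED | {("10.0.0.10", RELAY_MAC)}, KNOWN_HOSTS)


if __name__ == "__main__":
    for ev in without_helper_model():
        print("before:", ev)
    for ev in with_helper_model():
        print("after: ", ev)
```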
