Technical Tip: Changing FortiGate interface from DHCP server to relay mode in the GUI does not deactivate DHCP server (Known Issue)

Description

This article describes a known issue in which changing a FortiGate interface with an existing DHCP server configuration to relay mode via the GUI will result in both modes being active for that interface. This results in conflicts in which users receive DHCP leases from the FortiGate rather than the remote DHCP server.

Note: this issue impacts FortiOS v7.4 and v7.6 but not v7.2 or earlier.

Scope

FortiOS v7.4.9, v7.6.5, and all earlier.

Solution

In the FortiOS GUI, DHCP settings are configured on a per-interface basis, but in the CLI, these settings are actually stored in separate locations:

• DHCP relay is enabled/disabled in the interface entry under config system interface.

• DHCP server settings are created and then enabled/disabled under the config system dhcp server.

When changing the DHCP mode from server to relay, the expected outcome is that the FortiGate should a) make an API call to disable the corresponding entry under config system dhcp server (via /api/v2/cmdb/system.dhcp/server/<ID>) and b) enable/set dhcp-relay-service and dhcp-relay-ip for that interface under config system interface.

However, due to a GUI/API issue, the disable action does not take place, and so the DHCP server entry is still active at the same time that DHCP relay functionality has been enabled for the interface. In this situation, it is possible for the FortiGate to still hand out DHCP leases even when administrators are expecting DHCP to be relayed to the remote DHCP server.

Resolution:

This issue was identified as part of Issue #1199029 and has since been resolved as of FortiOS v7.4.10, v7.6.5, and v8.0.0 (see also: Release Notes).

Workarounds:

The following GUI and the CLI-based workarounds are available for this issue:

GUI method:

• Disable/toggle off the DHCP Server functionality on the interface, save the change, then re-edit the interface to enable it and change it to relay mode.

• This works because toggling off the DHCP server functionality on the interface results in the entry under config system dhcp server being deleted, rather than just being disabled. Re-enabling the DHCP server function in the GUI and immediately setting it to DHCP relay mode ensures that a new config entry is not created that can interfere with DHCP relay mode.

• Reminder: this issue only impacts interfaces that already had a DHCP server configuration and are being switched over to DHCP relay mode. Interfaces that did not already have DHCP servers configured are not impacted.

CLI method:

• Alternatively, navigate to config system dhcp server in the CLI, locate the entry ID that corresponds to the FortiGate interface in question, then manually add set status disable to disable the entry.

• This preserves the DHCP server entry for later usage while still disabling it so that it does not impact DHCP relay functionality, and the DHCP relay mode can be set freely from the GUI before or after this operation.

• The command show system dhcp server | grep -f <interface_name> can be useful for locating the correct DHCP server entry.

FortiGate # show system dhcp server | grep -f MyInterfaceName
config system dhcp server
    edit 19
        set dns-service local
        set default-gateway 192.168.100.1
        set netmask 255.255.255.0
        set interface "MyInterfaceName" <---
        config ip-range
            edit 1
                set start-ip 192.168.100.2
                set end-ip 192.168.100.254
            next
        end
    next
end

FortiGate # config system dhcp server
FortiGate (server) # edit 19
FortiGate (19) # set status disable
FortiGate (19) # end
FortiGate #