Robin_Svanberg
New Member
September 26, 2018
Question

Fortigate and Bitlocker Network Unlock

Hi,

I have an issue with BitLocker Network Unlock and a FortiGate.

We have configured DHCP relays to both the DHCP server and the WDS server where the BitLocker Network Unlock role is installed, and we can see that traffic to both relays works fine.

But when the client sends the actual BitLocker boot request, the packet isn't being forwarded by the FortiGate. We can see the broadcast but nothing happens to it :( The packet looks OK, so I'm not really sure why it isn't forwarded.

Anyone running BitLocker Network Unlock with FortiGates, or have any idea why the packets aren't being forwarded?

BR Robin


    Hultis
    New Member
    January 31, 2019

    Hello,

    I have the same problem. Have you solved it?


    Robin_Svanberg
    New Member
    February 7, 2019

    Hultis wrote:

        Hello,

        I have the same problem. Have you solved it?

    We haven't solved the root cause, but we did a workaround with a multicast policy which only forwards broadcasts for UDP ports 67-68, so that we could proceed with the BitLocker Network Unlock POC.

    First, enable broadcast forwarding on the client-facing interface:

        config system interface
            edit "Clients"
                set broadcast-forward enable
            next
        end

    Then add a multicast policy that only passes UDP 67-68 broadcasts from the client interface to the server interface:

        config firewall multicast-policy
            edit 1
                set srcintf "Clients"
                set dstintf "Servers"
                set srcaddr "all"
                set dstaddr "broadcast"
                set protocol 17
                set start-port 67
                set end-port 68
            next
        end


    ndDallasDan
    New Member
    March 7, 2019

    I have the exact same issue; I've been struggling with it now for what seems like forever. I was actually planning on testing your suggestion before I found it. I did implement that change. However, what I've found is that the traffic does indeed appear on the correct network when I sniff the interface on the FortiGate (which it wasn't doing before), but when I take a packet capture on the server it isn't seeing JUST the BOOTP packet (even though it appears to be forwarded according to the FGT packet capture dump on the firewall).

    Used in conjunction with the dhcp-relay on the interface, what appears to happen is that DHCP packets are being rebroadcast in the correct (server) network, but the Microsoft DHCP server is completely ignoring them and only responding to the FortiGate ip-helper-fixed (via the dhcp-relay agent) packets; those packets are being 'fixed' by the FortiGate with a relay-ip address.

    Were you successfully able to get your WDS server to 'see' the incoming BitLocker BOOTP packet with this method? FWIW, I checked the Windows firewall rules and added an appropriate rule for ports 67-68 on the WDS server... no dice.

    It seems like the easiest solution would be for the FGT to 'fix' these packets like it does for the other DHCP packets; I'm on 5.6.7 and I can confirm it still doesn't do so. Did you ever get this to work, either through the broadcast forwarding or through another novel method?
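Added example (not code from any poster in this thread): a small Python parser for the BOOTP/DHCP header that makes the distinction ndDallasDan describes visible in a capture. A request a relay agent has handled carries the relay's address in giaddr and a non-zero hop count; a broadcast that was merely forwarded still has giaddr 0.0.0.0, which is the field a DHCP server looks at to decide how to answer. The packets, MAC address and vendor class string below are constructed test data, not captures from the thread.

```python
import struct
from ipaddress import IPv4Address

# Fixed BOOTP header (RFC 951 / RFC 2131): 236 bytes, then the DHCP magic cookie.
BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC = b"\x63\x82\x53\x63"

def parse_dhcp(payload: bytes) -> dict:
    """Return header fields and options of one DHCP/BOOTP UDP payload."""
    (op, _htype, hlen, hops, xid, _secs, flags,
     _ci, _yi, _si, gi, chaddr, _sname, _file) = BOOTP.unpack_from(payload)
    pkt = {"op": op, "hops": hops, "xid": xid,
           "broadcast_flag": bool(flags & 0x8000),   # client asks for a broadcast reply
           "giaddr": str(IPv4Address(gi)),           # relay agent address, 0.0.0.0 if none
           "chaddr": chaddr[:hlen].hex(":"), "options": {}}
    if payload[236:240] != MAGIC:
        return pkt                                    # plain BOOTP, no DHCP options
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                               # end option
            break
        if code == 0:                                 # pad
            i += 1
            continue
        length = payload[i + 1]
        pkt["options"][code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return pkt

def relay_status(payload: bytes) -> str:
    """'relayed' when a relay agent filled in giaddr, 'raw-broadcast' otherwise."""
    return "relayed" if parse_dhcp(payload)["giaddr"] != "0.0.0.0" else "raw-broadcast"

def build_discover(mac: bytes, giaddr: str = "0.0.0.0", vendor_class: bytes = b"") -> bytes:
    """Constructed DHCPDISCOVER for testing; a relayed copy gets giaddr set and hops=1."""
    relayed = giaddr != "0.0.0.0"
    hdr = BOOTP.pack(1, 1, 6, 1 if relayed else 0, 0x1234ABCD, 0, 0x8000,
                     b"\0" * 4, b"\0" * 4, b"\0" * 4, IPv4Address(giaddr).packed,
                     mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([53, 1, 1])                          # option 53: message type DISCOVER
    if vendor_class:
        opts += bytes([60, len(vendor_class)]) + vendor_class   # option 60: class id
    return hdr + MAGIC + opts + b"\xff"
```

Run `relay_status()` over the UDP payloads of both captures (the FortiGate sniff and the server-side capture) to confirm whether the copy that reaches the server is the relayed one or the raw forwarded broadcast.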