stlblufan
New Member
August 26, 2014
Solved

On-Net / Off-Net

  • August 26, 2014
  • 17 replies
  • 57713 views
I am running 5.2 on a 60C, with FortiClient 5.2.1 on all clients, all of which are "on-net". However, on the 60C, all of the clients show up as "off-net". Is there something that I need to do in order to make them register properly?
    Best answer by rwdorman
    Quick update - After getting the suggestion earlier in this thread I setup Option 224 in my DHCP server (Windows 2012 server) to send a single valued string attribute with the serial number of the registered FortiGate and on-net/off-net works as I wanted it to. In defense of TAC: this is not a published, documented or supported method of making this work so YMMV.

    17 replies

    rwdorman
    New Member
    August 26, 2014
    Is there another L3 device between your client and your FGT? Also, do you have FCT and discovery enabled on the interface that is internal facing?
    stlblufan (Author)
    New Member
    August 27, 2014
    I do have discovery enabled, and yes, there is another L3 device between the FGT and the clients (though I have no VLANs configured). Is that the issue / is it resolvable?
    rwdorman
    New Member
    August 27, 2014
    I'm actually planning to make a feature request for this. If the FortiGate is not the default gateway/L2 domain of the client it shows up as "off net." I'd like to see them allow us to define either a list of subnets that represent "On Net" or an interface flow based setting, i.e. any traffic from the downstream interface to the outbound should be considered on net, or something like that. If someone else out there knows how to do this or I've missed something, please chime in.
    netmin
    New Member
    August 27, 2014
    We haven't tried it, but maybe a DHCP relay agent on the L3 device pointing to the FGT DHCP server works. http://docs-legacy.fortinet.com/fos50hlp/52/index.html#page/FortiOS%25205.2%2520Help/managingdevices.011.2.html
    rwdorman
    New Member
    September 3, 2014
    @netmin My issue there would be that I'd have to move my DHCP service (I think) to the FGT which I'm not keen to do. Seems that on-net/off-net is a DHCP cookie of some sort.
    Chris_Lin_FTNT
    Staff
    September 2, 2014
    The on-net/off-net feature requires a special FortiClient license. Does your 60C have a FortiClient license? It's a bug when FortiClient shows on-net but FortiGate shows off-net, though.
    netmin
    New Member
    September 3, 2014
    It was just an idea - alternatively one could capture FGT DHCP traffic and look for the DHCP option that is used along with the registered FGT serial number(s) and try to add them to the existing DHCP server.
    neonbit
    New Member
    September 19, 2014
    I'm still confused around how the whole on/off net thing works; from what I've read I believe it will only work if the FortiGate is the DHCP server for the clients. I hope I'm wrong though, as this feature will then be useless for nearly all our larger clients (since none of them want to manage their DHCP via the FGT).
    Christopher_McMullan
    Staff
    September 19, 2014
    I don't know how much this would be officially supported if you were to open a ticket on it in case of trouble, but... Here is the paragraph from the FortiClient Admin Guide for FCT 5.2 detailing the on-net/off-net determination:

        VPN auto-connect based on DHCP off-net determination

        VPN auto-connect ensures that FortiClient creates a VPN connection to the FortiGate when considered to be off-net. A site administrator, who has configured Endpoint Control on their FortiGate, may choose to enable VPN auto-connect in the Endpoint Control profile. Computer endpoints or clients in the network should use the designated DHCP server for IP address assignments. The DHCP server sends a special tag within the protocol to identify if the client is on-net or off-net. The on-net status indicates that the endpoint is within the corporate network protected by the FortiGate. When the client is off-net, FortiClient will automatically attempt to establish a VPN connection to the VPN server indicated in the FortiGate Endpoint Control configuration. When the client is on-net, no VPN connection is required.

    What I take away from this is that you could sniff the content of the tag, and if it is reproducible (i.e., a known, unchanging or predictable token), you could add it as a VCI parameter or DHCP option on another server. The check seems to be a client-side check, based on the obtained lease containing this token.
    netmin
    New Member
    September 19, 2014
    There's still a known issue in 5.2.1 (0248014) and we cannot currently convince FortiClient to display on-net status. The (directly) connected (latest) client either does not use an appropriate VCI string or the FGT simply does not provide the required information in DHCP although this functionality was enabled:

        config system dhcp server
            edit <server_index_int>
                set forticlient-on-net-status enable
            next
        end
    Christopher_McMullan
    Staff
    September 19, 2014
    Do you know the age of the FortiClient license that was applied? The issue may have to do with whether the license is specifically for 5.2, or was for FCT 5.0.
    netmin
    New Member
    September 19, 2014
    It is one of the 10 integrated licenses of our 2 fully licensed test FGTs 100D on 5.2.1.
    rwdorman
    rwdorman (Answer)
    New Member
    October 7, 2014
    Quick update - After getting the suggestion earlier in this thread I setup Option 224 in my DHCP server (Windows 2012 server) to send a single valued string attribute with the serial number of the registered FortiGate and on-net/off-net works as I wanted it to. In defense of TAC: this is not a published, documented or supported method of making this work so YMMV.
    neonbit
    New Member
    October 7, 2014
    Thanks for the info Ryan, that looks like a winner! I just tested the DHCP 224 option on my FGT running 5.2.1 without the FortiClient license (i.e. just the standard 10 freebie ones) and I can now see the Win8 computer show up as 'Registered - On-Net' when it never used to before. Unplugged the Win8 machine and it then changed to 'Offline' (took about 3 minutes to update). Connected via SSLVPN and it says 'Registered - Off-Net'. Plugged it back into the network and it's showing 'Registered - On-Net' again. Looks good so far!
    terry_jjr
    New Member
    May 4, 2015

    Hi neonbit

    Could you outline the steps you went through to get this working?

    We have a 2008R2 DHCP server and cannot use the FortiGate. We also have 2000 FortiClient licenses and would really like to get this working. I logged a ticket with TAC, but it's gone into the feature request queue.

    Any help would be appreciated.

    Thanks,

    neonbit wrote:
    Thanks for the info Ryan, that looks like a winner! I just tested the DHCP 224 option on my FGT running 5.2.1 without the FortiClient license (i.e. just the standard 10 freebie ones) and I can now see the Win8 computer show up as 'Registered - On-Net' when it never used to before. Unplugged the Win8 machine and it then changed to 'Offline' (took about 3 minutes to update). Connected via SSLVPN and it says 'Registered - Off-Net'. Plugged it back into the network and it's showing 'Registered - On-Net' again. Looks good so far!

    jodros
    New Member
    May 4, 2015

    Hey Terry, I got this working with DHCP server running on 2008R2. You need to get the serial number that all of the FortiClients are registered to and encode it as ASCII hex. For instance, if you had this serial number "FWF60D123456789" it would be this in ASCII hex "465746363044313233343536373839". You would put this value in option 224 on the DHCP scope or at the server level if you want it on all scopes. Let me know if you need more assistance.
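    An added example, not from this thread or from Fortinet, that ties jodros' encoding and the Admin Guide excerpt above together: it converts a serial number to the ASCII-hex value pasted into the DHCP console, builds a constructed DHCP options field carrying that serial in option 224, and applies the client-side lease check the guide describes. The option number 224 and the serial FWF60D123456789 come from the thread; the helper names and packet layout are my own assumptions about a minimal RFC 2132 options field.

```python
# Added example (not Fortinet code): DHCP option 224 on-net token, as described in the thread.
from typing import Dict, Optional

ON_NET_OPTION = 224          # private-use option number the thread uses for the FGT serial
DHCP_MESSAGE_TYPE = 53       # standard option, included so the options field looks realistic
END_OPTION, PAD_OPTION = 255, 0


def encode_serial_option(serial: str) -> str:
    """ASCII-hex form of the serial, i.e. what is typed into the Windows DHCP console."""
    return serial.encode("ascii").hex().upper()


def decode_serial_option(hex_value: str) -> str:
    """Reverse of encode_serial_option, for checking a value copied from a DHCP scope."""
    return bytes.fromhex(hex_value).decode("ascii")


def build_options(serial: Optional[str]) -> bytes:
    """Constructed DHCP options field: [53 len 5 (DHCPACK)] [224 len serial]? [255]."""
    opts = bytes([DHCP_MESSAGE_TYPE, 1, 5])
    if serial is not None:
        payload = serial.encode("ascii")
        opts += bytes([ON_NET_OPTION, len(payload)]) + payload
    return opts + bytes([END_OPTION])


def parse_options(data: bytes) -> Dict[int, bytes]:
    """Minimal TLV walk of a DHCP options field (RFC 2132 layout), stopping at 255."""
    result: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == END_OPTION:
            break
        if code == PAD_OPTION:          # single-byte pad, no length field
            i += 1
            continue
        length = data[i + 1]
        result[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return result


def on_net_status(options: bytes, registered_serial: str) -> str:
    """On-Net only if option 224 in the lease exactly matches the FGT the client registered to.

    Caveat for defenders: the token is a static value carried in a plain DHCP lease, so the
    result tells you which DHCP server answered, not that the host is physically on the LAN.
    """
    token = parse_options(options).get(ON_NET_OPTION)
    if token is not None and token.decode("ascii", "replace") == registered_serial:
        return "On-Net"
    return "Off-Net"
```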

    rocampo
    New Member
    April 8, 2015

    Should the string be in Hexadecimal?