Description
This article describes how to configure and allow DNS name resolution to implement DHCP services.

Solution
By design, FortiGate is configured to communicate with FortiGuard NTP servers to provide time synchronization services for DHCP clients. FortiGate will attempt to resolve the following hostnames of FortiGuard before allocating an IP address or binding a lease for DHCP clients:

ntp1.fortiguard.com/ntp1.fortinet.net
ntp2.fortiguard.com/ntp2.fortinet.net
Default NTP Configuration on FortiGate:
# config system ntp
    set ntpsync enable
    set type fortiguard <-----
    set syncinterval 60
    set source-ip 0.0.0.0
    set source-ip6 ::
    set server-mode disable
end
When name resolution for these NTP servers fails, DHCP clients do not receive an IP address and/or an IP binding is not added to the DHCP lease list.
The following log messages are reported by FortiGate when DHCP debugs are enabled in the CLI:
[note]DHCPDISCOVER from xx:xx:xx:xx:xx:xx via internal (ethernet)
[debug]Looking up the hostname, ntp1.fortiguard.com.
[warn]Failed to look up the hostname, ntp1.fortiguard.com.
[debug]Looking up the hostname, ntp2.fortiguard.com.
[warn]Failed to look up the hostname, ntp2.fortiguard.com.
Ensure FortiGate has reachability to DNS servers and that the hostnames are resolved successfully without any errors.
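To triage a saved copy of this debug output, the following added example (not Fortinet code) groups failed NTP hostname lookups under the DHCPDISCOVER they follow, so the affected clients and interfaces can be listed. It assumes the output was saved one message per line in the format shown above; the function name and the MAC addresses in the sample are constructed for illustration.

```python
import re

# Hostnames the article says FortiGate resolves before serving a lease.
NTP_HOSTS = {"ntp1.fortiguard.com", "ntp1.fortinet.net",
             "ntp2.fortiguard.com", "ntp2.fortinet.net"}

DISCOVER = re.compile(r"\[note\]DHCPDISCOVER from (\S+) via (\S+)")
FAILED = re.compile(r"\[warn\]Failed to look up the hostname, (\S+?)\.?$")


def find_blocked_discovers(lines):
    """Return DHCPDISCOVER events that were followed by failed NTP lookups."""
    events, current = [], None
    for raw in lines:
        line = raw.strip()
        m = DISCOVER.search(line)
        if m:
            # A new DISCOVER starts a new event; later failures attach to it.
            current = {"client": m.group(1), "interface": m.group(2), "failed": []}
            events.append(current)
            continue
        m = FAILED.search(line)
        if m and current is not None and m.group(1).lower() in NTP_HOSTS:
            current["failed"].append(m.group(1).lower())
    # Keep only the requests where at least one NTP hostname failed to resolve.
    return [e for e in events if e["failed"]]


# Constructed sample: the first client hits the DNS failure, the second does not.
SAMPLE = """\
[note]DHCPDISCOVER from 02:00:00:aa:bb:01 via internal (ethernet)
[debug]Looking up the hostname, ntp1.fortiguard.com.
[warn]Failed to look up the hostname, ntp1.fortiguard.com.
[debug]Looking up the hostname, ntp2.fortiguard.com.
[warn]Failed to look up the hostname, ntp2.fortiguard.com.
[note]DHCPDISCOVER from 02:00:00:aa:bb:02 via internal (ethernet)
[debug]Looking up the hostname, ntp1.fortiguard.com.
[debug]Looking up the hostname, ntp2.fortiguard.com.
""".splitlines()

if __name__ == "__main__":
    for event in find_blocked_discovers(SAMPLE):
        print(f"{event['client']} on {event['interface']}: "
              f"unresolved {', '.join(event['failed'])}")
```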
To configure a custom/internal NTP server:

# config system ntp
    set type custom
    set ntpsync enable
    # config ntpserver
        edit 1
            set server <ntp-server-ip>
        next
        edit 2
            set server <other-ntp-server-ip>
        next
    end
end