FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
vpalli
Staff
Staff
Description
This article describes how to configure and allow DNS name resolution to implement DHCP services.

Solution
By design, FortiGate is configured to communicate with FortiGuard NTP servers to provide time synchronization services for DHCP clients.
FortiGate will attempt to resolve the following hostnames of FortiGuard before allocating an IP address or binding a lease for DHCP clients.

ntp1.fortiguard.com/ntp1.fortinet.net
ntp2.fortiguard.com/ntp2.fortinet.net


Default NTP Configuration on FortiGate:
# config system ntp
    set ntpsync enable
    set type fortiguard   <-----
    set syncinterval 60
    set source-ip 0.0.0.0
    set source-ip6 ::
    set server-mode disable
end
DHCP Clients does not receive an IP address and/or an IP binding will not be added to the DHCP lease list when name resolution to these NTP servers is not successful.

Following log messages will be reported by FortiGate when DHCP debugs are enabled in the CLI.
#diagnose debug application dhcps -1
#diagnose debug enable
[note]DHCPDISCOVER from xx:xx:xx:xx:xx:xx via internal (ethernet)
[debug]Looking up the hostname, ntp1.fortiguard.com.
[warn]Failed to look up the hostname, ntp1.fortiguard.com.
[debug]Looking up the hostname, ntp2.fortiguard.com.
[warn]Failed to look up the hostname, ntp2.fortiguard.com.
Ensure FortiGate has reachability to DNS servers and that the hostnames are resolved successfully without any errors.

To configure a custom/internal NTP server,
# config system ntp
    set type custom
    set ntpsync enable
# config ntpserver
    edit 1
        set server <ntp-server-ip>
    next
        edit 2
            set server <other-ntp-server-ip>
        end

Contributors