spatni
Staff
Description
This article explains how to use DHCP option 82 (the DHCP relay information option) in IP address assignment rules.
It can help protect the FortiGate against attacks such as spoofing (or forging) of IP and MAC addresses, and DHCP IP address starvation.


Solution
The following CLI variables are added to or modified in the config system dhcp server > config reserved-address command:

CLI Variable:


To create an IP address assignment rule using option 82 in the GUI:

1) On the FortiGate, go to: Network -> Interfaces

2) Edit an existing port, or create a new one.
3) Ensure that the Role is either LAN or Undefined.
4) Enable DHCP Server.
5) Configure address ranges and other settings as needed.



6) In the IP Address Assignment Rules table, click 'Create New'. The Create New IP Address Assignment Rule pane opens.
7) For the Type, select DHCP Relay Agent.


8) Enter the Circuit ID, Remote ID, and the IP address that will be reserved.
9) Click 'OK' to create the rule.


To create an IP address assignment rule using option 82 with the CLI:
config system dhcp server
    edit 1
        set netmask 255.255.255.0
        set interface "port4"
        config ip-range
            edit 1
                set start-ip 100.100.100.1
                set end-ip 100.100.100.99
            next
            edit 2
                set start-ip 100.100.100.101
                set end-ip 100.100.100.254
            next
        end
        config reserved-address
            edit 1
                set type option82
                set ip 100.100.100.12
                set circuit-id-type hex
                set circuit-id "00010102"
                set remote-id-type hex
                set remote-id "704ca5e477d6"
            next
        end
    next
end
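
The circuit-id and remote-id strings in the rule must match what the relay agent actually inserts. The following is an added example, not part of the original article or Fortinet's code: it parses the option 82 sub-options (RFC 3046) out of a captured DHCP options field and renders them in the syntax of the rule above. The function names are hypothetical and the sample bytes are constructed to match the values in the CLI example.

```python
# Added example: turn a captured DHCP options field into the hex values used
# by "config reserved-address". Function names here are hypothetical.
OPT_PAD, OPT_RELAY_INFO, OPT_END = 0, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2  # RFC 3046 sub-option codes

# Constructed sample: option 53 (DHCPREQUEST), option 82 carrying the
# circuit-id and remote-id from the CLI example above, then the end option.
SAMPLE_OPTIONS = bytes.fromhex("350103" "520e" "010400010102" "0206704ca5e477d6" "ff")


def walk(buf, dhcp_level):
    """Yield (code, value) pairs; pad/end handling applies only at DHCP level."""
    i = 0
    while i < len(buf):
        code = buf[i]
        if dhcp_level and code == OPT_PAD:
            i += 1
            continue
        if dhcp_level and code == OPT_END:
            return
        if i + 2 > len(buf):
            raise ValueError(f"option {code}: missing length byte")
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: declared {length} bytes, got {len(value)}")
        yield code, value
        i += 2 + length


def parse_option82(options):
    """Return circuit-id/remote-id as lowercase hex, or None if option 82 is absent."""
    for code, value in walk(options, dhcp_level=True):
        if code == OPT_RELAY_INFO:
            subs = dict(walk(value, dhcp_level=False))
            return {"circuit-id": subs.get(SUB_CIRCUIT_ID, b"").hex(),
                    "remote-id": subs.get(SUB_REMOTE_ID, b"").hex()}
    return None


def reserved_address_lines(ids, ip):
    """Render the settings in the same syntax as the CLI example above."""
    lines = ["set type option82", f"set ip {ip}"]
    for key in ("circuit-id", "remote-id"):
        lines += [f"set {key}-type hex", f'set {key} "{ids[key]}"']
    return lines


if __name__ == "__main__":
    print("\n".join(reserved_address_lines(parse_option82(SAMPLE_OPTIONS), "100.100.100.12")))
```

A request without option 82 returns None, and a truncated option raises ValueError rather than yielding a partial identifier.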


