FortiGate
epinheiro
Staff
Article Id 281112
Description

This article describes two workarounds that let a DHCP client obtain an IP address from a DHCP server (the upstream device) when the FortiGate is in policy-based (NGFW) mode and a virtual-wire pair interface is used to pair the interfaces that connect the client and the DHCP server.

 

Topology:

 

Laptop (DHCP Client) -> Switch -> FortiGate Virtual-Wire Pair -> Router (DHCP Server)

 

VWP_7.jpg

 

Only a few steps are necessary to configure the virtual-wire pair interface:

 

  1. On the left side, select Interfaces -> Create New -> Virtual Wire Pair.

VWP_1.jpg

  2. Select the interface members:

VWP_3.jpg

  3. Check the newly created interface:

VWP_4.jpg

 

  • After creating the VWP interface, configure a policy for it. Virtual-wire pair interfaces do not use the regular 'Security Policy' entry; instead there is a dedicated 'Security Virtual Pair Policy' option where traffic can be allowed or denied and security profiles and logging can be applied, as shown in the image below:

 

VWP_8.jpg

 

  • For SSL inspection and authentication, select the dedicated 'Virtual Wire Pair SSL Inspection & Authentication' option:

VWP_10.jpg

 

Note:

NAT is not available for Virtual Wire Pair interfaces when the firewall is in policy-based mode.

 

When the DHCP client tries to obtain an IP address from the DHCP server (upstream device) through the virtual-wire pair interface in policy-based mode, the exchange stalls before the lease is completed:

  • The DHCP client sends a 'Discover', which reaches the DHCP server.
  • The DHCP server replies with an 'Offer' containing an IP address.
  • The DHCP client sends a 'Request' for the offered IP, but no 'ACK' comes back from the DHCP server, so the client never binds the address.

 

No_ACK.jpg
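The CLI equivalent of the GUI steps above, followed by the sniffer check used to confirm the stalled exchange, as an added example that is not part of the original article. The member interface names port3 and port4 and the pair name "VWP-DHCP" are assumptions; lines beginning with '#' are annotations for the reader, not FortiOS CLI input.

```fortios
# Added example, not from the original article. port3/port4 and "VWP-DHCP" are
# assumed names. '#' lines are annotations only; FortiOS CLI has no comment syntax.

# Steps 1-3: create the virtual-wire pair (GUI: Interfaces -> Create New -> Virtual Wire Pair).
# Both members must not be referenced anywhere else (no IP, no policies, no DHCP server),
# otherwise the CLI rejects the 'set member' line with an "in use" error.
config system virtual-wire-pair
    edit "VWP-DHCP"
        set member "port3" "port4"
    next
end

# Verify the pair and its members before touching policies.
show system virtual-wire-pair

# Reproduce the symptom: capture DHCP on every interface while the client renews.
# Verbosity 4 prints the ingress/egress interface for each frame, count 0 runs
# until Ctrl-C, and 'l' adds local timestamps. A healthy lease shows four messages:
#   client -> server  Discover   (udp/68 -> udp/67)
#   server -> client  Offer      (udp/67 -> udp/68)
#   client -> server  Request
#   server -> client  ACK
# In policy-based mode the capture stops after the Request, as in No_ACK.jpg.
diagnose sniffer packet any 'udp and (port 67 or port 68)' 4 0 l
```

Run the sniffer from a second CLI session while forcing a renewal on the client (for example, releasing and renewing its lease); if the ACK is absent on both members of the pair, the upstream server never answered the Request and the issue in this article applies.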

 

Scope

FortiGate v5.2 and above.

Solution

As a first workaround, run the FortiGate in profile-based mode. In profile-based mode the same DHCP exchange completes normally and the ACK reaches the client, as shown in the image below:

 

ACK.jpg

 

As a second workaround, a software switch interface can be used in place of the virtual-wire pair, with its intra-switch policy set to implicit. If the software switch interface is configured with an explicit intra-switch policy, the issue described in the article below can occur instead:

Technical Tip: Workaround to get IP from the DHCP server when using software switch interfaces and t...
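Both workarounds expressed in the CLI, as an added example that is not part of the original article. Interface names port3/port4, the pair name "VWP-DHCP", the policy name and the switch name "sw-dhcp" are assumptions, the configuration is shown for a FortiGate without VDOMs enabled, and the bidirectional policy form (both members listed in srcintf and dstintf) assumes a FortiOS release whose virtual-wire pair policies accept it; lines beginning with '#' are annotations, not CLI input.

```fortios
# Added example, not from the original article. port3/port4, "VWP-DHCP",
# "VWP-DHCP-allow" and "sw-dhcp" are assumed names. '#' lines are annotations only.

# ---- Workaround 1: profile-based mode ---------------------------------------
# Caveat: FortiOS does not allow ngfw-mode to change while firewall policies
# exist, so record and remove the policy-based entries before this step.
config system settings
    set ngfw-mode profile-based
end

# Re-create the pair policy as an ordinary firewall policy. Listing both members
# in srcintf and dstintf makes it bidirectional (assumed to be accepted by this
# FortiOS release). NAT stays off: it is not available on a virtual-wire pair.
config firewall policy
    edit 0
        set name "VWP-DHCP-allow"
        set srcintf "port3" "port4"
        set dstintf "port3" "port4"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# ---- Workaround 2: software switch, implicit intra-switch policy -------------
# The members must be released from the virtual-wire pair first; an interface
# cannot belong to both a pair and a switch.
config system virtual-wire-pair
    delete "VWP-DHCP"
end

config system switch-interface
    edit "sw-dhcp"
        set type switch
        set intra-switch-policy implicit
        set member "port3" "port4"
    next
end

# Either way, confirm the lease now completes (Discover, Offer, Request, ACK).
diagnose sniffer packet any 'udp and (port 67 or port 68)' 4 0 l
```

Security caveat for the second workaround: with an implicit intra-switch policy, frames between switch members are forwarded without being matched against firewall policies, so the security profiles and logging that the virtual-wire pair policy applied to client-to-router traffic no longer cover that path. Choose it only where that loss of inspection on the client-to-router segment is acceptable; otherwise prefer the profile-based-mode workaround, which keeps policy enforcement on the pair.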