FortiGate
jintrah_FTNT
Staff
Article Id 195730

Description

This article describes how to disable NetBIOS over TCP/IP on Microsoft Windows clients when the FortiGate is acting as the local DHCP server for the network.

 

Scope

FortiGate (as a DHCP server); Microsoft Windows (as a DHCP client).


Solution

RFC 2132 (section 8.4) reserves DHCP option 43, Vendor Specific Information, for vendor-defined data; its payload is a sequence of encapsulated code/length/value sub-options. Microsoft defines sub-option 1 of its vendor space as the NetBIOS over TCP/IP switch, and Windows DHCP clients apply it to the interface that receives the lease.

With that in mind, administrators can add DHCP option 43 with a hex value of 010400000002 in the FortiGate 'Additional DHCP Options' section to disable NetBIOS over TCP/IP on client network adapters. The value decodes as sub-option code 01, length 04, value 00000002 (disable); a value of 00000001 in the same position would enable NetBIOS instead.

Note that the FortiGate DHCP server sends the options configured here to every client in the scope, not only to Windows hosts. If the same scope also serves devices that consume option 43 for vendor-specific discovery (some access points and IP phones do), put those devices in a separate scope, or, on FortiOS releases that support it, add 'set vci-match enable' and 'set vci-string "MSFT 5.0"' to the option entry so that only clients presenting the Windows vendor class identifier (option 60) receive it.


From the GUI: go to Network > Interfaces, edit the interface running the DHCP server, and under DHCP Server > Advanced > Additional DHCP Options add an option with Code 43, Type Hex and Value 010400000002.

From the CLI:
 
config system dhcp server
    edit <dhcp server id>
        config options
            edit 0
                set code 43
                set value "010400000002"
            next
        end
    next
end

Note: 'edit 0' allocates the next free entry ID each time it is run. If the DHCP server is configured from a FortiManager CLI template, use a fixed ID (edit 1, 2, 3 and so on) instead; otherwise every install creates an additional duplicate option entry.

To verify on a Windows client, renew the lease (ipconfig /renew) and check ipconfig /all: the adapter should now show 'NetBIOS over Tcpip. . . . . . . . : Disabled'.
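The hex value above is nothing more than a code/length/value triple. The following Python, added here as a worked example and not part of the Fortinet article or of any Fortinet or Microsoft code, encodes and decodes RFC 2132 section 8.4 encapsulated sub-options so the FortiGate value can be derived rather than copied, and so an option 43 payload taken from a packet capture (for instance, when checking whether a FortiAP stripped it) can be read back. The function names and the constructed sample payload are this example's own; the Microsoft sub-option numbers (1 = NetBIOS over TCP/IP, 2 = release DHCP lease on shutdown, 3 = default router metric base) are Microsoft's documented vendor-specific options. The decoder also handles the two special codes section 8.4 allows inside the payload, 0 (pad) and 255 (end), and rejects truncated entries.

```python
"""Encode and decode the encapsulated vendor-specific sub-options carried in
DHCP option 43 (RFC 2132 section 8.4), using Microsoft's sub-option numbers.

Added example for this article; not FortiGate or Microsoft code. Function
names and the sample payload below are illustrative.
"""

# Microsoft vendor-specific sub-option codes; each carries a 4-byte big-endian value.
MS_NETBIOS_OVER_TCPIP = 1          # 0x00000001 = enable, 0x00000002 = disable
MS_RELEASE_LEASE_ON_SHUTDOWN = 2
MS_DEFAULT_ROUTER_METRIC_BASE = 3

NETBIOS_ENABLE = 1
NETBIOS_DISABLE = 2

PAD = 0      # single-byte pad, no length field (RFC 2132 8.4)
END = 255    # end of the encapsulated sub-options (RFC 2132 8.4)


def encode_option43(suboptions):
    """Return the option 43 payload as a hex string for {code: 4-byte int} pairs.

    Each entry is emitted as code (1 byte), length (1 byte, always 4 here) and
    a 4-byte big-endian value, which is the layout Windows expects.
    """
    out = bytearray()
    for code, value in suboptions.items():
        if not 1 <= code <= 254:
            raise ValueError(f"sub-option code {code} out of range 1..254")
        if not 0 <= value <= 0xFFFFFFFF:
            raise ValueError(f"value {value} does not fit in 4 bytes")
        out += bytes([code, 4]) + value.to_bytes(4, "big")
    return out.hex()


def decode_option43(hex_payload):
    """Parse an option 43 payload into {code: raw_value_bytes}.

    Code 0 is a one-byte pad and is skipped; code 255 ends the encapsulated
    options, so anything after it is ignored. A TLV whose declared length runs
    past the end of the payload raises ValueError instead of being guessed at.
    """
    data = bytes.fromhex(hex_payload)
    result = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == PAD:
            i += 1
            continue
        if code == END:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated sub-option header")
        length = data[i + 1]
        value = data[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {code} truncated")
        result[code] = value
        i += 2 + length
    return result


def netbios_setting(hex_payload):
    """Return 'enable', 'disable' or None according to Microsoft sub-option 1.

    None means the payload carries no valid NetBIOS directive, which is what a
    Windows client effectively sees when the option never reaches it.
    """
    raw = decode_option43(hex_payload).get(MS_NETBIOS_OVER_TCPIP)
    if raw is None or len(raw) != 4:
        return None
    value = int.from_bytes(raw, "big")
    return {NETBIOS_ENABLE: "enable", NETBIOS_DISABLE: "disable"}.get(value)


if __name__ == "__main__":
    article_value = encode_option43({MS_NETBIOS_OVER_TCPIP: NETBIOS_DISABLE})
    print(article_value)                   # 010400000002, the value used in the article
    print(netbios_setting(article_value))  # disable
    # Constructed sample payload: a leading pad, disable NetBIOS, release the
    # lease on shutdown, then an END marker, as RFC 2132 8.4 permits.
    sample = "00" + "010400000002" + "020400000001" + "ff"
    print(decode_option43(sample))
```

Running the block as a script prints the article's value, its decoded meaning, and the parsed sample; the functions can also be imported to check a payload copied out of a DHCP OFFER or ACK in a capture.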
 

Note for admins with bridge-mode FortiAP SSIDs:

  • Bridge-mode SSIDs on FortiAP have a feature called dhcp-option43-insertion that injects DHCP option 43 into client -> server DHCP messages as they pass through the FortiAP. This feature is enabled by default.
    • Injecting this option lets the FortiAP advertise to the FortiGate that the client is connected to a bridge-mode SSID rather than to the wired network.
    • Crucially, the FortiAP also strips DHCP option 43 from server -> client DHCP messages before forwarding them to the wireless client.
  • While this is useful for informational purposes (the FortiGate can show these bridge-mode clients as wireless users in the GUI), it has the side effect of breaking the use of DHCP option 43 for Windows clients: the option configured above never reaches the client, so NetBIOS over TCP/IP stays enabled.
  • It is recommended that admins disable this feature on their FortiAP bridge-mode SSIDs to avoid this conflict:

 

config wireless-controller vap
    edit <name of bridge-mode SSID>
        set dhcp-option43-insertion disable
    next
end