FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
2) In the above scenario, the following IP scheme is used:
- 10.120.0.0/20 -> WAN.
- 10.251.0.0/20 -> DMZ (where the DHCP Server sits).
- 10.253.0.0/20 -> LAN.
- 10.10.10.0/24 -> IPSec users IP.
3) While trying to connect, the user is able to establish a Phase1 connection and FortiGate is acting as the DHCP relay agent to send the DHCP request to the external DHCP server:
4) A packet capture on the DHCP server shows that only DHCP Discover packets are received, and they are not answered:
5) This is because the DHCP server only assigns an IP address if the relay agent address (the giaddr field of the forwarded Discover) falls within one of its configured scopes.
In this case, the IPSec interface is configured with 169.254.3.1 as the interface IP, and there is no corresponding pool on the DHCP server, so the Discover is silently dropped.
6) Since the design assigns 10.10.10.0/24 addresses to IPSec users, ensure that this subnet pool is configured on the DHCP server and that the FortiGate IPSec tunnel interface has an IP within that range:
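The scope-selection behaviour described in steps 5 and 6 can be illustrated with a small model of a relayed DHCPDISCOVER. The example below is added here and is not Fortinet's code or the DHCP server's implementation: it builds a minimal RFC 2131 Discover as a relay agent would forward it, reads the giaddr field, and picks the scope the way the server in this scenario does. The scope list, the client MAC and the assumption that the FortiGate tunnel interface is given 10.10.10.1 are all constructed for the example.

```python
import struct
import ipaddress

BOOTREQUEST = 1
DHCPDISCOVER = 1
MAGIC_COOKIE = b"\x63\x82\x53\x63"
# RFC 2131 fixed header: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128) = 236 bytes
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"

# Constructed scopes modelling the KB scenario: WAN, DMZ and LAN pools exist
# before the fix; step 6 adds the 10.10.10.0/24 pool for IPSec users.
SCOPES_BEFORE_FIX = [ipaddress.ip_network(n) for n in
                     ("10.120.0.0/20", "10.251.0.0/20", "10.253.0.0/20")]
SCOPES_AFTER_FIX = SCOPES_BEFORE_FIX + [ipaddress.ip_network("10.10.10.0/24")]


def build_discover(giaddr, xid=0x1234, chaddr=b"\x00\x11\x22\x33\x44\x55"):
    """Construct a relayed DHCPDISCOVER (hops=1, giaddr set by the relay agent)."""
    header = struct.pack(
        HEADER_FMT,
        BOOTREQUEST, 1, 6, 1, xid, 0, 0x8000,      # op, htype, hlen, hops, xid, secs, broadcast flag
        b"\0" * 4, b"\0" * 4, b"\0" * 4,            # ciaddr, yiaddr, siaddr
        ipaddress.ip_address(giaddr).packed,        # giaddr: relay agent interface IP
        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = bytes([53, 1, DHCPDISCOVER, 255])    # option 53 = message type, then End
    return header + MAGIC_COOKIE + options


def parse_discover(pkt):
    """Return the header fields a server needs for scope selection."""
    fields = struct.unpack(HEADER_FMT, pkt[:236])
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    msg_type = None
    i = 240
    while i < len(pkt) and pkt[i] != 255:          # walk TLV options until End
        if pkt[i] == 0:                             # Pad
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        if code == 53:
            msg_type = pkt[i + 2]
        i += 2 + length
    return {"op": fields[0], "hops": fields[3], "xid": fields[4],
            "giaddr": str(ipaddress.ip_address(fields[10])), "msg_type": msg_type}


def select_scope(giaddr, scopes):
    """A relayed request is served from the scope that contains giaddr, or none."""
    addr = ipaddress.ip_address(giaddr)
    return next((s for s in scopes if addr in s), None)


def handle_discover(pkt, scopes, leased):
    """Return the address that would be offered, or None if the Discover is dropped."""
    info = parse_discover(pkt)
    if info["op"] != BOOTREQUEST or info["msg_type"] != DHCPDISCOVER:
        return None
    if info["giaddr"] == "0.0.0.0":
        return None  # not relayed; directly attached clients are out of scope here
    scope = select_scope(info["giaddr"], scopes)
    if scope is None:
        return None  # no matching pool: silently dropped, as in the capture in step 4
    relay_ip = ipaddress.ip_address(info["giaddr"])
    for host in scope.hosts():
        if host != relay_ip and str(host) not in leased:
            leased.add(str(host))
            return str(host)
    return None  # pool exhausted


if __name__ == "__main__":
    print("giaddr 169.254.3.1 ->", handle_discover(build_discover("169.254.3.1"), SCOPES_AFTER_FIX, set()))
    print("giaddr 10.10.10.1, no pool ->", handle_discover(build_discover("10.10.10.1"), SCOPES_BEFORE_FIX, set()))
    print("giaddr 10.10.10.1, pool added ->", handle_discover(build_discover("10.10.10.1"), SCOPES_AFTER_FIX, set()))
```

Running it shows the two halves of the fix: with the tunnel interface at 169.254.3.1 no scope matches and nothing is offered even after the pool is added, and with the interface moved into 10.10.10.0/24 an offer is produced only once that pool exists on the server.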
7) Once the respective pool is configured, the DHCP Discover message is answered with a DHCP Offer:
8) It is now possible to see that the IPSec user is assigned an IP within the range and can access the LAN network:
9) It is also possible to verify on the DHCP Server that it assigned the IP address:
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.