Technical Tip: Workaround to get IP from the DHCP server when using software switch interfaces and the FortiGate in policy-based mode

epinheiro · ‎10-26-2023

Description

This article describes a workaround where the DHCP client can get an IP address from the DHCP server (upstream device) when the FortiGate is in policy-based mode, and a software switch is being used to aggregate interfaces to interconnect the client and the DHCP server.

Topology:

Laptop (DHCP Client) -> Switch -> FortiGate Software Switch interfaces -> Router (DHCP Server)

When configuring the software switch interface, there are two intra-switch policy options:

Implicit: Basically, it will allow connectivity between the interface members without any additional configurations, such as firewall policy, SSL Inspection profile, NAT, etc.
Explicit: Connectivity between the interfaces is denied by default, and according to your setup, you need to configure firewall policy, SSL Inspection profile, NAT, etc.

If the implicit option is chosen, everything will work fine. Otherwise, stumble on the following issue:

The DHCP client will 'Discover' the DHCP server.
The DHCP server will 'Offer' an IP address.
The DHCP client will 'Request' the offered IP, but will not have 'ACK' from the DHCP server.

Scope

FortiGate v5.6 and above.

Solution

The current workaround is choosing the implicit intra-switch policy, instead of the explicit policy.

When the software switch interface is already created, the intra-policy mode cannot be changed. So, it is necessary to remove all the references from the software switch interface, delete it, and then set the option 'Implicit' while re-creating it.

Checking the references before trying to delete the software switch interface:

Creating a new software switch interface:

After creating the software switch interface using implicit intra-policy mode, it is time to test the DHCP Server:

mauromarme · ‎10-26-2023

Very Useful information! Great job.