I've reserved specific IP addresses for our company machines based on their MAC addresses in FortiGate's Network > Interfaces > LAN > DHCP > Advanced > Reservations. However, these reserved entries aren't showing up in the DHCP Monitor tool.
Key Points:
Why are reserved IPs for company machines not showing up in the FortiGate DHCP Monitor? Any suggestions for troubleshooting? Does it even matter when they have connectivity? What does it mean?
I appreciate any insights and assistance you can offer. Thank you in advance for your time and expertise!
Sincerely,
1- these hosts use static IPs
or
2- these hosts obtain their IPs from a different DHCP server on the network
As DHCP uses broadcasts for detection you might find a (rogue/second) DHCP server by sniffing:
in CLI: "diag sniffer packet any 'port 67 or port 68' 6 0 a l" (lowercase "L")
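To go with the sniffing suggestion above, an added example (not part of the original thread): once DHCP payloads have been extracted from a capture, this lists every server identifier (option 54) seen in an OFFER or ACK that is not an expected DHCP server. The addresses, MACs and the `build_reply` helper are constructed for illustration; the FortiGate is assumed to be 192.168.1.1.

```python
import socket

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie that follows the 236-byte BOOTP header
OFFER, ACK = 2, 5             # option 53 message types that only a server sends

def parse_dhcp(payload):
    """Return (msg_type, server_id, client_mac) from a DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    mac = payload[28:28 + min(payload[2], 16)].hex(":")   # chaddr, hlen bytes
    msg_type = server_id = None
    i = 240
    while i < len(payload) and payload[i] != 255:          # 255 = end option
        if payload[i] == 0:                                # 0 = pad, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        if code == 53 and length == 1:
            msg_type = value[0]
        elif code == 54 and length == 4:                   # server identifier
            server_id = socket.inet_ntoa(value)
        i += 2 + length
    return msg_type, server_id, mac

def unexpected_servers(payloads, expected):
    """Map each answering server not in `expected` to the client MACs it served."""
    found = {}
    for p in payloads:
        try:
            msg_type, server_id, mac = parse_dhcp(p)
        except ValueError:
            continue                                       # skip non-DHCP or damaged frames
        if msg_type in (OFFER, ACK) and server_id and server_id not in expected:
            found.setdefault(server_id, set()).add(mac)
    return found

def build_reply(msg_type, server_ip, mac):
    """Constructed sample data: a minimal server reply, not a real capture."""
    hdr = bytearray(236)
    hdr[0:3] = bytes([2, 1, 6])                            # BOOTREPLY, Ethernet, hlen 6
    hdr[28:34] = bytes.fromhex(mac.replace(":", ""))
    return bytes(hdr) + MAGIC + bytes([53, 1, msg_type, 54, 4]) + socket.inet_aton(server_ip) + b"\xff"

SAMPLE = [build_reply(OFFER, "192.168.1.1", "00:11:22:33:44:55"),
          build_reply(ACK, "192.168.1.254", "00:11:22:aa:bb:cc"), b"\x00" * 10]
print(unexpected_servers(SAMPLE, expected={"192.168.1.1"}))
```

A client MAC listed under an unexpected server here is one that would not appear in the FortiGate's DHCP Monitor, because its lease came from the other server.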
If the clients have static IP they will not appear in DHCP monitor even if they are reserved.
They will be displayed only if they are dynamic.
DHCP monitor shows only non-expired clients. Once lease time expires for a client it is not shown anymore even if it has reserved IP.
@AEK
But some of the machines are up, and I can even ping them and access their web interfaces.
I am confused as DHCP monitor does not even show them as leased out.
I have the same and all DHCP clients are displayed correctly in DHCP monitor as shown below (FortiOS 6.2.15).
Which FortiOS do you have?
It is also possible that you have another DHCP server in your network. In that case FG will not show the clients that acquire IP from a DHCP server other than FG.
That's not a problem at all.
Just before a DHCP server offers an IP address lease, it sends out an ARP request to learn the MAC address (or just the existence) of a host with the offered IP address. If some host answers, the server offers the next available address. If not, all is good, and the address is offered.
So, in order to protect your statically assigned addresses, you don't need to do anything. The DHCP server will respect any existing address. CAVEAT: that is, as long as that host is online. Usually not a problem with servers, but might be with, for instance, printers.
Therefore, a best practice that I follow is to use the one-digit host addresses for static assignment, and to start the DHCP range at .20 (and not at .1 which ALWAYS is the firewall's port).