Hi all,
We are running an external DHCP server and have configured DHCP relay on a FortiGate VLAN interface.
DHCP is working fine even without adding any policy to allow the client subnets to reach the DHCP server.
When we checked the logs, we saw the user getting a DHCP address assignment via the Implicit Deny rule.
It's a new setup with version 7.2.2. We still haven't done the license registration yet.
Traffic should be blocked and the user shouldn't get an IP address if we didn't specifically allow it in policy, and the Implicit Deny rule should block everything, right?
I'm very confused now. Even when I manually added an any/any deny policy, DHCP still worked.
Please help and suggest: is this a normal flow?
Thank you so much.
I'm not sure if this is 100% correct, nor can I explain why it says the Implicit Deny policy is accepting a flow, but here's my thinking:
A DHCP request is a link-local broadcast (i.e. it does not get forwarded). Therefore the firewall will accept a DHCP request depending on the firewall's local-in policies (policies that dictate which traffic can communicate directly with the firewall inbound, not traffic forwarded between interfaces).
If the firewall were acting as the DHCP server, local-in policies would dictate the traffic being allowed, as nothing is getting forwarded beyond the connected interface.
As a DHCP relay the firewall is still essentially not forwarding any traffic. It takes the inbound DHCP request, processes it internally and then creates a new flow to unicast the request to the configured DHCP server on a different interface. Now it will be using its local-out policies to determine if it can initiate and communicate outbound to the DHCP server.
Again, notice that in this series of steps there is no packet being forwarded through the firewall, so firewall policies would not be dictating whether DHCP will work or not. You need to look at local-in and local-out policies for that.
In summary, the DHCP relay agent receives DHCP messages and then generates a new DHCP message to send out on another interface. The new DHCP packet will be seen as local traffic (generated by the FortiGate). That is why it is not blocked by firewall policy.
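The relay behaviour described in the reply above, modelled as an added example (this is not code from the thread or from FortiOS). The client subnet 172.16.21.0/24 and DHCP server 172.16.10.109 come from the thread; the relay interface address 172.16.21.1, the client address 172.16.21.50 and the MAC address are assumptions. The BOOTP header layout follows RFC 2131 and the relay rules (giaddr, hop count) follow RFC 1542. The example goes one step beyond the thread: it also shows that a lease renewal, which the client unicasts directly to the server while in the RENEWING state, is ordinary forwarded traffic and does hit the policy table.

```python
"""Toy model of DHCP relay versus forwarding policy on a firewall.

Added example, not code from the original thread or from FortiOS.  Addresses
172.16.21.0/24 (clients) and 172.16.10.109 (DHCP server) come from the thread;
172.16.21.1 (relay interface), 172.16.21.50 (a client) and the MAC address are
assumptions.  Header layout: RFC 2131; relay rules (giaddr, hops): RFC 1542.
"""
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

RELAY_IF_IP = "172.16.21.1"    # assumed FortiGate VLAN interface address
DHCP_SERVER = "172.16.10.109"  # from the thread
MAGIC_COOKIE = b"\x63\x82\x53\x63"
MAX_HOPS = 16                  # RFC 1542 4.1.1: a relay discards if hops > 16


@dataclass
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def build_discover(client_mac: bytes, xid: int) -> Datagram:
    """Constructed DHCPDISCOVER as a client with no lease sends it:
    link-local broadcast 0.0.0.0:68 -> 255.255.255.255:67, giaddr zero."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                   # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0x8000,               # xid, secs, flags (broadcast bit set)
        b"\0" * 4, b"\0" * 4,         # ciaddr, yiaddr
        b"\0" * 4, b"\0" * 4,         # siaddr, giaddr
        client_mac.ljust(16, b"\0"),  # chaddr
        b"\0" * 64, b"\0" * 128,      # sname, file
    )
    options = MAGIC_COOKIE + b"\x35\x01\x01" + b"\xff"  # option 53 = DISCOVER, end
    return Datagram("0.0.0.0", 68, "255.255.255.255", 67, header + options)


def giaddr_of(pkt: Datagram) -> str:
    return str(ip_address(pkt.payload[24:28]))


def relay(pkt: Datagram) -> Datagram:
    """Relay agent: absorb the broadcast, stamp giaddr with the ingress
    interface address, bump hops, and emit a NEW unicast datagram sourced
    from the relay itself.  The client's packet is never forwarded."""
    hdr = bytearray(pkt.payload)
    if hdr[3] >= MAX_HOPS:
        raise ValueError("hop count exceeded; relay must discard")
    hdr[3] += 1
    if hdr[24:28] == b"\0" * 4:       # only the first relay on the path sets giaddr
        hdr[24:28] = ip_address(RELAY_IF_IP).packed
    return Datagram(RELAY_IF_IP, 67, DHCP_SERVER, 67, bytes(hdr))


def classify(pkt: Datagram, self_ips: set) -> str:
    """Which policy set sees the packet.  Only 'forward' traffic (in one
    interface, out another) is evaluated against firewall policies."""
    if pkt.src_ip in self_ips:
        return "local-out"
    if pkt.dst_ip in self_ips or pkt.dst_ip == "255.255.255.255":
        return "local-in"
    return "forward"


def forward_verdict(pkt: Datagram, rules) -> str:
    """Forwarding policy lookup: (src_net, dst_ip, action), first match wins,
    implicit deny at the end."""
    for src_net, dst_ip, action in rules:
        if ip_address(pkt.src_ip) in ip_network(src_net) and pkt.dst_ip == dst_ip:
            return action
    return "deny (implicit)"


def decide(pkt: Datagram, self_ips: set, rules) -> tuple:
    kind = classify(pkt, self_ips)
    if kind == "forward":
        return kind, forward_verdict(pkt, rules)
    return kind, "local-in/local-out policy applies"


# The explicit client-subnet -> server deny the poster added.  It never sees
# the relayed packet because that packet is local-out, not forwarded.
RULES = [("172.16.21.0/24", DHCP_SERVER, "deny")]
SELF_IPS = {RELAY_IF_IP}


def walkthrough() -> dict:
    discover = build_discover(bytes.fromhex("001122334455"), 0x1234ABCD)  # assumed MAC
    relayed = relay(discover)
    # Lease renewal: in RENEWING state the client unicasts DHCPREQUEST straight
    # to the server (RFC 2131 4.4.5).  Payload omitted; only addressing matters.
    renew = Datagram("172.16.21.50", 68, DHCP_SERVER, 67, b"")
    return {
        "discover": decide(discover, SELF_IPS, RULES),
        "relayed": decide(relayed, SELF_IPS, RULES),
        "renew": decide(renew, SELF_IPS, RULES),
        "giaddr": giaddr_of(relayed),
        "hops": relayed.payload[3],
    }


if __name__ == "__main__":
    for name, result in walkthrough().items():
        print(f"{name}: {result}")
```

Running it shows the DISCOVER classified as local-in, the relayed copy as local-out with giaddr 172.16.21.1 and hops 1, and the unicast renewal as forwarded traffic denied by the explicit rule. The practical consequence of that last case: with a deny between the client subnet and the server, renewals in RENEWING state fail and the client only recovers when it falls back to a broadcast REQUEST that goes through the relay again.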
Hi, thanks for the information. The DHCP server and the client subnets are in different zones.
DHCP server (Server-Zone): IP address 172.16.10.109
Clients (User-Network-Zone): IP address 172.16.21.0/24
Even though there is no zone-to-zone allow policy, i.e. no policy between 172.16.21.0/24 and 172.16.10.109, or even if I manually add a deny policy between 172.16.21.0/24 and 172.16.10.109, the firewall will still treat it as local-in/local-out traffic and will not block the request?
I need to explain this to my server team.
Thank you so much for your help on this.
Yes. Certain traffic does not get forwarded through the firewall (which is where firewall policies are used to restrict or allow it).
Some traffic is destined to the firewall itself or originates from the firewall itself.
In this case, local-in or local-out policies apply.
https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/363127/local-in-policy
According to the logs, and after checking the local-in policy, yes, the DHCP service allow policy was automatically added as soon as I enabled the DHCP service on the interface.
Thank you all.
Copyright 2024 Fortinet, Inc. All Rights Reserved.