EvanRaci
New Contributor III

Implicit Deny Rule Not Blocking DHCP Service Port 67,68

Hi all,

We are running an external DHCP server and configured DHCP relay on a FortiGate VLAN interface.
DHCP is working fine even without adding any policy to allow the client subnets to reach the DHCP server.
When we checked the logs, we saw the user getting a DHCP address assignment via the Implicit Deny rule.
It's a new setup with version 7.2.2. We still haven't done the license registration yet.
Traffic should be blocked and the user shouldn't get an IP address if we didn't specifically allow it in the policy, and the Implicit Deny rule should block everything, right?
I'm very confused now. Even when I manually added an any/any Deny policy, DHCP still worked.
Please help and suggest: is this a normal flow?

Thank you so much.

2 Solutions
gfleming
Staff

I'm not sure if this is 100% correct, nor can I explain why it says the Implicit Deny policy is accepting a flow, but here's my thinking:

A DHCP request is a local link broadcast (i.e. it does not get forwarded). Therefore the firewall will accept a DHCP request depending on the Firewall's Local-In policies (policies that dictate which traffic can communicate directly with the Firewall inbound, but not for forwarding between interfaces).

If the firewall was acting as a DHCP server, local-in policies would dictate the traffic being allowed, as nothing is getting forwarded beyond the connected interface.

As a DHCP relay, the Firewall is still essentially not forwarding any traffic. It's taking the inbound DHCP request, processing it internally and then creating a new flow to unicast the request to the configured DHCP server on a different interface. Now it will be using its Local-Out policies to determine if it can initiate and communicate outbound to the DHCP server.

Again, notice in this series of steps there is no packet being forwarded through the firewall, so firewall policies would not be dictating whether DHCP will work or not. You need to look at local-in and local-out policies for that.

Cheers,
Graham

nweckel
Staff

In summary, the DHCP relay agent receives DHCP messages and then generates a new DHCP message to send out on another interface. The new DHCP packet will be seen as local traffic (generated by the FortiGate). That is why it is not blocked by firewall policy.

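The two answers above explain why a FortiGate traffic log can show a DHCP flow "accepted" by policy 0 (the implicit deny) when the box is a DHCP server or relay: the packet is handled locally, not forwarded. The triage script below is an added example, not code from the thread or from Fortinet; it parses constructed FortiGate-style key=value log records (the IP addresses are the ones from this thread, the other field values are made up) and separates the expected local DHCP case from a policy-0 accept of forwarded traffic, which would deserve a closer look at the local-in policies.

```python
import re

# key=value pairs, values optionally double-quoted (FortiGate log layout)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
DHCP_PORTS = {67, 68}

# Constructed sample records (not taken from the poster's device).
SAMPLE_LOGS = [
    'date=2023-01-10 time=09:15:02 type="traffic" subtype="forward" srcip=172.16.21.55 srcport=68 '
    'dstip=172.16.10.109 dstport=67 proto=17 service="DHCP" action="accept" policyid=0',
    'date=2023-01-10 time=09:15:09 type="traffic" subtype="forward" srcip=172.16.21.55 srcport=51234 '
    'dstip=172.16.10.109 dstport=445 proto=6 service="SMB" action="deny" policyid=0',
    'date=2023-01-10 time=09:16:40 type="traffic" subtype="forward" srcip=172.16.21.77 srcport=40000 '
    'dstip=172.16.10.109 dstport=445 proto=6 service="SMB" action="accept" policyid=0',
    'date=2023-01-10 time=09:17:01 type="traffic" subtype="forward" srcip=172.16.21.55 srcport=52000 '
    'dstip=172.16.10.20 dstport=443 proto=6 service="HTTPS" action="accept" policyid=12',
]


def parse_record(line):
    """Turn one log line into a dict; quoted and unquoted values are both handled."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def classify(rec):
    """Return (verdict, reason) for a parsed traffic record."""
    if rec.get("policyid") != "0":
        return "policy", f"matched firewall policy {rec.get('policyid')}"
    if rec.get("action") == "deny":
        return "implicit-deny", "forwarded traffic dropped by the implicit deny, as expected"
    ports = {int(rec.get("srcport", -1)), int(rec.get("dstport", -1))}
    if rec.get("proto") == "17" and ports & DHCP_PORTS:
        # DHCP server/relay traffic terminates on or originates from the
        # FortiGate itself, so local-in/local-out policies govern it.
        return "local-dhcp", "DHCP handled by local-in/local-out, not by firewall policy"
    return "review", "policy 0 accepted non-DHCP traffic; check local-in policies and logging"


def triage(lines):
    """Classify every record; returns (srcip, dstip, verdict, reason) tuples."""
    return [(r.get("srcip"), r.get("dstip"), *classify(r)) for r in map(parse_record, lines)]


if __name__ == "__main__":
    for row in triage(SAMPLE_LOGS):
        print(" | ".join(row))
```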
EvanRaci
New Contributor III

Hi, thanks for the information. The DHCP server and the client subnets are in different zones.

 

DHCP-Server (Server-Zone) / IP address 172.16.10.109

Clients (User-Network-Zone)/IP address 172.16.21.0/24

 

Even though there is no zone-to-zone allow policy, i.e. no policy between 172.16.21.0/24 and 172.16.10.109, or even if I manually add a deny policy between 172.16.21.0/24 and 172.16.10.109, the firewall will still treat this as local-in/local-out traffic and will not block the request?

Please, I need to explain this to my server team.

Thank you so much for your help on this.

 

 

gfleming

Yes. Certain traffic does not get forwarded through the Firewall (where Firewall Policies are used to restrict/allow it).

Some traffic is destined to the Firewall itself or leaves from the Firewall itself.

In this case, we use local-in or local-out policies.

https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/363127/local-in-policy

Cheers,
Graham
EvanRaci
New Contributor III

According to the logs, and after checking the local-in policy: yes, the DHCP service allow policy was automatically added as soon as I enabled the DHCP service on the interface.

 

Thank you all
