Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
stlblufan
New Contributor

On-Net / Off-Net

I am running 5.2 on a 60C, with FortiClient 5.2.1 on all clients, all of which are "on-net". However, on the 60C, all of the clients show up as "off-net". Is there something that I need to do in order to make them register properly?
1 Solution
rwdorman
New Contributor III

Quick update - After getting the suggestion earlier in this thread I set up Option 224 in my DHCP server (Windows 2012 server) to send a single-valued string attribute with the serial number of the registered FortiGate, and on-net/off-net works as I wanted it to. In defense of TAC: this is not a published, documented or supported method of making this work, so YMMV.

-rd 2x 200D Clusters 1x 100D 1x 60D FortiOS 5.2 FortiAP 221C FAZ 200D

36 REPLIES
rwdorman
New Contributor III

Is there another L3 device between your client and your FGT? Also, do you have FCT and discovery enabled on the interface that is internal facing?

stlblufan
New Contributor

I do have discovery enabled, and yes, there is another L3 device between the FGT and the clients (though I have no VLANs configured). Is that the issue / is it resolvable?
rwdorman
New Contributor III

I'm actually planning to make a feature request for this. If the FortiGate is not the default gateway/L2 domain of the client it shows up as "off net." I'd like to see them allow us to define either a list of subnets that represent "On Net" or an interface flow based setting, i.e. any traffic from the downstream interface to the outbound should be considered on net, or something like that. If someone else out there knows how to do this or I've missed something, please chime in.

netmin
Contributor II

We haven't tried it, but maybe a DHCP relay agent on the L3 device pointing to the FGT DHCP server works. http://docs-legacy.fortinet.com/fos50hlp/52/index.html#page/FortiOS%25205.2%2520Help/managingdevices.011.2.html
rwdorman
New Contributor III

@netmin My issue there would be that I'd have to move my DHCP service (I think) to the FGT, which I'm not keen to do. Seems that on-net/off-net is a DHCP cookie of some sort.

Chris_Lin_FTNT

The on-net/off-net feature requires a special FortiClient license. Does your 60C have a FortiClient license? It's a bug when FortiClient shows on-net but FortiGate shows off-net, though.
netmin
Contributor II

It was just an idea - alternatively one could capture FGT DHCP traffic and look for the DHCP option that is used along with the registered FGT serial number(s) and try to add them to the existing DHCP server.
neonbit
Valued Contributor

I'm still confused about how the whole on/off net thing works; from what I've read I believe it will only work if the FortiGate is the DHCP server for the clients. I hope I'm wrong though, as this feature will then be useless for nearly all our larger clients (since none of them want to manage their DHCP via the FGT).
Christopher_McMullan

I don't know how much this would be officially supported if you were to open a ticket on it in case of trouble, but... Here is the paragraph from the FortiClient Admin Guide for FCT 5.2 detailing the on-net/off-net determination:

"VPN auto-connect based on DHCP off-net determination

VPN auto-connect ensures that FortiClient creates a VPN connection to the FortiGate when considered to be off-net. A site administrator, who has configured Endpoint Control on their FortiGate, may choose to enable VPN auto-connect in the Endpoint Control profile. Computer endpoints or clients in the network should use the designated DHCP server for IP address assignments. The DHCP server sends a special tag within the protocol to identify if the client is on-net or off-net. The on-net status indicates that the endpoint is within the corporate network protected by the FortiGate. When the client is off-net, FortiClient will automatically attempt to establish a VPN connection to the VPN server indicated in the FortiGate Endpoint Control configuration. When the client is on-net, no VPN connection is required."

What I take away from this is that you could sniff the content of the tag, and if it is reproducible (i.e., a known, unchanging or predictable token), you could add it as a VCI parameter or DHCP option on another server. The check seems to be a client-side check, based on the obtained lease containing this token.

Regards, Chris McMullan Fortinet Ottawa
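The accepted solution (Option 224 carrying the registered FortiGate's serial) and the "sniff the tag and reproduce it" suggestion above both come down to reading one option out of the DHCP lease. As an added example that is not part of this thread and not Fortinet's code, the parser below pulls that option out of a constructed DHCPACK; option 224 as the carrier and the placeholder serial are assumptions taken from the thread, not a documented Fortinet interface.

```python
# Added example, not Fortinet's or the poster's code: decode the tag described in
# this thread (DHCP option 224 carrying a FortiGate serial) from a DHCPv4 packet.
# Assumes the RFC 2131/2132 layout: 236-byte fixed header, magic cookie, TLV options.
import struct
from typing import Dict, Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_END = 0, 53, 255
OPT_ONNET_SERIAL = 224  # private-use code the poster chose; not a documented Fortinet setting


def parse_dhcp_options(packet: bytes) -> Dict[int, bytes]:
    """Return {code: value}; raise ValueError on a malformed or truncated packet."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (bad length or magic cookie)")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            return options
        if code == OPT_PAD:  # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(packet) or i + 2 + packet[i + 1] > len(packet):
            raise ValueError(f"option {code} truncated")
        length = packet[i + 1]
        options[code] = options.get(code, b"") + packet[i + 2:i + 2 + length]  # RFC 3396 concat
        i += 2 + length
    raise ValueError("options not terminated by 0xFF")


def onnet_serial(packet: bytes) -> Optional[str]:
    """Serial string carried in option 224, or None when the lease has no tag."""
    value = parse_dhcp_options(packet).get(OPT_ONNET_SERIAL)
    return None if value is None else value.rstrip(b"\x00").decode("ascii", "replace")


def build_dhcp_ack(options: bytes) -> bytes:
    """Constructed sample DHCPACK (server 10.0.0.1 leasing 10.0.0.5) with the given options."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                         b"\x0a\x00\x00\x05", b"\x0a\x00\x00\x05",
                         b"\x0a\x00\x00\x01", b"\x00" * 4, b"\x00" * 16, b"", b"")
    return header + MAGIC_COOKIE + options


EXPECTED_SERIAL = "FGT60C-SERIAL-PLACEHOLDER"  # substitute the registered FortiGate's serial
TAGGED_ACK = build_dhcp_ack(bytes([OPT_MSG_TYPE, 1, 5])  # message type 5 = DHCPACK
                            + bytes([OPT_ONNET_SERIAL, len(EXPECTED_SERIAL)])
                            + EXPECTED_SERIAL.encode() + bytes([OPT_END]))
UNTAGGED_ACK = build_dhcp_ack(bytes([OPT_MSG_TYPE, 1, 5, OPT_END]))  # lease with no tag
```

Feeding it the raw UDP payload of a DHCPACK captured on a client confirms what the DHCP server actually hands out before you start debugging FortiClient.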
