Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
-rd 2x 200D Clusters 1x 100D
1x 60D FortiOS 5.2 FortiAP 221C FAZ 200D
Hey Terry, I got this working with DHCP server running on 2008R2. You need to get the serial number that all of the FortiClients are registered and encode as ASCII hex. For instance if you had this is the serial number "FWF60D123456789" it would be this in ASCII hex "465746363044313233343536373839". You would put this value in option 224 on the DHCP scope or at the server level if you want it on all scopes. Let me know if you need more assistance.
Thanks VERY VERY much. This is a great help. Did you use any specific software to convert the hex?
I take it you added the option manually under IPv4, gave it a generic name, data type as string, then the hex in code and that should be all? Do I call the name something like 224 Forticlient Status? My server doesnt have 224 as standard.
Thanks again,
Terry
jodros wrote:Hey Terry, I got this working with DHCP server running on 2008R2. You need to get the serial number that all of the FortiClients are registered and encode as ASCII hex. For instance if you had this is the serial number "FWF60D123456789" it would be this in ASCII hex "465746363044313233343536373839". You would put this value in option 224 on the DHCP scope or at the server level if you want it on all scopes. Let me know if you need more assistance.
Should the string be in Hexadecimal?
I was just chatting with one of my colleagues, who was mentioning Option 224. He tested regular text to work in Windows Server 2012, but that hex is required in 2008R2 and below.
It jogged my Rain Man memory about this post, so I decided to answer your question.
If you need to use hex, and don't want to manually run the conversion, set the FortiGate as the DHCP server and sniff a DHCP request to retrieve the proper hex string for the serial number.
Otherwise, if you have a 2012 instance, capture the string using Wireshark.
Regards, Chris McMullan Fortinet Ottawa
How does option 224 with a serial number work in a clustered environment? I need to get this configured as we cannot have our fortigates running as our corporate DHCP servers. They are in a cluster. Do I need to enter both in option 224? Do I only need to enter the master?
Thanks
So I configured a predifined option on our 200R2 DHCP server IPv4 as follows: name - forticlient status, data type - String, code - 224, no description. Clicked OK and then added the HEX string in which I got by converting the serial number to HEX here http://www.asciitohex.com/ I then configured the new DHCP option on the single scope and I am testing now.
Its worth mentioning that I am running 5.2.3 firewall firmware and 5.2.3 forticlient. The status shows registered-online whether I am connected internally or via vpn. The only thing that changes is the interface that I am connected to on the firewall (port1 or vpn_0).
The problem I have is that I do not have the DHCP option enabled in the fortigate which means the tick box for the client on-net/off-net status is not available or enabled. How do you guys that have this working deal with this?
I am glad you have this working. Yes you will see different interfaces if your fortigate is also terminating a VPN. I am assuming that the 2008R2 server is providing DHCP for VPN users?
As far as your problem, I am confused. Do you need a way to monitor which FortiClients are showing on/off net? If so you can under monitoring.
Hi Jodros,
as per my screenshot, in order for the fortigate to register what a client is doing and whether it is on-net (internal) or off-net (external), you need to have that option ticked. This option is only available if all three options are ticked as per the screenshot.
My problem is that the clients appear to be working, but when the VPN is established, the still appear on-net according to the monitoring tab in the fortigate GUI.
thanks,
jodros wrote:I am glad you have this working. Yes you will see different interfaces if your fortigate is also terminating a VPN. I am assuming that the 2008R2 server is providing DHCP for VPN users?
As far as your problem, I am confused. Do you need a way to monitor which FortiClients are showing on/off net? If so you can under monitoring.
Hey Terry. Thanks for the picture. I am familiar with the option you are referencing. However I need to know what is the source of DHCP for VPN connected users? Is it your winOS DHCP server or the Fortigate?
sorry, I forgot that. The fortigate issues addresses to the vpn clients.
Our dhcp server does everything else.
jodros wrote:Hey Terry. Thanks for the picture. I am familiar with the option you are referencing. However I need to know what is the source of DHCP for VPN connected users? Is it your winOS DHCP server or the Fortigate?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1696 | |
1091 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.