Support Forum
stlblufan
New Contributor

On-Net / Off-Net

I am running 5.2 on a 60C, with FortiClient 5.2.1 on all clients, all of which are "on-net". However, on the 60C, all of the clients show up as "off-net". Is there something that I need to do in order to make them register properly?
1 Solution
rwdorman
New Contributor III

Quick update - After getting the suggestion earlier in this thread I set up Option 224 in my DHCP server (Windows 2012 server) to send a single valued string attribute with the serial number of the registered FortiGate and on-net/off-net works as I wanted it to. In defense of TAC: this is not a published, documented or supported method of making this work so YMMV.

-rd 2x 200D Clusters 1x 100D 1x 60D FortiOS 5.2 FortiAP 221C FAZ 200D

jodros

Hey Terry, I got this working with DHCP server running on 2008R2.  You need to get the serial number that all of the FortiClients are registered to and encode it as ASCII hex.  For instance, if the serial number is "FWF60D123456789", it would be this in ASCII hex: "465746363044313233343536373839".  You would put this value in option 224 on the DHCP scope or at the server level if you want it on all scopes.  Let me know if you need more assistance.

terry_jjr

Thanks VERY VERY much.  This is a great help.  Did you use any specific software to convert the hex?

I take it you added the option manually under IPv4, gave it a generic name, data type as string, then the hex in code and that should be all?  Do I call the name something like 224 Forticlient Status?  My server doesn't have 224 as standard.

Thanks again,

Terry

jodros wrote:

Hey Terry, I got this working with DHCP server running on 2008R2.  You need to get the serial number that all of the FortiClients are registered to and encode it as ASCII hex.  For instance, if the serial number is "FWF60D123456789", it would be this in ASCII hex: "465746363044313233343536373839".  You would put this value in option 224 on the DHCP scope or at the server level if you want it on all scopes.  Let me know if you need more assistance.

rocampo
New Contributor

Should the string be in Hexadecimal?

Christopher_McMullan

I was just chatting with one of my colleagues, who was mentioning Option 224. He tested that regular text works in Windows Server 2012, but that hex is required in 2008R2 and below.

It jogged my Rain Man memory about this post, so I decided to answer your question.

If you need to use hex, and don't want to manually run the conversion, set the FortiGate as the DHCP server and sniff a DHCP request to retrieve the proper hex string for the serial number.

Otherwise, if you have a 2012 instance, capture the string using Wireshark.

Regards, Chris McMullan Fortinet Ottawa
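A small helper for the two chores this thread circles around: turning a FortiGate serial number into the ASCII-hex string jodros describes for option 224 on a 2008R2 DHCP server, and pulling the serial back out of the option bytes of a captured DHCP packet, which is what Chris suggests as the way to get a known-good value. This is an added example, not code from the thread or from Fortinet. It assumes only the standard DHCP option layout (one code byte, one length byte, then the value, with 0 as pad and 255 as end); the sample packet bytes are constructed, and option 224 is the site-specific code this thread happens to use.

```python
# Added example (not from the thread or Fortinet): encode a FortiGate serial
# number for DHCP option 224 and recover it from captured DHCP option bytes.
from __future__ import annotations

import re
from typing import Dict, Optional

OPTION_CODE = 224  # custom option used in this thread; a site-specific choice
_SERIAL_RE = re.compile(r"[A-Z0-9]{1,255}")


def serial_to_hex(serial: str) -> str:
    """ASCII-hex form of a serial, as typed into a 2008R2 DHCP option.

    'FWF60D123456789' -> '465746363044313233343536373839'
    """
    if not _SERIAL_RE.fullmatch(serial):
        raise ValueError(f"unexpected serial number format: {serial!r}")
    return serial.encode("ascii").hex().upper()


def hex_to_serial(hexstr: str) -> str:
    """Inverse of serial_to_hex; handy for checking a value typed by hand."""
    return bytes.fromhex(hexstr).decode("ascii")


def build_option(code: int, value: bytes) -> bytes:
    """One DHCP option in the standard code / length / value layout."""
    if not 0 < code < 255:
        raise ValueError("option code must be 1..254")
    if len(value) > 255:
        raise ValueError("option value longer than 255 bytes")
    return bytes([code, len(value)]) + value


def parse_options(options: bytes) -> Dict[int, bytes]:
    """Walk a DHCP options field (the bytes after the magic cookie).

    Handles the single-byte pad (0) and end (255) markers and raises on a
    truncated option rather than silently returning partial data.
    """
    found: Dict[int, bytes] = {}
    i = 0
    while i < len(options):
        code = options[i]
        if code == 0:  # pad byte, no length field
            i += 1
            continue
        if code == 255:  # end marker
            break
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        found[code] = value
        i += 2 + length
    return found


def serial_from_options(options: bytes, code: int = OPTION_CODE) -> Optional[str]:
    """Return the serial carried in option `code`, or None if absent or not a serial."""
    value = parse_options(options).get(code)
    if value is None:
        return None
    try:
        serial = value.decode("ascii")
    except UnicodeDecodeError:
        return None
    return serial if _SERIAL_RE.fullmatch(serial) else None


# Constructed sample: the options field of a DHCPOFFER carrying option 224.
SAMPLE_OPTIONS = (
    build_option(53, b"\x02")                        # DHCP message type: OFFER
    + build_option(OPTION_CODE, b"FWF60D123456789")  # the serial, plain ASCII
    + b"\x00"                                         # a pad byte
    + b"\xff"                                         # end marker
)

if __name__ == "__main__":
    print(serial_to_hex("FWF60D123456789"))
    print(serial_from_options(SAMPLE_OPTIONS))
```

On the wire the option value is the plain ASCII serial either way; the hex string is only the input form the 2008R2 DHCP console wants, which is why the same bytes come back as readable text when you sniff the offer.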

jodros
New Contributor

How does option 224 with a serial number work in a clustered environment?  I need to get this configured as we cannot have our fortigates running as our corporate DHCP servers.  They are in a cluster.  Do I need to enter both in option 224?  Do I only need to enter the master?

Thanks

terry_jjr
New Contributor

So I configured a predefined option on our 2008R2 DHCP server IPv4 as follows: name - forticlient status, data type - String, code - 224, no description.  Clicked OK and then added the HEX string which I got by converting the serial number to HEX here http://www.asciitohex.com/  I then configured the new DHCP option on the single scope and I am testing now.

It's worth mentioning that I am running 5.2.3 firewall firmware and 5.2.3 forticlient.  The status shows registered-online whether I am connected internally or via vpn.  The only thing that changes is the interface that I am connected to on the firewall (port1 or vpn_0).

The problem I have is that I do not have the DHCP option enabled in the fortigate which means the tick box for the client on-net/off-net status is not available or enabled.  How do you guys that have this working deal with this?

jodros

I am glad you have this working.  Yes you will see different interfaces if your fortigate is also terminating a VPN.  I am assuming that the 2008R2 server is providing DHCP for VPN users?

As far as your problem, I am confused.  Do you need a way to monitor which FortiClients are showing on/off net?  If so you can under monitoring.

terry_jjr

Hi Jodros,

As per my screenshot, in order for the fortigate to register what a client is doing and whether it is on-net (internal) or off-net (external), you need to have that option ticked.  This option is only available if all three options are ticked as per the screenshot.

My problem is that the clients appear to be working, but when the VPN is established, they still appear on-net according to the monitoring tab in the fortigate GUI.

Thanks,

jodros wrote:

I am glad you have this working.  Yes you will see different interfaces if your fortigate is also terminating a VPN.  I am assuming that the 2008R2 server is providing DHCP for VPN users?

As far as your problem, I am confused.  Do you need a way to monitor which FortiClients are showing on/off net?  If so you can under monitoring.

jodros

Hey Terry.  Thanks for the picture.  I am familiar with the option you are referencing.  However I need to know what is the source of DHCP for VPN connected users?  Is it your winOS DHCP server or the Fortigate?

terry_jjr

Sorry, I forgot that.  The fortigate issues addresses to the vpn clients.

Our dhcp server does everything else.

jodros wrote:

Hey Terry.  Thanks for the picture.  I am familiar with the option you are referencing.  However I need to know what is the source of DHCP for VPN connected users?  Is it your winOS DHCP server or the Fortigate?
