I am running 5.2 on a 60C, with FortiClient 5.2.1 on all clients, all of which are "on-net". However, on the 60C, all of the clients show up as "off-net". Is there something that I need to do in order to make them register properly?
Quick update - After getting the suggestion earlier in this thread I set up Option 224 in my DHCP server (Windows 2012 server) to send a single-valued string attribute with the serial number of the registered FortiGate, and on-net/off-net works as I wanted it to.
In defense of TAC: this is not a published, documented or supported method of making this work so YMMV.
I'm actually planning to make a feature request for this. If the FortiGate is not the default gateway/L2 domain of the client it shows up as "off net." I'd like to see them allow us to define either a list of subnets that represent "On Net" or an interface flow based setting, i.e. any traffic from the downstream interface to the outbound should be considered on net, or something like that.
If someone else out there knows how to do this or I've missed something, please chime in.
We haven't tried it, but maybe a DHCP relay agent on the L3 device pointing to the FGT DHCP server works.
It was just an idea - alternatively one could capture FGT DHCP traffic and look for the DHCP option that is used along with the registered FGT serial number(s) and try to add them to the existing DHCP server.
I'm still confused around how the whole on/off net thing works; from what I've read I believe it will only work if the FortiGate is the DHCP server for the clients.
I hope I'm wrong though, as this feature will then be useless for nearly all our larger clients (since none of them want to manage their DHCP via the FGT).
I don't know how much this would be officially supported if you were to open a ticket on it in case of trouble, but...
Here is the paragraph from the FortiClient Admin Guide for FCT 5.2 detailing the on-net/off-net determination:
VPN auto-connect based on DHCP off-net determination
VPN auto-connect ensures that FortiClient creates a VPN connection to the FortiGate when considered to be off-net. A site administrator, who has configured Endpoint Control on their FortiGate, may choose to enable VPN auto-connect in the Endpoint Control profile.
Computer endpoints or clients in the network should use the designated DHCP server for IP address assignments. The DHCP server sends a special tag within the protocol to identify if the client is on-net or off-net. The on-net status indicates that the endpoint is within the corporate network protected by the FortiGate.
When the client is off-net, FortiClient will automatically attempt to establish a VPN connection to the VPN server indicated in the FortiGate Endpoint Control configuration. When the client is on-net, no VPN connection is required.
What I take away from this is that you could sniff the content of the tag, and if it is reproducible (i.e., a known, unchanging or predictable token), you could add it as a VCI parameter or DHCP option on another server.
The check seems to be a client-side check, based on the obtained lease containing this token.
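To make the admin-guide paragraph and the Option 224 trick from earlier in the thread concrete, here is what the lease looks like on the wire and how a client-side on-net/off-net decision keyed off it would work. This is an added example written for this page, not Fortinet code and not anything posted in the thread. The option number (224) and "serial number as a plain string" payload are what the thread reports working; the exact encoding FortiClient expects and how it matches the value are not published, so the string compare, the placeholder serial and the MAC/xid values below are assumptions.

```python
"""Build a DHCPACK carrying a FortiGate serial in option 224, parse it the way a
client would, and decide on-net vs off-net from the lease alone.

Added example, not Fortinet code. Option 224 and the plain-string serial payload
come from the thread; the exact FortiClient encoding/matching is an assumption.
"""

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie that starts the options field
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE = 53                   # 5 = DHCPACK
OPT_FGT_SERIAL = 224                # site-specific option used in the thread (assumption)
BOOTP_FIXED_LEN = 236               # fixed BOOTP header that precedes the options field


def build_dhcp_options(opts):
    """Encode {code: bytes} as a DHCP options field: cookie, TLVs, then 255."""
    out = bytearray(DHCP_MAGIC)
    for code, value in opts.items():
        if not 1 <= code <= 254:
            raise ValueError("option code %r is reserved" % code)
        if len(value) > 255:
            raise ValueError("option %d too long for a single TLV" % code)
        out += bytes((code, len(value))) + value
    out.append(OPT_END)
    return bytes(out)


def build_dhcp_ack(yiaddr, chaddr, extra_opts):
    """Minimal DHCPACK: BOOTP header (op=2, BOOTREPLY) followed by the options."""
    hdr = bytearray(BOOTP_FIXED_LEN)
    hdr[0] = 2                                             # op: BOOTREPLY
    hdr[1] = 1                                             # htype: Ethernet
    hdr[2] = 6                                             # hlen
    hdr[4:8] = b"\x12\x34\x56\x78"                         # xid (constructed)
    hdr[16:20] = bytes(int(o) for o in yiaddr.split("."))  # yiaddr: offered address
    hdr[28:34] = chaddr                                    # chaddr: client MAC
    opts = {OPT_MSG_TYPE: b"\x05"}                         # DHCPACK
    opts.update(extra_opts)
    return bytes(hdr) + build_dhcp_options(opts)


def parse_dhcp_options(packet):
    """Return {code: bytes} from a full DHCP packet.

    Handles pad (0) and end (255), rejects truncated TLVs, and concatenates
    repeated options as RFC 3396 requires.
    """
    data = packet[BOOTP_FIXED_LEN:]
    if data[:4] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            return opts
        if i + 2 > len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    raise ValueError("options field has no end marker")


def onnet_status(packet, registered_serials):
    """Client-side decision: on-net iff option 224 names a FortiGate we are registered to."""
    raw = parse_dhcp_options(packet).get(OPT_FGT_SERIAL)
    if raw is None:
        return "off-net"
    serial = raw.rstrip(b"\x00").decode("ascii", "replace").strip()
    return "on-net" if serial in registered_serials else "off-net"


# Constructed sample data: placeholder serial (not a real unit) and a made-up client MAC.
REGISTERED = {"FGT60CXXXXXXXXXX"}
CLIENT_MAC = bytes.fromhex("001122334455")
ACK_WITH_TAG = build_dhcp_ack("192.168.1.50", CLIENT_MAC, {OPT_FGT_SERIAL: b"FGT60CXXXXXXXXXX"})
ACK_NO_TAG = build_dhcp_ack("10.0.0.50", CLIENT_MAC, {})
ACK_WRONG_TAG = build_dhcp_ack("192.168.1.50", CLIENT_MAC, {OPT_FGT_SERIAL: b"FGT60CYYYYYYYYYY"})

if __name__ == "__main__":
    for name, pkt in (("corporate lease", ACK_WITH_TAG),
                      ("home lease", ACK_NO_TAG),
                      ("other site's lease", ACK_WRONG_TAG)):
        print("%-20s %s" % (name, onnet_status(pkt, REGISTERED)))
```

Two things worth noting from running it. A lease with no option 224, or one whose options field is truncated, comes out "off-net", which is the fail-safe direction for a VPN auto-connect feature. And because the decision is made entirely from the lease the client happened to receive, anyone who can answer DHCP on the segment and knows the serial can make a client believe it is on-net and skip the VPN; the tag is a location hint, not authentication. On the Windows 2012 DHCP server mentioned above I would create the option with `Add-DhcpServerv4OptionDefinition -OptionId 224 -Type String -Name "FortiGate serial"` and populate it with `Set-DhcpServerv4OptionValue -OptionId 224 -Value <serial>`, scoped to the subnets behind that FortiGate.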