Created on 02-13-2024 05:16 AM Edited on 02-13-2024 05:17 AM By Anthony_E
This article describes how FortiGate handles the DHCP Discover packets that have no 'end' option.
FortiGate.
According to RFC 2131, section 4.1, the last option in a DHCP packet must always be the 'end' option.
In some cases, however, received packets have no END option (not compliant with the above RFC), as shown in the packet capture below:
Dynamic Host Configuration Protocol (Discover):
[Expert Info (Error/Protocol): End option missing]
[End option missing]
[Severity level: Error]
[Group: Protocol]
The default behavior in this case is to not reply to them (when FortiGate is the DHCP server) or to not forward such packets (to the DHCP server).
Starting with v7.4.4, FortiOS introduced the 'dhcp-relay-allow-no-end-option' command to support DHCP packets in which the End option is not specified (end-option missing).
To change this option, the configuration is done through CLI:
config system interface
edit <Port_number>
set dhcp-relay-allow-no-end-option enable <----- Default is 'disable'.
next
end
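To find which clients send such packets before relaxing the default, the options field can be walked the same way the capture tool does. The following is an added example, not Fortinet code: the function names are hypothetical, and the sample Discover (MAC address, transaction ID) is constructed.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # precedes the options field (RFC 2131)
OPT_PAD, OPT_END = 0, 255
FIXED_HEADER_LEN = 236               # BOOTP fields before the magic cookie


def check_dhcp_options(payload: bytes):
    """Return (options, has_end) for a DHCP message given as UDP payload bytes."""
    if len(payload) < FIXED_HEADER_LEN + 4:
        raise ValueError("too short for a DHCP message")
    if payload[FIXED_HEADER_LEN:FIXED_HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("magic cookie missing")
    options, i = {}, FIXED_HEADER_LEN + 4
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            return options, True
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError(f"option {code} truncated before its length byte")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} overruns the packet")
        options[code] = value
        i += 2 + length
    return options, False            # ran off the buffer: 'End option missing'


def build_discover(with_end: bool) -> bytes:
    """Constructed sample: minimal DHCP Discover with a made-up MAC and xid."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, 0x12345678, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         bytes.fromhex("020000000001"), b"", b"")
    opts = b"\x35\x01\x01" + b"\x37\x03\x01\x03\x06"   # msg type, param list
    return header + MAGIC_COOKIE + opts + (b"\xff" if with_end else b"")


if __name__ == "__main__":
    for flag in (True, False):
        opts, has_end = check_dhcp_options(build_discover(flag))
        print(f"options={sorted(opts)} end_option_present={has_end}")
```

A packet that returns has_end False is the case the setting above accepts; one that raises ValueError is malformed in a different way and is not covered by it.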
Copyright 2024 Fortinet, Inc. All Rights Reserved.