FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
FortiKoala
Staff
Article Id 192316
Description
Rogue DHCP Detection monitors the operation of approved DHCP servers and detects rogue DHCP servers on the network. Using a dedicated interface on the appliance, a scheduled task searches the specified VLANs and discovers all active entities serving IP addresses.

When the Rogue DHCP Detection task runs, it switches the port designated as the System DHCP Port to each of the designated VLANs in turn. For each VLAN change, the port's admin state is set to down and then back to up once the port has been configured with the new VLAN ID. The task then compares the discovered DHCP servers against the list of authorized DHCP servers and triggers the corresponding events when there is no match. Servers with no match are suspected unauthorized DHCP servers and are managed according to the alarms that are mapped to those events.
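The comparison step described above (discovered servers versus the authorized list, raising the two rogue-server events) can be illustrated with a small standalone script. This is an added example and not FortiNAC code: it decodes the DHCP server identifier (option 54) from constructed DHCPOFFER/DHCPACK messages seen on each scanned VLAN, checks each serving address against an authorized list, and emits the event names the article lists. The packet bytes, VLAN numbers, authorized addresses and the `KNOWN_DEVICES` set (used here as a stand-in for the appliance's own host-versus-device classification) are all constructed for the example.

```python
"""Rogue DHCP detection logic, added illustration (not FortiNAC code)."""
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2131 magic cookie that starts the options field
OPT_MSG_TYPE = 53
OPT_SERVER_ID = 54
DHCPOFFER = 2
DHCPACK = 5


def build_dhcp_reply(msg_type: int, server_ip: str) -> bytes:
    """Build a minimal BOOTREPLY carrying options 53 and 54 (constructed test input)."""
    # op=2 (BOOTREPLY), htype=1 (Ethernet), hlen=6, hops, xid, secs, flags,
    # ciaddr, yiaddr, siaddr, giaddr
    header = struct.pack("!BBBBIHH4s4s4s4s", 2, 1, 6, 0, 0x1234, 0, 0,
                         b"\0" * 4, b"\0" * 4, IPv4Address(server_ip).packed, b"\0" * 4)
    header += b"\0" * 16    # chaddr
    header += b"\0" * 64    # sname
    header += b"\0" * 128   # file
    opts = MAGIC_COOKIE
    opts += bytes([OPT_MSG_TYPE, 1, msg_type])
    opts += bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_ip).packed
    opts += b"\xff"         # end option
    return header + opts


def dhcp_server_identifier(packet: bytes):
    """Return (message_type, server_id) for a DHCPOFFER/DHCPACK, else None."""
    if len(packet) < 240 or packet[0] != 2 or packet[236:240] != MAGIC_COOKIE:
        return None
    msg_type = server_id = None
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 0:           # pad option, no length byte
            i += 1
            continue
        if code == 255:         # end option
            break
        if i + 1 >= len(packet):
            break               # truncated option header
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) < length:
            break               # truncated option body
        if code == OPT_MSG_TYPE and length == 1:
            msg_type = value[0]
        elif code == OPT_SERVER_ID and length == 4:
            server_id = str(IPv4Address(value))
        i += 2 + length
    if msg_type in (DHCPOFFER, DHCPACK) and server_id:
        return msg_type, server_id
    return None


def detect_rogue_dhcp(observations, authorized, known_devices):
    """observations: iterable of (vlan, source_mac, packet_bytes).

    Any server reply whose server identifier is not in `authorized` produces one
    event per (VLAN, server) pair. Whether the sender is classified as a managed
    network device or an end host is an assumption modelled here by `known_devices`.
    """
    authorized = {str(IPv4Address(a)) for a in authorized}
    events, seen = [], set()
    for vlan, src_mac, packet in observations:
        parsed = dhcp_server_identifier(packet)
        if parsed is None:
            continue            # not a DHCP server reply; ignore
        _, server_ip = parsed
        if server_ip in authorized or (vlan, server_ip) in seen:
            continue
        seen.add((vlan, server_ip))
        kind = "Device" if src_mac.lower() in known_devices else "Host"
        events.append({"event": f"Rogue {kind} DHCP Server Application",
                       "vlan": vlan, "server": server_ip, "mac": src_mac})
    return events


# Constructed sample data: two authorized servers, one managed device MAC,
# and replies captured while the detection port sat on VLANs 10 and 20.
AUTHORIZED = ["10.0.0.10", "10.0.0.11"]
KNOWN_DEVICES = {"00:11:22:33:44:55"}
SAMPLE_OBSERVATIONS = [
    (10, "00:11:22:33:44:55", build_dhcp_reply(DHCPOFFER, "10.0.0.10")),    # authorized
    (10, "aa:bb:cc:dd:ee:01", build_dhcp_reply(DHCPOFFER, "10.0.10.254")),  # rogue host
    (10, "aa:bb:cc:dd:ee:01", build_dhcp_reply(DHCPACK, "10.0.10.254")),    # same rogue, deduplicated
    (20, "00:11:22:33:44:55", build_dhcp_reply(DHCPOFFER, "192.168.1.1")),  # rogue device
    (20, "aa:bb:cc:dd:ee:02", b"\x01" + b"\0" * 300),                       # a client request, ignored
]


def run_scan():
    return detect_rogue_dhcp(SAMPLE_OBSERVATIONS, AUTHORIZED, KNOWN_DEVICES)


if __name__ == "__main__":
    for event in run_scan():
        print(event)
```

Deduplicating on (VLAN, server identifier) mirrors the fact that one rogue server answering several clients should raise one event per scan, not one per reply; the option parser stops cleanly on truncated options rather than raising, which matters when the input is whatever a rogue happened to send.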

This article outlines the configuration procedure. Details for each step are provided in the Rogue DHCP Server Detection section of the Administration Guide in the Fortinet Document Library.

Scope
Version:  8.x

Solution
Considerations
  • A dedicated network interface is required.
  • If the Configuration Wizard is run in the future (to edit DHCP scopes, change IP addresses, etc.), the vlanInterfaces file will be overwritten, which discards the IP address configuration required in step 3 below. Contact Support if assistance is needed.

Procedure Overview

1.  Set up a dedicated network interface on the appliance to be used for Rogue DHCP Detection (installation of an additional network card may be required).

2.  Rogue DHCP events and alarms:  If desired, map the following events to alarms.
  • Rogue Host DHCP Server Application - A host is serving IP addresses (that is, a DHCP response was seen from a host).
  • Rogue Device DHCP Server Application - A device is serving IP addresses.
See the Map Events To Alarms section in the Administration Guide for instructions.

3.  Configure an IP address for the new interface:  Assign the new interface an unused IP address from an unused subnet on the network. Configure the IP address through the CLI on the appliance by modifying the vlanInterfaces file in /bsc/siteConfiguration.

Note:  It is strongly recommended to back up this file in case the Configuration Wizard is run in the future.

4.  Configure server detection:  Via the Administration UI (System > Settings > Identification > Rogue DHCP Server Detection), do the following:
  • Assign the new interface to be used for Rogue DHCP Server Detection.
  • Add the servers that are authorized to serve DHCP to the Authorized DHCP Servers group.
  • Add the switch port to which the new interface is connected to the System DHCP Port group.
  • List the VLANs to be scanned.

5.  Schedule DHCP server verification:  In the same UI view, set up a scheduled task to poll the selected VLANs for rogue DHCP servers.

6.  Rogue DHCP server detection with IP helper:  If an IP helper (DHCP relay) is used on the network, enable the appliance to recognize the returned Authorized DHCP Server IP addresses as valid.