FortiGate
jintrah_FTNT (Staff)
Article Id 195730

Description


This article describes how to disable NetBIOS over TCP/IP on Microsoft Windows-based clients when the FortiGate is acting as the local DHCP server for the network.


Scope


FortiGate (as a DHCP server); Microsoft Windows (as a DHCP client)


Solution


RFC 2132 (Section 8.4) defines a vendor-specific information option (DHCP Option 43) whose content is left to the vendor. Microsoft uses a sub-option carried in it to enable or disable NetBIOS over TCP/IP on an interface that obtains its address via DHCP.


With that in mind, administrators can add DHCP Option 43 with a value of 010400000002 in the 'Additional DHCP Options' section of the FortiGate DHCP server configuration to disable NetBIOS over TCP/IP on the client network adapters:


From the GUI (the 'Additional DHCP Options' section of the DHCP server settings):

From the CLI:

config system dhcp server
    edit <dhcp server id>
        config options
            edit 0
                set code 43
                set value "010400000002"
            next
        end
    next
end

Note for admins with bridge-mode FortiAP SSIDs:

  • Bridge-mode SSIDs on FortiAP have a feature called dhcp-option43-insertion that injects DHCP Option 43 into Client -> Server DHCP messages as they pass through the FortiAP. This feature is enabled by default.
    • Injecting this option lets the FortiAP advertise to the FortiGate that the client is connected to a bridge-mode SSID (as opposed to being connected to the network via wired Ethernet).
    • Crucially, the FortiAP also strips DHCP Option 43 from Server -> Client DHCP messages before forwarding them to the wireless client.
  • While this is useful for informational purposes (the FortiGate can show these bridge-mode clients as wireless users in the GUI), it has the side effect of breaking DHCP Option 43 for Windows clients: the FortiGate's instruction to disable NetBIOS over TCP/IP never reaches the client.
  • Administrators are advised to disable this feature on their FortiAP-based bridge-mode SSIDs to avoid this conflict:


config wireless-controller vap
    edit <name of bridge-mode SSID>
        set dhcp-option43-insertion disable
    next
end