- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Managed FortiSwitch 6.0.4 1xxE DHCP Snooping and B...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Managed FortiSwitch 6.0.4 1xxE DHCP Snooping and Blocking
We updated our FortiGates to 6.0.5 a little while back and are now starting the upgrade to 6.0.x with our FortiSwitches.
I used our secondary location, which only has a single FortiGate and FortiSwitch 124E-POE to test this, and upgraded the FortiSwitch from 3.6.9 to 6.0.4.
Seemed to work okay, then saw no DHCP responses were getting back to clients. The FortiSwitch appeared to be blocking them.
Logging in directly through a management port and checking the vlan interface GUI page showed DHCP Snooping On/Enabled for each vlan interface (with switch port is listed as untrusted) and a warning label saying "DHCP Server(s) have been blocked".
Turning off DHCP snooping for the vlan interface allowed normal DHCP requests and responses.
Note that DHCP had been working fine with the switch on 3.6.9 (when managed by a FortiGate on 6.0.5).
Release notes for FortiSwitch 6.0.4 says DHCP Snooping is supported for 1xxE devices, but not DHCP Blocking.
Admin guide for Managed FortiSwitch 6.0.4 says 1xxE switches DON'T support DHCP Snooping nor Blocking.
Admin guide for Standalone FortiSwitch 6.0.3 says 1xxE switches DO support DHCP Snooping, but not Blocking.
For a switch that isn't able to DHCP Blocking it seemed to be doing it a bit too well. If the switch (when managed) doesn't support DHCP Snooping, then why is it enabled? Upgraded config issue?
Anybody know whether DHCP Snooping and DHCP Blocking are actually supported, currently broken, not supported, or something else for a 6.0.4 124E-POE FortiSwitch managed by a 6.0.5 FortiGate?
I'd like to understand what's happening with this switch before updating our other location which has 248E and 108E switches, along with non-Fortinet switches.
Labels:
- Labels:
-
6.0
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Additional detail: The FortiGate GUI for the 124E-POE switch ports shows the "DHCP Snooping" column with Trusted or Untrusted. EDIT: The 124E-POE shows a blank cell for DHCP Snooping on the FortiLink interface ports.
My 108E-POE on 3.6.9 (which doesn't support DHCP snooping) shows that field as blank.
Any ideas before I call TAC?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Update: Called TAC and they looked at 124E-POE config
Turns out that:
1. A FortiGate managed FortiSwitch 124E *does* support DHCP Snooping on the 6.0.x firmware
2. Upgrading from the 3.6.9 firmware on which the 124E does not support DHCP Snooping to 6.0.4 incorrectly set its FortiLink interface as an untrusted port within the FortiSwitch (not visible from the FortiGate)
3. Solution: ssh to the FortiSwitch, config switch interface, edit "FortiLinkInterfaceName", set dhcp-snooping trusted, end
Hopefully this helps out someone else if they get burned by this.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for investigating this, and sharing!
Seems the doc department was outpaced (again)...
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Related update. I upgraded a 248E-FPOE and some 108E-POE switches from 3.6.9 to 6.0.4.
Unlike the 124E-POE they all correctly set the FortiLink interfaces as dhcp-snooping trusted after the upgrade.
Although the docs say that the 1xxE switches don't support DHCP snooping, the 108Es appear to have all the settings in 6.0.4, and show "Untrusted" in the GUI for untrusted ports. I'll have to set up a "rogue" DHCP server and test it.
One thing I did have to clean up after the upgrade was my discard-mode settings for the ports (only possible to set through the switch cli in 3.6.9 if managed).
In 6.0.4 the discard-mode is accessible from config switch-controller managed-switches, which is nice. Unfortunately, the upgrade overwrote all my previous discard-mode settings, allowing tagged and untagged frames on all ports. Annoying to go back and fix up. A possible security hole if somebody upgrades and doesn't realize this has happened.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I just got bit by this with a FortiGate on 6.0.5 and a 124E. The 124E had 3.6.6 and was connected in FortiLink. I upgraded to 6.0.5 and the FortiLink interface to the 124E (named "__FoRtI1LiNk0__") had dhcp snooping set to untrusted.
Did TAC say if this issue is specific to certain firmware versions between FortiGate and FortiSwitch, or specific to certain model of switches? I wonder if this is strictly an issue in going 3.6.x -> 6.0 when FortiLink is already in place, or it's just a total logic issue that it will set wrong in any situation and it's a bug they have to fix.
The 1xxE switches doy support DHCP snooping. They added a number of features in 6.0.0 that previously were not supported on 1xxE including DHCP snooping, stick MAC addresses, and MAC/IP/Protocol based VLAN assignment. Check out the release notes for that detail. The admin guides for 6.0.x still say it's not supported, but you can clearly set these in GUI/CLI. I think it's just documentation discrepancies.
There seems to also be some discrepancy in the terms snooping and blocking. Even in the 6.2.1 release notes they are listed separately but as far as I see, they are exactly the same thing. Anything I find across versions that talks about DHCP snooping OR DHCP blocking references CLI commands of "set dhcp-snooping <trusted | untrusted>". I've seen screenshots of the GUI that show it as "DHCP Blocking" but my 1xxE list it as "DHCP Snooping". I don't have a 200 series to look at, but I suspect they may have just changed the language from "blocking" to "snooping" at some point and never updated the feature tables, or they still have some switches using the word "blocking" and other "snooping".
PS - They also added support for Access (private) VLAN's to the 1xxE switches in 6.2.1, another feature that was previous 200 series and up only.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
TAC basically told me 3.6.x is old with "hardly anybody using it" so they didn't think it was an issue. I strongly said it was an issue. The ticket got closed, without a bug being reported. I contacted my supplier and asked them to pass along the issue as a bug. Haven't contacted my SE regarding this yet.
I would guess this is an issue (bug) when upgrading FortiSwitch 1xxE models from 3.6.x to 6.0.x. I didn't see the same issue when I upgraded a 2xxE switch that was already using FortiLink.
Glad to hear they finally added pvlan support to the 1xxE switches in 6.2.1.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
An additional note on firmware updates for the 124E-POE breaking stuff. I just upgraded a 124E-POE FortiSwitch from firmware 6.0.4 to 6.0.5. The upgrade changed the switch from FortiGate managed to independent, and reset the interface IP (used for direct web access) to the default but kept all my vlans and port settings. Thus totally unreachable except by console cable, since its new IP didn't match to any of my port or vlan settings. Hooked up to console, changed a switch port to a vlan matching the default IP for access, switched it back to managed mode (wiping its config) and the FortiGate saw it again and used its saved config to properly update the switch. This 124E-POE has had more problems than most when upgrading for us. Makes me think the 124E line is not part of their regular testing.
Related Posts
- VRRP MAC pointed to wrong port 399 Views
- DHCP-Snooping blocking for other Vlans 758 Views
- VLAN issue on FG-80F with FAP-433F... 1356 Views
- Routing on layer 3 Fortiswitch 2210 Views
- FortiGate Blocking traffic from FortiSwitch (Link... 3073 Views
Labels
-
FortiGate
6,483 -
FortiClient
1,294 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiSwitch
331 -
FortiAP
330 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
86 -
FortiCloud Products
82 -
FortiToken
69 -
IPsec
69 -
Customer Service
69 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
57 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
18 -
FortiPortal
17 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
FortiAuthenticator
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSID
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSL SSH inspection
5 -
Security profile
5 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
NAC policy
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.