How to Configure DHCP Server and Firewall Policy in FortiGate (Step-by-Step Guide 2026)
🔐 Introduction
Configuring a DHCP server and firewall policy is one of the most essential tasks in any network setup. In Fortinet FortiGate firewalls, this can be done easily through both GUI and CLI.
In this guide, you will learn how to configure a DHCP server and create a firewall policy in FortiGate step by step.
🧠 What is DHCP?
DHCP (Dynamic Host Configuration Protocol) automatically assigns:
- IP addresses
- Subnet mask
- Gateway
- DNS
👉 This eliminates manual IP configuration.
🛠️ PART 1: Configure DHCP Server in FortiGate
✅ Step 1: Login to FortiGate
- Open browser
- Enter firewall IP (e.g., 192.168.1.1)
- Login with admin credentials
✅ Step 2: Go to Interface Settings
- Navigate to: Network → Interfaces
- Select your LAN interface (e.g., port2)
✅ Step 3: Enable DHCP Server
- Edit interface
- Enable DHCP Server
Configure:
- IP Range: 192.168.10.10 – 192.168.10.100
- Subnet Mask: 255.255.255.0
- Default Gateway: 192.168.10.1
- DNS Server:
  - Use FortiGate
  - Or set 8.8.8.8
✅ Step 4: Save Configuration
Click OK / Apply
👉 Now devices will automatically get IP addresses.
💻 CLI Configuration (DHCP)
    config system dhcp server
        edit 1
            set interface "port2"
            set lease-time 86400
            config ip-range
                edit 1
                    set start-ip 192.168.10.10
                    set end-ip 192.168.10.100
                next
            end
            set netmask 255.255.255.0
            set default-gateway 192.168.10.1
            set dns-service default
        next
    end
🔥 PART 2: Create Firewall Policy (Allow Internet Access)
✅ Step 1: Go to Policy & Objects
- Navigate to: Policy & Objects → Firewall Policy
✅ Step 2: Create New Policy
Configure:
- Name: LAN_to_WAN
- Incoming Interface: port2 (LAN)
- Outgoing Interface: port1 (WAN)
✅ Step 3: Set Source & Destination
- Source: LAN subnet (192.168.10.0/24)
- Destination: all
✅ Step 4: Configure Services
- Service: ALL (or HTTP, HTTPS, DNS)
✅ Step 5: Enable NAT
👉 NAT must be enabled on this policy for internet access.
✅ Step 6: Allow Traffic
- Action: ACCEPT
- Enable logging (recommended)
Click OK
💻 CLI Configuration (Firewall Policy)
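The address object LAN_subnet (a name chosen for this guide) holds the 192.168.10.0/24 source from Step 3, and set logtraffic all applies the logging enabled in Step 6.

    config firewall address
        edit "LAN_subnet"
            set subnet 192.168.10.0 255.255.255.0
        next
    end
    config firewall policy
        edit 1
            set name "LAN_to_WAN"
            set srcintf "port2"
            set dstintf "port1"
            set srcaddr "LAN_subnet"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set nat enable
        next
    end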
🚀 Verification Steps
After configuration:
✅ Connect a device to LAN
✅ Check IP assignment
✅ Test internet:
ping 8.8.8.8
⚠️ Common Mistakes (Very Important)
❌ DHCP not enabled on correct interface
❌ Wrong gateway IP
❌ NAT not enabled in policy
❌ DNS not configured
💡 Pro Tip (From Real Experience)
As a network engineer, always:
- Use separate VLANs
- Create restricted policies instead of ALL
- Enable logging for troubleshooting
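The last two tips can be checked mechanically against a configuration backup. The script below is an added example, not part of the original guide or any Fortinet tooling: it parses a `config firewall policy` block and flags accept policies that use srcaddr `all`, service `ALL`, or lack `set logtraffic all`. The sample config is constructed, `LAN_web` and `LAN_subnet` are hypothetical names, and the parser assumes flat policy entries with no nested `config` blocks.

```python
import shlex

# Constructed, abridged sample; "LAN_web" and "LAN_subnet" are hypothetical names.
SAMPLE = """config firewall policy
edit 1
set name "LAN_to_WAN"
set srcaddr "all"
set action accept
set service "ALL"
set nat enable
next
edit 2
set name "LAN_web"
set srcaddr "LAN_subnet"
set action accept
set service "HTTP" "HTTPS" "DNS"
set logtraffic all
set nat enable
next
end"""

def parse_policies(text):
    """Map policy id -> {setting: [values]} for flat 'config firewall policy' blocks."""
    policies, current, inside = {}, None, False
    for tok in (line.strip() for line in text.splitlines()):
        if tok == "config firewall policy":
            inside = True
        elif tok == "end":
            inside = False
        elif inside and tok.startswith("edit "):
            current = policies.setdefault(tok.split()[1], {})
        elif inside and current is not None and tok.startswith("set "):
            key, *values = shlex.split(tok[4:])  # handles quoted, multi-value settings
            current[key] = values
    return policies

def audit(policies):
    """Return {policy id: [issues]} for accept policies broader than the tips advise."""
    findings = {}
    for pid, p in policies.items():
        if p.get("action") != ["accept"]:  # only accept rules pass traffic
            continue
        issues = [f"{k} is '{bad}'" for k, bad in (("srcaddr", "all"), ("service", "ALL"))
                  if bad in p.get(k, [])]
        if p.get("logtraffic") != ["all"]:
            issues.append("logtraffic is not 'all'")
        if issues:
            findings[pid] = issues
    return findings
```

Calling `audit(parse_policies(SAMPLE))` reports policy 1 on all three checks and nothing for policy 2.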
✅ Conclusion
Configuring DHCP and firewall policies in FortiGate is simple but critical. With the correct setup, you ensure smooth IP allocation and secure internet access for your network.