DHCP snooping configuration on USG firewalls

You can configure DHCP snooping on USG firewalls as follows.
DHCP snooping is a DHCP security feature. It can protect devices against DHCP DoS attacks, DHCP server spoofing, ARP man-in-the-middle attacks, and IP/MAC spoofing attacks in networks that use DHCP.

The most commonly used function of DHCP snooping is to protect devices against DHCP DoS attacks. It prevents users from obtaining IP addresses from any DHCP server other than the firewall (for example, a privately connected router). However, the firewall does not otherwise restrict private routers.
The key configuration is as follows:
1. Enable DHCP snooping globally and on the interfaces.
[USG] dhcp snooping enable
[USG] interface GigabitEthernet 0/0/1
[USG-GigabitEthernet0/0/1] dhcp snooping enable
[USG-GigabitEthernet0/0/1] quit
[USG] interface GigabitEthernet 0/0/2
[USG-GigabitEthernet0/0/2] dhcp snooping enable
[USG-GigabitEthernet0/0/2] quit
2. Configure the Trusted interface to prevent DHCP server spoofing.
Set the interface connected to the DHCP server to Trusted mode and the interfaces connected to DHCP clients to Untrusted mode (once DHCP snooping is enabled on an interface, the interface is in Untrusted mode by default).
[USG] interface GigabitEthernet 0/0/2
[USG-GigabitEthernet0/0/2] dhcp snooping trusted
[USG-GigabitEthernet0/0/2] quit

Note: DHCP snooping takes effect only when the firewall serves as the DHCP server or when the DHCP server is upstream of the firewall. If a downstream switch connected to the USG firewall serves as the DHCP server, DHCP packets do not pass through the firewall and this configuration has no effect; DHCP snooping must then be configured on the switch instead.
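The trusted/untrusted model above is easy to get wrong when a configuration is edited later (for example, the global enable is removed, or the server-facing interface loses its trusted setting and all DHCP replies are dropped). The following added audit script, not part of the original page or of Huawei's tooling, parses a constructed USG-style running configuration that uses the same commands shown above and reports such inconsistencies; the firewall_is_dhcp_server flag is an assumption the caller supplies, reflecting the note that a firewall acting as the DHCP server needs no trusted uplink.

```python
from __future__ import annotations

# Constructed sample in the USG running-config layout: global enable, then "#"-separated interface blocks.
SAMPLE_CONFIG = """\
dhcp snooping enable
#
interface GigabitEthernet0/0/1
 dhcp snooping enable
#
interface GigabitEthernet0/0/2
 dhcp snooping enable
 dhcp snooping trusted
#
interface GigabitEthernet0/0/3
 dhcp snooping enable
#
"""

def parse_snooping(config: str) -> tuple[bool, dict[str, dict[str, bool]]]:
    """Return (global_enabled, {interface: {"enabled": bool, "trusted": bool}})."""
    global_enabled, interfaces, current = False, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"enabled": False, "trusted": False}
        elif line == "#":          # end of the current block
            current = None
        elif line == "dhcp snooping enable":
            if current is None:    # top-level command, not inside an interface block
                global_enabled = True
            else:
                interfaces[current]["enabled"] = True
        elif line == "dhcp snooping trusted" and current is not None:
            interfaces[current]["trusted"] = True
    return global_enabled, interfaces

def audit(config: str, firewall_is_dhcp_server: bool = False) -> list[str]:
    """Flag deviations from the trusted/untrusted model described above."""
    global_enabled, interfaces = parse_snooping(config)
    enabled = {n for n, s in interfaces.items() if s["enabled"]}
    trusted = {n for n, s in interfaces.items() if s["trusted"]}
    findings = []
    if enabled and not global_enabled:
        findings.append("global 'dhcp snooping enable' missing; enable it before the interface settings")
    for name in sorted(trusted - enabled):
        findings.append(f"{name}: trusted but DHCP snooping not enabled on the interface")
    if enabled and not trusted and not firewall_is_dhcp_server:
        findings.append("no trusted interface: replies from an upstream DHCP server will be dropped")
    return findings
```

Interfaces that are enabled but not trusted are treated as untrusted, matching the default described in step 2.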

For specific configurations, see DHCP Snooping Configuration on USG Firewalls.
