Configure DHCP in Drop-In Mode

When you use drop-in mode for network configuration, you can optionally configure the Firebox as a DHCP server for the networks it protects, or make the device act as a DHCP relay agent. If you already have a DHCP server, we recommend that you continue to use that server for DHCP.

The features available in WatchGuard System Manager (WSM) can be different for different versions of Fireware. If your Firebox does not run Fireware OS v11.10.x or higher, the content in this Help topic might not apply to your Firebox.

For instructions to complete the procedures in this topic for a Firebox that runs a lower version of Fireware, see:

Configure IPv4 DHCP in Drop-In Mode in WatchGuard System Manager v11.9.4 Help


By default, a Firebox configured as a DHCP server gives out the network (global) DNS/WINS server information. For more information about network DNS and WINS servers, see Configure Network DNS and WINS Servers.

On the DHCP Settings page, you can also configure DNS and WINS server settings that override the network DNS/WINS settings.

Configure DHCP Options

DHCP options, also known as vendor extensions, enable you to specify DHCP configuration parameters and other control information, as described in RFC 2132. You can add predefined or custom DHCP options.

The predefined DHCP options are:

| DHCP Option Code | Name | Type | Description |
| --- | --- | --- | --- |
| 150 | TFTP Server IP | IP address(es) | The IP address of the TFTP server where the DHCP client can download the boot configuration. |
| 66 | TFTP Server Name | Text | The name of the TFTP server where the DHCP client can download the boot configuration. |
| 67 | TFTP Boot Filename | Text | The name of the boot file. |
| 2 (deprecated) | Time Offset | 4 byte integer | Time offset in seconds from Coordinated Universal Time (UTC). Option 2 is deprecated. We recommend that you add a custom DHCP option and specify code 100 or 101. These options are described in RFC 4833. |
| 43 | Vendor specific information | Text | This option is used by clients and servers to exchange vendor-specific information. |
| 120 | SIP Servers | IP address(es) | IPv4 addresses of one or more Session Initiation Protocol (SIP) outbound proxy servers. This option is described in RFC 3361. |
| 138 | CAPWAP Access Controller | IP address(es) | IPv4 addresses of one or more CAPWAP Access controllers. This option is described in RFC 5417. |
| 156 | DHCP State | 1 byte integer (Unsigned) | State of the IP address. This option is used by ShoreTel phones for an FTP boot option. |

DHCP option codes 1, 6, 15, 28, 44, 46, and 51 are configured in the DHCP settings or interface configuration. To configure DHCP option 15, which is the domain suffix that DHCP clients use, specify a domain name in network DNS settings. For information about the network DNS settings, see Configure Network DNS and WINS Servers.

Some versions of Fireware OS do not support all the predefined options. If the option code you select requires a specific minimum version of Fireware, a notation appears to the right of the selected code in Policy Manager.

Add DHCP Options

In Fireware XTM v11.9.3 or higher, you can add predefined or custom DHCP options.

If the option required by your vendor is not in the list of predefined options, you can add it as a custom option.

If you use the same DHCP option code for more than one interface, the Type must be the same on each interface.
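
The following Python sketch is an added example, not WatchGuard code. It shows how the option types in the table above map to the code/length/data layout of RFC 2132, and checks the rule that one option code must have the same Type on every interface. The type names (ip_list, text, int32, uint8), the interface names, the addresses, and custom code 224 are assumptions made up for the illustration.

```python
import ipaddress
import struct

def encode_value(kind, value):
    """Encode a value using a type name that mirrors the Type column above."""
    if kind == "ip_list":                      # "IP address(es)"
        return b"".join(ipaddress.IPv4Address(a).packed for a in value)
    if kind == "text":                         # "Text"
        return value.encode("ascii")
    if kind == "int32":                        # "4 byte integer" (signed, option 2)
        return struct.pack("!i", value)
    if kind == "uint8":                        # "1 byte integer (Unsigned)"
        return struct.pack("!B", value)
    raise ValueError(f"unknown type {kind!r}")

def encode_option(code, kind, value):
    """Return one RFC 2132 option: code byte, length byte, data bytes."""
    data = encode_value(kind, value)
    if not 1 <= code <= 254 or not 1 <= len(data) <= 255:
        raise ValueError(f"option {code}: code or length out of range")
    return bytes([code, len(data)]) + data

def decode_options(buf):
    """Split an options field into {code: data}. Code 0 is pad, 255 is end."""
    out, i = {}, 0
    while i < len(buf) and buf[i] != 255:
        if buf[i] == 0:
            i += 1
            continue
        if i + 2 > len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError(f"option {buf[i]} is truncated")
        out[buf[i]] = buf[i + 2:i + 2 + buf[i + 1]]
        i += 2 + buf[i + 1]
    return out

def type_conflicts(interfaces):
    """Return option codes whose Type differs between interfaces."""
    seen, bad = {}, set()
    for options in interfaces.values():
        for code, (kind, _value) in options.items():
            if seen.setdefault(code, kind) != kind:
                bad.add(code)
    return sorted(bad)

# Constructed sample configuration; names, addresses and code 224 are made up.
SAMPLE = {
    "Trusted":  {150: ("ip_list", ["10.0.1.5", "10.0.1.6"]), 67: ("text", "boot.cfg"), 224: ("text", "a")},
    "Optional": {150: ("ip_list", ["10.0.2.5"]), 224: ("uint8", 1)},
}
```

Running type_conflicts(SAMPLE) reports code 224, which is configured as text on one interface and as a 1 byte integer on the other.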

Use DHCP Relay

One way to assign IP addresses to computers on the trusted or optional networks is to use a DHCP server on a separate network. With this feature, the Firebox sends DHCP requests to the IP addresses of up to three DHCP servers that you specify.

Make sure to Add a Static Route to each DHCP server, if necessary.

Specify DHCP Settings for a Single Interface 

You can specify different DHCP settings for each trusted or optional interface in your configuration.

See Also

Drop-In Mode