DHCP when swapping out firewall? Will PCs keep their addresses?

So I have an old SonicWall I am replacing with a FortiGate. The PCs have 7-day DHCP leases... The FortiGate will be set up to be the same IP as the SonicWall was and it will have the same DHCP range... But of course when I make the swap the FortiGate's lease list will be empty... I'm curious - as PCs check in with the firewall, will they keep their addresses? Or will they wind up getting reset to the lowest available address at the time?

Any other concerns to think about with swapping the firewalls?  


Windows PCs should request a lease with the same IP, and the DHCP should say if it's not available (already been leased to another client), in which case Windows will say, "give me whatever".  I believe this is the standard way for DHCP clients to behave, but I'm not so sure on other platforms.

Xetroximyn (Author) commented:
Ah yeah - I should have mentioned, we do have Windows but also many Ubuntu PCs.

If they behave as you describe I think it should be OK, because the new firewall will have nothing leased out so when it gets a request like "can I keep address xyz" it should say yes, and record the lease.  

Can anyone confirm if this is standard behavior on Ubuntu?

Questions about the firewall pretty much all have to do with the existing setup, and really just the same concerns as setting up a firewall in a new environment.  What's needed and what's not.  Right now I think the question's overly broad to give any good advice.

Sorry I can't confirm the specific info for Ubuntu right now.

Xetroximyn (Author) commented:
@footech - OK please ignore my last sentence (the broad question).  The first paragraph is a very specific question :-)

I have an old SonicWall I am replacing with a FortiGate. The PCs (Windows and Ubuntu) have 7-day DHCP leases... The FortiGate will be set up to be the same IP as the SonicWall was and it will have the same DHCP range... But of course when I make the swap the FortiGate's lease list will be empty... I'm curious - as PCs check in with the firewall, will they keep their addresses? Or will they wind up getting reset to the lowest available address at the time?
Blue Street Tech (Last Knight) commented:
Hi Xetroximyn,

What is managing your DHCP...Windows or the security appliance? I would assume you are managing DHCP in the security appliance because otherwise there would be no need for this question if you are simply swapping out a security appliance, but please confirm.

If you have DHCP Statics (SonicWALL) equivalent to Windows DHCP Reservations, obviously you need to make sure those are set up first. After that I would refresh the DHCP inventory regardless - if the rest of the machines are DHCP assigned, let the Fortigate manage them completely (handing out whatever IPs it thinks are adequate within its defined scope). This is also beneficial if you should have different IPs for the DHCP servers/create new sub-interfaces/subnets where the previous clients will not identify the newly created DHCP server in the new subnet, etc. If you were managing DHCP from the security appliance (SonicWALL or Fortigate), all the ARP cache (not to mention the previous DHCP assignments) will be wiped out, so I wouldn't necessarily bank on the clients getting the identical IPs as before. Therefore it will send out all its ARP requests to see where things lay (weeding out any conflicts).

Regarding your Ubuntu question, it is overall handled in the same way as any other DHCP client/server, the DHCP assignment will assign an IP address from a pool of addresses for a period of time or lease, that is configured on the server or until the client informs the server that it doesn't need the address anymore. This way, the clients will be receiving their configuration properties dynamically and on a "first come, first served" basis. When a DHCP client is no longer on the network for a specified period, the configuration is expired and released back to the address pool for use by other DHCP Clients. This way, an address can be leased or used for a period of time. After this period, the client has to renegotiate the lease with the server to maintain use of the address.

Let me know if you have any other questions!
Use the best practice and create reservations in the DHCP for those devices that will have dedicated rules in your new firewall. Do not count on the theory in the first answer, because one new device on the network might cause you a lot of stress.
Mal Osborne (Alpha Geek) commented:

Windows machines with an existing lease will attempt to renew their old lease with the DHCP server on the same IP address. If it is free, they will succeed. The new DHCP server, however will allocate these IPs if the original owner does not "claim" them in time.

For instance, imagine a PC used by the CEO had an IP of on Wednesday afternoon allocated by the SonicWALL. The SonicWALL gets swapped out for the Fortigate that night. Next morning, a salesman connects his smartphone via WiFi. It requests an IP via DHCP. The old SonicWALL had a list of allocated IPs, however the Fortigate does not. It allocates to the phone, and records this as a 7 day lease. Now, when the CEO's machine requests an IP it will NOT get that one, as the Fortigate has already marked it as in use. The CEO's machine might be given, which in turn could have been allocated to some other machine.

Differing DHCP servers and clients work in subtly different ways. Apple Macs, for instance, when shutting down "release" their IP so that the DHCP server can reallocate it, while Windows PCs don't. (Both can be reconfigured.) DHCP servers also differ in which IP they decide to dole out; some go for the lowest available number, others allocate the next available one after the last one allocated, so if the CEO's machine above had just been given, and was free, it would use that next. Some DHCP servers seem almost random.

Generally, a lot of machines will end up with the same IP address, but not always. It depends on the exact implementation of the DHCP clients and servers, the lease length, the proportion of the lease in use, and the exact sequence that the clients are fired up.
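The race described in the answer above, together with the reservation advice given earlier in the thread, as an added example that is not part of the original posts: a simplified model of a replacement DHCP server that starts with an empty lease table and serves clients in arrival order. The pool, client names, arrival order and the two allocation policies ("lowest" and "next") are assumptions made for illustration, reservations are assumed to lie inside the pool, and this is not the actual allocation logic of any FortiGate or SonicWall firmware.

```python
# Added example: simplified model of a replacement DHCP server that starts with
# an empty lease table. Pool, client names and both policies are assumptions;
# this is not FortiGate's or SonicWall's actual allocation logic.
import ipaddress

class FreshDhcpServer:
    def __init__(self, first, last, policy="lowest", reservations=None):
        lo, hi = (int(ipaddress.IPv4Address(a)) for a in (first, last))
        self.pool = [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]
        self.policy = policy                    # "lowest" or "next"
        self.reservations = reservations or {}  # client -> fixed address (in pool)
        self.leases = {}                        # address -> client, empty after swap
        self.cursor = 0                         # used by the "next" policy

    def _pick_free(self):
        start = self.cursor if self.policy == "next" else 0
        held_back = set(self.reservations.values())
        for ip in self.pool[start:] + self.pool[:start]:
            if ip not in self.leases and ip not in held_back:
                return ip
        raise RuntimeError("pool exhausted")

    def request(self, client, wanted=None):
        """Grant the address the client held before if it is still free."""
        if client in self.reservations:
            ip = self.reservations[client]
        elif (wanted in self.pool and wanted not in self.leases
              and wanted not in self.reservations.values()):
            ip = wanted
        else:
            ip = self._pick_free()
        self.leases[ip] = client
        self.cursor = (self.pool.index(ip) + 1) % len(self.pool)
        return ip

def replay(events, policy="lowest", reservations=None):
    """Return (kept, moved) client lists for clients that had a previous address."""
    server = FreshDhcpServer("192.0.2.10", "192.0.2.20", policy, reservations)
    kept, moved = [], []
    for client, old_ip in events:
        new_ip = server.request(client, old_ip)
        if old_ip is not None:
            (kept if new_ip == old_ip else moved).append(client)
    return kept, moved

# Constructed arrival order after the swap: (client, address held before).
EVENTS = [("ubuntu-dev", "192.0.2.15"), ("phone", None),
          ("ceo-pc", "192.0.2.10"), ("sales-pc", "192.0.2.11")]
```

Calling `replay(EVENTS, "lowest")`, `replay(EVENTS, "next")` and `replay(EVENTS, "lowest", {"ceo-pc": "192.0.2.10"})` shows how the same arrival order displaces two machines, none, or only the unreserved one.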
Tom Cieslik (IT Engineer) commented:
If your move time is quite short (shorter than the lease time), I would advise you to keep these computers ON without shutting them down for the whole time needed to bring up the new DHCP server.
If they're ON all the time, they'll keep the IP they got from the OLD DHCP server. Once you are ready, just ask people to restart their computers or refresh the IP manually and all should work OK.
Generally speaking you should be alright for most of your machines. Obviously not a pure guarantee. Part of what comes into play is when each lease runs out... if some happen to expire around switchover time, then they won't necessarily keep that same address.
Xetroximyn (Author) commented:
Blue Street Tech (Last Knight) commented:
Glad we could help...thanks for the points!