How to Restart the DHCP Service on a FortiGate Firewall

A practical guide to restarting the FortiGate DHCP daemon (dhcpd) via CLI to resolve hangs or failures without rebooting the firewall or interrupting traffic.

When troubleshooting connectivity issues on a FortiGate, you may occasionally encounter a scenario where the DHCP daemon (dhcpd) hangs or fails to issue new leases.

In a production environment, rebooting the entire firewall to resolve a single service interruption is rarely a viable option. It causes unnecessary downtime for all routing and security policies. Instead, the most efficient approach is to manually restart the specific dhcpd process via the CLI.

Because FortiOS utilizes a built-in crash monitor, killing the hung process will prompt the system to immediately spawn a fresh instance. Here is the exact CLI procedure to identify, terminate, and verify the restart of the DHCP service.

Step 1: Find the Process ID (PID)

To target the service, you first need to locate its current Process ID. While you can use fnsysctl ps to dump all running processes and manually search for /bin/dhcpd, it is much more efficient to query the PID directly.

Run the following command to ask the firewall specifically for the dhcpd PID:

# Get the PID for the DHCP daemon
FIREWALL # diagnose sys process pidof dhcpd

Output Example: 251

Note the returned integer. You will need this PID for the next step.

Step 2: Kill the Process

Next, you will force the process to terminate. Signal 11 is SIGSEGV, so sending it with the kill command makes that specific PID terminate as if it had hit a segmentation fault. The FortiOS crash daemon detects this failure and immediately spins up a new instance of the service.

Execute the diagnose sys kill command followed by signal 11 and your PID:

# Force the process to restart (Signal 11)
FIREWALL # diagnose sys kill 11 251

Note: The CLI will simply return to the prompt without a confirmation message. This is expected behavior.

Step 3: Verify the Restart

To ensure the service successfully restarted rather than remaining dead, repeat the query from Step 1.

# Verify the service is running with a new PID
FIREWALL # diagnose sys process pidof dhcpd

Output Example: 27907

If the command returns a completely new PID (in this example, 27907 instead of 251), the procedure was successful. The old process was terminated, a fresh DHCP daemon is actively running, and the firewall should immediately resume issuing IP addresses to clients.
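The three steps above as one scripted check, written as an added example (not Fortinet code or part of the original procedure). It refuses to send the kill unless exactly one PID was returned, and it polls until a different PID appears. The names restart_daemon, pid_of, ssh_runner and FakeFirewall are hypothetical, and ssh_runner assumes the firewall accepts one CLI command per key-authenticated SSH call.

```python
import re
import subprocess
import time

PID_LINE = re.compile(r"^[ \t]*(\d+)[ \t\r]*$", re.MULTILINE)  # a line holding only a PID

def ssh_runner(host, user="admin"):
    """Assumed transport: one CLI command per key-authenticated SSH call."""
    def run(command):
        return subprocess.run(["ssh", f"{user}@{host}", command], check=True,
                              capture_output=True, text=True, timeout=30).stdout
    return run

def pid_of(run, daemon):
    """Steps 1 and 3: return the daemon's PID, or None unless exactly one is listed."""
    pids = PID_LINE.findall(run(f"diagnose sys process pidof {daemon}"))
    return int(pids[0]) if len(pids) == 1 else None

def restart_daemon(run, daemon="dhcpd", attempts=5, delay=1.0):
    """Run Steps 1-3; return (old_pid, new_pid) or raise RuntimeError."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", daemon):
        raise ValueError("unexpected daemon name")
    old = pid_of(run, daemon)
    if old is None:
        raise RuntimeError(f"{daemon}: no single PID found, nothing was killed")
    run(f"diagnose sys kill 11 {old}")        # Step 2: returns no confirmation
    for _ in range(attempts):                 # Step 3: give the respawn time
        new = pid_of(run, daemon)
        if new is not None and new != old:
            return old, new
        time.sleep(delay)
    raise RuntimeError(f"{daemon}: no new PID after killing {old}")

class FakeFirewall:
    """Constructed stand-in for the CLI so the logic runs offline."""
    def __init__(self, pid=251, respawn_pid=27907, empty_polls=1):
        self.pid, self.respawn_pid, self.empty_polls = pid, respawn_pid, empty_polls
        self.killed, self.sent = False, []
    def __call__(self, command):
        self.sent.append(command)
        if " kill " in command:
            self.killed = True
            return ""
        if not self.killed:
            return f"{self.pid}\n"
        self.empty_polls -= 1                 # first polls see no daemon yet
        return f"{self.respawn_pid}\n" if self.empty_polls < 0 and self.respawn_pid else ""

if __name__ == "__main__":
    print(restart_daemon(FakeFirewall(), delay=0))  # real device: ssh_runner(host)
```

A RuntimeError after the kill means the daemon did not come back with a new PID within the polling window, which is the case Step 3 is meant to catch.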

Summary

Restarting services manually is a core skill for any network security engineer. By targeting the specific daemon rather than the entire system, you maintain maximum uptime while resolving isolated service failures.