Security appliance has detected a rogue DHCP server

Comes here often

Hi there,


Once a week we get an alert:


The security appliance in the Redacted - appliance network has detected a rogue DHCP server in your network.

A rogue DHCP server was found on VLAN 1 serving addresses with the subnet redacted/24. The server has MAC address redacted and IP redacted


The MAC and IP it shows are for a Windows server on the network that is the legitimate DHCP server for the network. The security device itself is set to ignore DHCP requests on VLAN 1. I have checked the DHCP servers & ARP page under switch and the DHCP server is listed there as allowed.


I would like to be able to stop these false positives without turning the rogue DHCP detection off completely. Does anyone know of a way to do this? 

Kind of a big deal

Are you sure DHCP (including relay) on the MX is completely disabled on that VLAN?

It doesn't usually falsely alert.

Hi @Philip


You can see a screen grab below:



Kind of a big deal

Does the specified IP really match the IP address? I'd assume that something like teaming is in place that changes the MAC <-> IP binding.

Hi @CptnCrnch 


The DHCP server in question is a VM. Neither the VM nor its host server uses NIC teaming. I've confirmed the IP and the MAC address in the alert correspond to the same on the VM.

Kind of a big deal

Sorry for the dumb question, but is this server listed as "Allowed"?

@CptnCrnch  there are no dumb questions 🙂


I did check this and the server is there with the correct IP, MAC address and hostname. I would post a screenshot but I'd have to redact half of it.
