Configure a Pre-PAN-OS 10.0 Firewall with a DHCP Server

The primary challenge is that PAN-OS versions before 10.0 do not generate Enhanced Application logs (EALs) when the firewall is the DHCP server, which is common in branch office and retail use cases. When the firewall is also the DHCP server, some reconfiguration of the firewall is required to generate EALs for DHCP traffic. You can do this by introducing a DHCP relay agent into its configuration.

For the rest of this section on DHCP visibility, the firewall is assumed to be running a version of PAN-OS 9.1 or earlier.

Solution: Configure a DHCP Relay Agent on a Physical Interface and a DHCP Serer on a VLAN Interface

Add a DHCP relay agent on the firewall so that unicast DHCP messages go through content scanning and the firewall generates EAL entries for them. Create a VLAN interface on the firewall to host a DHCP server and configure the physical interface of the firewall as a DHCP relay agent.

Analysis

When clients in the diagram above broadcast DHCPDISCOVER messages, the DHCP relay agent configured on ethernet1/1 receives them. You configure the relay agent to unicast the DHCPDISCOVER messages to the IP address of the vlan.1 interface which hosts a DHCP server. Note the following points:

The vlan.1 interface can have an IP address with a 32-bit netmask to use address space efficiently when scaling this solution beyond one physical interface.
The vlan.1 interface is in a separate virtual router. This forces the unicast DHCP messages to go through the data plane, which triggers the firewall to generate EAL entries.
The DHCP server is configured with IP pools consistent with the subnet configured on ethernet1/1.
You use Next-vr host routes to route unicast DHCP messages between ethernet1/1 and vlan.1.

Because this solution uses a virtual interface for the DHCP server, it can be implemented through configuration only without the need to physically reconfigure the network. Additionally, it can be implemented even when all the physical interfaces are in use.

Configuration

Save a snapshot of the current configuration.
Configure a new virtual router.

Configure a VLAN interface. In the VLAN drop-down list, click
New
to create a new VLAN.

Enter a name for the new VLAN and then click
OK
.

The VLAN Interface configuration window appears.
In the Assign Interface To section on the Config tab, select the virtual router you just created and the same security zone that the existing DHCP server is configured on.
If you choose a different zone, or create a new one, you must configure a security policy rule that allows DHCP between the two zones (see Configure an Interzone Policy in Configure Policies for Log Forwarding).
Enable log forwarding.
Log forwarding enables the firewall to send enhanced application logs to the logging service. IoT Security then ingests metadata from there for analysis.
If you use the same security zone, remember to enable logging and log forwarding for the intrazone policy rule.
For more information, see Configure an Intrazone Policy in Configure Policies for Log Forwarding.

On the IPv4 tab, configure a host IP address—that is, an address with a 32-bit netmask—and then click
OK
.

For testing and troubleshooting purposes, assign an interface management profile that allows the VLAN interface to respond to pings. If the VLAN interface and physical interface are in different zones, see details in Configure an Interzone Policy in Configure Policies for Log Forwarding.
Open the existing virtual router and configure a host route to the IP address assigned to the VLAN interface configured above.

When there are multiple DHCP servers, replace the host route with a network route to simplify the configuration. For details, see Plan for Scaling when Your Firewall Serves DHCP.
Leave Interface set as
None
and select
Next VR
as the next hop. In the drop-down list below Next Hop, select the new virtual router you created.
Click
OK
in the Static Route dialog box and then click
OK
in the Virtual Router dialog box.
Open the new virtual router and configure a route to the network that the DHCP server serves.
The configuration is similar to that shown below where the Next Hop settings are Next VR and the name of the existing virtual router.

Creating a network route rather than a host route to the DHCP relay agent enables the probe feature of the DHCP server to function.
Commit these changes.
Test your configuration.
If you assigned an interface management profile allowing ping to the VLAN interface, test your configuration by logging into the CLI and pinging from the physical interface to the VLAN interface:
ping source <phy_interf_ip-addr> host <vlan_interf_ip-addr>
Configure a DHCP server on the VLAN interface.
Include the appropriate IP pools and options such as gateway and DNS servers and then click
OK
.

Configure a DHCP relay agent on the physical interface that connects to the local network and then click
OK
.

Commit the configuration.
Test DHCP release and renew functionality by connecting a client to the local network segment.