Configure a Pre-PAN-OS 10.0 Firewall with a DHCP Server
When the firewall is hosting a DHCP server and is running a PAN-OS release earlier than PAN-OS 10.0, add a DHCP relay agent. The primary challenge is that PAN-OS versions before 10.0 do not generate Enhanced Application Logs (EALs) when the firewall itself is the DHCP server, which is common in branch office and retail deployments. In that case, some reconfiguration of the firewall is required before it generates EALs for DHCP traffic. You do this by introducing a DHCP relay agent into its configuration.
For the rest of this section on DHCP visibility, the firewall is assumed to be running PAN-OS 9.1 or earlier.
Solution: Configure a DHCP Relay Agent on a Physical Interface and a DHCP Server on a VLAN Interface
Add a DHCP relay agent on the
firewall so that unicast DHCP messages go through content scanning
and the firewall generates EAL entries for them. Create a VLAN interface
on the firewall to host a DHCP server and configure the physical
interface of the firewall as a DHCP relay agent.
Analysis
When
clients in the diagram above broadcast DHCPDISCOVER messages, the DHCP
relay agent configured on ethernet1/1 receives them. You configure
the relay agent to unicast the DHCPDISCOVER messages to the IP address
of the vlan.1 interface which hosts a DHCP server. Note the following
points:
- The vlan.1 interface can have an IP address with a 32-bit netmask to use address space efficiently when scaling this solution beyond one physical interface.
- The vlan.1 interface is in a separate virtual router. This forces the unicast DHCP messages to go through the data plane, which triggers the firewall to generate EAL entries.
- The DHCP server is configured with IP pools consistent with the subnet configured on ethernet1/1.
- You use Next-vr host routes to route unicast DHCP messages between ethernet1/1 and vlan.1.
Because this solution uses
a virtual interface for the DHCP server, it can be implemented through
configuration only without the need to physically reconfigure the
network. Additionally, it can be implemented even when all the physical
interfaces are in use.
Configuration
1. Save a snapshot of the current configuration.
2. Configure a new virtual router.
3. Configure a VLAN interface. In the VLAN drop-down list, click New to create a new VLAN. Enter a name for the new VLAN and then click OK. The VLAN Interface configuration window appears.
4. In the Assign Interface To section on the Config tab, select the virtual router you just created and the same security zone that the existing DHCP server is configured on. If you choose a different zone, or create a new one, you must configure a Security policy rule that allows DHCP between the two zones (see Configure an Interzone Policy in Configure Policies for Log Forwarding).
5. Enable log forwarding. Log forwarding enables the firewall to send enhanced application logs to the logging service; IoT Security then ingests metadata from there for analysis. If you use the same security zone, remember to enable logging and log forwarding for the intrazone policy rule. For more information, see Configure an Intrazone Policy in Configure Policies for Log Forwarding.
6. On the IPv4 tab, configure a host IP address (an address with a 32-bit netmask) and then click OK. For testing and troubleshooting purposes, assign an interface management profile that allows the VLAN interface to respond to pings. If the VLAN interface and physical interface are in different zones, see Configure an Interzone Policy in Configure Policies for Log Forwarding.
7. Open the existing virtual router and configure a host route to the IP address assigned to the VLAN interface configured above. When there are multiple DHCP servers, replace the host route with a network route to simplify the configuration (for details, see Plan for Scaling when Your Firewall Serves DHCP). Leave Interface set as None and select Next VR as the next hop. In the drop-down list below Next Hop, select the new virtual router you created. Click OK in the Static Route dialog box and then click OK in the Virtual Router dialog box.
8. Open the new virtual router and configure a route to the network that the DHCP server serves. The Next Hop settings are Next VR and the name of the existing virtual router. Creating a network route rather than a host route to the DHCP relay agent enables the probe feature of the DHCP server to function.
9. Commit these changes.
10. Test your configuration. If you assigned an interface management profile allowing ping to the VLAN interface, log in to the CLI and ping from the physical interface to the VLAN interface:
    ping source <phy_interf_ip-addr> host <vlan_interf_ip-addr>
11. Configure a DHCP server on the VLAN interface. Include the appropriate IP pools and options such as gateway and DNS servers and then click OK.
12. Configure a DHCP relay agent on the physical interface that connects to the local network and then click OK.
13. Commit the configuration.
14. Test DHCP release and renew functionality by connecting a client to the local network segment.
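The same design expressed as PAN-OS CLI set commands, as an added example that is not from the original page or from Palo Alto Networks. Every name and address is constructed for illustration: the LAN on ethernet1/1 is 10.10.10.0/24 in zone "trust" on the existing virtual router "default", the new virtual router is "vr-dhcp", the VLAN object is "dhcp-vlan", and vlan.1 takes the host address 192.0.2.254/32. Lines starting with # are annotations, not CLI input. Verify each command against the CLI reference for your PAN-OS 9.1 release before applying it.

```text
# Added example (not from the original page); all names and addresses are constructed.
# Assumes ethernet1/1 already has 10.10.10.1/24 in zone "trust" on virtual router "default".
configure

# VLAN object and VLAN interface with a host (/32) address, same zone as the LAN,
# placed in a separate virtual router so unicast DHCP crosses the data plane
set network vlan dhcp-vlan virtual-interface interface vlan.1
set network interface vlan units vlan.1 ip 192.0.2.254/32
set zone trust network layer3 vlan.1
set network virtual-router vr-dhcp interface vlan.1

# Optional: management profile so vlan.1 answers ping during testing
set network profiles interface-management-profile allow-ping ping yes
set network interface vlan units vlan.1 interface-management-profile allow-ping

# Next-VR host route from the existing virtual router to the DHCP server address
set network virtual-router default routing-table ip static-route to-dhcp-server destination 192.0.2.254/32 nexthop next-vr vr-dhcp

# Next-VR network route (not a host route, so DHCP server probing works) back to the served LAN
set network virtual-router vr-dhcp routing-table ip static-route to-lan destination 10.10.10.0/24 nexthop next-vr default

commit
exit

# Reachability check across the two virtual routers: physical interface -> VLAN interface
ping source 10.10.10.1 host 192.0.2.254

configure

# DHCP server on vlan.1 with a pool inside the ethernet1/1 subnet and the usual options
set network dhcp interface vlan.1 server ip-pool 10.10.10.100-10.10.10.200
set network dhcp interface vlan.1 server option gateway 10.10.10.1
set network dhcp interface vlan.1 server option dns primary 10.10.10.53

# DHCP relay on ethernet1/1 that unicasts client requests to the vlan.1 server address
set network dhcp interface ethernet1/1 relay ip enabled yes
set network dhcp interface ethernet1/1 relay ip server 192.0.2.254

commit
exit
```

The two next-vr static routes are the part most often missed: without the host route in "default", the relayed DHCPDISCOVER never reaches vlan.1, and without the network route in "vr-dhcp", the server's replies (and its address-probe packets) have no path back to the LAN. If the ping in the middle of the sequence fails, fix the routes before adding the DHCP server and relay.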