Configure the Management Interface as a DHCP Client
End-of-Life (EoL)


The management interface on the firewall supports DHCP client for IPv4, which allows the management interface to receive its IPv4 address from a DHCP server. The management interface also supports DHCP Option 12 and Option 61, which allow the firewall to send its hostname and client identifier, respectively, to DHCP servers.
By default, VM-Series firewalls deployed in AWS and Azure™ use the management interface as a DHCP client to obtain its IP address, rather than a static IP address, because cloud deployments require the automation this feature provides. DHCP on the management interface is turned off by default for the VM-Series firewall except for the VM-Series firewall in AWS and Azure. The management interfaces on WildFire and Panorama models do not support this DHCP functionality.
  • For hardware-based firewall models (not VM-Series), configure the management interface with a static IP address when possible.
  • If the firewall acquires a management interface address through DHCP, assign a MAC address reservation on the DHCP server that serves that firewall. The reservation ensures that the firewall retains its management IP address after a restart. If the DHCP server is a Palo Alto Networks firewall, see Step 6 of Configure an Interface as a DHCP Server for reserving an address.
If you configure the management interface as a DHCP client, the following restrictions apply:
  • You cannot use the management interface in an HA configuration for control link (HA1 or HA1 backup), data link (HA2 or HA2 backup), or packet forwarding (HA3) communication.
  • You cannot select MGT as the Source Interface when you customize service routes (Device > Setup > Services > Service Route Configuration > Customize). However, you can select Use default to route the packets via the management interface.
  • You cannot use the dynamic IP address of the management interface to connect to a Hardware Security Module (HSM). The IP address on the HSM client firewall must be a static IP address because HSM authenticates the firewall using the IP address, and operations on HSM would stop working if the IP address were to change during runtime.
A prerequisite for this task is that the management interface must be able to reach a DHCP server.
  1. Configure the Management interface as a DHCP client so that it can receive its IP address (IPv4), netmask (IPv4), and default gateway from a DHCP server.
    Optionally, you can also send the hostname and client identifier of the management interface to the DHCP server if the orchestration system you use accepts this information.
    1. Select Device > Setup > Management and edit Management Interface Settings.
    2. For IP Type, select DHCP Client.
    3. (Optional) Select one or both options for the firewall to send to the DHCP server in DHCP Discover or Request messages:
      • Send Hostname—Sends the Hostname (as defined in Device > Setup > Management) as part of DHCP Option 12.
      • Send Client ID—Sends the client identifier as part of DHCP Option 61. A client identifier uniquely identifies a DHCP client, and the DHCP Server uses it to index its configuration parameter database.
    4. Click OK.
  2. (Optional) Configure the firewall to accept the host name and domain from the DHCP server.
    1. Select Device > Setup > Management and edit General Settings.
    2. Select one or both options:
      • Accept DHCP server provided Hostname—Allows the firewall to accept the hostname from the DHCP server (if valid). When enabled, the hostname from the DHCP server overwrites any existing Hostname specified in Device > Setup > Management. Don’t select this option if you want to manually configure a hostname.
      • Accept DHCP server provided Domain—Allows the firewall to accept the domain from the DHCP Server. The domain (DNS suffix) from the DHCP Server overwrites any existing Domain specified in Device > Setup > Management. Don’t select this option if you want to manually configure a domain.
    3. Click OK.
  3. Commit your changes.
    Click Commit.
  4. View DHCP client information.
    1. Select Device > Setup > Management and Management Interface Settings.
    2. Click Show DHCP Client Runtime Info.
  5. (Optional) Renew the DHCP lease with the DHCP server, regardless of the lease term.
    This option is convenient if you are testing or troubleshooting network issues.
    1. Select Device > Setup > Management and edit Management Interface Settings.
    2. Click Show DHCP Client Runtime Info.
    3. Click Renew.
  6. (Optional) Release the following DHCP options that came from the DHCP server:
    • IP Address
    • Netmask
    • Default Gateway
    • DNS Server (primary and secondary)
    • NTP Server (primary and secondary)
    • Domain (DNS Suffix)
    A release frees the IP address, which drops your network connection and renders the firewall unmanageable if no other interface is configured for management access.
    Use the CLI operational command request dhcp client management-interface release.
