>
    Configure the Management Interface as a DHCP Client
    Focus
    Download PDF
    Focus
    1. Home
    2. PAN-OS
    3. Networking
    4. DHCP
    5. Configure the Management Interface as a DHCP Client
    Download PDF

    Configure the Management Interface as a DHCP Client

    Table of Contents
    End-of-Life (EoL)

    Configure the Management Interface as a DHCP Client

    The management interface on the firewall supports DHCP client for IPv4, which allows the management interface to receive its IPv4 address from a DHCP server. The management interface also supports DHCP Option 12 and Option 61, which allow the firewall to send its hostname and client identifier, respectively, to DHCP servers.
    By default, VM-Series firewalls deployed in AWS and Azure™ use the management interface as a DHCP client to obtain its IP address, rather than a static IP address, because cloud deployments require the automation this feature provides. DHCP on the management interface is turned off by default for the VM-Series firewall except for the VM-Series firewall in AWS and Azure. The management interfaces on WildFire and Panorama models do not support this DHCP functionality.
    • For hardware-based firewall models (not VM-Series), configure the management interface with a static IP address when possible.
    • If the firewall acquires a management interface address through DHCP, assign a MAC address reservation on the DHCP server that serves that firewall. The reservation ensures that the firewall retains its management IP address after a restart. If the DHCP server is a Palo Alto Networks firewall, see Step 6 of Configure an Interface as a DHCP Server for reserving an address.
    If you configure the management interface as a DHCP client, the following restrictions apply:
    • You cannot use the management interface in an HA configuration for control link (HA1 or HA1 backup), data link (HA2 or HA2 backup), or packet forwarding (HA3) communication.
    • You cannot select MGT as the Source Interface when you customize service routes (DeviceSetupServicesService Route ConfigurationCustomize). However, you can select Use default to route the packets via the management interface.
    • You cannot use the dynamic IP address of the management interface to connect to a Hardware Security Module (HSM). The IP address on the HSM client firewall must be a static IP address because HSM authenticates the firewall using the IP address, and operations on HSM would stop working if the IP address were to change during runtime.
    A prerequisite for this task is that the management interface must be able to reach a DHCP server.
    1. Configure the Management interface as a DHCP client so that it can receive its IP address (IPv4), netmask (IPv4), and default gateway from a DHCP server.
      Optionally, you can also send the hostname and client identifier of the management interface to the DHCP server if the orchestration system you use accepts this information.
      1. Select DeviceSetupManagement and edit Management Interface Settings.
      2. For IP Type, select DHCP Client.
      3. (Optional) Select one or both options for the firewall to send to the DHCP server in DHCP Discover or Request messages:
        • Send Hostname—Sends the Hostname (as defined in DeviceSetupManagement) as part of DHCP Option 12.
        • Send Client ID—Sends the client identifier as part of DHCP Option 61. A client identifier uniquely identifies a DHCP client, and the DHCP Server uses it to index its configuration parameter database.
      4. Click OK.
    2. (Optional) Configure the firewall to accept the host name and domain from the DHCP server.
      1. Select DeviceSetupManagement and edit General Settings.
      2. Select one or both options:
        • Accept DHCP server provided Hostname—Allows the firewall to accept the hostname from the DHCP server (if valid). When enabled, the hostname from the DHCP server overwrites any existing Hostname specified in DeviceSetupManagement. Don’t select this option if you want to manually configure a hostname.
        • Accept DHCP server provided Domain—Allows the firewall to accept the domain from the DHCP Server. The domain (DNS suffix) from the DHCP Server overwrites any existing Domain specified in DeviceSetupManagement. Don’t select this option if you want to manually configure a domain.
      3. Click OK.
    3. Commit your changes.
      Click Commit.
    4. View DHCP client information.
      1. Select DeviceSetupManagement and Management Interface Settings.
      2. Click Show DHCP Client Runtime Info.
    5. (Optional) Renew the DHCP lease with the DHCP server, regardless of the lease term.
      This option is convenient if you are testing or troubleshooting network issues.
      1. Select DeviceSetupManagement and edit Management Interface Settings.
      2. Click Show DHCP Client Runtime Info.
      3. Click Renew.
    6. (Optional) Release the following DHCP options that came from the DHCP server:
      • IP Address
      • Netmask
      • Default Gateway
      • DNS Server (primary and secondary)
      • NTP Server (primary and secondary)
      • Domain (DNS Suffix)
      A release frees the IP address, which drops your network connection and renders the firewall unmanageable if no other interface is configured for management access.
      Use the CLI operational command request dhcp client management-interface release.

    © 2024 Palo Alto Networks, Inc. All rights reserved.