Configure GlobalProtect Portal

Create DHCP Profiles on the Firewall

1. To create a DHCP profile, do one of the following:

   • On Panorama, select NetworkGlobalProtectDHCP Profile.
   • On Strata Cloud Manager (NGFW), select ConfigurationNGFW and Prisma AccessDeviceGlobalProtectProfilesDHCP Profiles and then Add Profile.
2. Enter a descriptive Name for the DHCP profile.

   You can create a maximum of five DHCP profiles.
3. Specify the IP address of the DHCP server that you want to configure on the GlobalProtect gateway.
4. Select the range of DHCP IP addresses that you want the GlobalProtect gateway to use and assign to the endpoints.

   The DHCP IP address pool you configure on the GlobalProtect gateway should match the IP pool in the DHCP server. If you configure DHCP IP addresses incorrectly on the GlobalProtect gateway, the traffic will not flow as expected.

5. Click OK to save the DHCP profile.

Configure the GlobalProtect Gateway

Enable DHCP Server on the GlobalProtect Gateway

1. To enable DHCP server on the GlobalProtect gateway, do one of the following:

   • On Strata Cloud Manager (NGFW), select ConfigurationNGFW and Prisma AccessDeviceGlobalProtectPortals and GatewaysAdd Gateway. On the Add Gateway page, under Client IP Pool, enable DHCP.
   • On Panorama, select NetworksGlobalProtectGateways<gateway config>AgentClient IP Pool.
2. On the Client Pool tab, enable DHCP.
3. Specify the Communication Timeout (in seconds) to set the number of seconds the GlobalProtect gateway and the DHCP server take to communicate and the process the IP address assignments. The default value is 5 seconds. The TCP Receive Timeout (sec) that you configure on the app settings of the GlobalProtect portal configuraion must be equal or greater than the DHCP Communication timeout.
4. Specify the number of times the GlobalProtect gateway should retry to connect to the DHCP server when the communication timeout happens between the gateway and the DHCP server. The default value is 0.
5. DHCP Server Circuit ID is autopopulated to configure the GlobalProtect gateway as the relay agent and to enable the gateway to receive IP addresses from the DHCP server and forward them to the endpoints when connected to the GlobalProtect app. The DHCP Server Circuit ID is the hexadecimal format of the current GlobalProtect gateway name.

   The DHCP Server Circuit ID should be configured as the Circuit ID while setting the DHCP server policy configuration.

   The DHCP Server Circuit ID should be configured as the Circuit ID while setting the DHCP server policy configuration.

6. Select the DHCP server type from the displayed list of DHCP servers that you have configured. You can select servers as Primary and Secondary.When you set a DHCP server as secondary, it will act as the standby server for the primary DHCP server. If the primary server fails, the secondary will be used for DHCP requests after communication timeout and retry counts. If both the DHCP servers are primary, then the DHCP request will be sent to both the servers and the reply that received first will be taken into account.
7. Click OK and commit the changes.

View and Verify the DHCP-based IP Address Assignment Logs

View the GlobalProtect logs ( MonitorLogsGlobalProtect page) to verify and troubleshoot the IP address assignment of the GlobalProtect gateway using the DHCP server.

You can see the following logs for DHCP using Command Line Interface.

• less mp-log gpsvc.log
• less mp-log rasmgr.log
• less mp-log gp_broker.log

Configure Service Routes for DHCP Requests

1. Go to DeviceSetupServices.

2. Click on the Services Route Configuration link.

3. Select Gp IP Mgmt and click OK. The Service Route Source pop-up window displays the default values.

4. Specify the Source Interface and Source IP Address you want to configure for sending the DHCP requests if you do not want to use the management interface. For example, you can specify the source interface as Ethernet and related IP addresses as the interface.

   You cannot select Any as the source interface while configuring service routes for DHCP requests.
5. Click OK to save the configuration.
6. Commit the changes.