DHCP Based IP Address Assignment and Management for GlobalProtect
Where Can I Use This?
  • NGFW (managed by Panorama)
What Do I Need?
  • GlobalProtect Subscription License
  • PAN-OS 11.2 (or a later PAN-OS version)
  • GlobalProtect app 6.0.8, 6.2.1 or later versions
  • GlobalProtect endpoints running on Windows, macOS, Android, iOS, and Linux
Starting from PAN-OS 11.2.1, the DHCP Based IP Address Assignment feature is supported for both VM-Series virtual firewall and hardware next-generation firewall platforms.
In the PAN-OS 11.2.0 release, the DHCP Based IP Address Assignment feature is supported for VM-Series virtual firewalls only; it is not supported on hardware next-generation firewall platforms.
You can configure a DHCP server profile on the GlobalProtect gateway to use an enterprise DHCP server to manage and assign IP addresses for endpoints that connect remotely through the GlobalProtect app. This feature enables centralized IP address management and assignment.
When you enable a DHCP server profile on the GlobalProtect gateway, the gateway communicates with the DHCP member server to obtain IP addresses instead of assigning them from its own private IP pool. The gateway then assigns these IP addresses as the tunnel IP addresses for the connected endpoints. If the DHCP server fails to respond to the gateway within the configured communication timeout and retry period, the gateway falls back to the private static IP pool to allocate IP addresses.
To facilitate this request, the GlobalProtect app randomly generates a MAC address that is not tied to any physical interface. On Windows endpoints, this MAC address resides in the Windows registry at HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanGPS in the mac-addr value. This value is not preserved across an uninstallation and reinstallation. The client sends the MAC address to the gateway, and the gateway uses this address to populate the chaddr (client hardware address) field in the DHCP request message. You can use this MAC address on the DHCP server side to uniquely identify the GlobalProtect app and, if desired, to statically assign the same IP address to the app every time it connects.
In case of potential MAC address collisions (for example, if two GlobalProtect apps randomly generate the same address which can cause a conflict on the DHCP server side), you can delete the registry key holding the MAC address and restart PanGPS service or your computer for a new MAC address to be generated.
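The two paragraphs above describe the gateway placing the app-generated MAC address into the chaddr field of the DHCP request, and the collision problem that arises when two apps generate the same address. The following Python is an added example, not code from the page or from Palo Alto Networks: it builds a minimal RFC 2131 DHCPDISCOVER with chaddr populated from a given MAC, parses chaddr back out of a raw message, checks that a MAC has the locally administered unicast form a randomly generated address should have, and scans a constructed table of gateway sessions for duplicate MACs. The `generate_client_mac` routine is a hypothetical stand-in for the app's generator, not its actual algorithm, and `SAMPLE_SESSIONS` is constructed data.

```python
import random
import struct

# RFC 2131 fixed-format fields and option codes
BOOTREQUEST = 1
HTYPE_ETHERNET = 1
HLEN_ETHERNET = 6
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MESSAGE_TYPE = 53
DHCPDISCOVER = 1
OPT_END = 0xFF
CHADDR_OFFSET = 28          # bytes before chaddr in the fixed header
OPTIONS_OFFSET = 236        # fixed header (28) + chaddr (16) + sname (64) + file (128)


def generate_client_mac(seed=None):
    """Hypothetical generator: a random unicast, locally administered MAC.
    This is NOT the GlobalProtect app's algorithm, only a plausible stand-in."""
    rng = random.Random(seed)
    octets = [rng.randrange(256) for _ in range(6)]
    # set the locally-administered bit (0x02), clear the multicast bit (0x01)
    octets[0] = (octets[0] | 0x02) & 0xFE
    return ":".join(f"{o:02x}" for o in octets)


def mac_to_bytes(mac):
    parts = mac.split(":")
    if len(parts) != HLEN_ETHERNET:
        raise ValueError("MAC must have six colon-separated octets")
    return bytes(int(p, 16) for p in parts)


def build_dhcp_discover(mac, xid):
    """Build a minimal DHCPDISCOVER whose chaddr carries `mac`, mirroring how the
    gateway populates chaddr with the MAC supplied by the app."""
    header = struct.pack(
        "!BBBBIHHIIII",
        BOOTREQUEST, HTYPE_ETHERNET, HLEN_ETHERNET, 0,   # op, htype, hlen, hops
        xid, 0, 0x8000,                                  # xid, secs, flags (broadcast bit)
        0, 0, 0, 0,                                      # ciaddr, yiaddr, siaddr, giaddr
    )
    chaddr = mac_to_bytes(mac).ljust(16, b"\x00")        # chaddr is a 16-byte field
    sname = b"\x00" * 64
    file_ = b"\x00" * 128
    options = MAGIC_COOKIE + bytes([OPT_MESSAGE_TYPE, 1, DHCPDISCOVER, OPT_END])
    return header + chaddr + sname + file_ + options


def parse_chaddr(packet):
    """Return the client hardware address from a raw DHCP message as a MAC string."""
    if len(packet) < OPTIONS_OFFSET + 4 or packet[OPTIONS_OFFSET:OPTIONS_OFFSET + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (bad length or magic cookie)")
    hlen = packet[2]
    if hlen > 16:
        raise ValueError("hlen exceeds chaddr field size")
    chaddr = packet[CHADDR_OFFSET:CHADDR_OFFSET + hlen]
    return ":".join(f"{b:02x}" for b in chaddr)


def is_locally_administered_unicast(mac):
    """True when the first octet has the locally-administered bit set and the
    multicast bit clear, which is what a synthetic per-app MAC should look like."""
    first = int(mac.split(":")[0], 16)
    return bool(first & 0x02) and not (first & 0x01)


def find_mac_collisions(sessions):
    """sessions: iterable of (username, mac). Returns {mac: [users]} for every MAC
    presented by more than one session, i.e. the collision case described above."""
    by_mac = {}
    for user, mac in sessions:
        by_mac.setdefault(mac.lower(), []).append(user)
    return {mac: users for mac, users in by_mac.items() if len(users) > 1}


# Constructed sample session table (not real gateway data)
SAMPLE_SESSIONS = [
    ("alice", "02:1a:2b:3c:4d:5e"),
    ("bob",   "0a:99:88:77:66:55"),
    ("carol", "02:1A:2B:3C:4D:5E"),   # same address as alice, differing only in case
]


if __name__ == "__main__":
    pkt = build_dhcp_discover(SAMPLE_SESSIONS[0][1], xid=0x1234)
    print("chaddr in DISCOVER:", parse_chaddr(pkt))
    print("collisions:", find_mac_collisions(SAMPLE_SESSIONS))
    print("generated MAC ok:", is_locally_administered_unicast(generate_client_mac(seed=1)))
```

The collision scan normalizes case before comparing, because DHCP server logs and registry values are not guaranteed to agree on hex case; a collision that shows up here is the condition under which the page tells you to clear the registry value and restart PanGPS on one of the endpoints.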
When the GlobalProtect gateway assigns DHCP IP addresses to the endpoints, you can configure your DHCP server to create Dynamic DNS (DDNS) Address (A) and Pointer (PTR) records for the GlobalProtect connected users. DDNS records are useful for endpoint admins when troubleshooting GlobalProtect connected remote user endpoints. The IP addresses are registered to the DDNS server only when you configure IP Address Management (IPAM) on a Windows server, a DDNS server, or an Infoblox server.
When you create a DHCP profile on the firewall and enable the DHCP server on the GlobalProtect gateway, the gateway uses the DHCP server to manage and assign the IP addresses for the endpoints instead of assigning them from the gateway's private IP pool. If the DHCP server fails to respond to the gateway within the configured communication timeout and retry period, the gateway falls back to the private static IP pool to allocate IP addresses for the endpoints.
  • The DHCP-based IP address assignment feature is only supported for IPv4 address assignment and not for IPv6.
  • Configuring a static IP pool on the GlobalProtect gateway is optional when you configure a DHCP-based IP address assignment feature.