Device Security
Use a Tap Interface for DHCP Visibility
Table of Contents
Use a Tap Interface for DHCP Visibility
Use a Tap interface to capture DHCP traffic to send to the data lake for
Device Security to access.
| Where Can I Use This? | What Do I Need? |
|---|---|
|
One of the following subscriptions:
|
To gain complete visibility of DHCP traffic, deploy a Tap interface on the firewall.
This guide assumes familiarity with PAN-OS configuration, including
Tap configuration. For details on configuring Tap interfaces, see the
PAN-OS Networking Administrator’s Guide.
Considerations
Sending additional traffic to a Tap interface on the firewall results in additional
session load. There are two causes for this:
- Any flow from the DHCP server to the internet, data center, or some other destination that would normally cross the firewall is inspected twice.
- Flows that normally would not be inspected are inspected when the Tap interface receives them; for example, flows bound for other hosts on the local network segment.
The following
configuration section includes options for minimizing performance
impact.
Network Architecture
The figure below
illustrates the general idea of this solution. The actual topology
can vary depending on the location of the DHCP server and the use
of technologies such as RSPAN (Remote Switched Port Analyzer).
The purpose
of this configuration is to gain visibility into DHCP traffic that
the firewall wouldn’t normally see based on its current configuration
and network topology.
Configuration
- Configure a Tap interface and zone.
![]()
Configure policy rules for Tap traffic.![]()
- The first policy rule matches DHCP traffic and uses the same log forwarding profile that the rest of the rule base uses.
- The second rule drops all other traffic, minimizing additional session load on the firewall. Log forwarding profile is not enabled.
- Neither of the rules use security profiles.
Connect the Tap interface to the port mirror on the switch.
