Use a Tap interface to capture DHCP traffic and send it to the data lake, where Device Security can access it.
| Where Can I Use This? | What Do I Need? |
|---|---|
| | One of the following subscriptions: a Device Security subscription for an advanced Device Security product (Enterprise, OT, or Medical), or a Device Security X subscription |
To gain complete visibility of DHCP traffic, deploy a Tap interface on the firewall. This guide assumes familiarity with PAN-OS configuration, including Tap configuration. For details on configuring Tap interfaces, see the PAN-OS Networking Administrator’s Guide.
Considerations
Sending traffic to a Tap interface on the firewall adds session load. There are two causes for this:
1. Any flow from the DHCP server to the internet, the data center, or some other destination that would normally cross the firewall is inspected twice: once on its normal path through the firewall and again when the copy arrives on the Tap interface.
2. Flows that normally would not be inspected at all are inspected when the Tap interface receives them; for example, flows bound for other hosts on the local network segment.
A Tap interface only receives copies of traffic, so the firewall observes and logs these sessions but cannot enforce policy on them; the added load buys visibility, not control. The following configuration section includes options for minimizing the performance impact.
Network Architecture
The figure below illustrates the general idea of this solution. The actual topology can vary depending on the location of the DHCP server and the use of technologies such as RSPAN (Remote Switched Port Analyzer).
The purpose of this configuration is to gain visibility into DHCP traffic that the firewall wouldn’t normally see based on its current configuration and network topology.
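The following is an added example, not code from the original page or from Palo Alto Networks. It shows what a Tap interface actually delivers for this use case: a minimal Ethernet/IPv4/UDP/DHCP decoder that separates DHCP messages (the traffic Device Security needs for IP-to-device mapping) from everything else the mirror port copies (the traffic that only adds session load, as described under Considerations). The frames, MAC addresses, hostname and vendor class are constructed inline for the demonstration; checksums are not validated.

```python
"""Decode DHCP traffic as seen on a tap/mirror port.

Added example (not from the original page or from Palo Alto Networks).
All sample frames below are constructed inline; no real capture is used.
"""
import struct
from dataclasses import dataclass, field

DHCP_MAGIC = b"\x63\x82\x53\x63"          # BOOTP "magic cookie" (RFC 2132)
DHCP_PORTS = {67, 68}                     # server / client UDP ports
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


@dataclass
class DhcpInfo:
    msg_type: str
    client_mac: str
    xid: int
    client_ip: str
    your_ip: str
    options: dict = field(default_factory=dict)


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_frame(frame: bytes):
    """Return DhcpInfo for a DHCP frame, or None for any other frame.

    A None result is traffic the mirror port copied to the tap that the
    DHCP visibility use case does not need: it only adds session load.
    """
    if len(frame) < 14 + 20 + 8:
        return None
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:   # IPv4 only
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 17:                   # IPv4 + UDP
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    udp = ip[ihl:total_len]
    if len(udp) < 8:
        return None
    sport, dport, ulen = struct.unpack("!HHH", udp[0:6])
    if sport not in DHCP_PORTS and dport not in DHCP_PORTS:
        return None
    return parse_dhcp(udp[8:ulen])


def parse_dhcp(payload: bytes):
    """Parse a BOOTP/DHCP message; None if it is not one."""
    # Fixed BOOTP header is 236 bytes, then the 4-byte magic cookie.
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    _op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[0:8])
    ciaddr, yiaddr = payload[12:16], payload[16:20]
    chaddr = payload[28:28 + hlen]
    opts, i = {}, 240
    while i < len(payload):                # TLV options, guarded against truncation
        code = payload[i]
        if code == 0:                      # pad
            i += 1
            continue
        if code == 255 or i + 1 >= len(payload):   # end, or truncated header
            break
        ln = payload[i + 1]
        val = payload[i + 2:i + 2 + ln]
        if len(val) != ln:                 # truncated option body
            break
        opts[code] = val
        i += 2 + ln
    mt = opts.get(53)
    msg_type = MSG_TYPES.get(mt[0], f"type-{mt[0]}") if mt else "unknown"
    decoded = {}
    if 12 in opts:
        decoded["hostname"] = opts[12].decode("ascii", "replace")
    if 60 in opts:
        decoded["vendor_class"] = opts[60].decode("ascii", "replace")
    if 50 in opts and len(opts[50]) == 4:
        decoded["requested_ip"] = _ip(opts[50])
    if 55 in opts:
        decoded["param_request_list"] = list(opts[55])
    mac = _mac(chaddr) if hlen == 6 else chaddr.hex()
    return DhcpInfo(msg_type, mac, xid, _ip(ciaddr), _ip(yiaddr), decoded)


# ---- constructed sample input (not a real capture) -------------------------
def _ipv4_udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     src_ip, dst_ip) + udp
    return dst_mac + src_mac + b"\x08\x00" + ip


def build_discover(client_mac: bytes, xid: int, hostname: str, vendor: str) -> bytes:
    """Build a broadcast DHCPDISCOVER with hostname (12), vendor class (60), PRL (55)."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, xid, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    bootp += client_mac + b"\0" * 10 + b"\0" * 64 + b"\0" * 128   # chaddr, sname, file
    opts = (b"\x35\x01\x01"
            + bytes([12, len(hostname)]) + hostname.encode()
            + bytes([60, len(vendor)]) + vendor.encode()
            + b"\x37\x03\x01\x03\x06" + b"\xff")
    return _ipv4_udp_frame(client_mac, b"\xff" * 6, b"\0" * 4, b"\xff" * 4,
                           68, 67, bootp + DHCP_MAGIC + opts)


SAMPLE_FRAMES = [
    build_discover(bytes.fromhex("001122334455"), 0x3903F326,
                   "printer-1", "Hewlett-Packard JetDirect"),
    # A DNS query on the same segment: mirrored to the tap but not DHCP.
    _ipv4_udp_frame(bytes.fromhex("001122334455"), bytes.fromhex("665544332211"),
                    bytes([10, 0, 0, 5]), bytes([10, 0, 0, 53]), 40000, 53,
                    b"\x12\x34\x01\x00" + b"\0" * 8),
]


def tap_summary(frames):
    """Split frames from the tap into decoded DHCP messages and an 'other' count."""
    dhcp, other = [], 0
    for f in frames:
        info = parse_frame(f)
        if info is None:
            other += 1
        else:
            dhcp.append(info)
    return dhcp, other


if __name__ == "__main__":
    dhcp, other = tap_summary(SAMPLE_FRAMES)
    for d in dhcp:
        print(d)
    print(f"non-DHCP frames copied to the tap (load only): {other}")
```

Running the block decodes the constructed DISCOVER (client MAC, transaction ID, hostname, vendor class, parameter request list) and counts the DNS frame as non-DHCP. In practice the same split is what a switch-side SPAN/RSPAN filter (or a narrowly scoped mirror session) should make before traffic reaches the Tap interface, so the firewall inspects the DHCP exchanges it needs and not every local-segment flow.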
Configuration