Use a Tap interface to capture DHCP traffic and send it to the data lake for IoT Security to access.
To gain complete visibility of DHCP traffic, deploy a Tap interface on the firewall. This guide assumes familiarity with PAN-OS configuration, including Tap configuration. For details on configuring Tap interfaces, see the PAN-OS Administrator’s Guide.
Sending additional traffic to a Tap interface on the firewall results in additional session load. There are two causes for this:

1. A flow from the DHCP server to the internet, data center, or some other destination that would normally cross the firewall is inspected twice.
2. Flows that normally would not be inspected are inspected when the Tap interface receives them; for example, flows bound for other hosts on the local network segment.

The configuration section includes options for minimizing performance impact.
The figure below illustrates the general idea of this solution. The actual topology can vary depending on the location of the DHCP server and the use of technologies such as RSPAN (Remote Switched Port Analyzer). The purpose of this configuration is to gain visibility into DHCP traffic that the firewall wouldn’t normally see based on its current configuration and network topology.
1. Configure a Tap interface and zone.
2. Configure policy rules for Tap traffic. The first policy rule matches DHCP traffic and uses the same log forwarding profile that the rest of the rule base uses. The second rule drops all other traffic, minimizing additional session load on the firewall; no log forwarding profile is enabled on it. Neither rule uses security profiles.
3. Connect the Tap interface to the port mirror on the switch.
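The following PAN-OS CLI (configure mode) commands are an added example of steps 1 and 2 above; they are not from the original page or from Palo Alto Networks documentation. The interface name ethernet1/3, the zone name tap-dhcp, the rule names and the log forwarding profile name default-log-forwarding are all assumptions and should be replaced with the values used in your own rule base. Step 3 (the port mirror or SPAN/RSPAN session on the switch) is configured on the switch side and is not shown.

```text
# Added example (not the page's own configuration). Names are assumptions.
configure

# Step 1: a Tap interface and a dedicated Tap zone, so Tap traffic can be
# matched by its own rules and never mixed with the production zones.
set network interface ethernet ethernet1/3 tap
set zone tap-dhcp network tap ethernet1/3

# Step 2a: match only DHCP traffic arriving on the Tap zone and forward its
# logs with the same profile the rest of the rule base uses (assumed name).
# No security profiles are attached.
set rulebase security rules tap-dhcp-allow from tap-dhcp to tap-dhcp source any source-user any destination any application dhcp service application-default action allow
set rulebase security rules tap-dhcp-allow log-setting default-log-forwarding

# Step 2b: drop everything else seen on the Tap zone, with logging disabled,
# so mirrored non-DHCP flows add as little session and log load as possible.
# Rule order matters: this rule must sit after tap-dhcp-allow.
set rulebase security rules tap-drop-rest from tap-dhcp to tap-dhcp source any source-user any destination any application any service any action drop
set rulebase security rules tap-drop-rest log-start no
set rulebase security rules tap-drop-rest log-end no

commit
```

After the commit, a quick check from operational mode is to filter the session table on the Tap zone, for example `show session all filter from tap-dhcp application dhcp`, and confirm that DHCP sessions are hitting tap-dhcp-allow while other mirrored traffic lands on tap-drop-rest. If the session count on the drop rule is large, restrict the switch-side mirror session to the DHCP server port rather than a whole VLAN, which is the main lever for reducing the extra load described above.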