Use a Tap Interface for DHCP Visibility

Use a Tap interface to capture DHCP traffic to send to the data lake for IoT Security to access.
To gain complete visibility of DHCP traffic, deploy a Tap interface on the firewall. This guide assumes familiarity with PAN-OS configuration, including Tap configuration. For details on configuring Tap interfaces, see the PAN-OS Administrator’s Guide.
Considerations
Sending additional traffic to a Tap interface on the firewall results in additional session load. There are two causes for this:
  • Any flow from the DHCP server to the internet, data center, or some other destination that would normally cross the firewall is inspected twice.
  • Flows that normally would not be inspected are inspected when the Tap interface receives them; for example, flows bound for other hosts on the local network segment.
The following configuration section includes options for minimizing performance impact.
Network Architecture
The figure below illustrates the general idea of this solution. The actual topology can vary depending on the location of the DHCP server and the use of technologies such as RSPAN (Remote Switched Port Analyzer).
The purpose of this configuration is to gain visibility into DHCP traffic that the firewall wouldn’t normally see based on its current configuration and network topology.
Configuration
  1. Configure a Tap interface and zone.
  2. Configure policy rules for Tap traffic.
    • The first policy rule matches DHCP traffic and uses the same log forwarding profile that the rest of the rule base uses.
    • The second rule drops all other traffic, minimizing additional session load on the firewall. Log forwarding profile is not enabled.
    • Neither of the rules use security profiles.
  3. Connect the Tap interface to the port mirror on the switch.

Recommended For You