Configure the Management Interface as a DHCP Client
The management interface on the firewall supports
DHCP client for IPv4, which allows the management interface to receive
its IPv4 address from a DHCP server. The management interface also
supports DHCP Option 12 and Option 61, which allow the firewall
to send its hostname and client identifier, respectively, to DHCP
servers.
By default, VM-Series firewalls deployed in AWS and
Azure™ use the management interface as a DHCP client to obtain its IP
address, rather than a static IP address, because cloud deployments
require the automation this feature provides. DHCP on the management
interface is turned off by default for the VM-Series firewall except
for the VM-Series firewall in AWS and Azure. The management interfaces
on WildFire and Panorama models do not support this DHCP functionality.
- For hardware-based firewall models (not VM-Series), configure the management interface with a static IP address when possible.
- If the firewall acquires a management interface address through DHCP, assign a MAC address reservation on the DHCP server that serves that firewall. The reservation ensures that the firewall retains its management IP address after a restart. If the DHCP server is a Palo Alto Networks® firewall, see Step 6 of Configure an Interface as a DHCP Server for reserving an address.
If you configure the management interface as a DHCP client, the following
restrictions apply:
- You cannot use the management interface in an HA configuration for control link (HA1 or HA1 backup), data link (HA2 or HA2 backup), or packet forwarding (HA3) communication.
- You cannot select MGT as the Source Interface when you customize service routes (Device > Setup > Services > Service Route Configuration > Customize). However, you can select Use default to route the packets via the management interface.
- You cannot use the dynamic IP address of the management interface to connect to a Hardware Security Module (HSM). The IP address on the HSM client firewall must be a static IP address because HSM authenticates the firewall using the IP address, and operations on HSM would stop working if the IP address were to change during runtime.
A prerequisite for this task is that the
management interface must be able to reach a DHCP server.
- Configure the Management interface as a DHCP client so that it can receive its IP address (IPv4), netmask (IPv4), and default gateway from a DHCP server. Optionally, you can also send the hostname and client identifier of the management interface to the DHCP server if the orchestration system you use accepts this information.
  - Select Device > Setup > Management and edit Management Interface Settings.
  - For IP Type, select DHCP Client.
  - (Optional) Select one or both options for the firewall to send to the DHCP server in DHCP Discover or Request messages:
    - Send Hostname—Sends the Hostname (as defined in Device > Setup > Management) as part of DHCP Option 12.
    - Send Client ID—Sends the client identifier as part of DHCP Option 61. A client identifier uniquely identifies a DHCP client, and the DHCP Server uses it to index its configuration parameter database.
  - Click OK.
- (Optional) Configure the firewall to accept the host name and domain from the DHCP server.
  - Select Device > Setup > Management and edit General Settings.
  - Select one or both options:
    - Accept DHCP server provided Hostname—Allows the firewall to accept the hostname from the DHCP server (if valid). When enabled, the hostname from the DHCP server overwrites any existing Hostname specified in Device > Setup > Management. Don’t select this option if you want to manually configure a hostname.
    - Accept DHCP server provided Domain—Allows the firewall to accept the domain from the DHCP Server. The domain (DNS suffix) from the DHCP Server overwrites any existing Domain specified in Device > Setup > Management. Don’t select this option if you want to manually configure a domain.
  - Click OK.
- Commit your changes. Click Commit.
- View DHCP client information.
  - Select Device > Setup > Management and Management Interface Settings.
  - Click Show DHCP Client Runtime Info.
- (Optional) Renew the DHCP lease with the DHCP server, regardless of the lease term. This option is convenient if you are testing or troubleshooting network issues.
  - Select Device > Setup > Management and edit Management Interface Settings.
  - Click Show DHCP Client Runtime Info.
  - Click Renew.
- (Optional) Release the following DHCP options that came from the DHCP server:
  - IP Address
  - Netmask
  - Default Gateway
  - DNS Server (primary and secondary)
  - NTP Server (primary and secondary)
  - Domain (DNS Suffix)
  A release frees the IP address, which drops your network connection and renders the firewall unmanageable if no other interface is configured for management access. Use the CLI operational command: request dhcp client management-interface release
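The options that Send Hostname and Send Client ID add to a DHCP Discover or Request can be read back from a packet capture to confirm what the firewall discloses and whether it lines up with the reservation on the DHCP server. The decoder below is an added example, not Palo Alto Networks code. The sample bytes, hostname and MAC address are constructed, and the Option 61 layout (hardware type 1 followed by the MAC) is an assumed common form, not a statement of what PAN-OS sends.

```python
"""Decode DHCP Option 12 (hostname) and Option 61 (client identifier)."""

PAD, HOSTNAME, CLIENT_ID, END = 0, 12, 61, 255

def parse_options(data: bytes) -> dict:
    """Walk the code/length/value options field defined in RFC 2132."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == END:
            break
        if code == PAD:  # padding is a single byte with no length
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError(f"option {code} has no length byte")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        # A code that appears more than once is concatenated (RFC 3396).
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts

def identity_sent(data: bytes) -> dict:
    """Report the hostname and client identifier the client disclosed."""
    opts = parse_options(data)
    host, cid = opts.get(HOSTNAME), opts.get(CLIENT_ID)
    return {
        "hostname": host.decode("ascii", "replace") if host else None,
        "client_id_type": cid[0] if cid else None,
        "client_id": cid[1:].hex(":") if cid else None,
    }

def matches_reservation(data: bytes, reserved_mac: str) -> bool:
    """True when Option 61 is type 1 (Ethernet) plus the reserved MAC."""
    info = identity_sent(data)
    wanted = reserved_mac.lower().replace("-", ":")
    return info["client_id_type"] == 1 and info["client_id"] == wanted

# Constructed options field: message type Discover, Option 12, one pad
# byte, Option 61, end marker. The MAC is a locally administered placeholder.
SAMPLE_MAC = bytes.fromhex("02005e100001")
SAMPLE = (bytes([53, 1, 1]) + bytes([12, 10]) + b"fw-mgmt-01" + bytes([0])
          + bytes([61, 7, 1]) + SAMPLE_MAC + bytes([255]))

if __name__ == "__main__":
    print(identity_sent(SAMPLE))
    print(matches_reservation(SAMPLE, "02:00:5E:10:00:01"))
```

A capture in which both fields come back as None corresponds to a firewall with neither Send option selected.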