Dynamic Host Configuration Protocol (DHCP) is a standardized protocol that provides TCP/IP and link-layer configuration parameters and network addresses to dynamically configured hosts on a TCP/IP network. An interface on a Palo Alto Networks firewall can act as a DHCP server, client, or relay agent. Assigning these roles to different interfaces allows the firewall to perform multiple roles.
What do you want to know? See:
What is DHCP? DHCP Overview
How does a DHCP server allocate addresses? DHCP Addressing
Configure an interface on the firewall to act as a: DHCP Server
DHCP Relay
Network > DNS Proxy
Looking for more? DHCP
DHCP Overview
DHCP uses a client-server model of communication. This model consists of three roles that the firewall can fulfill:
DHCP client —A firewall acting as a DHCP client (host) can request an IP address and other configuration settings from a DHCP server. Users on client firewalls save configuration time and effort, and need not know the addressing plan of the network or other network resources and options inherited from the DHCP server. DHCP server —A firewall acting as a DHCP server can service clients. By using one of the DHCP addressing mechanisms, the administrator saves configuration time and has the benefit of reusing a limited number of IP addresses clients no longer need network connectivity. The server can also deliver IP addressing and DHCP options to multiple clients. DHCP relay agent —A firewall acting as a DHCP relay agent listens for broadcast and unicast DHCP messages and relays them between DHCP clients and servers.
DHCP uses User Datagram Protocol (UDP), RFC 768, as its transport protocol. DHCP messages that a client sends to a server are sent to well-known port 67 (UDP—Bootstrap Protocol and DHCP). DHCP messages that a server sends to a client are sent to port 68.
DHCP Addressing
There are three ways that a DHCP server either assigns or sends an IP address to a client:
Automatic allocation —The DHCP server assigns a permanent IP address to a client from its IP Pools. On the firewall, a Lease specified as Unlimited means the allocation is permanent. Dynamic allocation —The DHCP server assigns a reusable IP address from IP Pools of addresses to a client for a maximum period of time, known as a lease. This method of address allocation is useful when the customer has a limited number of IP addresses; they can be assigned to clients who need only temporary access to the network. Static allocation —The network administrator chooses the IP address to assign to the client and the DHCP server sends it to the client. A static DHCP allocation is permanent; it is done by configuring a DHCP server and choosing a Reserved Address to correspond to the MAC Address of the client firewall. The DHCP assignment remains in place even if the client disconnects (logs off, reboots, has a power outage, etc.).
Static allocation of an IP address is useful, for example, if you have a printer on a LAN and you do not want its IP address to keep changing, because it is associated with a printer name through DNS. Another example is if a client firewall is used for something crucial and must keep the same IP address, even if the firewall is turned off, unplugged, rebooted, or a power outage occurs.
Keep the following points in mind when configuring a Reserved Address:
It is an address from the IP Pools. You can configure multiple reserved addresses. If you configure no Reserved Address, the clients of the server will receive new DHCP assignments from the pool when their leases expire or if they reboot, etc. (unless you specified that a Lease is Unlimited). If you allocate every address in the IP Pools as a Reserved Address, there are no dynamic addresses free to assign to the next DHCP client requesting an address. You may configure a Reserved Address without configuring a MAC Address. In this case, the DHCP server will not assign the Reserved Address to any firewall. You might reserve a few addresses from the pool and statically assign them to a fax and printer, for example, without using DHCP.
DHCP Server
The following section describes each component of the DHCP server. Before you configure a DHCP server, you should already have configured a Layer 3 Ethernet or Layer 3 VLAN interface that is assigned to a virtual router and a zone. You should also know a valid pool of IP addresses from your network plan that can be designated to be assigned by your DHCP server to clients.
When you add a DHCP server, you configure the settings described in the table below.
DHCP Server Settings Configured In Description
Interface DHCP Server Name of the interface that will serve as the DHCP server.
Mode Select enabled or auto mode. Auto mode enables the server and disables it if another DHCP server is detected on the network. The disabled setting disables the server.
Ping IP when allocating new IP DHCP Server > Lease If you click Ping IP when allocating new IP, the server will ping the IP address before it assigns that address to its client. If the ping receives a response, that means a different firewall already has that address, so it is not available for assignment. The server assigns the next address from the pool instead. If you select this option, the Probe IP column in the display will have a check mark.
Lease Specify a lease type. Unlimited causes the server to dynamically choose IP addresses from the IP Pools and assign them permanently to clients. Timeout determines how long the lease will last. Enter the number of Days and Hours, and optionally, the number of Minutes.
IP Pools Specify the stateful pool of IP addresses from which the DHCP server chooses an address and assigns it to a DHCP client. You can enter a single address, an address/<mask length>, such as, or a range of addresses, such as
Reserved Address Optionally specify an IP address (format x.x.x.x) from the IP pools that you do not want dynamically assigned by the DHCP server. If you also specify a MAC Address (format xx:xx:xx:xx:xx:xx), the Reserved Address is assigned to the firewall associated with that MAC address when that firewall requests an IP address through DHCP.
Inheritance Source DHCP Server > Options Select None (default) or select a source DHCP client interface or PPPoE client interface to propagate various server settings to the DHCP server. If you specify an Inheritance Source, select one or more options below that you want inherited from this source. One benefit of specifying an inheritance source is that DHCP options are quickly transferred from the server that is upstream of the source DHCP client. It also keeps the client’s options updated if an option on the inheritance source is changed. For example, if the inheritance source firewall replaces its NTP server (which had been identified as the Primary NTP server), the client will automatically inherit the new address as its Primary NTP server.
Check inheritance source status If you selected an Inheritance Source, click Check inheritance source status to open the Dynamic IP Interface Status window, which displays the options that are inherited from the DHCP client.
Gateway DHCP Server > Options (cont) Specify the IP address of the network gateway (an interface on the firewall) that is used to reach any device not on the same LAN as this DHCP server.
Subnet Mask Specify the network mask that applies to the addresses in the IP Pools.
Options For the following fields, click the drop-down and select None or inherited, or enter the IP address of the remote server that your DHCP server will send to clients for accessing that service. If you select inherited, the DHCP server inherits the values from the source DHCP client specified as the Inheritance Source. The DHCP server sends these settings to its clients. Primary DNS , Secondary DNS —IP address of the preferred and alternate Domain Name System (DNS) servers. Primary WINS , Secondary WINS —IP address of the preferred and alternate Windows Internet Name Service (WINS) servers. Primary NIS , Secondary NIS —IP address of the preferred and alternate Network Information Service (NIS) servers. Primary NTP , Secondary NTP —IP address of the available network time protocol (NTP) servers. POP3 Server —IP address of a Post Office Protocol version 3 (POP3) server. SMTP Server —IP address of a Simple Mail Transfer Protocol (SMTP) server. DNS Suffix —Suffix for the client to use locally when an unqualified hostname is entered that the client cannot resolve.
Custom DHCP options Click Add and enter the Name of the custom option you want the DHCP Server to send to clients. Enter an Option Code (range is 1-254). If Option Code 43 is entered, the Vendor Class Identifier (VCI) field appears. Enter a match criterion that will be compared to the incoming VCI from the client’s Option 60. The firewall looks at the incoming VCI from the client’s Option 60, finds the matching VCI in its own DHCP server table, and returns the corresponding value to the client in Option 43. The VCI match criterion is a string or hex value. A hex value must have a “0x” prefix. Click Inherited from DCHP server inheritance source to have the server inherit the value for that option code from the inheritance source. Alternatively, for Option Type, select IP Address, ASCII, or Hexadecimal to specify the type of data used for the Option Value and, for Option Value, click Add to enter the value for the custom option.
DHCP Relay
Before configuring a firewall interface as a DHCP relay agent , make sure you have configured a Layer 3 Ethernet or Layer 3 VLAN interface and that you assigned the interface to a virtual router and a zone. You want that interface to be able to pass DHCP messages between clients and servers. Each interface can forward messages to a maximum of eight external IPv4 DHCP servers and eight external IPv6 DHCP servers. A client sends a DHCPDISCOVER message to all configured servers, and the firewall relays the DHCPOFFER message of the first server that responds back to the requesting client.
DHCP Relay Setting Description
Interface Name of the interface that will be the DHCP relay agent.
IPv4 / IPv6 Select the type of DHCP server and IP address you will specify.
DHCP Server IP Address Enter the IP address of the DHCP server to and from which you will relay DHCP messages.
Interface If you selected IPv6 as the IP address protocol for the DHCP server and specified a multicast address, you must also specify an outgoing interface.
DHCP Client
Before configuring a firewall interface as a DHCP client , make sure you have configured a Layer 3 Ethernet or Layer 3 VLAN interface and that you assigned the interface to a virtual router and a zone. Perform this task if you need to use DHCP to request an IPv4 address for an interface on your firewall.
DHCP Client Setting Description
Type Select DHCP Client and then Enable to configure the interface as a DHCP client.
Automatically create default route pointing to default gateway provided by server Causes the firewall to create a static route to a default gateway that will be useful when clients are trying to access many destinations that do not need to have routes maintained in a routing table on the firewall.
Default Route Metric Optionally, enter a Default Route Metric (priority level) for the route between the firewall and the DHCP server. A route with a lower number has higher priority during route selection. For example, a route with a metric of 10 is used before a route with a metric of 100 (range is 1-65,535; no default).
Show DHCP Client Runtime Info Displays all settings received from the DHCP server, including DHCP lease status, dynamic IP assignment, subnet mask, gateway, and server settings (DNS, NTP, domain, WINS, NIS, POP3, and SMTP).

Related Documentation