How to Configure a DHCP Relay on Palo Alto Networks Firewall

Created On 09/25/18 17:27 PM - Last Modified 06/15/23 22:06 PM


This document describes the steps to configure a DHCP relay on the Palo Alto Networks firewall.


  • Palo Alto Firewall
  • Supported PAN-OS
  • DHCP Relay


The following example scenario is used in this configuration. The steps are also documented at Configure DHCP relay.

[Image: example scenario]


  1. Configure which interface will act as the DHCP relay (for example, Trust E1/5):
    • From the Web UI, go to Network > DHCP > DHCP Relay
    • Click Add and configure the IP address of the DHCP server
    • Up to four DHCP Server IP addresses can be configured.
  2. Configure security rules to allow DHCP traffic between zones:
    • Trust to Trust - for client to/from DHCP Relay interface communication (broadcast/unicast)
    • Trust to DMZ - for DHCP Relay interface to/from DHCP Server communication (unicast)
      Example of a configured security policy:
      [Image: example security policy]
  3. Commit

Note: Using a Palo Alto Networks firewall for DHCP relay requires that the DHCP session traverse the firewall symmetrically.


Test on a client. For example, a Windows Client:

ipconfig /release
ipconfig /renew
ipconfig /all
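
To check the `ipconfig /all` result programmatically, the following added example (not part of the original article) parses the output and confirms that the lease came from an expected DHCP server outside the client's subnet, as in the Trust/DMZ scenario above. The sample output, the addresses and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output; all addresses are made up.
SAMPLE = """\
Ethernet adapter Ethernet0:

   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.10.25(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   DHCP Server . . . . . . . . . . . : 10.20.30.5
"""

def parse_adapters(text):
    """Return {adapter name: {field: value}} from `ipconfig /all` text."""
    adapters, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = adapters.setdefault(line.rstrip()[:-1], {})
        elif current is not None:
            # Field lines look like "   Name . . . . : value"
            m = re.match(r"\s+([^.:]+?)[ .]*: (.*)", line)
            if m:
                current[m.group(1).strip()] = m.group(2).strip()
    return adapters

def check_relayed_lease(text, expected_servers):
    """Per adapter, list why the lease does not look relayed from an expected server."""
    results = {}
    for name, f in parse_adapters(text).items():
        problems = []
        if f.get("DHCP Enabled") != "Yes":
            problems.append("DHCP not enabled")
        server = f.get("DHCP Server")
        addr = f.get("IPv4 Address", "").split("(")[0]
        if not server:
            problems.append("no DHCP server recorded (no lease)")
        elif server not in expected_servers:
            problems.append(f"lease from unexpected server {server}")
        elif addr and "Subnet Mask" in f:
            # Assumption: the real server sits in another subnet, behind the relay.
            net = ipaddress.ip_network(f"{addr}/{f['Subnet Mask']}", strict=False)
            if ipaddress.ip_address(server) in net:
                problems.append("server is on the client subnet; lease was not relayed")
        results[name] = problems
    return results

if __name__ == "__main__":
    print(check_relayed_lease(SAMPLE, {"10.20.30.5"}))
```

An empty list for an adapter means the lease matches the expected relayed setup; a lease from a server that is not in the expected set deserves investigation as a possible unauthorized DHCP server on the segment.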



Additional Information

Information on DHCP Relay (external link)
