Palo Alto Networks Knowledgebase: How to Configure a DHCP Relay on Palo Alto Networks Firewall

How to Configure a DHCP Relay on Palo Alto Networks Firewall

26846
Created On 02/07/19 23:54 PM - Last Updated 02/07/19 23:54 PM
Content Release Deployment
Resolution

Overview

This document describes the steps to configure a DHCP relay on the Palo Alto Networks firewall. The following example scenario will be used in the configuration steps:

Screen Shot 2014-06-23 at 4.39.30 PM.png

Steps

  1. Configure which interface will be acting as DHCP relay (for example, Trust E1/5)
    1. From the Web UI, go to Network > DHCP > DHCP Relay
    2. Click Add and configure the IP address of the DHCP server
      dhcp.JPG
      Note: This can be configured with up to four DHCP Server IP addresses.
  2. Configure security rules to allow DHCP traffic between zones:
    • Trust to Trust - for client to/from DHCP Relay interface communication (broadcast/unicast)
    • Trust to DMZ - for DHCP Relay interface to/from DHCP Server Communication (unicast)
      The following diagram is based on a typical DHCP session. The diagram shows communication between DHCP relay interface and DHCP server are all unicast.
      Screen Shot 2014-06-12 at 4.55.10 PM.png
    • The following screenshot shows a packet capture of a working example on the DHCP server side:
      Screen Shot 2014-06-23 at 12.49.08 PM.png
    • Example of a configured security policy:
      Screen Shot 2014-06-23 at 1.12.02 PM.png
  3. Commit

Verification

Test on a client. For example, a Windows Client:

  • ipconfig /release
  • ipconfig /renew
  • ipconfig /all

Note: The DHCP Server must route the DHCP traffic to the Palo Alto Networks firewall for this configuration to work. Issues will arise if the DHCP server has another default gateway instead of the Palo Alto Networks firewall (or is not directly connected and routing the return traffic somewhere else). The DHCP traffic is then considered asymmetric. If the DHCP server traffic is asymmetric, the session is not setup properly on the firewall and the complete DHCP communication is not complete.

owner: jlunario



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFXCA0&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language