How to verify the DHCP Server Log Ingestion function
Created On 06/14/23 07:54 AM - Last Modified 08/01/23 17:22 PM
Objective
With the DHCP Server Log Ingestion function, DHCP IP allocation logs are forwarded to the firewall so that IoT Security can identify devices using the IP and MAC address mapping information in those logs.
This article describes how to test the DHCP Server Log Ingestion function.
Environment
- PA-Series Next-Generation Firewall
- IoT Security
- PAN-OS 11.0
Procedure
[DHCP server]
OS: Ubuntu 20.04.2 LTS
Package: isc-dhcp-server, rsyslog
IP used for syslog: x.x.x.207
- DHCP settings.
Interface to receive DHCP requests.
File: /etc/default/isc-dhcp-server
    INTERFACESv4="ens3131"
DHCP log facility and scope.
File: /etc/dhcp/dhcpd.conf
    log-facility local7;
    subnet 172.16.1.0 netmask 255.255.255.0 {
        option routers 172.16.1.222;
        option subnet-mask 255.255.255.0;
        range dynamic-bootp 172.16.1.200 172.16.1.210;
    }
- DHCP logging and forwarding settings.
File: /etc/rsyslog.conf
    local7.* /var/log/dhcpd.log
    local7.* @x.x.x.192:10514
[Firewall]
model: PA-VM
sw-version: 11.0.1
management ip: x.x.x.192
The DHCP syslog server settings are as follows.
    admin@vm-suponly# show | match DHCPServer
    set deviceconfig setting dhcp-syslog-server DHCPServerTest enabled yes
    set deviceconfig setting dhcp-syslog-server DHCPServerTest ip-address x.x.x.207
    set deviceconfig setting dhcp-syslog-server DHCPServerTest protocol UDP
Check the connection status of the DHCP server with the "show iot dhcp-server status" command.
    admin@vm-suponly> show iot dhcp-server status
    > all      Show all
    > server   Show DHCP server info for UI
Example: State before log transfer.
    admin@vm-suponly> show iot dhcp-server status all

    Server Name          Port number          Status
    ----------------------------------------------------
    DHCPServerTest       10514

    admin@vm-suponly> show iot dhcp-server status server DHCPServerTest

    Address: x.x.x.207
    Port: 10514
    Status: not connected
    Received Packets: 0
    Received Bytes: 0
    Last activity:
    Total SSL connections: 0
    Total SSL rejections: 0
    Total TCP connections: 0
    Total TCP rejections: 0
    Total UDP connections: 1
    Total UDP rejections: 0
    Total Logs received: 10
    Total Logs dropped: 0
When an IP address is assigned to a client, the DHCP server logs the following.
In this example, 172.16.1.201 was assigned to the host named ubu4.
File: /var/log/dhcpd.log
    Jun 16 13:50:39 ubu1 dhcpd[124680]: DHCPREQUEST for 172.16.1.201 from 00:50:56:b8:a3:25 (ubu4) via ens3131
    Jun 16 13:50:40 ubu1 dhcpd[124680]: ns1.hash.com: host unknown.
    Jun 16 13:50:40 ubu1 dhcpd[124680]: DHCPACK on 172.16.1.201 to 00:50:56:b8:a3:25 (ubu4) via ens3131
The firewall status output also shows that the syslog messages have been received.
    admin@vm-suponly> show iot dhcp-server status all

    Server Name          Port number          Status
    ----------------------------------------------------
    DHCPServerTest       10514                connected

    admin@vm-suponly> show iot dhcp-server status server DHCPServerTest

    Address: x.x.x.207
    Port: 10514
    Status: connected
    Received Packets: 3
    Received Bytes: 283
    Last activity: 2023-06-16 13:50:40 +0900 JST
    Total SSL connections: 0
    Total SSL rejections: 0
    Total TCP connections: 0
    Total TCP rejections: 0
    Total UDP connections: 2
    Total UDP rejections: 0
    Total Logs received: 13
    Total Logs dropped: 0
Once the EAL logs are transferred to the cloud, the device will be recognized on the IoT Security Portal.
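As an added example (not part of the original article or of any Palo Alto Networks tooling), the following script can be run on the DHCP server to confirm that /var/log/dhcpd.log actually contains the IP-to-MAC mappings being forwarded, and to count the local7 messages so the number can be compared with the increase in "Total Logs received" (10 to 13 for the three lines above). The function name and the regular expressions are assumptions based on the log format shown in this article.

```python
import re

# Log lines copied from the article's /var/log/dhcpd.log excerpt.
SAMPLE_LOG = """\
Jun 16 13:50:39 ubu1 dhcpd[124680]: DHCPREQUEST for 172.16.1.201 from 00:50:56:b8:a3:25 (ubu4) via ens3131
Jun 16 13:50:40 ubu1 dhcpd[124680]: ns1.hash.com: host unknown.
Jun 16 13:50:40 ubu1 dhcpd[124680]: DHCPACK on 172.16.1.201 to 00:50:56:b8:a3:25 (ubu4) via ens3131
"""

# Header as written to the file in the excerpt: "Mon DD HH:MM:SS host dhcpd[pid]: message"
HEADER = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) dhcpd\[\d+\]: (?P<msg>.*)$"
)
# DHCPACK marks a completed assignment; the "(hostname)" part is optional.
ACK = re.compile(
    r"^DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5})"
    r"(?: \((?P<name>[^)]*)\))? via (?P<iface>\S+)$",
    re.IGNORECASE,
)

def parse_dhcpd_log(text):
    """Return (leases, message_count).

    leases maps each MAC address to its most recent DHCPACK entry.
    message_count is the number of dhcpd syslog lines seen; with the
    "local7.*" forwarding rule each of them is sent to the firewall.
    """
    leases, message_count = {}, 0
    for line in text.splitlines():
        header = HEADER.match(line)
        if not header:
            continue  # not a dhcpd line (blank, truncated, other daemon)
        message_count += 1
        ack = ACK.match(header["msg"])
        if ack:
            leases[ack["mac"].lower()] = {
                "ip": ack["ip"],
                "hostname": ack["name"],  # None when the client sent no name
                "interface": ack["iface"],
                "time": header["ts"],
            }
    return leases, message_count

if __name__ == "__main__":
    leases, count = parse_dhcpd_log(SAMPLE_LOG)
    print(f"{count} dhcpd messages, {len(leases)} IP-MAC mapping(s)")
    for mac, lease in leases.items():
        print(mac, lease["ip"], lease["hostname"] or "-", lease["time"])
```

To check a live server, pass the contents of /var/log/dhcpd.log to parse_dhcpd_log instead of SAMPLE_LOG.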