How to verify the DHCP Server Log Ingestion function - Knowledge Base - Palo Alto Networks

How to verify the DHCP Server Log Ingestion function

Created On 06/14/23 07:54 AM - Last Modified 08/01/23 17:22 PM


Objective


With the DHCP Server Log Ingestion function, DHCP IP allocation logs are forwarded to the firewall, and IoT Security can then identify devices using the IP and MAC address mapping information in those logs.

This article describes how to test the DHCP Server Log Ingestion function.


Environment


  • PA-Series Next-Generation Firewall
  • IoT Security
  • PAN-OS 11.0


Procedure



[DHCP server]
OS: Ubuntu 20.04.2 LTS
Package: isc-dhcp-server, rsyslog
IP used for syslog: x.x.x.207
  • DHCP settings.
Interface to receive DHCP requests.
File:/etc/default/isc-dhcp-server
INTERFACESv4="ens3131"
DHCP log facility and scope.
File:/etc/dhcp/dhcpd.conf
log-facility local7;

subnet 172.16.1.0 netmask 255.255.255.0 {
        option routers 172.16.1.222;
        option subnet-mask 255.255.255.0;
        range dynamic-bootp 172.16.1.200 172.16.1.210;
}
  • DHCP logging and forwarding settings.
File:/etc/rsyslog.conf
local7.* /var/log/dhcpd.log
local7.* @x.x.x.192:10514


[Firewall]
model: PA-VM
sw-version: 11.0.1
management ip: x.x.x.192

DHCP Syslog Server settings are below.
admin@vm-suponly# show | match DHCPServer
set deviceconfig setting dhcp-syslog-server DHCPServerTest enabled yes
set deviceconfig setting dhcp-syslog-server DHCPServerTest ip-address x.x.x.207
set deviceconfig setting dhcp-syslog-server DHCPServerTest protocol UDP
 

Check the connection status of the DHCP server with the "show iot dhcp-server status" command.
admin@vm-suponly> show iot dhcp-server status
> all      Show all
> server   Show DHCP server info for UI

Example: State before log transfer.
admin@vm-suponly> show iot dhcp-server status all

 Server Name               Port number     Status
 ----------------------------------------------------
 DHCPServerTest            10514

admin@vm-suponly> show iot dhcp-server status server DHCPServerTest

Address: x.x.x.207 Port: 10514     Status: not connected

Received Packets:           0
Received Bytes:             0
Last activity:

Total SSL connections:      0
Total SSL rejections:       0
Total TCP connections:      0
Total TCP rejections:       0
Total UDP connections:      1
Total UDP rejections:       0
Total Logs received:        10
Total Logs dropped:         0

The DHCP server logs the following when it assigns an IP address to the client.
In this example, 172.16.1.201 was assigned to the host named ubu4.
/var/log/dhcpd.log
Jun 16 13:50:39 ubu1 dhcpd[124680]: DHCPREQUEST for 172.16.1.201 from 00:50:56:b8:a3:25 (ubu4) via ens3131
Jun 16 13:50:40 ubu1 dhcpd[124680]: ns1.hash.com: host unknown.
Jun 16 13:50:40 ubu1 dhcpd[124680]: DHCPACK on 172.16.1.201 to 00:50:56:b8:a3:25 (ubu4) via ens3131
The firewall status output also shows that the syslog messages have been received.
admin@vm-suponly> show iot dhcp-server status all

 Server Name               Port number     Status
 ----------------------------------------------------
 DHCPServerTest            10514           connected

admin@vm-suponly> show iot dhcp-server status server DHCPServerTest

Address: x.x.x.207 Port: 10514     Status: connected

Received Packets:           3
Received Bytes:             283
Last activity:              2023-06-16 13:50:40 +0900 JST

Total SSL connections:      0
Total SSL rejections:       0
Total TCP connections:      0
Total TCP rejections:       0
Total UDP connections:      2
Total UDP rejections:       0
Total Logs received:        13
Total Logs dropped:         0

Once the EAL logs are transferred to the cloud, the device will be recognized on the IoT Security Portal.
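The before/after comparison in this procedure can be scripted. The following Python is an added example, not part of the original article or of Palo Alto Networks tooling: the function names are hypothetical, the sample inputs are constructed by trimming the output shown above, and it assumes each forwarded log line is counted as one packet and one log, as the counters in this article suggest.

```python
import re

# Constructed sample inputs, trimmed from the output shown in this article.
DHCPD_LOG = """\
Jun 16 13:50:39 ubu1 dhcpd[124680]: DHCPREQUEST for 172.16.1.201 from 00:50:56:b8:a3:25 (ubu4) via ens3131
Jun 16 13:50:40 ubu1 dhcpd[124680]: ns1.hash.com: host unknown.
Jun 16 13:50:40 ubu1 dhcpd[124680]: DHCPACK on 172.16.1.201 to 00:50:56:b8:a3:25 (ubu4) via ens3131
"""
STATUS_BEFORE = """\
Address: x.x.x.207 Port: 10514     Status: not connected
Received Packets:           0
Total Logs received:        10
Total Logs dropped:         0
"""
STATUS_AFTER = """\
Address: x.x.x.207 Port: 10514     Status: connected
Received Packets:           3
Total Logs received:        13
Total Logs dropped:         0
"""

ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)", re.I)

def leases(log_text):
    """Return (ip, mac, hostname) for every DHCPACK line; hostname may be None."""
    return [(m["ip"], m["mac"].lower(), m["host"]) for m in ACK_RE.finditer(log_text)]

def parse_status(text):
    """Parse 'show iot dhcp-server status server <name>' output into a dict."""
    m = re.search(r"Status:[ \t]*(.+)", text)
    out = {"Status": m.group(1).strip() if m else ""}
    for key, val in re.findall(r"^([A-Za-z ]+?):[ \t]+(\d+)[ \t]*$", text, re.M):
        out[key] = int(val)  # numeric counters only; 'Last activity' is skipped
    return out

def verify(before, after, log_text):
    """Assumption: one forwarded log line = one received packet = one counted log."""
    b, a = parse_status(before), parse_status(after)
    sent = len([line for line in log_text.splitlines() if line.strip()])
    return {
        "connected": a["Status"] == "connected",
        "packets_delta_ok": a["Received Packets"] - b["Received Packets"] == sent,
        "logs_delta_ok": a["Total Logs received"] - b["Total Logs received"] == sent,
        "no_new_drops": a["Total Logs dropped"] == b["Total Logs dropped"],
    }
```

If `packets_delta_ok` is false while the DHCP server is logging leases, check the rsyslog forwarding rule and the UDP path to port 10514 before looking at the IoT Security side.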