Configure an Interface as a DHCP Server
The prerequisites for this task are:
- Configure a Layer 3 Ethernet or Layer 3 VLAN interface.
- Assign the interface to a virtual router and a zone.
- Determine a valid pool of IP addresses from your network plan that you can designate to be assigned by your DHCP server to clients.
- Collect the DHCP options, values, and Vendor Class Identifiers you plan to configure.
Capacities are as follows:
- For firewall models other than PA-5200 Series and PA-7000 Series firewalls, see the Product Selection tool.
- On PA-5220 firewalls, you can configure a maximum of 500 DHCP servers and a maximum of 2,048 DHCP relay agents minus the number of DHCP servers configured. For example, if you configure 500 DHCP servers, you can configure 1,548 DHCP relay agents.
- On PA-5250, PA-5260, and PA-7000 Series firewalls, you can configure a maximum of 500 DHCP servers, and a maximum of 4,096 DHCP relay agents minus the number of DHCP servers configured. For example, if you configure 500 DHCP servers, you can configure 3,596 DHCP relay agents.
Perform the following task to configure an interface on the firewall to act as a DHCP server.
- Select an interface to be a DHCP Server.
- Select Network > DHCP > DHCP Server and Add an Interface name or select one.
- For Mode, select enabled or auto mode. Auto mode enables the server and disables it if another DHCP server is detected on the network. The disabled setting disables the server.
- (Optional) Select Ping IP when allocating new IP if you want the server to ping the IP address before it assigns that address to its client.
If the ping receives a response, that means a different device already has that address, so it is not available. The server assigns the next address from the pool instead. This behavior is similar to Optimistic Duplicate Address Detection (DAD) for IPv6, RFC 4429.
After you set options and return to the DHCP server tab, the Probe IP column for the interface indicates if Ping IP when allocating new IP was selected.
- Configure the predefined DHCP Options that the server sends to its clients.
- In the Options section, select a Lease type:
- Unlimited causes the server to dynamically choose IP addresses from the IP Pools and assign them permanently to clients.
- Timeout determines how long the lease will last. Enter the number of Days and Hours, and optionally the number of Minutes.
- Inheritance Source—Leave None or select a source DHCP client interface or PPPoE client interface to propagate various server settings into the DHCP server. If you specify an Inheritance Source, select one or more options below that you want inherited from this source.
Specifying an inheritance source allows the firewall to quickly add DHCP options from the upstream server received by the DHCP client. It also keeps the client options updated if the source changes an option. For example, if the source replaces its NTP server (which had been identified as the Primary NTP server), the client will automatically inherit the new address as its Primary NTP server.
When inheriting DHCP option(s) that contain multiple IP addresses, the firewall uses only the first IP address contained in the option to conserve cache memory. If you require multiple IP addresses for a single option, configure the DHCP options directly on that firewall rather than configure inheritance.
- Check inheritance source status—If you selected an Inheritance Source, clicking this link opens the Dynamic IP Interface Status window, which displays the options that were inherited from the DHCP client.
- Gateway—IP address of the network gateway (an interface on the firewall) that is used to reach any device not on the same LAN as this DHCP server.
- Subnet Mask—Network mask used with the addresses in the IP Pools.
For the following fields, click the down arrow and select None, or inherited, or enter a remote server’s IP address that your DHCP server will send to clients for accessing that service. If you select inherited, the DHCP server inherits the values from the source DHCP client specified as the Inheritance Source.
- Primary DNS, Secondary DNS—IP address of the preferred and alternate Domain Name System (DNS) servers.
- Primary WINS, Secondary WINS—IP address of the preferred and alternate Windows Internet Naming Service (WINS) servers.
- Primary NIS, Secondary NIS—IP address of the preferred and alternate Network Information Service (NIS) servers.
- Primary NTP, Secondary NTP—IP address of the available Network Time Protocol servers.
- POP3 Server—IP address of Post Office Protocol (POP3) server.
- SMTP Server—IP address of a Simple Mail Transfer Protocol (SMTP) server.
- DNS Suffix—Suffix for the client to use locally when an unqualified hostname is entered that it cannot resolve.
- (Optional) Configure a vendor-specific or custom DHCP option that the DHCP server sends to its clients.
- In the Custom DHCP Options section, Add a descriptive Name to identify the DHCP option.
- Enter the Option Code you want to configure the server to offer (range is 1-254). (See RFC 2132 for option codes.)
- If the Option Code is 43, the Vendor Class Identifier field appears. Enter a VCI, which is a string or hexadecimal value (with 0x prefix) used as a match against a value that comes from the client Request containing option 60. The server looks up the incoming VCI in its table, finds it, and returns Option 43 and the corresponding option value.
- Inherit from DHCP server inheritance source—Select it only if you specified an Inheritance Source for the DHCP Server predefined options and you want the vendor-specific and custom options also to be inherited from this source.
- Check inheritance source status—If you selected an Inheritance Source, clicking this link opens Dynamic IP Interface Status, which displays the options that were inherited from the DHCP client.
- If you did not select Inherit from DHCP server inheritance source, select an Option Type: IP Address, ASCII, or Hexadecimal. Hexadecimal values must start with the 0x prefix.
- Enter the Option Value you want the DHCP server to offer for that Option Code. You can enter multiple values on separate lines.
- Click OK.
- (Optional) Add another vendor-specific or custom DHCP option.
- Repeat the prior step to enter another custom DHCP Option.
- You can enter multiple option values for an Option Code with the same Option Name, but all values for an Option Code must be the same type (IP Address, ASCII, or Hexadecimal). If one type is inherited or entered and a different type is entered for the same Option Code and the same Option Name, the second type will overwrite the first type.
When entering multiple values for an option, enter the values in the order of preference, or else move the Custom DHCP Options to achieve the preferred order in the list. Select an option and click Move Up or Move Down.
- You can enter an Option Code more than once by using a different Option Name. In this case, the Option Type for the Option Code can differ among the multiple option names.
- Click OK.
- Identify the stateful pool of IP addresses from which the DHCP server chooses an address and assigns it to a DHCP client.
If you are not the network administrator for your network, ask the network administrator for a valid pool of IP addresses from the network plan that can be designated to be assigned by your DHCP server.
- In the IP Pools field, Add the range of IP addresses from which this server assigns an address to a client. Enter an IP subnet and subnet mask (for example, 192.168.1.0/24) or a range of IP addresses (for example, 192.168.1.10-192.168.1.20).
- An IP Pool or a Reserved Address is mandatory for dynamic IP address assignment.
- An IP Pool is optional for static IP address assignment as long as the static IP addresses that you assign fall into the subnet that the firewall interface services.
- (Optional) Repeat this step to specify another IP address pool.
- (Optional) Specify an IP address from the IP pools that will not be assigned dynamically. If you also specify a MAC Address, the Reserved Address is assigned to that device when the device requests an IP address through DHCP.
See the DHCP Addressing section for an explanation of allocation of a Reserved Address.
- In the Reserved Address field, click Add.
- Enter an IP address from the IP Pools (format x.x.x.x) that you do not want to be assigned dynamically by the DHCP server.
- (Optional) Specify the MAC Address (format xx:xx:xx:xx:xx:xx) of the device to which you want to permanently assign the IP address you just specified.
- (Optional) Repeat the prior two steps to reserve another address.
- Commit your changes.
- Click OK and Commit.
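The constraints stated in the steps above (pool formats, reserved addresses drawn from the IP Pools, the MAC format, option codes 1-254, the 0x prefix, one type per Option Code and Option Name) can be checked on a planned configuration before it is entered and committed. This is an added example, not Palo Alto Networks code and not a PAN-OS API; the plan layout, the function names and the sample values are hypothetical, and the check that every pool lies inside the interface subnet is an assumption.

```python
import ipaddress
import re

def parse_pool(text):
    """Return (first, last) for 'x.x.x.x/nn' or 'x.x.x.x-y.y.y.y'."""
    if "-" in text:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in text.split("-", 1))
        if lo > hi:
            raise ValueError(f"{text}: range start is above range end")
        return lo, hi
    net = ipaddress.IPv4Network(text)  # strict parsing rejects set host bits
    return net.network_address, net.broadcast_address

def validate_plan(plan):
    """Return a list of problems in a planned DHCP server configuration."""
    problems, pools, seen = [], [], {}
    subnet = ipaddress.IPv4Network(plan["interface_subnet"])
    for text in plan["ip_pools"]:
        try:
            lo, hi = parse_pool(text)
        except ValueError as exc:
            problems.append(f"bad pool: {exc}")
            continue
        if lo not in subnet or hi not in subnet:  # assumed rule, see lead-in
            problems.append(f"pool {text} is outside {subnet}")
        pools.append((lo, hi))
    for ip_text, mac in plan["reserved"]:
        ip = ipaddress.IPv4Address(ip_text)
        if not any(lo <= ip <= hi for lo, hi in pools):
            problems.append(f"reserved {ip} is not in any IP pool")
        if mac and not re.fullmatch(r"[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}", mac):
            problems.append(f"reserved {ip}: MAC {mac!r} is not xx:xx:xx:xx:xx:xx")
    for name, code, kind, value in plan["custom_options"]:
        if not 1 <= code <= 254:
            problems.append(f"{name}: option code {code} is outside 1-254")
        if kind == "hexadecimal" and not re.fullmatch(r"0x[0-9A-Fa-f]+", value):
            problems.append(f"{name}: hexadecimal value {value!r} lacks the 0x prefix")
        first = seen.setdefault((code, name), kind)
        if first != kind:
            problems.append(f"{name}: type {kind} would overwrite {first} for code {code}")
    return problems

# Constructed sample plan (hypothetical values, not taken from the page).
PLAN = {
    "interface_subnet": "192.168.1.0/24",
    "ip_pools": ["192.168.1.10-192.168.1.20", "192.168.2.0/24"],
    "reserved": [("192.168.1.15", "00:1b:17:00:01:0a"), ("192.168.1.50", None)],
    "custom_options": [("ap-ctrl", 43, "hexadecimal", "c0a80105"),
                       ("ap-ctrl", 43, "ascii", "192.168.1.5")],
}
```

Calling `validate_plan(PLAN)` reports the pool outside the served subnet, the reserved address that is in no pool, the hexadecimal value without its prefix, and the second option type that would overwrite the first.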