The management interface on the firewall supports
DHCP client for IPv4, which allows the management interface to receive
its IPv4 address from a DHCP server. The management interface also
supports DHCP Option 12 and Option 61, which allow the firewall
to send its hostname and client identifier, respectively, to DHCP
servers.
By default, VM-Series firewalls deployed in AWS and
Azure™ use the management interface as a DHCP client to obtain its IP
address, rather than a static IP address, because cloud deployments
require the automation this feature provides. DHCP on the management
interface is turned off by default for the VM-Series firewall except
for the VM-Series firewall in AWS and Azure. The management interfaces
on WildFire and Panorama models do not support this DHCP functionality.
- For hardware-based firewall models
(not VM-Series), configure the management interface with a static
IP address when possible.
- If the firewall acquires a management interface address through
DHCP, assign a MAC address reservation on the DHCP server that serves
that firewall. The reservation ensures that the firewall retains
its management IP address after a restart. If the DHCP server is
a Palo Alto Networks® firewall, see Step 6 of Configure
an Interface as a DHCP Server for reserving an address.
If
you configure the management interface as a DHCP client, the following
restrictions apply:
You cannot use the management
interface in an HA configuration for control link (HA1 or HA1 backup),
data link (HA2 or HA2 backup), or packet forwarding (HA3) communication.
You cannot select MGT as the Source
Interface when you customize service routes ().
However, you can select Use default to route
the packets via the management interface.
You cannot use the dynamic IP address of the management interface
to connect to a Hardware Security Module (HSM). The IP address on
the HSM client firewall must be a static IP address because HSM
authenticates the firewall using the IP address, and operations
on HSM would stop working if the IP address were to change during
runtime.
A prerequisite for this task is that the
management interface must be able to reach a DHCP server.