Configure a Pre-PAN-OS 10.0 Firewall for a Local DHCP Server
When a firewall is running a PAN-OS release earlier than
PAN-OS 10.0 and there’s a local DHCP server, configure the firewall
as a DHCP relay agent.
When the firewall is not receiving unicast
DHCP packets—either as a DHCP server or relay agent—you must arrange
for it to generate or receive them. Instructions for doing this
to provide DHCP traffic visibility in PAN-OS 8.1, PAN-OS 9.0, and
PAN-OS 9.1 are provided in this section.
In the example below, there is a DHCP server on the local network
segment. The firewall receives the DHCPDISCOVER messages that DHCP
clients broadcast, but it is not configured as a DHCP server.
Solution 1: Move the DHCP Server to a Different Zone
This solution involves moving the DHCP server to a different
zone on the firewall and configuring a DHCP relay agent on the firewall
interface that connects to the clients. This forces the generation
of unicast DHCP traffic, which the firewall can then use to generate
Enhanced Application logs (EALs).
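To confirm that the relay agent is producing the unicast traffic described above, the following added example (not part of the original documentation or any Palo Alto Networks tooling) parses a DHCP UDP payload taken from a packet capture and labels it as a client broadcast or a relayed unicast, using the fact that a DHCP relay agent fills in the `giaddr` field before forwarding to the server. The function names, the addresses `10.1.1.1` (relay interface) and `10.1.2.10` (DHCP server), and the sample MAC are assumptions constructed for the demonstration.

```python
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie that follows the BOOTP header
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 5: "DHCPACK"}
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")

def parse_dhcp(payload):
    """Parse hops, giaddr, client MAC and option 53 from a DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    hlen, hops = payload[2], payload[3]
    giaddr = ipaddress.IPv4Address(payload[24:28])   # set by the relay agent
    mac = payload[28:28 + min(hlen, 16)].hex(":")
    msg_type, i = None, 240
    while i < len(payload) and payload[i] != 255:    # 255 = end option
        if payload[i] == 0:                          # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            break                                    # truncated option header
        code, length = payload[i], payload[i + 1]
        if code == 53 and length == 1 and i + 2 < len(payload):
            msg_type = payload[i + 2]
        i += 2 + length
    return {"hops": hops, "giaddr": str(giaddr), "mac": mac,
            "type": MSG_TYPES.get(msg_type, "unknown")}

def classify(dst_ip, payload):
    """Label a DHCP packet by how it was delivered, given its IP destination."""
    msg = parse_dhcp(payload)
    if ipaddress.IPv4Address(dst_ip) == LIMITED_BROADCAST:
        msg["delivery"] = "broadcast"
    elif msg["giaddr"] != "0.0.0.0":
        msg["delivery"] = "relayed-unicast"
    else:
        msg["delivery"] = "unicast"
    return msg

def build_sample(giaddr="0.0.0.0", hops=0):
    """Constructed DHCPDISCOVER for this demo (not captured traffic)."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, hops, 0x1234ABCD, 0, 0)
    addrs = b"\x00" * 12 + ipaddress.IPv4Address(giaddr).packed
    chaddr = bytes.fromhex("020000aabbcc") + b"\x00" * 10
    return hdr + addrs + chaddr + b"\x00" * 192 + MAGIC + b"\x35\x01\x01\xff"

if __name__ == "__main__":
    print(classify("255.255.255.255", build_sample()))            # client broadcast
    print(classify("10.1.2.10", build_sample("10.1.1.1", 1)))     # after the relay
```

Only the limited broadcast address is treated as broadcast here; a subnet-directed broadcast would need the interface's prefix length to detect.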
Solution 2: Place the DHCP Server behind a Virtual Wire
Placing the DHCP server behind a Virtual Wire interface enables
the firewall to generate EALs for all packets in the exchange. After
proper configuration and physical network changes, the network looks
similar to the illustration below: