: Configure a Pre-PAN-OS 10.0 Firewall for a Local DHCP Server
Focus
Focus

Configure a Pre-PAN-OS 10.0 Firewall for a Local DHCP Server

Table of Contents

Configure a Pre-PAN-OS 10.0 Firewall for a Local DHCP Server

When a firewall is running a PAN-OS release earlier than PAN-OS 10.0 and there’s a local DHCP server, configure the firewall as a DHCP relay agent.
When the firewall is not receiving unicast DHCP packets—either as a DHCP server or relay agent—you must arrange for it to generate or receive them. Instructions for doing this to provide DHCP traffic visibility in PAN-OS 8.1, PAN-OS 9.0, and PAN-OS 9.1 are provided in this section.
In the example below, there is a DHCP server on the local network segment. The firewall receives the DHCPDISCOVER messages that DHCP clients broadcast, but it is not configured as a DHCP server.
Solution 1: Move the DHCP Server to a Different Zone
This solution involves moving the DHCP server to a different zone on the firewall and configuring a DHCP relay agent on the firewall interface that connects to the clients. This forces the generation of unicast DHCP traffic, which the firewall can then use to generate Enhanced Application logs (EALs).
Solution 2: Place the DHCP Server behind a Virtual Wire
Placing the DHCP server behind a Virtual Wire interface enables the firewall to generate EALs for all packets in the exchange. After proper configuration and physical network changes, the network looks similar to the illustration below: