Use a Tap Interface for DHCP Visibility
Use a Tap interface to capture DHCP traffic and send it to the data lake for IoT Security to access.

To gain complete visibility of DHCP traffic, deploy a Tap interface on the firewall. This guide assumes familiarity with PAN-OS configuration, including Tap configuration. For details on configuring Tap interfaces, see the PAN-OS Networking Administrator’s Guide.
Considerations
Sending additional traffic to a Tap interface on the firewall results in additional session load. There are two causes for this:
- Any flow from the DHCP server to the internet, data center, or some other destination that would normally cross the firewall is inspected twice.
- Flows that normally would not be inspected are inspected when the Tap interface receives them; for example, flows bound for other hosts on the local network segment.
The following configuration section includes options for minimizing performance impact.
Network Architecture
The figure below illustrates the general idea of this solution. The actual topology can vary depending on the location of the DHCP server and the use of technologies such as RSPAN (Remote Switched Port Analyzer).

The purpose of this configuration is to gain visibility into DHCP traffic that the firewall wouldn’t normally see based on its current configuration and network topology.
Configuration
- Configure a Tap interface and zone.
- Configure policy rules for Tap traffic.
  - The first policy rule matches DHCP traffic and uses the same log forwarding profile that the rest of the rule base uses.
  - The second rule drops all other traffic, minimizing additional session load on the firewall. No log forwarding profile is enabled on this rule.
  - Neither rule uses security profiles.
- Connect the Tap interface to the port mirror on the switch.
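The three steps above, written out as PAN-OS CLI set commands, as an added example that is not part of the Palo Alto Networks guide. The port ethernet1/5, the zone name iot-tap, the rule names and the log forwarding profile name IoT-LogFwd are assumptions; substitute the names in use on your firewall. For a Tap interface the security policy's source and destination zone are both the tap zone, and the port mirror (SPAN/RSPAN) itself is configured on the switch, not shown here.

```text
# Added example, not from the guide. PAN-OS CLI, configure mode.
# Assumed names: ethernet1/5 (tap port), zone iot-tap, log forwarding profile IoT-LogFwd.
configure

# Step 1: Tap interface and a dedicated tap-type zone
set network interface ethernet ethernet1/5 tap
set zone iot-tap network tap ethernet1/5

# Step 2a: first rule matches only DHCP and reuses the rule base's log forwarding profile.
#          No security profiles are attached.
set rulebase security rules tap-dhcp-visibility from iot-tap to iot-tap source any destination any source-user any category any application dhcp service application-default action allow
set rulebase security rules tap-dhcp-visibility log-setting IoT-LogFwd log-end yes
set rulebase security rules tap-dhcp-visibility description "DHCP seen on the tap, forwarded for IoT Security"

# Step 2b: second rule drops everything else on the tap so the firewall does not build
#          sessions for it; no log forwarding profile and no logging on this rule.
set rulebase security rules tap-drop-rest from iot-tap to iot-tap source any destination any source-user any category any application any service any action drop
set rulebase security rules tap-drop-rest log-start no log-end no
set rulebase security rules tap-drop-rest description "Drop non-DHCP tap traffic to limit session load"

# Rule order matters: the DHCP rule must sit above the drop rule.
move rulebase security rules tap-drop-rest after tap-dhcp-visibility

commit
```

After the commit, and once the switch mirror is patched to ethernet1/5, DHCP sessions seen on the tap should appear in the traffic log under the rule tap-dhcp-visibility with the log forwarding profile applied, while the drop rule produces no traffic log entries because logging is disabled on it. If the drop rule shows a large hit count, the mirror is carrying more than the DHCP server's traffic and can usually be narrowed at the switch.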