https://live.paloaltonetworks.com/t5/general-topics/policy-rules-for-bfd-ospf-dhcp-and-dhcp-relay/m-p/203304#M59909 <P>Hello,</P><P>I'll do my best here:</P><P>&nbsp;</P><P>So do I have to setup policy rules to allow OSPF, I have OSPF on the PA . But when i don't have the rules in place OSPF fails, when i have them it doesn't log anything&nbsp;</P><P>&nbsp;</P><P>Do you have logging enabled on the policy?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 547px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/14096i6F23E374B8DC7382/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>DHCP, do I need it if the PA is running DHCP. what is the source and destination ?</P><P>&nbsp;</P><P>If you are using the builtin 'Intrazone' policy, then no. If you are like some and have a DENY ALL policy above those predefined policies, then possibly.</P><P>&nbsp;</P><P>DHCP-relay, source is the input zone and the destination is the dhcp server I am relaying to.&nbsp; But it looks like I have to have 2 polies 1 for request and 1 for replies</P><P>&nbsp;</P><P>Correct, this is how DHCP works since its not a tcp conection and the traffic gets generated both ways. ie the Clients send traffic to request and IP, the DHCP server then sends traffic with the IP info. This should not be required if the client and server are in the same zone.</P><P>&nbsp;</P><P>Hope that helps.</P> Fri, 02 Mar 2018 16:36:23 GMT OtakarKlier 2018-03-02T16:36:23Z https://live.paloaltonetworks.com/t5/general-topics/policy-rules-for-bfd-ospf-dhcp-and-dhcp-relay/m-p/203203#M59884 <P>Hi</P><P>&nbsp;</P><P>So do I have to setup policy rules to allow OSPF, I have OSPF on the PA . But when i don't have the rules in place OSPF fails, when i have them it doesn't log anything&nbsp;</P><P>&nbsp;</P><P>DHCP, do I need it if the PA is running DHCP. what is the source and destination ?</P><P>&nbsp;</P><P>DHCP-relay, source is the input zone and the destination is the dhcp server I am relaying to.&nbsp; But it looks like I have to have 2 polies 1 for request and 1 for replies</P><P>&nbsp;</P><P>&nbsp;</P><P>BGP, is it the same i policy rules in place even if its that PA ?</P> Fri, 02 Mar 2018 05:46:47 GMT https://live.paloaltonetworks.com/t5/general-topics/policy-rules-for-bfd-ospf-dhcp-and-dhcp-relay/m-p/203203#M59884 Alex_Samad 2018-03-02T05:46:47Z https://live.paloaltonetworks.com/t5/general-topics/policy-rules-for-bfd-ospf-dhcp-and-dhcp-relay/m-p/203304#M59909 <P>Hello,</P><P>I'll do my best here:</P><P>&nbsp;</P><P>So do I have to setup policy rules to allow OSPF, I have OSPF on the PA . But when i don't have the rules in place OSPF fails, when i have them it doesn't log anything&nbsp;</P><P>&nbsp;</P><P>Do you have logging enabled on the policy?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 547px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/14096i6F23E374B8DC7382/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>DHCP, do I need it if the PA is running DHCP. what is the source and destination ?</P><P>&nbsp;</P><P>If you are using the builtin 'Intrazone' policy, then no. If you are like some and have a DENY ALL policy above those predefined policies, then possibly.</P><P>&nbsp;</P><P>DHCP-relay, source is the input zone and the destination is the dhcp server I am relaying to.&nbsp; But it looks like I have to have 2 polies 1 for request and 1 for replies</P><P>&nbsp;</P><P>Correct, this is how DHCP works since its not a tcp conection and the traffic gets generated both ways. ie the Clients send traffic to request and IP, the DHCP server then sends traffic with the IP info. This should not be required if the client and server are in the same zone.</P><P>&nbsp;</P><P>Hope that helps.</P> Fri, 02 Mar 2018 16:36:23 GMT https://live.paloaltonetworks.com/t5/general-topics/policy-rules-for-bfd-ospf-dhcp-and-dhcp-relay/m-p/203304#M59909 OtakarKlier 2018-03-02T16:36:23Z https://live.paloaltonetworks.com/t5/general-topics/policy-rules-for-bfd-ospf-dhcp-and-dhcp-relay/m-p/203383#M59921 <P>Yep I have my own intrazone drop rule</P><P>Yes I have logging on OSPF policy start and end</P><P>I don't see anything nor in monitor session</P><P>&nbsp;</P><P>dhcp/dhcprelay .... so my issue with this is ... it supposed to be a new firewall with smarts. it should be expecting a reply..</P><P>&nbsp;</P><P><span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P><P>So I know on my old cisco's once for example once I turned on snmp service i didn't need to allow access via acl it just worked.</P><P>&nbsp;</P><P>&nbsp;</P><P>Thanks</P> Sat, 03 Mar 2018 01:51:06 GMT https://live.paloaltonetworks.com/t5/general-topics/policy-rules-for-bfd-ospf-dhcp-and-dhcp-relay/m-p/203383#M59921 Alex_Samad 2018-03-03T01:51:06Z