This document describes the steps to configure a DHCP relay on the Palo Alto Networks firewall. The following example scenario will be used in the configuration steps:
Configure which interface will be acting as DHCP relay (for example, Trust E1/5)
From the Web UI, go to Network > DHCP > DHCP Relay
Click Add and configure the IP address of the DHCP server
Note: This can be configured with up to four DHCP Server IP addresses.
Configure security rules to allow DHCP traffic between zones:
Trust to Trust - for client to/from DHCP Relay interface communication (broadcast/unicast)
Trust to DMZ - for DHCP Relay interface to/from DHCP Server communication (unicast)
The following diagram is based on a typical DHCP session. It shows that all communication between the DHCP relay interface and the DHCP server is unicast.
The following screenshot shows a packet capture of a working example on the DHCP server side:
Example of a configured security policy:
Test on a client. For example, a Windows Client:
Note: The DHCP server must route the DHCP traffic to the Palo Alto Networks firewall for this configuration to work. Issues arise if the DHCP server uses a default gateway other than the Palo Alto Networks firewall (or is not directly connected and the return traffic is routed somewhere else). The DHCP traffic is then asymmetric, the session is not set up properly on the firewall, and the DHCP exchange does not complete.
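The relay-to-server leg described above can be checked from a packet capture. The following is an added example, not part of the original article or any Palo Alto Networks tooling: it assumes the capture was taken on the firewall's server-facing interface and already reduced to (source IP, destination IP, DHCP payload) tuples, and the addresses and function names are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the 236-byte BOOTP header

def build(op, xid, giaddr, msg_type):
    """Build a minimal DHCP payload; used only for the constructed samples below."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 1, xid, 0, 0, bytes(4), bytes(4),
                      bytes(4), IPv4Address(giaddr).packed, bytes(16), bytes(64), bytes(128))
    return hdr + MAGIC + bytes([53, 1, msg_type, 255])  # option 53 = message type, 255 = end

def parse(payload):
    """Return (op, xid, giaddr) from the fixed BOOTP header of a DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    op, xid = payload[0], struct.unpack("!I", payload[4:8])[0]
    return op, xid, str(IPv4Address(payload[24:28]))

def check_relay_leg(packets, server_ip):
    """packets: (src_ip, dst_ip, payload) tuples from the relay-to-server leg.
    Returns {xid: [issues]}; an empty list means that transaction looks healthy."""
    issues, relay_of, replied = {}, {}, set()
    for src, dst, payload in packets:
        op, xid, giaddr = parse(payload)
        found = issues.setdefault(xid, [])
        if op == 1:  # BOOTREQUEST forwarded by the relay
            relay_of[xid] = giaddr
            if giaddr == "0.0.0.0":
                found.append("request has no giaddr (not relayed)")
            if dst != server_ip:
                found.append(f"request sent to {dst}, not unicast to the server")
        elif op == 2:  # BOOTREPLY from the server, which must go back to giaddr
            replied.add(xid)
            if dst != relay_of.get(xid, giaddr):
                found.append(f"reply sent to {dst}, not to the relay (giaddr)")
    for xid in relay_of.keys() - replied:
        issues[xid].append("no reply seen: check server route back to the firewall")
    return issues

# Constructed sample (assumed addresses): relay interface 10.1.1.1, DHCP server 172.16.1.10.
RELAY, SERVER = "10.1.1.1", "172.16.1.10"
SAMPLE = [
    (RELAY, SERVER, build(1, 0xA1, RELAY, 1)),   # DISCOVER
    (SERVER, RELAY, build(2, 0xA1, RELAY, 2)),   # OFFER
    (RELAY, SERVER, build(1, 0xA1, RELAY, 3)),   # REQUEST
    (SERVER, RELAY, build(2, 0xA1, RELAY, 5)),   # ACK
    (RELAY, SERVER, build(1, 0xB2, RELAY, 1)),   # DISCOVER that never gets an answer
]
print({hex(x): f or "ok" for x, f in check_relay_leg(SAMPLE, SERVER).items()})
```

A transaction that shows requests leaving the firewall but no reply at this capture point matches the asymmetric-return symptom in the note above, although a server that is down or a policy drop looks the same and has to be ruled out separately.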