Details
DHCP Relay is a feature that is used when the DHCP server is not in the same L2 broadcast domain as the DHCP clients.
Note: To configure the DHCP relay on the Palo Alto Networks firewall, see the following article: How to Configure a DHCP Relay on Palo Alto Networks Firewall
In a High Availability Active/Active environment, be aware that only the Active-Primary device functions as a DHCP Relay. DHCP broadcast packets received on the Active-Secondary firewall are dropped.
In the pan_packet_diag log, an error message similar to the following will be shown:
Packet received at ingress stage
Packet info: len 346 port 51 interface 266 vsys 3
...
Packet decoded dump:
L2: xx:xx:xx:xx:xx:xx->ff:ff:ff:ff:ff:ff, VLAN x (), type 0x0800
IP: 0.0.0.0->255.255.255.255, protocol 17
version 4, ihl 5, tos 0x00, len 328,
id 23777, frag_off 0x0000, ttl 128, checksum 56516
UDP: sport 68, dport 67, len 308, checksum 65503
No flow lookup for packet, continue with forwarding
Forwarding lookup, ingress interface 266
L3 mode, virtual-router 4
dhcpd packet
Packet dropped, control plane service not allowed
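To confirm this condition across a larger capture, the following Python script (an added example, not part of the original article or of any Palo Alto Networks tooling) scans packet-diag output in the format shown above and returns the client DHCP broadcasts that were dropped with this message. The sample log is constructed and abridged from the excerpt; the MAC address, VLAN number and second packet are made up, and the function and field names are this example's own.

```python
import re

# Constructed, abridged sample in the format of the excerpt above (values made up).
SAMPLE_LOG = """\
Packet received at ingress stage
Packet info: len 346 port 51 interface 266 vsys 3
L2: 00:11:22:33:44:55->ff:ff:ff:ff:ff:ff, VLAN 10 (), type 0x0800
IP: 0.0.0.0->255.255.255.255, protocol 17
UDP: sport 68, dport 67, len 308, checksum 65503
No flow lookup for packet, continue with forwarding
Forwarding lookup, ingress interface 266
L3 mode, virtual-router 4
dhcpd packet
Packet dropped, control plane service not allowed
Packet received at ingress stage
Packet info: len 74 port 51 interface 266 vsys 3
IP: 10.0.0.5->10.0.0.1, protocol 17
UDP: sport 40000, dport 53, len 40, checksum 1234
"""

FIELDS = {
    "interface": re.compile(r"^Packet info: .*\binterface (\d+)"),
    "vsys": re.compile(r"^Packet info: .*\bvsys (\d+)"),
    "src_mac": re.compile(r"^L2: ([0-9a-fA-Fx:]+)->"),
    "dst_ip": re.compile(r"^IP: \S+->([\d.]+),"),
    "sport": re.compile(r"^UDP: sport (\d+),"),
    "dport": re.compile(r"^UDP: .*\bdport (\d+),"),
    "vr": re.compile(r"virtual-router (\d+)"),
    "drop": re.compile(r"^Packet dropped, (.+)$"),
}

def parse_packets(text):
    """Return one dict per 'Packet received at ingress stage' record."""
    packets = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Packet received at ingress stage"):
            packets.append({})
        for name, rx in FIELDS.items():
            m = rx.search(line)
            if m and packets:
                packets[-1][name] = m.group(1)
    return packets

def dropped_dhcp_requests(text):
    """Client DHCP broadcasts (UDP 68->67) dropped before reaching the relay."""
    want = ("68", "67", "255.255.255.255", "control plane service not allowed")
    keys = ("sport", "dport", "dst_ip", "drop")
    return [p for p in parse_packets(text) if tuple(p.get(k) for k in keys) == want]
```

Each returned record carries the ingress interface, vsys, virtual-router and client MAC, which identifies the segment whose DHCP requests are arriving on the Active-Secondary device.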
owner: rvanderveken