CLI command for Palo Alto to set a DHCP Reservation for the management port? Anyone?

Reply
Highlighted
L1 Bithead

CLI command for Palo Alto to set a DHCP Reservation for the management port? Anyone?

Anyone know the command for this?

 

Also we made the mistake of setting our Palo Alto to an IP address that is already taken so when we tried to access the GUI via the web we realized the mistake..... So how do we change the IP address to something else? Do we need to reset our Palo Alto? Or is there a PuTTY CLI command that we can easily change this? Please help!


Accepted Solutions
Highlighted
Cyber Elite

@stoyota,

So when you create a DHCP reservation on your DHCP server and set any management interface to utilize DHCP, you are now reliant on DHCP being accessible at all times to manage your network devices without needing to physically access the device via the console port. 

 

Think about it in this scenario:

Something on the network is preventing communication to your DHCP servers and the traffic is being reset. With this on-going issue the decision is made to reload one of these pieces of network gear you are relying on DHCP reservations to get the same address, but they can't actually pull an address because they can't talk to the DHCP servers. You now don't have a way to manage these devices remotely and need to access them physically via the console port.

In this situation a simple static address configuration would prevent any question about what will happen if you reload a piece of equipment. The static address will always be accessible and your networking equipment is in no way reliant on another piece of infrastructure being online to maintain full functionality.  

 

Now if your co-workers are strict about the DHCP reservation being in place because they don't want to adjust the DHCP scopes, you simply change the reservation to an exclusion and static the information in on the device in question. The exclusion will tell the DHCP server to not hand out the address, but it will be notated on the DHCP server that an address is in use (because it's excluded from distribution). 

 

If you have a device with a static assignment and you go ahead and create a DHCP reservation nothing adverse will happen, but someone looking at your DHCP server will think that the device is set to DHCP when it isn't and if they ever attempt to modify it's IP address by updating the reservation it could cause some confusion. An exclusion essentially tells anyone looking at the server that the client device isn't set for DHCP, while a reservation would tell me it is set for DHCP. 

View solution in original post


All Replies
Highlighted
L3 Networker

Highlighted
L1 Bithead

@VincentPresognahow do I find the MAC address so that I can create a DHCP reservation for the IP address I set via the Console CLI?

Highlighted
Cyber Elite

@stoyota,

You would need to know what the MAC is already, or temporarily allow it to grab a DHCP address so that you can gather its MAC and build out the reservation. 

Highlighted
L1 Bithead

Sorry what do you mean I should already know the MAC? I want to make sure our console port has an IP address reservation on our active directory. 

 

how do I allow our Palo Alto to grab one? Someone mentioned to do a show system info command. And we saw a MAC ADDRESS. Is that not what we use to create a reservation? Totally confused. 

Could you please give us some guidance?

Highlighted
Cyber Elite

I would recommend to use a static IP vs reservation for the mgmt port.

In the end, you are doing the same thing, right???.... guaranteeing that the FW will consistently have the same IP

 

configure

#

set deviceconfig system ip-address <IP>
set deviceconfig system netmask <mask>

set deviceconfig system default-gateway <gw IP>

 

#commit

 

Help the community: Like helpful comments and mark solutions
Highlighted
L4 Transporter

> show interface management 

This provides the mac address.

Highlighted
Cyber Elite

@stoyota,

Okay I completely misread what you were trying to achieve, I thought we were talking about creating a DHCP reservation for a client device and setting the management IP again so you had access to the device outside of the console port. 

As @SteveCantwell mentioned don't use a reservation for your management interface. If you use a reservation your still reliant on the DHCP being available for the management interface to get/maintain its IP information; it becomes a point of failure that you absolutely don't want or need on your firewall. 

Highlighted
L1 Bithead

@BPry We saw that the IP-assignment was already set to static. So we should remove our reservation from our AD? Sorry, could you please explain why it would become a port of failure if we create a DHCP reservation on our AD? >_< That way I could explain this to my colleagues as to why. Because I know they're gonna ask because we normally create an IP reservation for items on our network that are important. We did this with our Fortigate but we are transitioning to the Palo Alto

Highlighted
Cyber Elite

@stoyota,

So when you create a DHCP reservation on your DHCP server and set any management interface to utilize DHCP, you are now reliant on DHCP being accessible at all times to manage your network devices without needing to physically access the device via the console port. 

 

Think about it in this scenario:

Something on the network is preventing communication to your DHCP servers and the traffic is being reset. With this on-going issue the decision is made to reload one of these pieces of network gear you are relying on DHCP reservations to get the same address, but they can't actually pull an address because they can't talk to the DHCP servers. You now don't have a way to manage these devices remotely and need to access them physically via the console port.

In this situation a simple static address configuration would prevent any question about what will happen if you reload a piece of equipment. The static address will always be accessible and your networking equipment is in no way reliant on another piece of infrastructure being online to maintain full functionality.  

 

Now if your co-workers are strict about the DHCP reservation being in place because they don't want to adjust the DHCP scopes, you simply change the reservation to an exclusion and static the information in on the device in question. The exclusion will tell the DHCP server to not hand out the address, but it will be notated on the DHCP server that an address is in use (because it's excluded from distribution). 

 

If you have a device with a static assignment and you go ahead and create a DHCP reservation nothing adverse will happen, but someone looking at your DHCP server will think that the device is set to DHCP when it isn't and if they ever attempt to modify it's IP address by updating the reservation it could cause some confusion. An exclusion essentially tells anyone looking at the server that the client device isn't set for DHCP, while a reservation would tell me it is set for DHCP. 

View solution in original post

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!