DHCP Relay for GlobalProtect

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

DHCP Relay for GlobalProtect

L1 Bithead

I'm trying to setup globalprotect where once a user successfully logs in, they pull an IP from our dedicated, internal DHCP server with all the DHCP options. So essentially, setup Palo Alto for a DHCP relay for the GlobalProtect clients. I was trying to do this, but the Tunnel Interface I'm using for the GlobalProtect network doesn't have an IP and doesn't show up when trying to configure a DHCP relay. Is there anyway to do this? Thank you.

3 accepted solutions

Accepted Solutions

@reaper So you are saying that DHCP relay, to give a DCHP address to GlobalProtect clients, with the PA forwarding DHCP requests, is not possible at this time? 


If that's the case, is there anyway to provide proxy information for clients who do connect? That's my main reason in trying to create a relay for GlobalProtect clients. We have DHCP option 252 in our scope and have that pushing to clients with AnyConnect and was hoping to do the same with GlobalProtect. Is there anyway to push a configs or dynamically assign proxy settings to GlobalProtect clients? 


Thanks everyone for the help.

View solution in original post

@david13holt What about using DNS for distributing the proxy settings to the vpn clients or GPOs?

(In case your clients are windows based)

View solution in original post

Hi @david13holt

currently the dhcp for GP is not that advanced (make sure to vot e on that feature request)

 

you can have a wpad entry on your DNS that could help distribute the proxy settings, instead of dhcp option 252

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

13 REPLIES 13

Cyber Elite
Cyber Elite

Hello,

The IP adress you need is for the actual DHCP server and not the tunnel interface.

 

image.png

In addition to this you will need the policies that allow the DHCP traffic to go betweenthe VPN zone and trust zone if you have them.

 

Hope that helps.

@OtakarKlier

Does this really work for global protect clients? I thought this is not supported ... as you also have to configure an IP pool in the GP gateway configuration...

Hello @Remo,

I honestly dont know. I was lookign at it from the perspective of the dhcp relay setup. It'll take me some time to set this up in a lab. Maybe @reaper, knows.

 

Regards,

hi guys!

 

Ehm, as far as I know that's not possible at this time. If you have a RADIUS that supports framed-ip, you can pull an IP that way, but it will probably not include all the options you'd like:

 

framed-ip-address.png

 

There are currently 2 outstanding feature requests: FR 2924 and FR 4703 (so please reach out to your sales team and have them add your vote, i already added mine)

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

@reaper So you are saying that DHCP relay, to give a DCHP address to GlobalProtect clients, with the PA forwarding DHCP requests, is not possible at this time? 


If that's the case, is there anyway to provide proxy information for clients who do connect? That's my main reason in trying to create a relay for GlobalProtect clients. We have DHCP option 252 in our scope and have that pushing to clients with AnyConnect and was hoping to do the same with GlobalProtect. Is there anyway to push a configs or dynamically assign proxy settings to GlobalProtect clients? 


Thanks everyone for the help.

@david13holt What about using DNS for distributing the proxy settings to the vpn clients or GPOs?

(In case your clients are windows based)

Hi @david13holt

currently the dhcp for GP is not that advanced (make sure to vot e on that feature request)

 

you can have a wpad entry on your DNS that could help distribute the proxy settings, instead of dhcp option 252

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

@Remo @reaper Thanks guys. I'm gonna have to do this for now. I really appreciate the quick response and information provided. 

Any fix for this?

No and that's kinda 😞

OtakarKlier,

Were you able to integrate this with AD DHCP (In your Lab) or is Reaper Right, that this has not been fixed  yet, because of FR 2924 and FR 4703 not being implemented?   I do not see 4703  in the Feature Request now.  Only 2924.  

Thank You,

Cyber Elite
Cyber Elite

Hello,

I have not set this up in a lab. For VPN clients, I would suggest using the Global Protect DHCP configuration. 

Regards,

L4 Transporter

For anyone else that comes across this, it's now 2024, nearly a full six years after the original post, and Palo still simply does not have an answer.  It's always the same, "Just put in a FR".

 

Well, do you know who does have this?  Fortinet.

  • 3 accepted solutions
  • 24502 Views
  • 13 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!