DHCP Relay for GlobalProtect

david13holt
L1 Bithead

I'm trying to set up GlobalProtect where, once a user successfully logs in, they pull an IP from our dedicated, internal DHCP server with all the DHCP options. So essentially, set up Palo Alto for a DHCP relay for the GlobalProtect clients. I was trying to do this, but the Tunnel Interface I'm using for the GlobalProtect network doesn't have an IP and doesn't show up when trying to configure a DHCP relay. Is there any way to do this? Thank you.


All Replies
OtakarKlier
Cyber Elite

Hello,

The IP address you need is for the actual DHCP server and not the tunnel interface.

In addition to this you will need the policies that allow the DHCP traffic to go between the VPN zone and trust zone if you have them.

Hope that helps.

vsys_remo
Cyber Elite

@OtakarKlier

Does this really work for GlobalProtect clients? I thought this is not supported... as you also have to configure an IP pool in the GP gateway configuration...

OtakarKlier
Cyber Elite

Hello @vsys_remo,

I honestly don't know. I was looking at it from the perspective of the DHCP relay setup. It'll take me some time to set this up in a lab. Maybe @reaper knows.

Regards,

reaper
L7 Applicator

Hi guys!

Ehm, as far as I know that's not possible at this time. If you have a RADIUS that supports framed-ip, you can pull an IP that way, but it will probably not include all the options you'd like:

framed-ip-address.png

There are currently 2 outstanding feature requests: FR 2924 and FR 4703 (so please reach out to your sales team and have them add your vote, I already added mine)

Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374

david13holt
L1 Bithead

@reaper So you are saying that DHCP relay, to give a DHCP address to GlobalProtect clients, with the PA forwarding DHCP requests, is not possible at this time?

If that's the case, is there any way to provide proxy information for clients who do connect? That's my main reason in trying to create a relay for GlobalProtect clients. We have DHCP option 252 in our scope and have that pushing to clients with AnyConnect and was hoping to do the same with GlobalProtect. Is there any way to push configs or dynamically assign proxy settings to GlobalProtect clients?

Thanks everyone for the help.

vsys_remo
Cyber Elite

@david13holt What about using DNS for distributing the proxy settings to the VPN clients, or GPOs?

(In case your clients are Windows based)

reaper
L7 Applicator

Hi @david13holt

Currently the DHCP for GP is not that advanced (make sure to vote on that feature request).

You can have a WPAD entry on your DNS that could help distribute the proxy settings, instead of DHCP option 252.

Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374
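
Added example, not part of the posts above: with DNS-based WPAD, clients resolve `wpad.<their DNS suffix>` and fetch `http://wpad.<suffix>/wpad.dat`, a proxy auto-config (PAC) script like the one below. The suffix `corp.example` and the proxy `proxy.corp.example:8080` are assumed placeholder names, and the routing policy (internal names direct, everything else via the proxy) is an assumption.

```javascript
// wpad.dat: constructed PAC file, served with MIME type
// application/x-ns-proxy-autoconfig from http://wpad.corp.example/wpad.dat
// Hypothetical names: corp.example (internal DNS suffix pushed to the VPN
// clients) and proxy.corp.example:8080 (the proxy option 252 pointed at).
var INTERNAL_SUFFIX = ".corp.example";
var PROXY = "PROXY proxy.corp.example:8080";

// True for single-label names and for hosts inside the internal suffix.
// Uses only ES3 string calls so older PAC engines can evaluate it.
function isInternalHost(host) {
  host = host.toLowerCase();
  // Drop a trailing root dot ("wiki.corp.example.").
  if (host.charAt(host.length - 1) === ".") {
    host = host.substring(0, host.length - 1);
  }
  // Single-label names (e.g. "intranet") are resolved on the internal DNS.
  if (host.indexOf(".") === -1) {
    return true;
  }
  if (host === INTERNAL_SUFFIX.substring(1)) {
    return true;
  }
  // Anchor the match at the end of the name and keep the leading dot, so
  // "evilcorp.example" and "corp.example.other.tld" do not count as internal.
  var at = host.length - INTERNAL_SUFFIX.length;
  return at >= 0 && host.indexOf(INTERNAL_SUFFIX, at) === at;
}

// Entry point every PAC engine calls for each request.
function FindProxyForURL(url, host) {
  if (host === "127.0.0.1" || isInternalHost(host)) {
    return "DIRECT";
  }
  // No "; DIRECT" fallback: if the proxy is unreachable the request fails
  // instead of silently bypassing the proxy.
  return PROXY;
}
```

On Windows DNS Server the name `wpad` is on the global query block list by default, so the record does not resolve until it is removed from that list.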


david13holt
L1 Bithead

@vsys_remo @reaper Thanks guys. I'm gonna have to do this for now. I really appreciate the quick response and information provided. 

Shaun.Zielonka
L0 Member

Any fix for this?
