- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
03-15-2018 09:44 AM - edited 03-15-2018 09:45 AM
I'm trying to setup globalprotect where once a user successfully logs in, they pull an IP from our dedicated, internal DHCP server with all the DHCP options. So essentially, setup Palo Alto for a DHCP relay for the GlobalProtect clients. I was trying to do this, but the Tunnel Interface I'm using for the GlobalProtect network doesn't have an IP and doesn't show up when trying to configure a DHCP relay. Is there anyway to do this? Thank you.
03-16-2018 03:02 PM
@reaper So you are saying that DHCP relay, to give a DCHP address to GlobalProtect clients, with the PA forwarding DHCP requests, is not possible at this time?
If that's the case, is there anyway to provide proxy information for clients who do connect? That's my main reason in trying to create a relay for GlobalProtect clients. We have DHCP option 252 in our scope and have that pushing to clients with AnyConnect and was hoping to do the same with GlobalProtect. Is there anyway to push a configs or dynamically assign proxy settings to GlobalProtect clients?
Thanks everyone for the help.
03-17-2018 02:09 AM
@david13holt What about using DNS for distributing the proxy settings to the vpn clients or GPOs?
(In case your clients are windows based)
03-19-2018 02:58 AM
Hi @david13holt
currently the dhcp for GP is not that advanced (make sure to vot e on that feature request)
you can have a wpad entry on your DNS that could help distribute the proxy settings, instead of dhcp option 252
03-15-2018 10:13 AM
Hello,
The IP adress you need is for the actual DHCP server and not the tunnel interface.
In addition to this you will need the policies that allow the DHCP traffic to go betweenthe VPN zone and trust zone if you have them.
Hope that helps.
03-15-2018 10:30 AM
Does this really work for global protect clients? I thought this is not supported ... as you also have to configure an IP pool in the GP gateway configuration...
03-16-2018 02:55 AM
hi guys!
Ehm, as far as I know that's not possible at this time. If you have a RADIUS that supports framed-ip, you can pull an IP that way, but it will probably not include all the options you'd like:
There are currently 2 outstanding feature requests: FR 2924 and FR 4703 (so please reach out to your sales team and have them add your vote, i already added mine)
03-16-2018 03:02 PM
@reaper So you are saying that DHCP relay, to give a DCHP address to GlobalProtect clients, with the PA forwarding DHCP requests, is not possible at this time?
If that's the case, is there anyway to provide proxy information for clients who do connect? That's my main reason in trying to create a relay for GlobalProtect clients. We have DHCP option 252 in our scope and have that pushing to clients with AnyConnect and was hoping to do the same with GlobalProtect. Is there anyway to push a configs or dynamically assign proxy settings to GlobalProtect clients?
Thanks everyone for the help.
03-17-2018 02:09 AM
@david13holt What about using DNS for distributing the proxy settings to the vpn clients or GPOs?
(In case your clients are windows based)
03-19-2018 02:58 AM
Hi @david13holt
currently the dhcp for GP is not that advanced (make sure to vot e on that feature request)
you can have a wpad entry on your DNS that could help distribute the proxy settings, instead of dhcp option 252
04-03-2021 08:10 PM
No and that's kinda 😞
03-20-2023 05:53 AM
OtakarKlier,
Were you able to integrate this with AD DHCP (In your Lab) or is Reaper Right, that this has not been fixed yet, because of FR 2924 and FR 4703 not being implemented? I do not see 4703 in the Feature Request now. Only 2924.
Thank You,
03-20-2023 05:59 AM
Hello,
I have not set this up in a lab. For VPN clients, I would suggest using the Global Protect DHCP configuration.
Regards,
02-16-2024 11:02 AM
For anyone else that comes across this, it's now 2024, nearly a full six years after the original post, and Palo still simply does not have an answer. It's always the same, "Just put in a FR".
Well, do you know who does have this? Fortinet.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!