DHCP Relay for GlobalProtect

L1 Bithead

I'm trying to set up GlobalProtect where once a user successfully logs in, they pull an IP from our dedicated, internal DHCP server with all the DHCP options. So essentially, set up Palo Alto for a DHCP relay for the GlobalProtect clients. I was trying to do this, but the Tunnel Interface I'm using for the GlobalProtect network doesn't have an IP and doesn't show up when trying to configure a DHCP relay. Is there any way to do this? Thank you.


Accepted Solutions
L1 Bithead

@reaper So you are saying that DHCP relay, to give a DHCP address to GlobalProtect clients, with the PA forwarding DHCP requests, is not possible at this time?

If that's the case, is there any way to provide proxy information for clients who do connect? That's my main reason in trying to create a relay for GlobalProtect clients. We have DHCP option 252 in our scope and have that pushing to clients with AnyConnect and was hoping to do the same with GlobalProtect. Is there any way to push configs or dynamically assign proxy settings to GlobalProtect clients?


Thanks everyone for the help.

Cyber Elite

@david13holt What about using DNS for distributing the proxy settings to the VPN clients or GPOs?

(In case your clients are Windows-based)

L7 Applicator

Hi @david13holt

Currently the DHCP for GP is not that advanced (make sure to vote on that feature request).

You can have a WPAD entry on your DNS that could help distribute the proxy settings, instead of DHCP option 252.

Tom Piens - PANgurus.com
New to PAN-OS or getting ready to take the PCNSE? check out amazon.com/dp/1789956374
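
The WPAD-over-DNS approach suggested above, as an added example that is not part of the original posts: clients that auto-detect a proxy resolve `wpad.<their DNS suffix>` and fetch `http://wpad.<suffix>/wpad.dat`, a PAC file like the one below. The proxy host, port and the `corp.example` zone are placeholders chosen for illustration.

```javascript
// wpad.dat (PAC file) - constructed example; all host names and ports are placeholders.
// Written in ES3-style JavaScript because some PAC engines do not support newer syntax.
var PROXY = "PROXY proxy.corp.example:8080";   // hypothetical internal proxy
var INTERNAL_SUFFIXES = [".corp.example"];     // hypothetical internal DNS zones

// True when host is an IPv4 literal in loopback or RFC 1918 space.
// Pure string check: no dnsResolve(), so evaluating the PAC never triggers DNS lookups.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = parseInt(m[1], 10), b = parseInt(m[2], 10);
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

// True when host is inside (or is the apex of) one of the internal zones.
// The leading dot in each suffix stops look-alikes such as "evilcorp.example".
function isInternalName(host) {
  for (var i = 0; i < INTERNAL_SUFFIXES.length; i++) {
    var s = INTERNAL_SUFFIXES[i];
    if (host === s.substring(1)) return true;
    if (host.length > s.length &&
        host.substring(host.length - s.length) === s) return true;
  }
  return false;
}

// Entry point the client calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (host.indexOf(".") === -1) return "DIRECT";   // single-label intranet names
  if (isPrivateIPv4(host)) return "DIRECT";
  if (isInternalName(host)) return "DIRECT";
  // No "; DIRECT" fallback: if the proxy is down, traffic fails rather than bypassing it.
  return PROXY;
}
```

Serve the file with MIME type `application/x-ns-proxy-autoconfig`, and register the `wpad` name only in DNS zones you control, since whoever answers that name decides which proxy the clients use.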


All Replies
Cyber Elite

Hello,

The IP address you need is for the actual DHCP server and not the tunnel interface.

In addition to this you will need the policies that allow the DHCP traffic to go between the VPN zone and trust zone if you have them.

Hope that helps.

Cyber Elite

@OtakarKlier

Does this really work for global protect clients? I thought this is not supported ... as you also have to configure an IP pool in the GP gateway configuration...

Cyber Elite

Hello @vsys_remo,

I honestly don't know. I was looking at it from the perspective of the DHCP relay setup. It'll take me some time to set this up in a lab. Maybe @reaper knows.

Regards,

L7 Applicator

Hi guys!

Ehm, as far as I know that's not possible at this time. If you have a RADIUS that supports framed-ip, you can pull an IP that way, but it will probably not include all the options you'd like:

[image: framed-ip-address.png]

There are currently 2 outstanding feature requests: FR 2924 and FR 4703 (so please reach out to your sales team and have them add your vote, I already added mine)

Tom Piens - PANgurus.com

L1 Bithead

@vsys_remo @reaper Thanks guys. I'm gonna have to do this for now. I really appreciate the quick response and information provided. 

L0 Member

Any fix for this?
