01-27-2023 04:41 AM
I have a couple of questions about DHCP Relay, multi-hop, sessions and IoT Security.
This is the situation I am dealing with:
Clients are configured for DHCP. Their gateway is a Cisco L3 Switch acting as a DHCP relay.
Red situation: the L3 switch points to the DHCP server. If I do this, I run into trouble: the PAN firewall considers ALL the relayed queries as a single session, between the relay and the server. Also, since the session is UDP, whenever a threat (or a false positive) is seen by the firewall, that single session is dropped without notification to the endpoints (relay and server), and no client gets an IP anymore.
Green situation: as a workaround, I set up a multi-hop configuration, with the PAN firewall acting as a further relay between the two, and reconfigured the L3 switch to point its relay to the closest firewall interface. Now all the DHCP sessions are dealt with individually, and only those with threats are dropped.
In both cases DHCP traffic is configured to be allowed and inspected (L7 policies).
Question 1: is the green configuration OK? Did I miss some guideline/RFC/best practice when I implemented the previous configuration (red)?
Question 2: since now the firewall has full visibility of the DHCP conversation, is there any way I can take advantage of it? Log enrichment and IoT Security / DeviceID come to mind first. My firewall doesn't see any client at L2.