dhcp relay

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

dhcp relay

L0 Member

After enabled dhcp relay on a interface the client`s didn`t get a ip address, the strange thing is that de palo denied the packets. So i must create a access rule to enable traffic from the palo interface (with dhcp relay enabled) to the dhcp server.

Is this normal ?

4 REPLIES 4

L6 Presenter

Same zone to zone traffic (dhcp interface & dhcp server in same zone) will need an explicit rule to allow traffic if you have a deny cleanup rule at the bottom of your security rulebase. If they reside in different zones (ie., trust to dmz, you'll need a rule to allow that traffic if it hasn't been explicit allowed already.

But it is not the same zone , the dhcp server is in the server zone , i have enabled dhcp relay on the clients zone en the guest zone.

If they reside in different zones (ie., trust to dmz, you'll need a rule to allow that traffic if it hasn't been explicit allowed already. if you see global counters indicating denied by security policy, that might be indicative of the lack of an explicit rule allowing the dhcp traffic to traverse.     

Not applicable

What version of PAN-OS? Are these VLAN sub-interfaces?

We learned the very hard way earlier this week that DHCP relay is broken on VLAN sub-interfaces (both L2 and L3) for PAN-OS 5.0.3 and 5.0.4. Support suggested rolling back to 5.0.2 (or 4.1.9, which had been working for us) but I switched to DHCP service provided by the firewall itself. We have lost some minor functionality, but I can live with it.

  • 3528 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!