After enabling DHCP relay on an interface the clients didn't get an IP address; the strange thing is that the Palo denied the packets. So I had to create an access rule to allow traffic from the Palo interface (with DHCP relay enabled) to the DHCP server.
Is this normal?
Same zone-to-zone traffic (DHCP interface and DHCP server in the same zone) will need an explicit rule to allow the traffic if you have a deny cleanup rule at the bottom of your security rulebase. If they reside in different zones (i.e., trust to dmz), you'll need a rule to allow that traffic if it hasn't been explicitly allowed already. If you see global counters indicating "denied by security policy", that might be indicative of the lack of an explicit rule allowing the DHCP traffic to traverse.
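An added example (not from the reply above or from Palo Alto Networks) of checking an exported traffic log for exactly this symptom: DHCP relay traffic sourced from the firewall's relay interface IP that the security policy denied. The column names are a simplified, assumed subset of a PAN-OS traffic-log export, and the log lines and IP addresses are constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample traffic-log export (not a real capture); the columns are an
# assumed, simplified subset of a PAN-OS traffic-log CSV export.
SAMPLE_LOG = """\
src_zone,dst_zone,src_ip,dst_ip,dst_port,proto,app,action,rule
trust,trust,10.1.10.1,10.1.10.50,67,udp,dhcp,deny,cleanup-deny-all
trust,trust,10.1.10.1,10.1.10.50,67,udp,dhcp,deny,cleanup-deny-all
trust,dmz,10.1.10.1,10.2.0.5,67,udp,dhcp,deny,cleanup-deny-all
trust,trust,10.1.10.23,10.1.10.80,443,tcp,ssl,allow,allow-web
trust,trust,10.1.10.1,10.1.10.50,67,udp,dhcp,allow,allow-dhcp-relay
"""

# Constructed: IP addresses of the firewall interfaces that have DHCP relay enabled.
RELAY_INTERFACE_IPS = {"10.1.10.1"}


def denied_relay_flows(log_text, relay_ips):
    """Return a Counter keyed by (src_zone, dst_zone, src_ip, dst_ip) for
    relay-to-DHCP-server traffic (UDP/67, app dhcp) sourced from a relay
    interface IP that the security policy denied. Intrazone flows count too,
    because a cleanup deny rule catches them as well as interzone flows."""
    hits = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["action"] != "deny" or row["src_ip"] not in relay_ips:
            continue
        if row["proto"] != "udp" or row["dst_port"] != "67" or row["app"] != "dhcp":
            continue
        hits[(row["src_zone"], row["dst_zone"], row["src_ip"], row["dst_ip"])] += 1
    return hits


def suggested_rules(hits):
    """One (from_zone, to_zone, dhcp_server_ip) tuple per denied relay path,
    sorted so the output is stable; each is a rule the rulebase is missing."""
    return sorted({(sz, dz, dst) for (sz, dz, _src, dst) in hits})


if __name__ == "__main__":
    hits = denied_relay_flows(SAMPLE_LOG, RELAY_INTERFACE_IPS)
    for (sz, dz, src, dst), n in sorted(hits.items()):
        print(f"denied {n}x: {sz}->{dz} {src} -> {dst}:67/udp (dhcp)")
    for sz, dz, dst in suggested_rules(hits):
        print(f"needs rule: from {sz} to {dz}, src = relay interface, dst {dst}, app dhcp, allow")
```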
What version of PAN-OS? Are these VLAN sub-interfaces?
We learned the very hard way earlier this week that DHCP relay is broken on VLAN sub-interfaces (both L2 and L3) for PAN-OS 5.0.3 and 5.0.4. Support suggested rolling back to 5.0.2 (or 4.1.9, which had been working for us) but I switched to DHCP service provided by the firewall itself. We have lost some minor functionality, but I can live with it.