DHCP Server on Palo Alto


L2 Linker

The DHCP server on Palo Alto does not clear the expired sessions; they stay, and we have to manually go and clear the sessions.

 

Can you please help.

Cyber Elite

@Denis,

Can you elaborate on the model and firmware version you are running? It appears that on older software versions this was/is a semi-regular issue.

I have the same issue on 8.0.1


--
CCNA Security, PCNSE7

Model is PA-500

 

Software Version is 7.1.7

Did anyone from Palo Alto support revert back to you on this issue? I've raised a support ticket and am waiting for them to revert back.

I never reported it. I suppose I should, but I just sort of accepted it for what it was. There's a lot about the DHCP server that I don't care for. It seems like an afterthought, but it's really not even the primary function of the firewall, so I cut it some slack in that respect.

 

--
CCNA Security, PCNSE7

For us it's critical, as we've used it as the DHCP for all our WiFis, so it's quite inconvenient after each hour to manually clear out the expired sessions.

 

Hoping to find some solution or workaround to this...

You wouldn't actually need to do so manually as the request can be scripted with relative ease. Not that it fixes the issue but it can clear the expired sessions on a set schedule.

Can you show me how to schedule the clear expired sessions? PowerShell or Windows Task Scheduler.

I've done the script but need to paste it each time in the browser.

 

 

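# Accept any server certificate (turns off TLS certificate validation for this session).
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
$wc = New-Object System.Net.WebClient
# MGMTIP and APIKEY are placeholders for the management address and the API key.
$src=$wc.DownloadString("https://MGMTIP/api/?type=commit&cmd=<commit></commit>&key=APIKEY")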

 

Replace the address with whatever you are pasting into your browser currently; make sure that you are utilizing the API key as you won't be authenticated if you don't.

@Denis

Specifically it would look like the following if I didn't specify an interface; then you just need to schedule it with Task Scheduler to actually run the PowerShell command at a set interval.

 

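# Turn on useUnsafeHeaderParsing through reflection so .NET accepts non-standard HTTP response headers.
$netAssembly = [Reflection.Assembly]::GetAssembly([System.Net.Configuration.SettingsSection])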

if($netAssembly)
{
    $bindingFlags = [Reflection.BindingFlags] "Static,GetProperty,NonPublic"
    $settingsType = $netAssembly.GetType("System.Net.Configuration.SettingsSectionInternal")

    $instance = $settingsType.InvokeMember("Section", $bindingFlags, $null, $null, @())

    if($instance)
    {
        $bindingFlags = "NonPublic","Instance"
        $useUnsafeHeaderParsingField = $settingsType.GetField("useUnsafeHeaderParsing", $bindingFlags)

        if($useUnsafeHeaderParsingField)
        {
          $useUnsafeHeaderParsingField.SetValue($instance, $true)
        }
    }
}
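# Save the API response to an XML file on the desktop.
$OutputFile = "$($env:USERPROFILE)\Desktop\CommandStatus.xml"
# Accept any server certificate (turns off TLS certificate validation for this session).
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
$wc = New-Object System.Net.WebClient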
$src=$wc.DownloadString("https://10.191.136.7/api/?type=op&cmd=<clear><dhcp><lease><all><expired-only></expired-only></all></...REPLACEWITHYOURKEY| Out-File $OutputFile
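
The scheduling step asked about above, as an added example that is not part of any post in this thread: one script that stores the API key outside the script file, registers itself as an hourly task, and logs the API's status on each run. The key file path, log path and task name are hypothetical, MGMTIP is the thread's placeholder, the op command is the thread's expired-only clear written out in full as an assumption, and the firewall's management certificate is assumed to be trusted by the host.

```powershell
# Added example (not from the thread). Hypothetical names: key file path, log path, task name.
param(
    [string]$Firewall = 'MGMTIP',                      # placeholder, as in the thread
    [string]$KeyFile  = "$env:USERPROFILE\pan-api-key.xml",
    [string]$LogFile  = "$env:USERPROFILE\pan-dhcp-clear.log",
    [switch]$SaveKey,                                  # one-time: store the API key
    [switch]$Install                                   # one-time: register the hourly task
)

if ($SaveKey) {
    # Export-Clixml protects the SecureString with DPAPI: only this user on this machine can read it.
    Read-Host 'API key' -AsSecureString | Export-Clixml -Path $KeyFile
    return
}
if ($Install) {
    $arg     = "-NoProfile -File `"$PSCommandPath`" -Firewall $Firewall -KeyFile `"$KeyFile`" -LogFile `"$LogFile`""
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument $arg
    # Assumes Windows 10 / Server 2016 or later, where omitting -RepetitionDuration repeats indefinitely.
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Hours 1)
    Register-ScheduledTask -TaskName 'Clear-PanExpiredLeases' -Action $action -Trigger $trigger
    return
}

# Normal (scheduled) run: send the op command and record the API's verdict.
$cmd = '<clear><dhcp><lease><all><expired-only></expired-only></all></lease></dhcp></clear>'
try {
    $key = [System.Net.NetworkCredential]::new('', (Import-Clixml -Path $KeyFile)).Password
    $url = "https://$Firewall/api/?type=op&cmd=$([uri]::EscapeDataString($cmd))&key=$([uri]::EscapeDataString($key))"
    # No certificate override here: assumes the management certificate is trusted by this host.
    $reply  = (New-Object System.Net.WebClient).DownloadString($url)
    $status = ([xml]$reply).response.status            # "success" or "error" on the root element
} catch {
    $status = "failed: $($_.Exception.Message)"
}
"{0:s} {1} {2}" -f (Get-Date), $Firewall, $status | Add-Content -Path $LogFile
if ($status -ne 'success') { exit 1 }                  # non-zero result is visible in Task Scheduler
```

Run it once with -SaveKey and once with -Install under the account that will own the task, since the DPAPI-protected key file can only be read by the user who created it.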
