DHCP through the PA


L0 Member

Hi all,


I'm having a question about allowing DHCP through the PA firewall.

The issue I have is the following.


- We have a PA deployed between LAN, Internet and WAN

- The LAN has a L3 switch, that performs inter VLAN routing, and uses a transit subnet and a default route to the PA

- DHCP relay is configured on the L3 switch, pointing to the DHCP server

- The DHCP server lives on the WAN


- When I have the LAN and WAN interfaces in the same security zone all is well and DHCP works just fine

- When I move the WAN interface to a new security zone, and configure 2 firewall rules 'permit any to WAN from LAN' and 'permit any from LAN to WAN', DHCP stops working.

No information is visible in the traffic log about DHCP being blocked


Is it possible that the PA can't handle this between 2 security zones and requires DHCP relay to be configured on the PA as well?

2 REPLIES

L6 Presenter

As soon as your L3 Switch relays the DHCP broadcast it sends a unicast out to the DHCP Server. So relay should only be configured once at your local Layer 3 boundary. What PAN-OS are you currently on? Can you please also override the default deny policy enabling logging?

Cyber Elite

You need to actually allow the traffic to traverse security zones is all. Enable logging on the default interzone-default rule and see what's actually being blocked. You'll need a new security policy to allow the dhcp request to actually go to your dhcp server.
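The two steps both replies describe (make the implicit interzone deny log, then add an explicit policy for the relayed DHCP traffic), written out as PAN-OS CLI set commands. This is an added example, not configuration from either reply or from the original poster; the zone names LAN and WAN and the rule name allow-dhcp-relay are assumptions, and the comment lines are explanation rather than CLI input.

```panos
# Added example. Zone names LAN/WAN and rule name allow-dhcp-relay are
# assumptions; comment lines are not CLI input.
configure

# 1. Make the default interzone deny visible in the traffic log, so a
#    dropped relay packet shows up as a hit on interzone-default.
set rulebase default-security-rules rules interzone-default log-end yes

# 2. Allow the relayed exchange. Once the L3 switch relays the client
#    broadcast it is a unicast from the relay address (LAN zone) to the
#    server (WAN zone), so a single LAN-to-WAN rule covers the request;
#    the server's reply rides the same session. App-ID "dhcp" with
#    application-default matches the UDP/67 and UDP/68 ports it uses.
set rulebase security rules allow-dhcp-relay from LAN to WAN
set rulebase security rules allow-dhcp-relay source any destination any
set rulebase security rules allow-dhcp-relay source-user any category any
set rulebase security rules allow-dhcp-relay application dhcp service application-default
set rulebase security rules allow-dhcp-relay action allow log-end yes

commit
```

Once the relay and server addresses are confirmed in the log, narrow `source` and `destination` from `any` to those address objects so the rule permits only the relay-to-server conversation.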
