06-27-2017 05:21 AM
Hi all,
I'm having a question about allowing DHCP through the PA firewall.
The issue I have is the following.
- We have a PA deployed between LAN, Internet and WAN
- The LAN has a L3 switch, that performs inter VLAN routing, and uses a transit subnet and a default route to the PA
- DHCP relay is configured on the L3 switch, pointing to the DHCP server
- The DHCP server lives on the WAN
- When I have the LAN and WAN interfaces in the same security zone all is well and DHCP works just fine
- When I move the WAN interface to a new security zone, and configure 2 firewall rules 'permit any to WAN from LAN' and 'permit any from LAN to WAN', DHCP stops working.
No information is visible in the traffic log about DHCP being blocked
Is it possible that the PA can't handle this between 2 security zones and requires DHCP relay to be configured on the PA as well?
06-27-2017 05:52 AM - edited 06-27-2017 05:55 AM
As soon as your L3 switch relays the DHCP broadcast it sends a unicast out to the DHCP server. So relay should only be configured once at your local Layer 3 boundary. What PAN-OS are you currently on? Can you please also override the default deny policy, enabling logging?
06-27-2017 09:11 AM
You need to actually allow the traffic to traverse security zones is all. Enable logging on the default interzone-default rule and see what's actually being blocked. You'll need a new security policy to allow the DHCP request to actually go to your DHCP server.
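The two changes suggested in this reply, written out as PAN-OS CLI `set` commands, as an added example that is not configuration posted in the thread. The zone names LAN and WAN come from the original question; the rule name Allow-DHCP-Relay, the relay's transit address 10.0.0.1 and the server address 192.0.2.10 are placeholders to be replaced with the real values.

```text
# Added example (not from the thread). Run from "configure" mode, then "commit".

# 1. Log sessions that hit the implicit interzone deny, so the dropped
#    relayed DHCP unicast actually shows up in Monitor > Traffic.
set rulebase default-security-rules rules interzone-default log-end yes

# 2. Allow the relayed DHCP request from the L3 switch (LAN zone) to the
#    DHCP server (WAN zone). After relay the request is plain unicast UDP,
#    source port 67 to destination port 67, from the relay's interface
#    address (giaddr) to the server, so it is matched like any other flow.
set rulebase security rules Allow-DHCP-Relay from LAN
set rulebase security rules Allow-DHCP-Relay to WAN
set rulebase security rules Allow-DHCP-Relay source 10.0.0.1        # placeholder: L3 switch / relay address
set rulebase security rules Allow-DHCP-Relay destination 192.0.2.10 # placeholder: DHCP server address
set rulebase security rules Allow-DHCP-Relay application dhcp
set rulebase security rules Allow-DHCP-Relay service application-default
set rulebase security rules Allow-DHCP-Relay action allow
set rulebase security rules Allow-DHCP-Relay log-end yes
```

Only the LAN-to-WAN direction needs a rule: the server's reply to the relay returns on the same session the request created. After committing, `show session all filter application dhcp` from operational mode shows whether the relayed requests are now being allowed, and the traffic log shows which rule they match.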