Global Protect DHCP Options
L1 Bithead

I have a PA-500. I have a basic configuration for Global Protect up and working - certificates, agent settings, etc. All is well. The client can route to internal resources as expected.

 

Now, the next step I need to take for these VPN clients in transitioning from Cisco AnyConnect is that they must receive some custom DHCP options with their VPN IP assignment. The Cisco wasn't able to provide custom options, so I used a DHCP relay on it, but that's not a necessity. So I could solve this in one of two routes:

 

1) DHCP relay for GP clients

I've read some other forum discussions that this isn't possible. At least as of this time last year, this was a feature request: Feature Request ID- 2924. But I can't find any current info - not sure where I can see status of feature requests or vote on them.

But long story short, if the GP gateway could relay the dhcp request to an internal DHCP server, that would solve my problem.

 

or...

2) use the "dhcp server" feature of PANOS for GP clients

In network-> DHCP I can set the firewall up as a dhcp server on a given interface, and it appears I can give it custom DHCP options like I need. Which would be great if I just needed a DHCP server for inside the firewall. So surely there's a way I'm missing where I can set the GP gateway to use the built-in dhcp server instead of using the ip pool configured in network->globalprotect->gateway->(gateway config)->client configuration->network settings->(network config)->network settings> IP pool

L4 Transporter

As far as I know, both ideas are not possible or implemented (yet)... sadly...

But what I would try: GP version 2.3.x is able to run scripts... I'm pretty sure you can add some DHCP options using a script.

Please write your solution - I'm also interested

L1 Bithead

My vendor has recommended I open a support case with Palo Alto to get a definitive answer. If we determine that it's not possible, I'll definitely look into the scripts you mentioned, and I'll be sure to post whatever solution we come up with. Thanks!

L1 Bithead

I developed a PowerShell script to do what I needed, but found in testing that my software, which was looking for DHCP option 160, wouldn't recognize it when I injected it into the registry like this. It could mean that I'm doing something wrong, or that this software is not simply looking for the registry values, or that injecting DHCP options in the registry is not a viable solution in any case. I never got to trying to have GlobalProtect run the script for me. But, in the hope it might help someone else, here's my script:

 

Push-Location
# stores the current working path in memory so we can come back to it

$key = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
$subkeys = Get-ChildItem $key
# each network interface has a key inside of "Interfaces" - Get-ChildItem (without -Name, so we get
# key objects that carry a PSPath instead of bare name strings) enumerates each subkey so we can
# pass it through the foreach.

ForEach ($subkey in $subkeys)
{
    $props = Get-ItemProperty -Path $subkey.PSPath
    # "match" means search for a string, so if any value under this sub-key contains 10.12.3
    # (the subnet I'm dealing with), then execute the following code. The key is stringified
    # first because -match works on strings, not on the property object.
    if (($props | Out-String) -match "10\.12\.3\.")
    {
        $matchpath = $subkey.PSPath
        Set-Location $matchpath

        [byte[]]$value = (Get-ItemProperty $matchpath).DhcpInterfaceOptions
        # read the REG_BINARY value of DhcpInterfaceOptions inside the matching key. It's stored as
        # hex bytes, but PS hands it back as an array of bytes, displayed as decimal values.

        [byte[]]$newvalue = $value + [byte[]](
            160, 0, 0, 0,                         # option number (160)
            0, 0, 0, 0,
            39, 0, 0, 0,                          # length of the data (38 characters + NUL)
            0, 0, 0, 0,
            210, 14, 205, 85,                     # timestamp copied from a correctly configured host
            104, 116, 116, 112, 58, 47, 47,       # "http://"
            112, 114, 111, 118, 105, 115, 105, 111, 110, 46,      # "provision."
            112, 111, 108, 97, 114, 105, 115, 108, 97, 98, 115, 46,   # "polarislabs."
            118, 111, 105, 112, 58, 56, 48, 56, 56,                # "voip:8088"
            0, 0)                                 # NUL terminator plus padding
        # append these bytes to the end of DhcpInterfaceOptions. The bulk of the work was figuring out
        # how to read DhcpInterfaceOptions. It's written in hex. If you translate each byte to ASCII
        # (from a host that has it properly configured already), you'll see the value you're looking
        # for, but the usable string starts with the option number. To find that, you have to convert
        # each byte from hex to decimal (see mine starts with 160). So between the decimal conversion
        # and the ASCII conversion, you can get the string of bytes that you need to inject, but in
        # order to inject them with PowerShell, you put them in as decimal values.

        Set-ItemProperty -Path . -Name DhcpInterfaceOptions -Value $newvalue -Type Binary
        # actually set the value from the variable (-Type Binary keeps it REG_BINARY instead of
        # letting PowerShell pick a type for the array)

        (Get-ItemProperty $matchpath).DhcpInterfaceOptions
        # read the value back from the matching key so you can see what was written
    }
}

Pop-Location
# set the working directory back to what it was before we started.
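The DhcpInterfaceOptions layout that the script above hand-encodes, worked through as an added example (not code from this thread): a small Python decoder and encoder that walks the binary value record by record and recovers the option number, timestamp and string the author injected, which is also a convenient way to review what DHCP options a client interface has actually received. The record layout used here (five little-endian DWORDs: option code, reserved, payload length, reserved, Unix timestamp, then the payload padded to a multiple of four bytes) is my reading of the posted bytes, not a documented format; the sample bytes are exactly the ones the script appends.

```python
import struct
from datetime import datetime, timezone

# Assumed record layout: code, reserved, length, reserved, timestamp (all DWORD LE),
# then `length` payload bytes padded with zeros to a DWORD boundary.
HEADER = struct.Struct("<IIIII")

# Constructed sample: the exact bytes the script above appends (option 160, 60 bytes).
SAMPLE = bytes([160, 0, 0, 0, 0, 0, 0, 0, 39, 0, 0, 0, 0, 0, 0, 0, 210, 14, 205, 85]) \
    + b"http://provision.polarislabs.voip:8088\x00" + b"\x00"


def parse_options(blob: bytes) -> list:
    """Split a DhcpInterfaceOptions blob into records; raise on a malformed blob."""
    records, off = [], 0
    while off + HEADER.size <= len(blob):
        code, _r1, length, _r2, ts = HEADER.unpack_from(blob, off)
        off += HEADER.size
        if off + length > len(blob):
            raise ValueError(f"option {code}: length {length} runs past end of blob")
        payload = blob[off:off + length]
        off += (length + 3) & ~3          # payload is padded to a DWORD boundary
        records.append({"code": code, "timestamp": ts, "payload": payload})
    if off != len(blob):
        raise ValueError(f"{len(blob) - off} trailing bytes after last record")
    return records


def encode_option(code: int, payload: bytes, timestamp: int) -> bytes:
    """Build one record in the same layout (string options carry a trailing NUL)."""
    padding = b"\x00" * ((-len(payload)) % 4)
    return HEADER.pack(code, 0, len(payload), 0, timestamp) + payload + padding


def option_text(rec: dict) -> str:
    """Render a string-valued option without its NUL terminator."""
    return rec["payload"].rstrip(b"\x00").decode("ascii")


if __name__ == "__main__":
    for rec in parse_options(SAMPLE):
        when = datetime.fromtimestamp(rec["timestamp"], tz=timezone.utc)
        print(f"option {rec['code']} set {when:%Y-%m-%d}: {option_text(rec)}")
```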

L4 Transporter

Setting the DHCP options in the registry would not help. The "true" DHCP options are set deep in "netsh".

Sorry, but my PowerShell skills are not good enough to write you an example.

But please find here http://www.ingmarverheij.com/read-dhcp-options-received-by-the-client/ a PS script showing the DHCP options. Maybe you can do some research with this PS script example and find a set command instead of show...
