Use DHCP relay with GlobalProtect

MarcelST
L3 Networker

Hi,

I've been doing some research on the option of using DHCP relay on Palo Alto for all the GlobalProtect gateways, and it's not clear to me if it's possible or not.

The thing is, we want to enable Secure DNS records registration for the GlobalProtect IP network pools, but because currently the Palo Altos are the ones providing the IP, instead of doing DHCP relay to our internal DHCP servers, we can't enable it.


Accepted Solutions
OwenFuller
L4 Transporter

I don't think GP supports giving addresses to clients via DHCP.  When clients connect to the gateway, they're forming a point-to-point tunnel.  This tunnel has an IP address and a subnet mask of 255.255.255.255 that the client uses to identify the tunnel, and the tunnel interface on the firewall may not even have an IP address to use as a default gateway.  It's not quite the same as just handing the client an address, subnet mask, gateway, etc. from DHCP in a traditional layer 3 network.

These forum posts, while older, seem to support this, and I have never seen any documentation about using DHCP instead of IP pools on GP.

https://live.paloaltonetworks.com/t5/general-topics/dhcp-relay-for-globalprotect/td-p/205699
https://live.paloaltonetworks.com/t5/general-topics/global-protect-dhcp-config/td-p/228635
