Thank you for your reply. Maybe the hint was there when I felt that it was inconvenient that you cannot add a comment on DHCP server on each interface, and on each reservation for that matter for hostname for examlple. Are you aware of specific limitations of the builtin DHCP server function of Palo Alto firewall?
... View more
Hi, I'm currently doing DHCP server migration from Windows server's DHCP server function to Palo Alto PA-3200 series, with PAN-OS 9.1 series. I copied over all the configurations from Windows server to Palo Alto including the IP address reservation. After migration, what happened was that, for an IP scope that corresponds to a VLAN with 802.1X dynamic VLAN allocation configured, the workstations whose MAC address is mapped to reserved IP address on Palo Alto could be allocated the reserved IP address for the first time, BUT, after signing out and signing in to the machine, the machines could not be allocated any IP address, therefore the users could not log in to the workstations. In the same VLAN, other workstations with no IP address reserved could be assigned an IP address properly from the pool; first sign in to the machine will assign an available IP address from the pool, and, if the user signs out and signs in again, the same IP address gets assigned to the machine as the first sign in. Has anyone else experienced an issue like this? I can't imagine there is an issue with the configuration of DHCP server. This issue persisted with or without "Ping before allocating new IP address" setting, we made sure the reserved IP addresses are not used by anything else, and we also tried changing the IP pool range to not include the reserved IP addresses. We deleted the IP reservation for one machine, then the user could log in to that machine and an IP address was assigned, so we're convinced that the issue is with the Palo Alto's behavior when IP address is reserved for the machine. I'll appreciate any information. Thanks! NGFW
... View more