DHCP

The document discusses DHCP and provides details about its operation and configuration on Palo Alto firewalls. DHCP is a protocol that automatically assigns IP addresses, subnet masks and other network configuration parameters to devices on a network. It allows for easy management of IP addresses and centralized network client configuration. The Palo Alto firewall can be configured as a DHCP server to assign addresses and also support DHCP relay.

Uploaded by

godwin dsouza

DHCP (Dynamic Host Configuration Protocol):

o DHCP is an abbreviation for the Dynamic Host Configuration Protocol.
o PANOS has a feature known as Easy IP Lease, which is a full-featured DHCP server.
o DHCP is a client-server protocol that automatically provides an IP address to hosts.
o DHCP also provides the IP address, subnet mask, default gateway, DNS server & other configuration.
o DHCP allows a network device to dynamically receive its IP address parameters.
o DHCP follows the DORA process: Discover, Offer, Request & Acknowledgement.
o DHCP is an application layer protocol used by hosts to obtain network setup information.
o The DHCP server dynamically configures the hosts or network devices in the network.
o DHCP is a client-server protocol that uses User Datagram Protocol (UDP) services.
o The DHCP port number for the server is UDP port 67 and for the client is UDP port 68.
o DHCP assigns Internet Protocol (IP) addresses from a pool (range) of addresses.
o Dynamic Host Configuration Protocol (DHCP) is an application layer (layer 7) protocol.
o A Palo Alto Firewall can provide DHCP services for multiple interfaces simultaneously.
o The DHCP server supports configuration options that are sufficient for nearly any environment.
o This includes the ability to assign all the expected values to a client, such as the IP address.
o It also includes the domain name, gateway, subnet mask, WINS servers and DNS servers.
o DNS servers can either be manually configured addresses or addresses currently in use.
o It also supports address reservations and exclusions, as well as custom option fields.
o These custom fields in DHCP are most commonly used for devices like VoIP phones.
Dynamic: Automatically
Host: Any computer that is connected to the network
Configuration: To configure a host means to provide network information
Protocol: Set of rules and regulations

Advantages of DHCP:
o The primary advantage of DHCP is easier management of IP addresses, etc.
o Another advantage of DHCP is centralized network client configuration.
o DHCP greatly reduces the time required to configure & reconfigure computers.
o A DHCP server that assigns IP addresses automatically avoids configuration errors.
o Dynamic Host Configuration Protocol makes it easy to add new clients to the network.
o The DHCP server reuses IP addresses, reducing the total number of IP addresses needed.
o With Dynamic Host Configuration Protocol, there is no need to reconfigure each client separately.
o Dynamic Host Configuration Protocol configures the network from a centralized location.
o Using a DHCP server, easy handling of new users and reuse of IP addresses can be achieved.

1 | P a g e Created by Ahmad Ali E-Mail: [email protected] , Mobile: 056 430 3717


PANOS DHCP Server:
o Palo Alto devices run PANOS software, which includes a DHCP server.
o A Palo Alto FW can be used as a DHCP server, with various options available.
o The NG Palo Alto Unit Firewall running PANOS can be configured as a DHCP server.
o The Palo Alto Unit Firewall DHCP server is a full DHCP server implementation.
o PANOS DHCP assigns and manages IP addresses from specified address pools.
o PANOS DHCP server can be configured to assign additional parameters as well.
o PANOS DHCP server is the one responsible for handing out IPs to the clients.

DHCP Client:
o The DHCP client is a host using DHCP to obtain configuration parameters.
o It is the endpoint that receives configuration information from a DHCP server.
o A DHCP client is anything needing an IP address that is not configured as static.
o The Palo Alto Unit Firewall can be configured as both a DHCP server and a DHCP client.
o DHCP clients use UDP broadcasts to send their initial DHCPDISCOVER messages.
o The DHCP client sends messages to the server on User Datagram Protocol port 67.

DHCP Relay:
o A DHCP relay agent is any host that forwards DHCP packets between clients & servers.
o DHCP Relay allows clients to obtain DHCP information from a server on a different subnet.
o Relay agents are used to forward requests and replies between clients and servers.
o Relay agents are used to forward requests when client and server are not on the same physical subnet.
o The devices that do the forwarding are referred to as DHCP relay agents.
o DHCP relay agents forward packets differently from normal IP forwarding.
o Relay agents receive a DHCP message & generate a new message out of another interface.
o The DHCP relay agent adds a GIADDR (Gateway Address of Packet) field to the packet.
o The DHCP relay agent also adds the relay agent information option (DHCP option 82) if enabled.



DHCP Operation:
o Important DHCP messages are exchanged between a DHCP client and a DHCP server.
o Four phases are required in DHCP operation between the DHCP server & DHCP client.
o The DHCP operation process for Internet Protocol (IPv4) is called the DORA process.

DHCP Discover Message:
o This is the first message generated in the communication process between server & client.
o The client host generates this message to discover a DHCP server in the network.
o This message is broadcast to all devices present in the network to find a DHCP server.
o In case there is no response from a DHCP server, an MS Windows client assigns itself an APIPA address.
o The DHCP Discover message uses the broadcast IP address and broadcast MAC address.
o This message is 342 or 576 bytes long & the destination MAC address is FFFFFFFFFFFF.
o The source IP address is 0.0.0.0 because the DHCP client has no IP address at this point.
o In the DHCP Discover message, the destination IP address is the broadcast address 255.255.255.255.

DHCP Offer Message:
o DHCP servers that receive a DHCP Discover message respond with a DHCP Offer message.
o The DHCP server responds to the client and offers the client an IPv4 address lease.
o The DHCP Offer message is broadcast by the Dynamic Host Configuration Protocol server.
o The DHCP Offer message from the server is 342 bytes in size.
o If there is more than one DHCP server, the client will accept the first DHCP Offer message.
o The DHCP Server ID is specified in the packet in order to identify the DHCP server.
o In the DHCP Offer message, the destination IP address is the broadcast IP address.
o In the DHCP Offer message, the destination MAC address is the broadcast address FFFFFFFFFFFF.
o The source IP address is the server's IP address and the source MAC address is the server's MAC address.

DHCP Request Message:
o The client accepts the first offer received by broadcasting a DHCP Request message.
o The client receives an Offer message & responds by broadcasting a DHCP Request message.
o The client produces a gratuitous ARP to find any other host in the network with the same IP address.
o If there is no reply from another host, then no host has the same TCP/IP configuration.
o The broadcast message is sent to the server, showing acceptance of the IP address.
o In the DHCP Request message, the source IP address is 0.0.0.0, as the client has no IP address yet.
o In the DHCP Request message, the destination IP address is the broadcast address 255.255.255.255.
o The source MAC address is the client's MAC address & the destination MAC address is FFFFFFFFFFFF.

DHCP Acknowledgment Message:
o The server accepts the client's request and sends a DHCP Acknowledgment message to it.
o The server makes an entry with the specified client ID & binds the offered IP address with a lease time.
o Finally, the client has the Internet Protocol (IP) address provided by the DHCP server.
o The DHCP server will not provide this Internet Protocol (IP) address to any other host.
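
The server identifier and the first-offer-wins behaviour described above are what make an unapproved DHCP server on a segment a risk. The following Python sketch is an added example, not part of the original document: it parses DHCP payloads and flags Offer/ACK/NAK replies whose server identifier (option 54) is not on an allowlist. The allowlist value (the lab's ethernet1/2 address), the function names and the sample messages are assumptions constructed for illustration.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
# Assumption: the lab firewall's ethernet1/2 address is the only approved server.
AUTHORIZED_SERVERS = {"192.168.1.100"}

def parse_dhcp(payload: bytes) -> dict:
    """Parse a DHCPv4 UDP payload: fixed 236-byte header, cookie, then TLV options."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    msg = {"op": payload[0],
           "xid": struct.unpack("!I", payload[4:8])[0],
           "yiaddr": socket.inet_ntoa(payload[16:20]),   # address being offered
           "giaddr": socket.inet_ntoa(payload[24:28]),   # set by a relay agent
           "chaddr": payload[28:28 + min(payload[2], 16)].hex(":"),
           "options": {}}
    i = 240
    while i < len(payload) and payload[i] != 255:        # 255 = End option
        if payload[i] == 0:                              # 0 = Pad, no length byte
            i += 1
            continue
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        msg["options"][payload[i]] = payload[i + 2:i + 2 + payload[i + 1]]
        i += 2 + payload[i + 1]
    return msg

def rogue_server_findings(payload: bytes) -> list:
    """Flag server replies (OFFER/ACK/NAK) whose option 54 is not an approved server."""
    msg = parse_dhcp(payload)
    opts = msg["options"]
    mtype = opts[53][0] if opts.get(53) else 0           # option 53 = message type
    server = socket.inet_ntoa(opts[54]) if len(opts.get(54, b"")) == 4 else None
    if msg["op"] != 2 or mtype not in (2, 5, 6) or server in AUTHORIZED_SERVERS:
        return []
    return [f"{MSG_TYPES[mtype]} of {msg['yiaddr']} to {msg['chaddr']} "
            f"from unapproved server {server}"]

def build_sample(op, mtype, yiaddr="0.0.0.0", server=None):
    """Constructed test message (not a capture) with a made-up xid and client MAC."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x3903F326, 0,
                      0x8000, b"", socket.inet_aton(yiaddr), b"", b"",
                      bytes.fromhex("020000000001"), b"", b"")
    opts = bytes([53, 1, mtype])
    if server:
        opts += bytes([54, 4]) + socket.inet_aton(server)
    return hdr + MAGIC_COOKIE + opts + b"\xff"
```

Feed `rogue_server_findings` the UDP payload of packets seen with source port 67; a reply that carries no option 54 at all is also reported, with the server shown as `None`.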



DHCP Server Lab Time:
We will use the same topology for DHCP Server and DHCP Relay. We are going to enable the DHCP Server
on e1/2 to provide DHCP services.

Create Zones:
Let’s configure three zones named Inside, Outside and DMZ. Go to Network > Zone > Add, give
the name Inside, select Type Layer3 and click OK. Create the other two zones the same way.

Configure Interfaces:
Go to Network > Interfaces, click on the ethernet1/1 interface, change Interface Type to Layer3, set
Virtual Router to default and set Security Zone to Outside. On the IPv4 tab, assign the IP address
192.168.122.100/24 and click OK.



Go to Network > Interfaces, click on the ethernet1/2 interface, change Interface Type to Layer3, set
Virtual Router to default and set Security Zone to Inside. On the IPv4 tab, assign the IP address
192.168.1.100/24 and click OK.

Go to Network > Interfaces, click on the ethernet1/3 interface, change Interface Type to Layer3, set
Virtual Router to default and set Security Zone to DMZ. On the IPv4 tab, assign the IP address
192.168.2.100/24 and click OK.



Configure Routing:
Each interface must be assigned a virtual router. Under Network > Virtual Router > default we will add a
static route. Go to Static Routes > IPv4 > Add, choose the interface ethernet1/1 (Outside), and enter
192.168.122.2 as the next hop, as required by our topology.

Configure NAT/PAT:
Let’s configure NAT using Dynamic IP and Port, which translates all local LAN addresses to a single IP
address. I will NAT my Inside LAN 192.168.1.0/24 to 192.168.122.100, the IP address of the WAN interface.
Go to Policies > NAT > Add and name the rule Inside-To-Outside.



Go to Original Packet and fill it in: the source zone is Inside (since the traffic comes from 192.168.1.0/24,
which is in Inside), the destination zone is Outside (since 192.168.122.100 leads to the Internet), and the
destination interface is ethernet1/1, the outgoing interface. Set Service to any.

Then go to Translated Packet and set Translation Type: Dynamic IP And Port, Address Type:
Interface Address, Interface: our WAN interface ethernet1/1, and IP Address: the WAN IP. Click OK.



Configure Security Policy:
Now create a Security Policy to allow access from the Inside zone to the Outside zone.
Go to Policies > Security > Add, give your Security Policy a name (Inside to Outside), add the Source
Zone (Inside), add the Destination Zone (Outside), and allow access; in our case we are allowing all traffic.



DHCP Server:
Navigate to Network > DHCP > DHCP Server and click the Add button at the bottom of the window.
The DHCP Server configuration window will open and the DHCP server options will be displayed.
Select the interface which will be sourcing DHCP leases. Specify the desired lease range in the
'IP Pools' section.

Specify the default gateway, subnet mask and primary DNS.



Save Changes:
Commit the changes by clicking Commit in the top right corner to save the configuration.

Testing and Verification:


Remove the # (hash) sign from the DHCP configuration section of the docker PCs so that they get an IP address.

Go to Network > DHCP > DHCP Server and click on View Allocation to see the leased IPs.
