{"id":111,"date":"2022-04-25T07:28:57","date_gmt":"2022-04-25T11:28:57","guid":{"rendered":"https:\/\/pressbooks.bccampus.ca\/paloalto\/?post_type=chapter&p=111"},"modified":"2026-02-18T15:22:43","modified_gmt":"2026-02-18T20:22:43","slug":"dora-the-dhcp-provider","status":"publish","type":"chapter","link":"https:\/\/pressbooks.bccampus.ca\/paloalto\/chapter\/dora-the-dhcp-provider\/","title":{"raw":"1.2 DORA the DHCP Provider","rendered":"1.2 DORA the DHCP Provider"},"content":{"raw":"
\r\n

Learning Objectives<\/p>\r\n\r\n<\/header>\r\n

\r\n
    \r\n \t
  • Set up a DHCP server on Palo Alto<\/li>\r\n \t
  • Set up zones<\/li>\r\n \t
  • Connect clients to the Internet<\/span> with Palo Alto<\/li>\r\n<\/ul>\r\n<\/div>\r\n<\/div>\r\n
    \r\n\r\nScenario<\/strong>: In this lab, we are going to configure our friend DORA (Discover Offer Request Acknowledge) the hander of addresses. And we'll also be configuring internet access so that clients may finally browse their precious Internet with SNAT (Source Network Address Translation).\r\n\r\n<\/div>\r\n\r\n[caption id=\"attachment_141\" align=\"aligncenter\" width=\"1078\"]\"main Figure 1.21: main scenario[\/caption]\r\n\r\n\r\n\r\n\r\n\r\n
    Table 1.2: Addressing Table<\/caption>\r\n
    Device<\/th>\r\nConfiguration<\/th>\r\n<\/tr>\r\n
    PaloAlto<\/td>\r\nmanagement: 192.168.0.1\/24\r\nEthernet1\/1: 10.0.0.1\/24\r\nEthernet1\/2: DHCP<\/td>\r\n<\/tr>\r\n
    Client (WebTerm)<\/td>\r\neth0: DHCP<\/td>\r\n<\/tr>\r\n
    Management (WebTerm)<\/td>\r\neth0: 192.168.0.2\/24<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n\r\n\r\n\r\n\r\n
    Table 1.3: Zone Configuration<\/caption>\r\n
    Zones<\/th>\r\nInterfaces<\/th>\r\n<\/tr>\r\n
    Inside<\/td>\r\nEthernet1\/1<\/td>\r\n<\/tr>\r\n
    Outside<\/td>\r\nEthernet1\/2<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n

    Create Zones in the Palo Alto Web Interface<\/h2>\r\nUnder the network tab, click zones, then add on the bottom left of the screen.\r\n\r\n[caption id=\"attachment_356\" align=\"aligncenter\" width=\"1024\"]\"Creating Figure 1.22: Creating zones[\/caption]\r\n\r\nIn here, we just change the name and type of zone. For information's sake. We will only be dealing with (mostly) layer 3 things in Palo Alto for this book. After that, press OK<\/b>. Remember to create Inside and Outside zones (Remember to also commit changes from time to time!)\r\n\r\n[caption id=\"attachment_357\" align=\"aligncenter\" width=\"1026\"]\"Create Figure 1.23: Create a zone Inside as a layer3[\/caption]\r\n\r\n[caption id=\"attachment_501\" align=\"aligncenter\" width=\"1026\"]\"Create Figure 1.24: Create a zone Outside as a layer3[\/caption]\r\n

    Set Up a Static Interface IP Address in Palo Alto<\/h2>\r\nGo under the network tab, and click on ethernet1\/1.\r\n\r\n[caption id=\"attachment_358\" align=\"aligncenter\" width=\"1026\"]\"Select Figure 1.25: Select Ethernet 1\/1[\/caption]\r\n\r\nThe first thing we want to do when configuring an interface is changing the interface type to layer 3, the virtual router to default, and changing the security zone to the desired zone. In this case, we have to change it to inside for ethernet1\/1, and outside for ethernet1\/2.\r\n\r\n[caption id=\"attachment_359\" align=\"aligncenter\" width=\"1026\"]\"Ethernet Figure 1.26: Ethernet 1\/1 Configuration[\/caption]\r\n\r\nNow, under the IPv4 tab of the opened window, click on Add<\/b>, then type in the address and prefix of the interface.\r\n\r\n[caption id=\"attachment_360\" align=\"aligncenter\" width=\"1024\"]\"Set Figure 1.27: Set an IP address for Ethernet 1\/1[\/caption]\r\n

    Ping an Interface in Palo Alto<\/h2>\r\nBy default, a Palo Alto interface is not pingable. In a lab environment, checking if pings are working is a good sanity test. Go to the advanced tab, click the drop-down menu next to the management profile, then click New<\/b>.\r\n\r\n[caption id=\"attachment_361\" align=\"aligncenter\" width=\"1026\"]\"Ethernet Figure 1.28: Ethernet 1\/1 configuration - Advanced Tab[\/caption]\r\n\r\nCall this whatever you want, but make sure to tick the ping option under networking services. Then press OK<\/b>.\r\n\r\n[caption id=\"attachment_362\" align=\"aligncenter\" width=\"1024\"]\"Enable Figure 1.29: Enable Ping under Interface Management Profile[\/caption]\r\n

    Enable DHCP on an Interface in Palo Alto<\/h2>\r\nIt's almost the same thing as setting up a static interface, but you act differently in the IPV4 menu. Instead of typing in an IP address and mask, you just specify that this is a DHCP client.\r\n\r\n[caption id=\"attachment_363\" align=\"aligncenter\" width=\"1024\"]\"Enable Figure 1.30: Enable DHCP Client on Ethernet 1\/2[\/caption]\r\n\r\nDon't forget to commit your changes!\r\n\r\nIf all is well after a commit, you will be able to check your DHCP IP address by clicking \"dynamic DHCP client\" in the main network menu.\r\n\r\n[caption id=\"attachment_364\" align=\"aligncenter\" width=\"1024\"]\" Figure 1.31: Dynamic DHCP Client- Receive an IP address from DHCP Server[\/caption]\r\n\r\nHere is an example of that:\r\n\r\n[caption id=\"attachment_152\" align=\"aligncenter\" width=\"1026\"]\"IP Figure 1.32: IP Address of Interface 1\/2[\/caption]\r\n

    Set Up a DHCP Server in Palo Alto<\/h2>\r\nIn the network tab, click on DHCP<\/strong>, then click Add.<\/b>\r\n\r\n[caption id=\"attachment_365\" align=\"aligncenter\" width=\"1024\"]\"Add Figure 1.33: Add a DHCP Server[\/caption]\r\n\r\nFirst, we need to define the interface, I set that to ethernet1\/1 because it is our LAN. Then, I press Add<\/strong> and define a range that fits the network subnet.\r\n\r\n[caption id=\"attachment_366\" align=\"aligncenter\" width=\"1024\"]\"Set Figure 1.34: Set an IP Pools for Interface 1\/1[\/caption]\r\n\r\nAfter that, we need to configure some DHCP options under the options tab. Here we need to define the gateway, (which is usually the interface IP address) subnet mask (which is usually 255.255.255.0), and a DNS server. I just use Google's DNS server as an example.\r\n\r\n[caption id=\"attachment_367\" align=\"aligncenter\" width=\"1024\"]\"Set Figure 1.35: Set a Gateway and a primary DNS[\/caption]\r\n\r\nAgain, remember to commit your changes!\r\n

    Ping Palo Alto from a LAN Device<\/h2>\r\nWhen opening up your webterm for \"Client\", click the bottom left button, then click terminal.\r\n\r\n[caption id=\"attachment_368\" align=\"aligncenter\" width=\"1026\"]\"Open Figure 1.36: Open Terminal in WebTerm1[\/caption]\r\n\r\nType in ip a<\/code><\/span>\u00a0<\/code>or <\/code>ifconfig<\/code><\/span> <\/code>on the terminal. If you see an IP address under eth0, the DHCP Server worked!\r\n\r\n[caption id=\"attachment_369\" align=\"aligncenter\" width=\"1026\"]\"Check Figure 1.37: Check the IP address in Terminal[\/caption]\r\n\r\nNow, let's ping our Palo Alto device. Type in ping 10.0.0.1<\/span><\/code>. If all works out, you should see this:\r\n\r\n[caption id=\"attachment_370\" align=\"aligncenter\" width=\"1026\"]\"Ping Figure 1.38: Ping 10.0.0.1 in the terminal[\/caption]\r\n\r\nThis means that everything so far worked! Press Ctrl+C<\/strong> to stop pinging the Palo Alto device.\r\n

    Security Profile Basics<\/h2>\r\nIn the policies tab, we want to create a new policy. Click on new in the bottom left of the Palo Alto web interface.\r\n\r\n[caption id=\"attachment_371\" align=\"aligncenter\" width=\"1024\"]\"Add Figure 1.39: Add a Security Policy[\/caption]\r\n\r\nUnder the general tab, we just want to give it a name. We will only be working with universal rules.\r\n\r\n[caption id=\"attachment_372\" align=\"aligncenter\" width=\"1026\"]\"Set Figure 1.40: Set a Name for Security Policy[\/caption]\r\n\r\nUnder the source tab, we specify the inside zone (from). In this case, it will be the \"Inside\" zone.\r\n\r\n[caption id=\"attachment_373\" align=\"aligncenter\" width=\"1024\"]\"Set Figure 1.41: Set a Source Zone for Security Policy[\/caption]\r\n\r\nUnder the outside tab (to). Specify the outside zone.\r\n\r\n[caption id=\"attachment_374\" align=\"aligncenter\" width=\"1026\"]\"Set Figure 1.42: Set a Destination Zone for Security Policy[\/caption]\r\n\r\nAfter that, press OK<\/b> to confirm.\r\n

    SNAT (Source NAT: Access the Internet in Palo Alto)<\/h2>\r\nUnder the policies tab, go to NAT, then click Add<\/b>.\r\n\r\n[caption id=\"attachment_375\" align=\"aligncenter\" width=\"1026\"]\"Set Figure 1.43: Set a NAT[\/caption]\r\n\r\nIn this case, we want to translate packets originating from the Inside to go to the outside zone using the interface address of ethernet1\/2. This would be Port Address Translation Overload. Under the general tab, just change the name.\r\n\r\n[caption id=\"attachment_376\" align=\"aligncenter\" width=\"1026\"]\"Set Figure 1.44: Set a Name for NAT[\/caption]\r\n\r\nUnder the original packet tab, click Add<\/strong> then make the source zone inside. As for the destination zone, make it outside.\r\n\r\n[caption id=\"attachment_377\" align=\"aligncenter\" width=\"1024\"]\"Set Figure 1.45: Set a Source Zone and Destination Zone for NAT[\/caption]\r\n\r\nUnder translated packet on source address translation. Specify the translation type as Dynamic IP and port, the address type as interface address, and the interface as ethernet1\/2(The interface in the outside zone) After that, click OK<\/b>.\r\n\r\n[caption id=\"attachment_378\" align=\"aligncenter\" width=\"1026\"]\"Set Figure 1.46: Set a Translated Packet[\/caption]\r\n\r\nDon't forget to commit!\r\n

    Check Internet Connectivity on Webterm<\/h2>\r\nIn webterm, you could test pinging 8.8.8.8 like so:\r\n\r\n[caption id=\"attachment_167\" align=\"aligncenter\" width=\"1026\"]\"Verify Figure 1.47: Verify your configuration[\/caption]\r\n\r\nOr you can try navigating to a website for example https:\/\/something.com.\r\n\r\n[caption id=\"attachment_168\" align=\"aligncenter\" width=\"1026\"]\"Verify Figure 1.48: Verify your connectivity to the Internet[\/caption]\r\n\r\nIf both of these work. You have successfully configured DHCP and SNAT properly!","rendered":"
    \n
    \n

    Learning Objectives<\/p>\n<\/header>\n

    \n
      \n
    • Set up a DHCP server on Palo Alto<\/li>\n
    • Set up zones<\/li>\n
    • Connect clients to the Internet<\/span> with Palo Alto<\/li>\n<\/ul>\n<\/div>\n<\/div>\n
      \n

      Scenario<\/strong>: In this lab, we are going to configure our friend DORA (Discover Offer Request Acknowledge) the hander of addresses. And we’ll also be configuring internet access so that clients may finally browse their precious Internet with SNAT (Source Network Address Translation).<\/p>\n<\/div>\n

      \"main
      Figure 1.21: main scenario<\/figcaption><\/figure>\n\n\n\n\n\n\n
      Table 1.2: Addressing Table<\/caption>\n
      Device<\/th>\nConfiguration<\/th>\n<\/tr>\n
      PaloAlto<\/td>\nmanagement: 192.168.0.1\/24
      \nEthernet1\/1: 10.0.0.1\/24
      \nEthernet1\/2: DHCP<\/td>\n<\/tr>\n
      Client (WebTerm)<\/td>\neth0: DHCP<\/td>\n<\/tr>\n
      Management (WebTerm)<\/td>\neth0: 192.168.0.2\/24<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n\n\n\n\n\n
      Table 1.3: Zone Configuration<\/caption>\n
      Zones<\/th>\nInterfaces<\/th>\n<\/tr>\n
      Inside<\/td>\nEthernet1\/1<\/td>\n<\/tr>\n
      Outside<\/td>\nEthernet1\/2<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

      Create Zones in the Palo Alto Web Interface<\/h2>\n

      Under the network tab, click zones, then add on the bottom left of the screen.<\/p>\n

      \"Creating
      Figure 1.22: Creating zones<\/figcaption><\/figure>\n

      In here, we just change the name and type of zone. For information’s sake. We will only be dealing with (mostly) layer 3 things in Palo Alto for this book. After that, press OK<\/b>. Remember to create Inside and Outside zones (Remember to also commit changes from time to time!)<\/p>\n

      \"Create
      Figure 1.23: Create a zone Inside as a layer3<\/figcaption><\/figure>\n
      \"Create
      Figure 1.24: Create a zone Outside as a layer3<\/figcaption><\/figure>\n

      Set Up a Static Interface IP Address in Palo Alto<\/h2>\n

      Go under the network tab, and click on ethernet1\/1.<\/p>\n

      \"Select
      Figure 1.25: Select Ethernet 1\/1<\/figcaption><\/figure>\n

      The first thing we want to do when configuring an interface is changing the interface type to layer 3, the virtual router to default, and changing the security zone to the desired zone. In this case, we have to change it to inside for ethernet1\/1, and outside for ethernet1\/2.<\/p>\n

      \"Ethernet
      Figure 1.26: Ethernet 1\/1 Configuration<\/figcaption><\/figure>\n

      Now, under the IPv4 tab of the opened window, click on Add<\/b>, then type in the address and prefix of the interface.<\/p>\n

      \"Set
      Figure 1.27: Set an IP address for Ethernet 1\/1<\/figcaption><\/figure>\n

      Ping an Interface in Palo Alto<\/h2>\n

      By default, a Palo Alto interface is not pingable. In a lab environment, checking if pings are working is a good sanity test. Go to the advanced tab, click the drop-down menu next to the management profile, then click New<\/b>.<\/p>\n

      \"Ethernet
      Figure 1.28: Ethernet 1\/1 configuration – Advanced Tab<\/figcaption><\/figure>\n

      Call this whatever you want, but make sure to tick the ping option under networking services. Then press OK<\/b>.<\/p>\n

      \"Enable
      Figure 1.29: Enable Ping under Interface Management Profile<\/figcaption><\/figure>\n

      Enable DHCP on an Interface in Palo Alto<\/h2>\n

      It’s almost the same thing as setting up a static interface, but you act differently in the IPV4 menu. Instead of typing in an IP address and mask, you just specify that this is a DHCP client.<\/p>\n

      \"Enable
      Figure 1.30: Enable DHCP Client on Ethernet 1\/2<\/figcaption><\/figure>\n

      Don’t forget to commit your changes!<\/p>\n

      If all is well after a commit, you will be able to check your DHCP IP address by clicking “dynamic DHCP client” in the main network menu.<\/p>\n

      \"Dynamic
      Figure 1.31: Dynamic DHCP Client- Receive an IP address from DHCP Server<\/figcaption><\/figure>\n

      Here is an example of that:<\/p>\n

      \"IP
      Figure 1.32: IP Address of Interface 1\/2<\/figcaption><\/figure>\n

      Set Up a DHCP Server in Palo Alto<\/h2>\n

      In the network tab, click on DHCP<\/strong>, then click Add.<\/b><\/p>\n

      \"Add
      Figure 1.33: Add a DHCP Server<\/figcaption><\/figure>\n

      First, we need to define the interface, I set that to ethernet1\/1 because it is our LAN. Then, I press Add<\/strong> and define a range that fits the network subnet.<\/p>\n

      \"Set
      Figure 1.34: Set an IP Pools for Interface 1\/1<\/figcaption><\/figure>\n

      After that, we need to configure some DHCP options under the options tab. Here we need to define the gateway, (which is usually the interface IP address) subnet mask (which is usually 255.255.255.0), and a DNS server. I just use Google’s DNS server as an example.<\/p>\n

      \"Set
      Figure 1.35: Set a Gateway and a primary DNS<\/figcaption><\/figure>\n

      Again, remember to commit your changes!<\/p>\n

      Ping Palo Alto from a LAN Device<\/h2>\n

      When opening up your webterm for “Client”, click the bottom left button, then click terminal.<\/p>\n

      \"Open
      Figure 1.36: Open Terminal in WebTerm1<\/figcaption><\/figure>\n

      Type in ip a<\/code><\/span>\u00a0<\/code>or <\/code>ifconfig<\/code><\/span> <\/code>on the terminal. If you see an IP address under eth0, the DHCP Server worked!<\/p>\n

      \"Check
      Figure 1.37: Check the IP address in Terminal<\/figcaption><\/figure>\n

      Now, let’s ping our Palo Alto device. Type in ping 10.0.0.1<\/span><\/code>. If all works out, you should see this:<\/p>\n

      \"Ping
      Figure 1.38: Ping 10.0.0.1 in the terminal<\/figcaption><\/figure>\n

      This means that everything so far worked! Press Ctrl+C<\/strong> to stop pinging the Palo Alto device.<\/p>\n

      Security Profile Basics<\/h2>\n

      In the policies tab, we want to create a new policy. Click on new in the bottom left of the Palo Alto web interface.<\/p>\n

      \"Add
      Figure 1.39: Add a Security Policy<\/figcaption><\/figure>\n

      Under the general tab, we just want to give it a name. We will only be working with universal rules.<\/p>\n

      \"Set
      Figure 1.40: Set a Name for Security Policy<\/figcaption><\/figure>\n

      Under the source tab, we specify the inside zone (from). In this case, it will be the “Inside” zone.<\/p>\n

      \"Set
      Figure 1.41: Set a Source Zone for Security Policy<\/figcaption><\/figure>\n

      Under the outside tab (to). Specify the outside zone.<\/p>\n

      \"Set
      Figure 1.42: Set a Destination Zone for Security Policy<\/figcaption><\/figure>\n

      After that, press OK<\/b> to confirm.<\/p>\n

      SNAT (Source NAT: Access the Internet in Palo Alto)<\/h2>\n

      Under the policies tab, go to NAT, then click Add<\/b>.<\/p>\n

      \"Set
      Figure 1.43: Set a NAT<\/figcaption><\/figure>\n

      In this case, we want to translate packets originating from the Inside to go to the outside zone using the interface address of ethernet1\/2. This would be Port Address Translation Overload. Under the general tab, just change the name.<\/p>\n

      \"Set
      Figure 1.44: Set a Name for NAT<\/figcaption><\/figure>\n

      Under the original packet tab, click Add<\/strong> then make the source zone inside. As for the destination zone, make it outside.<\/p>\n

      \"Set
      Figure 1.45: Set a Source Zone and Destination Zone for NAT<\/figcaption><\/figure>\n

      Under translated packet on source address translation. Specify the translation type as Dynamic IP and port, the address type as interface address, and the interface as ethernet1\/2(The interface in the outside zone) After that, click OK<\/b>.<\/p>\n

      \"Set
      Figure 1.46: Set a Translated Packet<\/figcaption><\/figure>\n

      Don’t forget to commit!<\/p>\n

      Check Internet Connectivity on Webterm<\/h2>\n

      In webterm, you could test pinging 8.8.8.8 like so:<\/p>\n

      \"Verify
      Figure 1.47: Verify your configuration<\/figcaption><\/figure>\n

      Or you can try navigating to a website for example https:\/\/something.com.<\/p>\n

      \"Verify
      Figure 1.48: Verify your connectivity to the Internet<\/figcaption><\/figure>\n

      If both of these work. You have successfully configured DHCP and SNAT properly!<\/p>\n","protected":false},"author":1572,"menu_order":2,"template":"","meta":{"pb_show_title":"on","pb_short_title":"","pb_subtitle":"","pb_authors":[],"pb_section_license":""},"chapter-type":[],"contributor":[],"license":[],"class_list":["post-111","chapter","type-chapter","status-publish","hentry"],"part":3,"_links":{"self":[{"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters\/111","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters"}],"about":[{"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/wp\/v2\/types\/chapter"}],"author":[{"embeddable":true,"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/wp\/v2\/users\/1572"}],"version-history":[{"count":25,"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters\/111\/revisions"}],"predecessor-version":[{"id":1336,"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters\/111\/revisions\/1336"}],"part":[{"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/parts\/3"}],"metadata":[{"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters\/111\/metadata\/"}],"wp:attachment":[{"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/wp\/v2\/media?parent=111"}],"wp:term":[{"taxonomy":"chapter-type","embeddable":true,"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapter-type?post=111"},{"taxonomy":"contributor","embeddable":true,"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/wp\/v2\/contributor?post=111"},{"taxonomy":"license","embeddable":true,"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/wp\/v2\/license?post=111"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}