Configure Palo Alto With Public DHCP

I’m not sure if any of you have tried to configure a Palo Alto firewall, but if you have then you know it’s kind of a pain in the ass.

Just last night I was setting up a PA-200 I’ve had sitting around in a box for a few months and while going through the setup documentation I was just thinking “What the hell is this?”. Granted I do use Palo Alto’s at work but I do basic configurations and maybe some management here and there, I’ve never set one up from scratch.

After reading guide after guide on how to get this set up, both on Palo Alto’s KB and on other sites I found from a quick Google search, I noticed that no one really sets these up assuming your public IPv4 address is handed out via DHCP. I had to piece together bits of several guides to understand exactly what I was doing and how I was going to do it. So I’m going to outline the process you need to go through (at least on PAN-OS 8.1.3) to get this working when your public address is given via DHCP.

1. Configure your zones (Network > Zones)

I have two primary zones configured: trusted and untrusted. These are for the LAN and WAN interfaces respectively. Make sure you create them as Layer3 zones, since the interfaces we’re going to configure are Layer3.

2. Configure your interfaces (Network > Interfaces)

As you may be able to tell from the image below, ethernet1/3 is my LAN and ethernet1/4 is my WAN (ISP). The key here is having ethernet1/4 set to ‘DHCP Client’ under the IPv4 settings of the interface. Make sure the box ‘Automatically create default route pointing to default gateway provided by server’ is checked, otherwise this process won’t work. After you’ve confirmed that, set the virtual router on both interfaces to ‘default’. This will be explained shortly.

3. Configure NAT (Policies > NAT)

We’ll need to make a new NAT policy so our LAN traffic is able to get out to the internet. We want our source zone to be trusted and our destination zone to be untrusted, since those are the zones we used on our LAN and WAN interfaces respectively. For the translated packet, set the type to Dynamic IP and Port, the address type to Interface Address, and the interface to your WAN interface; in my example that interface is ethernet1/4.

4. Configure Security Policy (Policies > Security)

Now that we have our zones, interfaces and main NAT policy configured, we need to create a security rule that allows us out from the LAN side. Create a new rule, set the source zone to trusted and the destination zone to untrusted, then go to the Actions tab and make sure the action is set to Allow. Now go ahead and create that rule; it should look like this.

5. Commit!

Now that we have all of that configured, commit your change by clicking Commit in the top right and then clicking the Commit button. Give it a minute or two and your changes will take effect. You should now have full internet access!
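The same five steps as PAN-OS CLI set commands, added here as an example rather than taken from the post or from Palo Alto’s own documentation. It assumes the interface names from the post, a LAN address of 192.168.1.1/24, and rule names of my choosing; lines starting with # are notes for the reader, not commands.

```text
configure

# 1. Zones (Layer3), one per side
set zone trusted network layer3 ethernet1/3
set zone untrusted network layer3 ethernet1/4

# 2. Interfaces: static LAN address (assumed 192.168.1.1/24), WAN as DHCP client.
#    create-default-route is the CLI form of the 'Automatically create default
#    route pointing to default gateway provided by server' checkbox.
set network interface ethernet ethernet1/3 layer3 ip 192.168.1.1/24
set network interface ethernet ethernet1/4 layer3 dhcp-client enable yes
set network interface ethernet ethernet1/4 layer3 dhcp-client create-default-route yes

# Attach both interfaces to the 'default' virtual router and import them into vsys1
# (the GUI does the import for you). No static route is configured anywhere:
# the DHCP lease supplies the default route.
set network virtual-router default interface [ ethernet1/3 ethernet1/4 ]
set vsys vsys1 import network interface [ ethernet1/3 ethernet1/4 ]

# 3. NAT: translate LAN sources to whatever address ethernet1/4 currently holds,
#    so the rule keeps working when the DHCP lease changes.
set rulebase nat rules lan-to-wan-pat from trusted to untrusted source any destination any service any source-translation dynamic-ip-and-port interface-address interface ethernet1/4

# 4. Security: outbound only. No rule from untrusted to trusted is created, so
#    unsolicited inbound traffic from the ISP side still hits the implicit
#    interzone deny. Logging at session end makes outbound sessions visible
#    under Monitor > Traffic.
set rulebase security rules allow-lan-out from trusted to untrusted source any destination any application any service application-default action allow
set rulebase security rules allow-lan-out log-end yes

# 5. Commit, then check the lease and the learned default route.
commit
exit
show dhcp client state all
show routing route
```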

Now you’re probably wondering, why didn’t we configure the virtual router? That’s the key to all this: we don’t touch it. The setting ‘Automatically create default route pointing to default gateway provided by server’ on the WAN interface takes care of it all for us! We’re now up and running and can play with this as we please. I’ll be making future posts on port forwarding, profile setup and other Palo Alto topics as well, so stay tuned!

P.S. I couldn’t actually get this working on my own, I kept configuring the virtual router. Big shout out to Jeff at Palo Alto Support who helped me with this and figured out that we don’t configure the virtual router when the WAN address is given via DHCP. Thanks Jeff!