DHCP Client, Relay Agent, Server Configuration

Dynamic Host Configuration Protocol (DHCP) was designed to reduce the demands on network administrators by automatically assigning the TCP/IP settings for the hosts on a network. Instead of requiring administrators to assign, configure, track, and change (when necessary) all the TCP/IP settings for every machine on a network, DHCP does it all automatically. Furthermore, DHCP ensures that duplicate addresses are not used, reassigns unused addresses, and automatically assigns IP addresses appropriate for the subnet on which a host is connected.

Note: While some security devices can act as a DHCP server, DHCP relay agent, or a DHCP client at the same time, you cannot configure more than one DHCP role on a single interface. Note also that some security device models do not support DHCP Server or DHCP Client. For more information, refer to the product specification sheet that shipped with your security device.

The Security Device as a DHCP Client

When acting as a DHCP client, the security device receives an IP address dynamically from a DHCP server for any physical interface in any security zone. If there are multiple interfaces bound to a single security zone, you can configure a DHCP client for each interface as long as each interface is not connected to the same network segment.

If you configure a DHCP client for two interfaces that are connected to the same network segment, the first address assigned by a DHCP server is used. (If the DHCP client receives an address update to the same IP address, IKE is not rekeyed.)

To configure the security device as a DHCP Client

  1. In the WebUI, go to Network, select Interfaces, and then click Edit for the interface you want to set to DHCP Client.

  2. Select Obtain IP using DHCP.

  3. Click OK to save your settings.

  4. Go back to the DHCP Edit page (Network > DHCP > Edit) for the interface you want to set to DHCP Client.

  5. Update DHCP Server: You can select this option if the security device acts both as a DHCP client and a DHCP server simultaneously. Selecting this option enables the security device to transfer the TCP/IP settings learned through its DHCP client module to its default DHCP server module. TCP/IP settings include the IP address of the default gateway and a subnet mask, and IP addresses for any or all of the following servers: DNS (3), WINS (2), NetInfo (2), SMTP (1), POP3 (1), and News (1).

  6. Click Apply to save your settings.

The Security Device as a DHCP Relay Agent

When acting as a Dynamic Host Configuration Protocol (DHCP) relay agent, the security device forwards DHCP requests and assignments between hosts in the Trust zone and a DHCP server in the Untrust zone. The DHCP messages between the security device and the DHCP server can be transmitted in the open or through a VPN tunnel.

You can configure up to three DHCP servers for the DHCP relay agent. The relay agent unicasts an address request from a DHCP client to all configured DHCP servers. The relay agent then forwards all responses from the DHCP server. This allows ScreenOS to support Pre-Boot Execution Environment (PXE) scenarios.

In common PXE cases, at least two DHCP servers serve clients. When the DHCP servers receive a request from a DHCP client, one server (DHCP Server#1, such as MS RIS) provides PXE information and the other (DHCP Server#2) provides DHCP address information to the client; therefore, the security device forwards all DHCP packets to the client.

You can configure the DHCP relay agent on any physical or VLAN interface.

Note: When a security device functions as a DHCP relay agent, its interfaces must be in Route mode. Also, no status reports are generated because the remote DHCP server controls all the IP address allocations.

To configure the security device as a DHCP Relay Agent

  1. Select the DHCP Relay Agent option.

  2. Enter the IP Addresses or Domain Names of the Relay Agent Servers. You can have up to three servers.

  3. Select the Use Untrust Zone Interface as Source IP for VPN option if you want to protect the relayed requests and responses between the security device and the DHCP server by encrypting them and then transmitting them through a VPN tunnel.

  4. Click Apply to save your settings.

The security device supports DHCP relay in different vsys and in all VLAN interfaces.

The Security Device as a DHCP Server

DHCP consists of two components: a protocol for delivering host-specific TCP/IP configuration settings, and a mechanism for allocating IP addresses. When the security device functions as a DHCP server, it provides certain TCP/IP settings to each host when that host starts up.

WINS servers (2): A Windows® Internet Naming Service (WINS) server maps a NetBIOS name used in a Windows NT network environment to an IP address used on an IP-based network.

NetInfo Server (2): NetInfo® is an Apple® network service used for the distribution of administrative data within a LAN.

NetInfo Tag (1): The identifying tag used by the Apple NetInfo database.

DNS servers (3): A Domain Name System (DNS) server maps a uniform resource locator (URL) to an IP address.

SMTP server (1): A Simple Mail Transfer Protocol (SMTP) server delivers SMTP messages to a mail server, such as a POP3 server, which stores the incoming mail.

POP3 server (1): A Post Office Protocol version 3 (POP3) server stores incoming mail. A POP3 server must work conjointly with an SMTP server.

News server (1): A news server receives and stores postings for news groups.

Domain Name: Enter the registered domain name of the network.

Note: If a DHCP client to which the security device is passing the above parameters has a specified IP address, that address overrides all the dynamic information received from the DHCP server.

To configure the security device as a DHCP Server

  1. Select the DHCP Server option.

If the security device is acting as a DHCP client and a DHCP server, you can enable it to forward TCP/IP settings received by the DHCP client module to the DHCP server module. The DHCP server module in turn forwards those settings to its DHCP clients. Note that any TCP/IP settings that the DHCP server module receives in this manner are overridden by other settings that you configure in the DHCP server module.

  2. Enter the necessary information:

Server Mode: ScreenOS can check for the presence of an existing DHCP server on the network before starting the DHCP server on the security device.

Auto (Probing):  Select this option to cause ScreenOS to check to see if there is an existing DHCP server on the network. If there is an existing DHCP server on the network, the DHCP server on the security device is disabled. If a DHCP server does not exist on the network, the DHCP server on the security device is enabled. 

Enable:  Select this option to have the DHCP server on the security device always start. ScreenOS does not check to see if there is an existing DHCP server on the network.

Disable:  Select this option to have the DHCP server on the security device never start.

Lease: An IP address supplied by the DHCP server is either Unlimited or leased for a limited period of time. If the lease is limited, you must specify the limitation in days, hours, and minutes. 

days:  Enter the number of days before the IP address expires. 

hours:  Enter the number of hours before the IP address expires. 

minutes:  Enter the number of minutes before the IP address expires.

Update: Enable this option if you want to update the security device with information from upstream DHCP clients.

If a DHCP client service is bound to an interface on the security device, the DHCP client can get its own IP address, gateway, DNS information, and so on. The pull-down menu lists the interfaces configured as DHCP clients; if you choose an interface, the public information obtained through that interface's DHCP client is used for the DHCP server. For example, the DHCP server's DNS value can be taken from the DHCP client.

Gateway: Enter the IP address of the default gateway used by clients.

Netmask: Enter the netmask of the default gateway of the router, if there is one, that connects the protected network to the Trust zone interface.

DNS#1: Enter the IP address of a primary Domain Name System (DNS) server.

WINS#1: Enter the IP address of a primary Windows Internet Naming Service (WINS) server.

Next Server IP: Select one of the following options to define the siaddr field in the DHCP header. The siaddr defines the IP address of the next server to use in Bootstrap.

None: siaddr = 0.0.0.0 (default)

From Interface: siaddr = the IP interface bound to the DHCP server

From Option66: siaddr = option66 IP (identifies the TFTP server for supporting PXE devices). Typically, a Pre-Boot Execution Environment (PXE) server provides a boot-image server for diskless PXE clients (diskless PC machines). When a PXE client powers on, it sends out a broadcast DHCP-DISCOVER (a kind of REQUEST), which means that the client wants an IP address and a boot-image path. In most cases, two kinds of servers serve PXE: a PXE server (such as a Microsoft RIS server) and a DHCP server.

In common PXE cases, at least two DHCP servers serve clients. When the DHCP servers receive a request from the DHCP client, one server (DHCP Server#1, such as MS RIS) provides PXE information and the other (DHCP Server#2) provides DHCP address information to the client. In the process, the security device forwards all DHCP packets to the client.

From Input: siaddr = custom IP address

  3. Click Apply to save your settings.
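The "Next Server IP" choices above decide what the DHCP server writes into the siaddr field of the fixed DHCP header; the following added example (written for this page, not ScreenOS code) parses the options area of a constructed PXE-style offer, resolves each of the four modes to a siaddr value, and writes it into the header. The fallback to 0.0.0.0 when option 66 is missing or not an IPv4 literal is an assumption of this example, not documented ScreenOS behaviour.

```python
import ipaddress
import socket

# Fixed DHCP header layout: op, htype, hlen, hops (4), xid (4), secs (2),
# flags (2), ciaddr (4), yiaddr (4) -> siaddr begins at byte offset 20.
SIADDR_OFFSET = 20

def parse_options(raw: bytes) -> dict:
    """Parse the DHCP options area (after the magic cookie) into {code: value}.
    Handles pad (0) and end (255); stops on a truncated option instead of raising."""
    opts = {}
    i = 0
    while i < len(raw):
        code = raw[i]
        if code == 0:            # pad byte
            i += 1
            continue
        if code == 255:          # end marker
            break
        if i + 1 >= len(raw):    # length byte missing: truncated
            break
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) < length:  # value cut short: truncated
            break
        opts[code] = value
        i += 2 + length
    return opts

def choose_siaddr(mode, options, interface_ip="0.0.0.0", custom_ip="0.0.0.0"):
    """Resolve the WebUI "Next Server IP" mode (none / interface / option66 / input)
    to the dotted address that goes into siaddr."""
    if mode == "none":
        return "0.0.0.0"
    if mode == "interface":
        return interface_ip
    if mode == "input":
        return custom_ip
    if mode == "option66":
        try:  # option 66 is a text field; accept only an IPv4 literal here
            return str(ipaddress.IPv4Address(options.get(66, b"").decode("ascii")))
        except ValueError:
            return "0.0.0.0"  # assumption: no usable IP literal, leave siaddr unset
    raise ValueError(f"unknown mode {mode!r}")

def set_siaddr(header: bytes, ip: str) -> bytes:
    """Return a copy of the 236-byte fixed DHCP header with siaddr replaced."""
    return header[:SIADDR_OFFSET] + socket.inet_aton(ip) + header[SIADDR_OFFSET + 4:]

# Constructed sample (not a capture): blank fixed header plus option 66
# (TFTP server name) and option 67 (boot file name) as a PXE offer carries them.
SAMPLE_HEADER = bytes(236)
SAMPLE_OPTIONS = (bytes([66, 10]) + b"192.0.2.10"
                  + bytes([67, 11]) + b"pxeboot.bin" + bytes([255]))
```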

Four options appear below the DHCP Server configuration box—Advanced Options, Addresses, Status Report, and Custom Options.

Click Advanced Options to open the DHCP Advanced Options Configuration page. For information on how to configure advanced options, see the DHCP Advanced Options Configuration page.

Click Addresses to open the DHCP Server Address List page. For information on how to add an address or an address range, see the DHCP Server Address Allocation page.

Click Status Report to view the status of the DHCP address binding. For more information, see DHCP Status Report.

Click Custom Options to open the Custom Options List page. For more information, see Custom Options List page.