Palo Alto Networks · Firewalls

Configuring a DHCP WAN Interface

PAN-OS 11.1 · Ethernet Interface · ISP DHCP · CLI & GUI

🔍 Overview

By configuring the WAN interface to communicate with your ISP via DHCP, the firewall can automatically receive its public IP address, default gateway, and DNS information.

I originally set out to stop paying for static IP addresses at my house because they were expensive and, in my case, completely unnecessary. When I first made the switch, it was surprisingly tricky. I will blame my ISP here and not any naivety on my part.

In my environment, I also have a VPN portal that my family uses regularly to access my server. Because of that, I set up a Raspberry Pi to handle Dynamic DNS updates with my domain provider every five minutes. That way, if my public IP address changes, I can still reliably reach my VPN portal without having to play "guess the new IP address," while keeping downtime to an acceptable minimum.

💡 Side Note: All of these steps were done on PAN-OS version 11.1.13. If you're running a different version, the steps may vary a bit.

✅ Prerequisites

  • Know the limitations of your ISP. Will they distribute more than one public IP address? Do you need to contact them because your MAC address will change when switching out their equipment?
  • Know which interface is your WAN port (e.g. ethernet1/8)
  • Interface must be assigned to a zone, typically untrust (I use WAN)
  • Local admin access to the firewall (GUI or SSH)
  • PAN-OS 11.1 or later (steps are similar across versions but also painfully different)

⚙️ Configuration

Step 1 — Assign the interface to a Virtual Router and Zone

  1. Navigate to Network → Interfaces → Ethernet
  2. Click on your WAN interface (e.g. ethernet1/8)
  3. Set Interface Type to Layer3
  4. Under the Config tab, assign Virtual Router to default and Security Zone to your WAN zone (e.g. WAN or untrust)
  5. Click OK

set network interface ethernet ethernet1/8 layer3 dhcp-client enable yes
set zone WAN network layer3 ethernet1/8
set network virtual-router default interface ethernet1/8

[Screenshot: Step 1, Network → Interfaces → Ethernet → Config tab, assign Virtual Router and Zone]

Step 2 — Configure the interface as a DHCP client

  1. On the interface config page, click the IPv4 tab
  2. Set Type to DHCP Client
  3. Check Automatically create default route pointing to default gateway provided by server
  4. Optionally set a Default Route Metric (useful for dual-WAN setups)
  5. Click OK then Commit

set network interface ethernet ethernet1/8 layer3 dhcp-client enable yes
set network interface ethernet ethernet1/8 layer3 dhcp-client create-default-route yes
set network interface ethernet ethernet1/8 layer3 dhcp-client default-route-metric 10
commit

💡 The default-route-metric is optional. Lower value = higher priority. Useful if you have two WAN links.

[Screenshot: Step 2, Interface IPv4 tab, set Type to DHCP Client and enable default route creation]

📊 Verification

After committing, verify the firewall received a DHCP lease from the ISP.

Check DHCP client status

  1. Go to Network → Interfaces → Ethernet
  2. The interface should show a green dot and an IP address in the IP Address column
  3. Go to Dashboard → Widgets → Interface to see the assigned IP, gateway, and DNS

# Check DHCP lease info
show dhcp client state interface ethernet1/8

# Check interface IP
show interface ethernet1/8

# Check routing table for default route
show routing route type unicast destination 0.0.0.0/0

# Ping the ISP gateway (source must be the interface's IP address)
ping source <dhcp-assigned-ip> host <gateway-ip>

Expected output

Interface:    ethernet1/8
State:        client
IP:           x.x.x.x/xx
Gateway:      x.x.x.1
DNS:          8.8.8.8, 8.8.4.4
Lease:        Bound
Lease Expiry: xx days xx hours
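
The check below is an added example, not part of the original post: it parses lease output in the layout shown under Expected output and flags a lease that is not Bound, an address in a private or CGNAT range (which would leave the VPN portal unreachable from outside), or a gateway outside the assigned subnet. The function names and sample values are constructed for illustration; the field labels are the ones in the output above.

```python
import ipaddress
import re

# Added example. Ranges not reachable from the internet: RFC 1918, CGNAT (RFC 6598), link-local.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", "169.254.0.0/16")]

def parse_lease(text):
    """Turn 'Key:   value' lines into a dict keyed by lower-cased field name."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?):\s*(.+?)\s*$", line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    return fields

def check_lease(text):
    """Return a list of problems found in the lease output; empty means healthy."""
    f = parse_lease(text)
    problems = []
    if f.get("lease", "").lower() != "bound":
        problems.append("lease is not Bound")
    try:
        iface = ipaddress.ip_interface(f.get("ip", ""))
    except ValueError:
        return problems + ["no valid IP address assigned"]
    if any(iface.ip in net for net in NON_PUBLIC):
        problems.append(f"{iface.ip} is private/CGNAT: inbound VPN will not reach it")
    try:
        gw = ipaddress.ip_address(f.get("gateway", ""))
        if gw not in iface.network:
            problems.append(f"gateway {gw} is outside {iface.network}")
    except ValueError:
        problems.append("no valid gateway")
    return problems

# Constructed samples in the page's layout (203.0.113.0/24 is a documentation range).
GOOD = """Interface:    ethernet1/8
State:        client
IP:           203.0.113.25/24
Gateway:      203.0.113.1
DNS:          8.8.8.8, 8.8.4.4
Lease:        Bound
Lease Expiry: 6 days 23 hours"""
CGNAT = GOOD.replace("203.0.113.25/24", "100.72.14.9/22").replace("203.0.113.1", "100.72.12.1")

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("cgnat", CGNAT)):
        print(name, check_lease(sample) or "OK")
```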

🔧 Troubleshooting

No IP address assigned

  • Check physical link — show interface ethernet1/8 should show up/up
  • Verify the ISP modem/ONT is online and passing DHCP
  • Try releasing and renewing the lease

request dhcp client renew interface ethernet1/8

IP assigned but no internet

  • Confirm default route was created: show routing route
  • Check NAT policy — outbound traffic from trust to untrust needs a source NAT rule
  • Check security policy — verify traffic is allowed from trust to untrust

# Ping from dataplane
ping source <dhcp-assigned-ip> host 8.8.8.8

# Review the running NAT rules
show running nat-policy

DHCP lease keeps dropping

  • Check for link flapping: show interface ethernet1/8 — look at input/output errors
  • Check ISP modem logs for disconnects
  • Verify no duplicate MAC address on the ISP network

show counter interface ethernet1/8
show log system direction equal forward | match dhcp

⚠️ Common gotcha: If you previously had a static IP on this interface, make sure to remove it before switching to DHCP. Having both configured will cause issues.

Useful debug commands

debug dhcp client on
show dhcp client statistics interface ethernet1/8
debug dhcp client off