https://community.checkpoint.com/t5/Firewall-and-Security-Management/CAUTION-when-configuring-DHCP-options/m-p/113534#M15842 <P>Hello community,</P><P>for my first post, I would like to share with you my experience concerning the DHCP option configuration.<BR />According to sk92473, after configuring the range via the Gaia clish (that will automatically populate the /etc/dhcpd.conf file), I manually edited the /etc/dhcpd.conf file in order to add the specific option.<BR />I finally locked the DHCP configuration file (setting the immutable status) in order to avoid configuration override.</P><P>But, some time after I tried to configure a new range, forgotting to unset the "immutable" attribute on this file.<BR />Even if I didn't received any error message from the Gaia clish when setting this new range, we hit an unexpected DHCP daemon behaviour.</P><P>Since the file was "locked", the Gaia daemon was not able to update the /etc/dhcpd.con file.<BR />Moreover, the DHCP daemon unexpectedly stopped to listen on UDP67 on all interfaces) :<BR /><FONT face="courier new,courier">[Expert@GW01:0]# netstat -anu | grep 67</FONT><BR /><FONT face="courier new,courier">udp 0 0 &lt;relay_interface_IP&gt;:67 0.0.0.0:*</FONT><BR /><FONT face="courier new,courier">udp 0 0 255.255.255.255:67 0.0.0.0:*</FONT></P><P>Instead of having the following (before the change) :<BR /><FONT face="courier new,courier">[Expert@GW01:0]# netstat -anu | grep 67</FONT><BR /><FONT face="courier new,courier">udp 0 0 &lt;relay_interface_IP&gt;:67 0.0.0.0:*</FONT><BR /><FONT face="courier new,courier">udp 0 0 255.255.255.255:67 0.0.0.0:*</FONT><BR /><FONT face="courier new,courier" color="#339966">udp 0 0 0.0.0.0:67 0.0.0.0:*</FONT><BR /><FONT face="courier new,courier" color="#339966">udp 0 0 0.0.0.0:67 0.0.0.0:*</FONT><BR /><FONT face="courier new,courier" color="#339966">udp 0 0 0.0.0.0:67 0.0.0.0:*</FONT></P><P>When I remembered I set the immutable attribute, and in order to make it work back correctly, I did the following :<BR />- removed the Gaia DHCP new configuration<BR />- removed the immutable attribute<BR />- disabled the DHCP (using Gaia clish) (at this time I lost the specific option configured manually, the file has been overriden by Gaia mechanism)<BR />- configured the DHCP new range<BR />- added the DHCP option manually again<BR />- set the immutable attribute</P><P>Is there anyone that also met this kind of issue ?<BR />May I ask Checkpoint (as an RFE) to add the option configuration directly in Gaia in order to avoid this misconfiguration issue ?</P><P>Thank you very much,</P><P>Kind regards,</P><P>Greg</P> Mon, 15 Mar 2021 10:25:49 GMT Gregory_Muller 2021-03-15T10:25:49Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/CAUTION-when-configuring-DHCP-options/m-p/113534#M15842 <P>Hello community,</P><P>for my first post, I would like to share with you my experience concerning the DHCP option configuration.<BR />According to sk92473, after configuring the range via the Gaia clish (that will automatically populate the /etc/dhcpd.conf file), I manually edited the /etc/dhcpd.conf file in order to add the specific option.<BR />I finally locked the DHCP configuration file (setting the immutable status) in order to avoid configuration override.</P><P>But, some time after I tried to configure a new range, forgotting to unset the "immutable" attribute on this file.<BR />Even if I didn't received any error message from the Gaia clish when setting this new range, we hit an unexpected DHCP daemon behaviour.</P><P>Since the file was "locked", the Gaia daemon was not able to update the /etc/dhcpd.con file.<BR />Moreover, the DHCP daemon unexpectedly stopped to listen on UDP67 on all interfaces) :<BR /><FONT face="courier new,courier">[Expert@GW01:0]# netstat -anu | grep 67</FONT><BR /><FONT face="courier new,courier">udp 0 0 &lt;relay_interface_IP&gt;:67 0.0.0.0:*</FONT><BR /><FONT face="courier new,courier">udp 0 0 255.255.255.255:67 0.0.0.0:*</FONT></P><P>Instead of having the following (before the change) :<BR /><FONT face="courier new,courier">[Expert@GW01:0]# netstat -anu | grep 67</FONT><BR /><FONT face="courier new,courier">udp 0 0 &lt;relay_interface_IP&gt;:67 0.0.0.0:*</FONT><BR /><FONT face="courier new,courier">udp 0 0 255.255.255.255:67 0.0.0.0:*</FONT><BR /><FONT face="courier new,courier" color="#339966">udp 0 0 0.0.0.0:67 0.0.0.0:*</FONT><BR /><FONT face="courier new,courier" color="#339966">udp 0 0 0.0.0.0:67 0.0.0.0:*</FONT><BR /><FONT face="courier new,courier" color="#339966">udp 0 0 0.0.0.0:67 0.0.0.0:*</FONT></P><P>When I remembered I set the immutable attribute, and in order to make it work back correctly, I did the following :<BR />- removed the Gaia DHCP new configuration<BR />- removed the immutable attribute<BR />- disabled the DHCP (using Gaia clish) (at this time I lost the specific option configured manually, the file has been overriden by Gaia mechanism)<BR />- configured the DHCP new range<BR />- added the DHCP option manually again<BR />- set the immutable attribute</P><P>Is there anyone that also met this kind of issue ?<BR />May I ask Checkpoint (as an RFE) to add the option configuration directly in Gaia in order to avoid this misconfiguration issue ?</P><P>Thank you very much,</P><P>Kind regards,</P><P>Greg</P> Mon, 15 Mar 2021 10:25:49 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/CAUTION-when-configuring-DHCP-options/m-p/113534#M15842 Gregory_Muller 2021-03-15T10:25:49Z