topic Re: DHCP rant in Firewall and Security Management

DHCP rant

Viktor_Steinman — Thu, 18 Jan 2018 07:35:24 GMT

So I upgraded some 5xxx appliances from R77.30 to R80.10 using CPUSE. I didn't read the upgrade instructions, like I did in the old days with IPSO. Partially because Check Point makes it very easy to upgrade with CPUSE, partially because I did not expect the thing to happen, that happened to my DHCP configuration.

You see - as soon as you need any DHCP Option other than DNS, Router or Domain, you're forced to manually craft your own little dhcpd.conf.

During the automated upgrade, this dhcpd.conf is overwritten and the original state is lost, ignoring the fact, that you have set this file to immutable (chattr +i) before.

We're in 2018. Free and open source firewalls such as pfSense have a GUI which allows the creation of custom DHCP options for more than 10 years now. But Check Point? Buy some crazy snake oil threat prevention thingy! New and shiny! Software Blades! Woooop! But a simple thing, such as custom DHCP options? Rocket science.

Sorry for the rant. I had to.

And no worries: I had a backup of the dhcpd.conf.

Re: DHCP rant

Kaspars_Zibarts — Thu, 18 Jan 2018 08:12:07 GMT

Hahaha, you made me laugh but point is valid 100%! Can't agree more

Re: DHCP rant

PhoneBoy — Fri, 19 Jan 2018 23:32:23 GMT

Files you modify outside of Gaia/WebUI may not be preserved on an upgrade.

What things were you adding to your dhcpd.conf?

Re: DHCP rant

Viktor_Steinman — Sat, 20 Jan 2018 08:32:26 GMT

Files that are set to +i (immutable) should not be overwritten or at least automatically backed up by an upgrade process.

Options we use include 186 (WYSE WDM Server), 043, 066 120, 160 (all needed for Skype for Business with Hardware phones by Polycom).