https://community.checkpoint.com/t5/Firewall-and-Security-Management/quick-question-about-bootp/m-p/48676#M3605 <P>hi chaps</P> <P>&nbsp;</P> <P>quick question:</P> <P>&nbsp;</P> <P>when you do bootp, you change your "relay-to" IP address and ...</P> <P>do you really have to push FW policy even though you've made already "save config" with immediate effect on Gaia?</P> <P>&nbsp;</P> <P>I found this little bit odd but it turnes out that Install Policy (via SC) is really not needed at all.</P> <P>Just wanted to make sure you've had similar things on your side in a past. Some people claim that whatever you chage via clish/shell or gaia you need to "push" from SC - I strongly disagreed to that knowing that routing require that "push" but dhcp-relay not necessarily.</P> <P>what do you think?</P> Tue, 26 Mar 2019 15:10:46 GMT Jerry 2019-03-26T15:10:46Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/quick-question-about-bootp/m-p/48676#M3605 <P>hi chaps</P> <P>&nbsp;</P> <P>quick question:</P> <P>&nbsp;</P> <P>when you do bootp, you change your "relay-to" IP address and ...</P> <P>do you really have to push FW policy even though you've made already "save config" with immediate effect on Gaia?</P> <P>&nbsp;</P> <P>I found this little bit odd but it turnes out that Install Policy (via SC) is really not needed at all.</P> <P>Just wanted to make sure you've had similar things on your side in a past. Some people claim that whatever you chage via clish/shell or gaia you need to "push" from SC - I strongly disagreed to that knowing that routing require that "push" but dhcp-relay not necessarily.</P> <P>what do you think?</P> Tue, 26 Mar 2019 15:10:46 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/quick-question-about-bootp/m-p/48676#M3605 Jerry 2019-03-26T15:10:46Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/quick-question-about-bootp/m-p/48716#M3606 Certainly for a new bootp/dhcp relay configuration, a policy install makes sense. Changing the "relay to" IP, not 100% sure on that. Tue, 26 Mar 2019 18:04:51 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/quick-question-about-bootp/m-p/48716#M3606 PhoneBoy 2019-03-26T18:04:51Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/quick-question-about-bootp/m-p/48745#M3607 When you setup your policy properly, in DHCP relay youhave a rule allowing the gateway to send the DHCP requests to the DHCP server, so when that server IP changes, the rule changes as well.<BR />So as long as you don have a rule that will allow the traffic anyway, you should indeed push policy with the updated DHCP server. Tue, 26 Mar 2019 19:06:28 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/quick-question-about-bootp/m-p/48745#M3607 Maarten_Sjouw 2019-03-26T19:06:28Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/quick-question-about-bootp/m-p/48750#M3608 <P>In case everything is already allowed within rulebase&nbsp;(new relay-to IP), there is no need to install policy. Tested. Confirmed.</P> <P>The best is to have all DHCP servers in 1 group.</P> <P>In case some new DHCP server is needed, just add the new host (or network) to this particular group and push the policy.<BR />Another case is <STRONG>new VLAN</STRONG> and DHCP on top of this new VLAN. In case you are creating new VLAN together with bootp, policy push is still needed (to fetch Primary Address).</P> Tue, 26 Mar 2019 20:24:32 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/quick-question-about-bootp/m-p/48750#M3608 JozkoMrkvicka 2019-03-26T20:24:32Z