https://community.checkpoint.com/t5/Endpoint/Endpoint-Firewall-Blade/m-p/178150#M6839 <P>Hi CheckMates!<BR /><BR />I've got a question regarding the default policy for the Harmony Endpoint Firewall Blade.<BR />Within the "Inbound Traffic" ruleset, a default rule is one which allows *inbound* UDP on ports 67 and 68, seemingly for purposes of DHCP/BOOTP based IP acquisition.</P><P>Why exactly is this rule necessary? I've spent the morning testing and DHCP seems to work just fine as long as I permit outbound UDP 67 broadcasts.</P><P>If there's something I'm missing regarding DHCP/BOOTP and general FW blade operation please do tell, I just want to avoid keeping things open unless they have to be.</P><P>Thanks!</P> Sat, 15 Apr 2023 16:47:44 GMT Swiftyyyy 2023-04-15T16:47:44Z https://community.checkpoint.com/t5/Endpoint/Endpoint-Firewall-Blade/m-p/178150#M6839 <P>Hi CheckMates!<BR /><BR />I've got a question regarding the default policy for the Harmony Endpoint Firewall Blade.<BR />Within the "Inbound Traffic" ruleset, a default rule is one which allows *inbound* UDP on ports 67 and 68, seemingly for purposes of DHCP/BOOTP based IP acquisition.</P><P>Why exactly is this rule necessary? I've spent the morning testing and DHCP seems to work just fine as long as I permit outbound UDP 67 broadcasts.</P><P>If there's something I'm missing regarding DHCP/BOOTP and general FW blade operation please do tell, I just want to avoid keeping things open unless they have to be.</P><P>Thanks!</P> Sat, 15 Apr 2023 16:47:44 GMT https://community.checkpoint.com/t5/Endpoint/Endpoint-Firewall-Blade/m-p/178150#M6839 Swiftyyyy 2023-04-15T16:47:44Z https://community.checkpoint.com/t5/Endpoint/Endpoint-Firewall-Blade/m-p/178156#M6840 <P>Have you tested both interim renewal and lease expiry workflows in addition to the initial lease acquisition, presume none of the target machines are DHCP servers themselves?</P> Sun, 16 Apr 2023 00:03:41 GMT https://community.checkpoint.com/t5/Endpoint/Endpoint-Firewall-Blade/m-p/178156#M6840 Chris_Atkinson 2023-04-16T00:03:41Z https://community.checkpoint.com/t5/Endpoint/Endpoint-Firewall-Blade/m-p/178159#M6841 <P>The test machine(s) are Windows 10 Pro patched to 22H2, the DHCP server is a Mikrotik hAP series.</P><P>The following workflows work</P><P>1) DHCP IP acquisition while connected to the network during boot/reboot<BR />This one is rather clear as DHCP seems to occur prior to the Firewall service being up</P><P>2) DHCP IP acquisition after fully booting the system and connecting it to the network once on-desktop with CHKP agent services verified to be running</P><P>3) DHCP IP forced re-acquisition through ipconfig /release, ipconfig /renew</P><P>4) Permitting the client to sit idle on desktop, waiting for DHCP lease expiry<BR />In this instance the lease length is periodically extended without issue.</P><P>5) Changing the STATIC DHCP lease IP address on the DHCP server<BR />After a period the IP on the client is automatically retrieved.</P><P>Another thing that comes to mind would be RFC 3203 - DHCP reconfigure extension which would allow the DHCP server to force-expire a DHCP lease by sending a Unicast message to the client. But I'm not sure where this option is actually implemented/supported.</P><P>My Client &amp; Server are also both on the same network; would the workflow differ if a DHCP relay is configured?</P><P>&nbsp;</P> Sun, 16 Apr 2023 04:50:24 GMT https://community.checkpoint.com/t5/Endpoint/Endpoint-Firewall-Blade/m-p/178159#M6841 Swiftyyyy 2023-04-16T04:50:24Z