Endpoint Firewall Blade
Hi CheckMates!
I've got a question regarding the default policy for the Harmony Endpoint Firewall Blade.
Within the "Inbound Traffic" ruleset, a default rule is one which allows *inbound* UDP on ports 67 and 68, seemingly for purposes of DHCP/BOOTP based IP acquisition.
Why exactly is this rule necessary? I've spent the morning testing and DHCP seems to work just fine as long as I permit outbound UDP 67 broadcasts.
If there's something I'm missing regarding DHCP/BOOTP and general FW blade operation please do tell, I just want to avoid keeping things open unless they have to be.
Thanks!
Labels: Desktop Firewall
Have you tested both interim renewal and lease expiry workflows in addition to the initial lease acquisition? I presume none of the target machines are DHCP servers themselves?
The test machine(s) are Windows 10 Pro patched to 22H2, the DHCP server is a Mikrotik hAP series.
The following workflows work:
1) DHCP IP acquisition while connected to the network during boot/reboot
   This one is rather clear, as DHCP seems to occur prior to the Firewall service being up.
2) DHCP IP acquisition after fully booting the system and connecting it to the network once on-desktop, with CHKP agent services verified to be running
3) DHCP IP forced re-acquisition through ipconfig /release, ipconfig /renew
4) Permitting the client to sit idle on desktop, waiting for DHCP lease expiry
   In this instance the lease length is periodically extended without issue.
5) Changing the STATIC DHCP lease IP address on the DHCP server
   After a period the new IP is automatically retrieved on the client.
Another thing that comes to mind would be RFC 3203 (DHCP reconfigure extension), which would allow the DHCP server to force-expire a DHCP lease by sending a unicast message to the client. But I'm not sure where this option is actually implemented/supported.
My client and server are also both on the same network; would the workflow differ if a DHCP relay is configured?
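The workflows listed in the thread all start with a packet the client sends from UDP 68 to UDP 67, so a stateful outbound rule can admit the server's reply; the RFC 3203 FORCERENEW case is the exception, because the server speaks first. The following is an added example, not code from the thread or from Check Point: it encodes and decodes minimal RFC 2131 messages and runs them through a toy stateful host filter to show which exchanges a single outbound UDP 67 rule covers and which one needs an explicit inbound rule. The filter model (port-pair state with an idle timeout), the addresses (192.168.88.x, a constructed hAP-style subnet) and the transaction IDs are assumptions for illustration; how the Harmony Endpoint blade actually tracks UDP state is not described on the page and would have to be tested on the product.

```python
"""Added example (not from the CheckMates thread or Check Point): DHCP message
encoder/decoder plus a toy stateful host filter. All addresses, XIDs and the
filter semantics are constructed assumptions, not a description of Harmony Endpoint."""
import socket
import struct
from dataclasses import dataclass, field

DHCP_SERVER_PORT = 67   # "bootps": the server listens here
DHCP_CLIENT_PORT = 68   # "bootpc": the client listens here
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
# Option 53 message types: RFC 2132 values plus RFC 3203 FORCERENEW (9)
MSG = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 9: "FORCERENEW"}
CLIENT_MAC = bytes.fromhex("001122334455")   # constructed client hardware address


def build_dhcp(op, xid, msg_type, yiaddr="0.0.0.0", chaddr=CLIENT_MAC):
    """Encode a minimal RFC 2131 message carrying only option 53 (message type)."""
    flags = 0x8000 if op == BOOTREQUEST else 0   # client sets BROADCAST for replies
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        op, 1, 6, 0, xid, 0, flags,
                        b"\0" * 4,                  # ciaddr
                        socket.inet_aton(yiaddr),   # yiaddr: address offered/assigned
                        b"\0" * 4, b"\0" * 4,       # siaddr, giaddr
                        chaddr.ljust(16, b"\0"),    # chaddr
                        b"\0" * 64, b"\0" * 128)    # sname, file
    return fixed + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])


def parse_dhcp(data):
    """Decode op, xid, yiaddr and walk the option list for the message type."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, xid = data[0], struct.unpack("!I", data[4:8])[0]
    yiaddr = socket.inet_ntoa(data[16:20])
    msg_type, i = None, 240
    while i < len(data):
        code = data[i]
        if code == 255:          # END option
            break
        if code == 0:            # PAD option has no length byte
            i += 1
            continue
        length = data[i + 1]
        if code == 53:
            msg_type = data[i + 2]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "type": MSG.get(msg_type, msg_type)}


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class HostFilter:
    """Toy stateful filter (assumption): an outbound rule opens a port-pair flow,
    replies to a tracked flow are admitted, anything else inbound needs an
    inbound rule. Real products key on 5-tuples and age entries out."""
    outbound_ports: set
    inbound_ports: set
    flows: set = field(default_factory=set)

    def send(self, pkt):
        if pkt.dport not in self.outbound_ports:
            return False
        self.flows.add((pkt.sport, pkt.dport))       # remember local/remote ports
        return True

    def receive(self, pkt):
        if (pkt.dport, pkt.sport) in self.flows:      # reply to a flow we opened
            return True
        return pkt.dport in self.inbound_ports        # otherwise an explicit rule is needed

    def expire(self):
        """Model the UDP idle timeout: forget all tracked flows."""
        self.flows.clear()


def simulate(inbound_rule):
    """Run acquisition, T1 renewal and FORCERENEW through the filter; report what got in."""
    fw = HostFilter(outbound_ports={DHCP_SERVER_PORT},
                    inbound_ports={67, 68} if inbound_rule else set())
    server, client = "192.168.88.1", "192.168.88.10"      # constructed addresses
    bcast, unspec, xid = "255.255.255.255", "0.0.0.0", 0x3903F326
    result = {}
    # 1) initial lease: DISCOVER/REQUEST broadcast from 0.0.0.0:68, replies come back to :68
    for t in (1, 3):
        fw.send(Packet(unspec, 68, bcast, 67, build_dhcp(BOOTREQUEST, xid, t)))
    offer = Packet(server, 67, bcast, 68, build_dhcp(BOOTREPLY, xid, 2, client))
    ack = Packet(server, 67, bcast, 68, build_dhcp(BOOTREPLY, xid, 5, client))
    result["acquire"] = fw.receive(offer) and fw.receive(ack)
    # 2) renewal at T1: unicast REQUEST from the leased address, unicast ACK back
    fw.expire()
    fw.send(Packet(client, 68, server, 67, build_dhcp(BOOTREQUEST, xid + 1, 3)))
    result["renew"] = fw.receive(Packet(server, 67, client, 68,
                                        build_dhcp(BOOTREPLY, xid + 1, 5, client)))
    # 3) RFC 3203 FORCERENEW: the server speaks first, so no flow exists to match
    fw.expire()
    force = Packet(server, 67, client, 68, build_dhcp(BOOTREPLY, 0, 9))
    result["forcerenew"] = fw.receive(force)
    result["decoded"] = parse_dhcp(force.payload)["type"]
    return result


if __name__ == "__main__":
    for rule in (False, True):
        print("inbound 67/68 rule present:", rule, simulate(rule))
```

Under this model the initial acquisition and the T1 renewal are admitted by the outbound UDP 67 rule alone, which matches the five workflows reported as working; only the server-initiated FORCERENEW needs the inbound rule. Whether that matters in practice depends on whether the DHCP server and client implement RFC 3203 at all, which the thread leaves open, and on how the real blade ages UDP state.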
