DHCP server configuration on GAIA R80.20

Hi Mates,

I configured two CheckPoint appliances (3200) in a high availability cluster. I tried to configure a DHCP server on one of the firewalls. On the GAIA everything seems fine but the Firewall doesn't answer any DHCP packages.

DHCP section of the config:

add dhcp server subnet 10.10.10.48 netmask 28
set dhcp server subnet 10.10.10.48 default-lease 3600
set dhcp server subnet 10.10.10.48 max-lease 7200
set dhcp server subnet 10.10.10.48 domain example.com
set dhcp server subnet 10.10.10.48 dns "10.10.10.4, 10.10.10.5"
set dhcp server subnet 10.10.10.48 default-gateway 10.10.10.49
add dhcp server subnet 10.10.10.48 include-ip-pool start 10.10.10.55 end 10.10.10.58
set dhcp server subnet 10.10.10.48 enable
set dhcp server enable

The Network is on a VLAN interface on a bond. Address spoofing is disabled.

Do you have any tips?

Thanks for your help!

9 Replies

Re: DHCP server configuration on GAIA R80.20

Have you configured corresponding firewall rules in the policy? And checked the logs?

Re: DHCP server configuration on GAIA R80.20

I have an any-service allowed rule for the network the hosts are in. But I don't know if it matches the DHCP requests, because it filters the IP addresses.

I checked the logs. The DHCP requests were blocked by the address spoofing. So I turned it off.

Thanks!

0 Kudos
Maarten_Sjouw
Platinum

Re: DHCP server configuration on GAIA R80.20

Check out the SK about using the new DHCP services, it also contains the rules you need.

Regards, Maarten

Re: DHCP server configuration on GAIA R80.20

Do not turn antispoofing off, but configure it properly.

Re: DHCP server configuration on GAIA R80.20

Of course not! I disabled it just temporarily until the installation is finished. Once everything is in the final state I will configure antispoofing correctly.

0 Kudos
ED
Silver

Re: DHCP server configuration on GAIA R80.20

Hi Stefan,

I believe this is your mistake: "I have an any-service allowed rule for the network the hosts are in". If you have a rule with Source 10.10.10.48/28 you will not get a match for that rule. The reason is that the first DHCP request will not have an IP address in the 10.10.10.x network. The destination will be 255.255.255.255.

You can try this:

In SmartConsole open up gateway cluster properties. Network management -> Network interface for 10.10.10.48 -> Topology -> Modify -> Security Zone -> User defined -> Specify Security Zone -> give it a descriptive name for the zone. (Turn on anti-spoofing also).

Define a new rule like this:

Source                  Destination   Services
(Security zone name)    Any           dhcp-request....
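
The matching problem described in the reply above, as an added example that is not part of the original post and is not Check Point's matching engine: a simplified first-match rule model evaluated against constructed DHCP client packets. The interface name bond1.48, the zone name DHCP_Clients, the rule names and the use of 10.10.10.49 as the DHCP server address are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    name: str
    in_iface: str          # interface the packet arrived on
    src: str
    dst: str
    dport: int

@dataclass
class Rule:
    name: str
    source: str            # CIDR network or "zone:<name>"
    dport: Optional[int]   # None means any service

# Assumed binding of the VLAN interface to a user-defined zone (hypothetical names).
ZONE_OF_IFACE = {"bond1.48": "DHCP_Clients"}

def source_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.source.startswith("zone:"):
        # A zone is tied to the incoming interface, not to the source address.
        return ZONE_OF_IFACE.get(pkt.in_iface) == rule.source[len("zone:"):]
    return ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.source)

def first_match(rules, pkt: Packet) -> str:
    for rule in rules:
        if rule.dport in (None, pkt.dport) and source_matches(rule, pkt):
            return rule.name
    return "drop"

# Constructed packets with RFC 2131 addressing; 10.10.10.49 as server is an assumption.
PACKETS = [
    Packet("DISCOVER", "bond1.48", "0.0.0.0", "255.255.255.255", 67),
    Packet("REQUEST", "bond1.48", "0.0.0.0", "255.255.255.255", 67),
    Packet("RENEW", "bond1.48", "10.10.10.55", "10.10.10.49", 67),
]
SUBNET_RULES = [Rule("any-service-by-subnet", "10.10.10.48/28", None)]
ZONE_RULES = [Rule("dhcp-by-zone", "zone:DHCP_Clients", 67)]

def evaluate(rules) -> dict:
    return {p.name: first_match(rules, p) for p in PACKETS}

if __name__ == "__main__":
    for label, rules in (("subnet", SUBNET_RULES), ("zone", ZONE_RULES)):
        print(label, evaluate(rules))
```

Only the renewal, sent from an already leased address, matches the subnet-sourced rule; the initial broadcasts from 0.0.0.0 fall through to the drop, while the zone-sourced rule matches all three.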

Re: DHCP server configuration on GAIA R80.20

Hi Enis,

Thanks for your comprehensive response! It worked perfectly.

But I ran into another problem. I have multiple Gateways in my management domain, but not all of the gateways have the same zones. If I write a rule with a Zone as a source, it gives me an error on policy install that this zone isn't available on all gateways. Do you know a workaround for this or a solution without zones?

Thanks!

- Stefan

0 Kudos
ED
Silver

Re: DHCP server configuration on GAIA R80.20

In your security policy under column "Install on", what do you have there for your rule? Maybe if you specify only the gateway cluster which has the specific zone it will work.

0 Kudos

Re: DHCP server configuration on GAIA R80.20

Perfect, selected the specific Gateway, now everything works perfectly! Thanks for your assistance!

- Stefan

0 Kudos