
Legacy DHCP Relay Services

Has anyone ever followed the SK for changing the legacy DHCP Relay services (sk104114)?

I'm curious, if the new services need to be in a new rule not including the old bootp/bootps?

I guess I was under the impression the Kernel change would force the firewall to use the new services, ignoring the old ones.

14 Replies

Re: Legacy DHCP Relay Services

Since R77.20 it is recommended that the new DHCP services be used. New services config is found in sk104114 - Configuration of IPv4 BOOTP/DHCP Relay using new services, legacy in sk98839 - Configuration of IPv4 BOOTP/DHCP Relay using legacy services, so it is easy to compare the two solutions. Additionally, sk41515: How to configure BootP/DHCP Relay on Security Gateway running IPSO / Gaia OS includes Allowing DHCP Relay traffic to cross a VPN tunnel.

What about the SMS kernel change, how should that influence DHCP relaying?

Re: Legacy DHCP Relay Services

What is the main purpose to have those "new" DHCP Relay Services? Just to have 2 services (request, reply) instead of 4?

Kind regards,
Jozko Mrkvicka
0 Kudos

Re: Legacy DHCP Relay Services

Yes, to have a number of services replaced by only two.

Re: Legacy DHCP Relay Services

I've been changing everything over to the new services following an upgrade of several CMAs to R80.10. I like the new way. Makes for a very tidy policy:

Re: Legacy DHCP Relay Services

So I guess it isn't possible to have the new services alongside the old services as you transition?

0 Kudos

Re: Legacy DHCP Relay Services

Yes, you could have both old services and new services in the same policy, and even the same rule. But I don't see the need to do so.

0 Kudos

Re: Legacy DHCP Relay Services

I just tried it, it still wants to use the old bootp and bootps in the rule even though I changed the kernel parameters to fw ctl set int fwx_dhcp_relay_nat 0

0 Kudos
Oliver_Fink
Nickel

Re: Legacy DHCP Relay Services

I do not think that this is a supported solution. sk104114 explicitly states:

In the security policy, new DHCP services and legacy DHCP services are mutually exclusive - only one type can be used.

0 Kudos

Re: Legacy DHCP Relay Services

By the way, exactly this is checked if you are going to migrate from R77.30 to R80.x. This situation with "legacy" vs "new" DHCP services is marked as WARNING, which doesn't stop you from creating the export. There is just a remark that starting from R80.x, the new services were added and should be used instead of Legacy services.

Kind regards,
Jozko Mrkvicka
0 Kudos

Re: Legacy DHCP Relay Services

I was able to export from R77.30 and successfully import into R80.10, but I understood I couldn't go any further until I changed this on all the gateways.

Meaning I couldn't manage the firewalls within R80.10 with the legacy DHCP services.

Is this not the case?

0 Kudos

Re: Legacy DHCP Relay Services

So I guess my big question is this: can R80.10 still manage firewalls that have the Legacy DHCP services?

Is it required to change this on all our gateways and rules before I start managing our R77.30 firewalls with R80.10?

0 Kudos
Admin

Re: Legacy DHCP Relay Services

I don't see why not, especially since the SK that talks about it refers to R80.20: Configuration of IPv4 BOOTP/DHCP Relay using legacy services 

That said, the recommendation is to use the newer services.

0 Kudos

Re: Legacy DHCP Relay Services

Has anyone upgraded from R77.30 to R80.20 with legacy DHCP services left in the policies? Any issues? I too was preparing to switch over to the new services before the upgrade, but I am hoping to avoid this (for now).

Thanks,

Dave

Re: Legacy DHCP Relay Services

I upgraded from 77.30 to R80.10 without issues with legacy DHCP Relay in place... so no problem