This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Stefan_Seiler
Participant
‎2018-12-14 08:05 AM

DHCP server configuration on GAIA R80.20

Hi Mates,

I configured two CheckPoint appliances (3200) in a  high availability cluster. I tried to configure a DHCP server on one of the firewalls. On the GAIA everything seems fine but the Firewall doesn't answer any DHCP packages. 

DHCP section of the config:

add dhcp server subnet 10.10.10.48 netmask 28
set dhcp server subnet 10.10.10.48 default-lease 3600
set dhcp server subnet 10.10.10.48 max-lease 7200
set dhcp server subnet 10.10.10.48 domain example.com
set dhcp server subnet 10.10.10.48 dns "10.10.10.4, 10.10.10.5"
set dhcp server subnet 10.10.10.48 default-gateway 10.10.10.49
add dhcp server subnet 10.10.10.48 include-ip-pool start 10.10.10.55 end 10.10.10.58
set dhcp server subnet 10.10.10.48 enable
set dhcp server enable

The Network is on a VLAN interface on a bond. Address spoofing is disabled.

Do you have any tipps?

Thanks for your help!

9 Replies
Kaspars_Zibarts
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2018-12-14 08:11 AM

Have you configured corresponding firewall rules in the policy? And checked logs

Stefan_Seiler
Participant
‎2018-12-15 04:59 AM
In response to Kaspars_Zibarts

I have an any-service allowed rule for the network the hosts are in. But I don't know if it matches the DHCP requests, because it filters the IP addresses.

I checked the logs. The DHCP requests were blocked by the address spoofing. So I turned it off.

Thanks!

0 Kudos
(1)
Maarten_Sjouw
Champion
Champion
‎2018-12-15 10:27 PM
In response to Stefan_Seiler

Check out the SK about using the new DHCP services, it also contains the rules you need.

Regards, Maarten
AlekseiShelepov
Advisor
‎2018-12-16 01:47 AM
In response to Stefan_Seiler

Do not turn antispoofing off, but configure it properly.

Stefan_Seiler
Participant
‎2018-12-17 12:30 AM
In response to AlekseiShelepov

Of course not! I disabled it just temporarily until the installation is finished. Once everything is in the final state I will configure antispoofing correctly.

0 Kudos
ED
Advisor
‎2018-12-16 11:36 PM
In response to Stefan_Seiler

Hi Stefan,

I believe this is your mistake "I have an any-service allowed rule for the network the hosts are in". If you have a rule with Source 10.10.10.48/28 you will not get a match for that rule. The reason is that the first DHCP request will not have an IP-address in 10.10.10.x network. The destination will be 255.255.255.255. 

You can try this:

In SmartConsole open up gateway cluster properties. Network management -> Network interface for 10.10.10.48 -> Topology -> Modify -> Security Zone -> User defined -> Specify Security Zone -> give it a descriptive name for the zone.  (Turn on anti-spoofing also). 

Define a new rule like this:

Source                                 Destination               Services

(Security zone name)            Any                           dchp-request....

Stefan_Seiler
Participant
‎2018-12-17 01:48 AM
In response to ED

Hi Enis,

Thanks for your comprehensive response! It worked perfectly.

But I ran into another problem. I have multiple Gateways in my management domain, but not on all of the gateways the same zones. If I write a rule with a Zone as a source, it gives me an error on policy install that this zone isn't available on all gateways. Do you know a workaround for this or a solution without zones?

Thanks!

- Stefan

0 Kudos
ED
Advisor
‎2018-12-17 02:30 AM
In response to Stefan_Seiler

In your security policy under column "Install on", what do you have there for your rule? Maybe if you specify only the gateway cluster which have the specific zone it will work. 

0 Kudos
Stefan_Seiler
Participant
‎2018-12-17 04:52 AM
In response to ED

Perfect, selected the specific Gateway, now everything works perfectly! Thanks for your assistance!

- Stefan

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events