Stefan_Seiler
Participant

DHCP server configuration on GAIA R80.20

Hi Mates,

I configured two Check Point appliances (3200) in a high availability cluster. I tried to configure a DHCP server on one of the firewalls. In Gaia everything seems fine, but the firewall doesn't answer any DHCP packets.

DHCP section of the config:

add dhcp server subnet 10.10.10.48 netmask 28
set dhcp server subnet 10.10.10.48 default-lease 3600
set dhcp server subnet 10.10.10.48 max-lease 7200
set dhcp server subnet 10.10.10.48 domain example.com
set dhcp server subnet 10.10.10.48 dns "10.10.10.4, 10.10.10.5"
set dhcp server subnet 10.10.10.48 default-gateway 10.10.10.49
add dhcp server subnet 10.10.10.48 include-ip-pool start 10.10.10.55 end 10.10.10.58
set dhcp server subnet 10.10.10.48 enable
set dhcp server enable

The network is on a VLAN interface on a bond. Address spoofing is disabled.

Do you have any tips?

Thanks for your help!

9 Replies
Kaspars_Zibarts
Employee

Have you configured corresponding firewall rules in the policy? And have you checked the logs?

Stefan_Seiler
Participant

I have an any-service allowed rule for the network the hosts are in. But I don't know if it matches the DHCP requests, because it filters the IP addresses.

I checked the logs. The DHCP requests were blocked by the address spoofing. So I turned it off.

Thanks!

Maarten_Sjouw
Champion

Check out the SK about using the new DHCP services; it also contains the rules you need.

Regards, Maarten
AlekseiShelepov
Advisor

Do not turn antispoofing off, but configure it properly.

Stefan_Seiler
Participant

Of course not! I disabled it just temporarily until the installation is finished. Once everything is in the final state I will configure antispoofing correctly.

ED
Advisor

Hi Stefan,

I believe this is your mistake: "I have an any-service allowed rule for the network the hosts are in". If you have a rule with Source 10.10.10.48/28, you will not get a match for that rule. The reason is that the first DHCP request will not have an IP address in the 10.10.10.x network. The destination will be 255.255.255.255.

You can try this:

In SmartConsole open up gateway cluster properties. Network management -> Network interface for 10.10.10.48 -> Topology -> Modify -> Security Zone -> User defined -> Specify Security Zone -> give it a descriptive name for the zone.  (Turn on anti-spoofing also). 

Define a new rule like this:

Source                  Destination    Services
(Security zone name)    Any            dhcp-request...

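The two failures Stefan hit, in order, were (1) anti-spoofing dropping the DHCP DISCOVER because its source 0.0.0.0 is not inside the interface topology, and (2) after anti-spoofing was disabled, the any-service rule with Source 10.10.10.48/28 still not matching, for the same reason. The toy model below is an added example (not code from the thread or from Check Point) that reproduces both outcomes on a constructed DISCOVER and a constructed unicast renewal, and shows why a zone-based source with the dhcp-request service does match. The packet fields, rule objects, the zone name "DHCP-LAN" and the simplified anti-spoofing check are all assumptions for illustration; the real gateway has DHCP-aware handling for the new DHCP services (the SK Maarten refers to), which this model does not reproduce.

```python
"""Toy model of why 'Source = 10.10.10.48/28' never matches a DHCP DISCOVER.

Added example, not Check Point code. Two checks are modelled:
  1. anti-spoofing (simplified): the source IP must be inside the
     ingress interface's topology network;
  2. rule base: the first rule whose source, destination and service
     all match wins; no match falls through to the cleanup drop.
All packets, rules and the zone name below are constructed for this demo.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Iterable, Optional, Union

LAN = IPv4Network("10.10.10.48/28")          # the OP's DHCP subnet
BROADCAST = IPv4Address("255.255.255.255")
DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 67, 68


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str
    sport: int
    dport: int
    in_zone: str        # security zone of the ingress interface (assumed label)


@dataclass(frozen=True)
class Rule:
    name: str
    src: Union[IPv4Network, str]    # an IPv4Network, a zone name, or "any"
    dst: Union[IPv4Network, str]    # an IPv4Network or "any"
    service: str                    # "any" or "dhcp-request"
    action: str


def is_dhcp_request(pkt: Packet) -> bool:
    """UDP 68 -> 67 is the client-to-server direction (DISCOVER/REQUEST)."""
    return (pkt.proto == "udp"
            and pkt.sport == DHCP_CLIENT_PORT
            and pkt.dport == DHCP_SERVER_PORT)


def match_source(selector, pkt: Packet) -> bool:
    if selector == "any":
        return True
    if isinstance(selector, str):           # zone name: matched on the
        return selector == pkt.in_zone      # ingress interface, not the IP
    return pkt.src in selector              # network object: matched on the IP


def match_destination(selector, pkt: Packet) -> bool:
    return selector == "any" or pkt.dst in selector


def match_service(selector: str, pkt: Packet) -> bool:
    return selector == "any" or (selector == "dhcp-request" and is_dhcp_request(pkt))


def first_match(pkt: Packet, rules: Iterable[Rule]) -> Optional[Rule]:
    for r in rules:
        if (match_source(r.src, pkt) and match_destination(r.dst, pkt)
                and match_service(r.service, pkt)):
            return r
    return None


def evaluate(pkt: Packet, rules: Iterable[Rule],
             topology: IPv4Network = LAN, antispoofing: bool = True) -> str:
    """Return 'drop:anti-spoofing', 'accept:<rule name>' or 'drop:cleanup'.

    The anti-spoofing check here is the naive topology test only; it is what
    makes 0.0.0.0 look spoofed on an interface whose topology is 10.10.10.48/28.
    """
    if antispoofing and pkt.src not in topology:
        return "drop:anti-spoofing"
    rule = first_match(pkt, rules)
    return f"accept:{rule.name}" if rule else "drop:cleanup"


# Constructed sample traffic: a fresh DISCOVER (no address yet) and a later
# unicast REQUEST from a client renewing the lease it already holds.
DISCOVER = Packet(IPv4Address("0.0.0.0"), BROADCAST, "udp", 68, 67, "DHCP-LAN")
RENEW = Packet(IPv4Address("10.10.10.55"), IPv4Address("10.10.10.49"),
               "udp", 68, 67, "DHCP-LAN")

# The OP's original rule versus the zone-based rule suggested in the thread.
SUBNET_RULE = Rule("LAN any-service", LAN, "any", "any", "accept")
ZONE_RULE = Rule("DHCP from LAN zone", "DHCP-LAN", "any", "dhcp-request", "accept")

if __name__ == "__main__":
    print(evaluate(DISCOVER, [SUBNET_RULE]))                      # anti-spoofing drop
    print(evaluate(DISCOVER, [SUBNET_RULE], antispoofing=False))  # cleanup drop: 0.0.0.0 not in subnet
    print(evaluate(DISCOVER, [ZONE_RULE], antispoofing=False))    # accepted via zone + dhcp-request
    print(evaluate(RENEW, [SUBNET_RULE]))                         # renewal does match the subnet rule
```

The renewal case is why a subnet-sourced rule can look like it "works" in testing: clients that already hold a lease unicast their REQUEST from an in-subnet address, so only first-time clients and clients whose lease has expired are affected.
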
Stefan_Seiler
Participant

Hi Enis,

Thanks for your comprehensive response! It worked perfectly.

But I ran into another problem. I have multiple gateways in my management domain, but not all of them have the same zones. If I write a rule with a zone as a source, it gives me an error on policy install that this zone isn't available on all gateways. Do you know a workaround for this, or a solution without zones?

Thanks!

- Stefan

ED
Advisor

In your security policy, under the "Install on" column, what do you have there for your rule? Maybe if you specify only the gateway cluster that has the specific zone, it will work.

Stefan_Seiler
Participant

Perfect, I selected the specific gateway and now everything works perfectly! Thanks for your assistance!

- Stefan
