Legacy DHCP Relay Services
Has anyone ever followed the SK for changing the legacy DHCP Relay services (sk104114)?
I'm curious, if the new services need to be in a new rule not including the old bootp/bootps?
I guess I was under the impression the Kernel change would force the firewall to use the new services, ignoring the old ones.
Since R77.20 it is recommended that the new DHCP services be used. New services config is found in sk104114 - Configuration of IPv4 BOOTP/DHCP Relay using new services, legacy in sk98839 - Configuration of IPv4 BOOTP/DHCP Relay using legacy services, so it is easy to compare the two solutions. Additionally, sk41515: How to configure BootP/DHCP Relay on Security Gateway running IPSO / Gaia OS includes Allowing DHCP Relay traffic to cross a VPN tunnel.
What about the SMS kernel change, how should that influence DHCP relaying?
What is the main purpose of having those "new" DHCP Relay Services? Just to have 2 services (request, reply) instead of 4?
Jozko Mrkvicka
Yes, to have a number of services replaced by only two.
I've been changing everything over to the new services following an upgrade of several CMAs to R80.10. I like the new way. Makes for a very tidy policy:
So I guess it isn't possible to have the new services alongside the old services as you transition?
Yes, you could have both old services and new services in the same policy, and even the same rule. But I don't see the need to do so.
I just tried it; it still wants to use the old bootp and bootps in the rule even though I changed the kernel parameters to fw ctl set int fwx_dhcp_relay_nat 0
I do not think that this is a supported solution. sk104114 explicitly states:
In the security policy, new DHCP services and legacy DHCP services are mutually exclusive - only one type can be used.
By the way, exactly this is checked if you are going to migrate from R77.30 to R80.x. This situation with "legacy" vs "new" DHCP services is marked as WARNING, which doesn't stop you from creating the export. There is just a remark that starting from R80.x, the new services were added and should be used instead of Legacy services.
Jozko Mrkvicka
I was able to export from R77.30 and successfully import into R80.10, but I understood I couldn't go any further until I changed this on all the gateways, meaning I couldn't manage the firewalls within R80.10 with the legacy DHCP services.
Is this not the case?
So I guess my big question is this: can R80.10 still manage firewalls that have the Legacy DHCP services?
Is it required to change this on all our gateways and rules before I start managing our R77.30 firewalls with R80.10?
I don't see why not, especially since the SK that talks about it refers to R80.20: Configuration of IPv4 BOOTP/DHCP Relay using legacy services
That said, the recommendation is to use the newer services.
Has anyone upgraded from R77.30 to R80.20 with legacy DHCP services left in the policies? Any issues? I too was preparing to switch over to the new services before the upgrade, but I am hoping to avoid this (for now).
Thanks,
Dave
I upgraded from 77.30 to R80.10 without issues with legacy DHCP Relay in place... so no problem