Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Dave_Taylor1
Collaborator

Legacy DHCP Relay Services

Has anyone ever followed the SK for changing the legacy DHCP Relay services, (sk104114)?

I'm curious, if the new services need to be in a new rule not including the old bootp/bootps?

I guess I was under the impression the Kernel change would force the firewall to use the new services, ignoring the old ones.

14 Replies
G_W_Albrecht
Legend
Legend

Since R77.20 it is recommended that the new DHCP services be used. New services config is found in sk104114 - Configuration of IPv4 BOOTP/DHCP Relay using new services, legacy in sk98839 - Configuration of IPv4 BOOTP/DHCP Relay using legacy services, so it is easy to compare the two solutions. Additionally, sk41515: How to configure BootP/DHCP Relay on Security Gateway running IPSO / Gaia OS includes Allowing DHCP Relay traffic to cross a VPN tunnel.

What about the SMS kernel change, how should that influence DHCO relaying? 

JozkoMrkvicka
Leader
Leader

What is the main purpose to have those "new" DHCP Relay Services ? Just to have 2 services (request, reply) instead of 4 ?

Kind regards,
Jozko Mrkvicka
0 Kudos
G_W_Albrecht
Legend
Legend

Yes, to have a number of services replaced by only two.

Jesse
Contributor

I've been changing everything over to the new services following an upgrade of several CMAs to R80.10. I like the new way. Makes for a very tidy policy:

Dave_Taylor1
Collaborator

so I guess it isn't possible to have the new services along side the old services as you transition?

0 Kudos
Jesse
Contributor

Yes, you could have both old services and new services in the same policy, and even the same rule. But I don't see the need to do so.

0 Kudos
Dave_Taylor1
Collaborator

I just tried it, it still wants to use the old bootp and bootps in the rule even though I change the kernel parameters to fw ctl set int fwx_dhcp_relay_nat 0

0 Kudos
Oliver_Fink
Collaborator

I do not think that this is an supported solution. sk104114 explicitly states:

In the security policy, new DHCP services and legacy DHCP services are mutually exclusive - only one type can be used.

0 Kudos
JozkoMrkvicka
Leader
Leader

By the way, exactly this is checked if you are going to migrate from R77.30 to R80.x. This situation with "legacy" vs "new" DHCP services is marked as WARNING, which doesnt stop you from creating export. There is just remark that starting from R80.x, the new services were added and should be used instead of Legacy services.

Kind regards,
Jozko Mrkvicka
0 Kudos
Dave_Taylor1
Collaborator

I was able to export from R77.30 and successfully import into R80.10, but I understood I couldn't go any further until I changed this on all the gateways.

meaning I couldn't manage the firewalls within R80.10 with the legacy DHCP services.

Is this not the case?

0 Kudos
Dave_Taylor1
Collaborator

So I guess my big question is this, Can R80.10 still manage firewalls that have the Legacy DHCP services?

Is it required to change this on all our gateways and rules before I start managing our R77.30 firewalls with R80.10?

0 Kudos
PhoneBoy
Admin
Admin

I don't see why not, especially since the SK that talks about it refers to R80.20: Configuration of IPv4 BOOTP/DHCP Relay using legacy services 

That said, the recommendation is to use the newer services.

0 Kudos
David_Charnon
Collaborator

Has anyone upgraded from R77.30 to R80.20 with legacy DHCP services left in the policies? Any issues? I too was preparing to switch over to the new services before the upgrade, but I am hoping to avoid this (for now).

Thanks,

Dave

Gerald_Haider
Participant

i upgraded from 77.30 to R80.10 without issues with legacy DHCP Relay in place... so no problem