This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Dave_Taylor1
Collaborator
‎2018-10-02 03:17 PM

Legacy DHCP Relay Services

Has anyone ever followed the SK for changing the legacy DHCP Relay services, (sk104114)?

I'm curious, if the new services need to be in a new rule not including the old bootp/bootps?

I guess I was under the impression the Kernel change would force the firewall to use the new services, ignoring the old ones.

14 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2018-10-03 12:43 AM

Since R77.20 it is recommended that the new DHCP services be used. New services config is found in sk104114 - Configuration of IPv4 BOOTP/DHCP Relay using new services, legacy in sk98839 - Configuration of IPv4 BOOTP/DHCP Relay using legacy services, so it is easy to compare the two solutions. Additionally, sk41515: How to configure BootP/DHCP Relay on Security Gateway running IPSO / Gaia OS includes Allowing DHCP Relay traffic to cross a VPN tunnel.

What about the SMS kernel change, how should that influence DHCO relaying? 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
JozkoMrkvicka
Authority
Authority
‎2018-10-03 02:03 AM

What is the main purpose to have those "new" DHCP Relay Services ? Just to have 2 services (request, reply) instead of 4 ?

Kind regards,
Jozko Mrkvicka
0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2018-10-03 03:25 AM
In response to JozkoMrkvicka

Yes, to have a number of services replaced by only two.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Jesse
Contributor
‎2018-10-03 06:23 AM

I've been changing everything over to the new services following an upgrade of several CMAs to R80.10. I like the new way. Makes for a very tidy policy:

Dave_Taylor1
Collaborator
‎2018-10-03 08:21 AM

so I guess it isn't possible to have the new services along side the old services as you transition?

0 Kudos
Jesse
Contributor
‎2018-10-03 08:39 AM
In response to Dave_Taylor1

Yes, you could have both old services and new services in the same policy, and even the same rule. But I don't see the need to do so.

0 Kudos
Dave_Taylor1
Collaborator
‎2018-10-03 10:02 AM
In response to Jesse

I just tried it, it still wants to use the old bootp and bootps in the rule even though I change the kernel parameters to fw ctl set int fwx_dhcp_relay_nat 0

0 Kudos
Oliver_Fink
Advisor
Advisor
‎2019-04-30 03:41 AM
In response to Jesse

I do not think that this is an supported solution. sk104114 explicitly states:

In the security policy, new DHCP services and legacy DHCP services are mutually exclusive - only one type can be used.

JozkoMrkvicka
Authority
Authority
‎2018-10-03 09:59 AM

By the way, exactly this is checked if you are going to migrate from R77.30 to R80.x. This situation with "legacy" vs "new" DHCP services is marked as WARNING, which doesnt stop you from creating export. There is just remark that starting from R80.x, the new services were added and should be used instead of Legacy services.

Kind regards,
Jozko Mrkvicka
0 Kudos
Dave_Taylor1
Collaborator
‎2018-10-03 10:11 AM
In response to JozkoMrkvicka

I was able to export from R77.30 and successfully import into R80.10, but I understood I couldn't go any further until I changed this on all the gateways.

meaning I couldn't manage the firewalls within R80.10 with the legacy DHCP services.

Is this not the case?

0 Kudos
Dave_Taylor1
Collaborator
‎2018-10-03 02:45 PM

So I guess my big question is this, Can R80.10 still manage firewalls that have the Legacy DHCP services?

Is it required to change this on all our gateways and rules before I start managing our R77.30 firewalls with R80.10?

0 Kudos
PhoneBoy
Admin
Admin
‎2018-10-03 05:47 PM
In response to Dave_Taylor1

I don't see why not, especially since the SK that talks about it refers to R80.20: Configuration of IPv4 BOOTP/DHCP Relay using legacy services 

That said, the recommendation is to use the newer services.

0 Kudos
David_C1
Advisor
‎2018-12-02 06:18 PM
In response to Dave_Taylor1

Has anyone upgraded from R77.30 to R80.20 with legacy DHCP services left in the policies? Any issues? I too was preparing to switch over to the new services before the upgrade, but I am hoping to avoid this (for now).

Thanks,

Dave

GHaider
Contributor
‎2019-03-08 08:33 AM

i upgraded from 77.30 to R80.10 without issues with legacy DHCP Relay in place... so no problem

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events