This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
sam_huang
Participant
‎2021-12-17 01:48 AM

DHCP service issue on R80.40

Hello everyone, I recently encountered a very strange problem. The version is R80.40 + hotfix 126.In my network, the client cannot reach the DHCP server to obtain the IP through CheckPoint


       Recently, some VLANs cannot obtain IP normally. It is found through zdebug that dhcp is old seesion. Modify the kernel file according to sk123116. Operate and cancel the default dhcp relay and dhcp request, add custom service and Selected “Keep connections open after the policy has been installed”. add the interception record in the enforced Suspicious Activity Rules in and delet rule in tunnel & User Monitoring, and it has been normal for a few days after the policy is issued.

      Today, it happened again that the IP could not be obtained. The enforced Suspicious Activity Rules in tunnel & User Monitoring were blocked again, and after deleting the policy issued, the IP can be obtained normally. Have you encountered and resolved this situation?

tks all

0 Kudos
6 Replies
the_rock
Legend
Legend
‎2021-12-17 06:39 AM

Hm...cant say I had seen that issue myself in R80.40 yet. Did debug show you exact message from that sk you referenced? What do you see if you do fw monitor just filtering for ports 67 and 68. For example

fw monitor -e "accept port(67) or port(68);"

0 Kudos
sam_huang
Participant
‎2021-12-18 11:06 AM
In response to the_rock

Through packet capture, I found that the data belonging to port 67 in my data disappeared after entering the firewall. Use zdebug to find the display dropped by fw_handle_old_conn_recovery Reason: UDP packet that belongs to an old session;

0 Kudos
Wolfgang
Authority
Authority
‎2021-12-18 11:30 AM

@sam_huang it's mandatory to follow Configuration of IPv4 BOOTP/DHCP Relay using new services even if you don't use the gateway as DHCP relay. Don't use the "old" services like "dhcp-relay", only dhcp-request or dhcp-reply has to be used. And you have to check twice that only rules with these services are matched by the DHCP traffic.

In the last years we had several cases with problematic DHCP connections. All are solved following the mentioned knowledgebase article.

0 Kudos
sam_huang
Participant
‎2021-12-19 06:57 AM
In response to Wolfgang

When this failure first appeared, I did try to use the new dhcp service, dhcp_request and dhcp_reply two new services, but I added a new rule double src:any dst:any service:dhcp_request and dhcp_reply, the delivery policy still cannot be obtained To IP. Use zdebug to find that fw_handle_old_conn_recovery is still detected.

This makes me very strange. I don't know how to deal with DHCP traffic.


Or whether CheckPoint has any mechanism for UDP 67 service to solve this problem.
thanks

0 Kudos
Wolfgang
Authority
Authority
‎2021-12-19 12:13 PM
In response to sam_huang

You have to follow exact the mentioned sk.  dhcp-reply and dhcp-request both used in one rule is the wrong way. There is a detailed description how to configure the rulebase. If you follow the description in the sk and the problem still exists you can open a TAC case.

the_rock
Legend
Legend
‎2021-12-19 04:25 PM
In response to sam_huang

@Wolfgang is absolutely correct, You need to follow that article if you have any hope of making this work...its literally like old school sk for VOIP traffic. If rules are wrong, it will not work, thats just how it is.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events