Firewallteam_DE
Explorer

Legacy DHCP Relay services vs R80.x - gw not configured as relay

Hello Mates

We are preparing the migration of MDS to R80, and the following is an example pre-check warning:

Two possible options to solve the problem:
1). Remove legacy DHCP Relay services and add new DHCP Relay services. See sk104114 for instructions. This is the recommended action if managing only R77.20 gateways and above.
2). Keep legacy DHCP Relay services and make changes to the Gateways and the Security Management Servers. See sk98839 for instructions. Do this if managing any gateways which are older than R77.20.
Legacy DHCP Relay service(s): bootp, dhcp-relay, dhcp-rep-localmodule, dhcp-req-localmodule
Some of the legacy DHCP Relay service(s) are members of the following rulebase(s): Policy skibidabdab_Prod, rules: XY.
For more information, see sk104114 or sk98839.

 

We have plenty of gateways managed by CMAs whose policies have legacy DHCP relay service objects in their rules. The current GW batch has all R70.20 and above.

 

The article mentions that in case the gateways are not configured as DHCP agents (none are, as I checked on GWs: RTGRTG0019  BOOTP: Feature is not enabled ), then we should follow all sections except "DHCP Relay Configuration":

 

“If Gaia OS will not be configured as a DHCP Relay Agent and will only be used to secure DHCP relay traffic between a separate DHCP Relay Agent and a DHCP Server, follow all instructions except for the "DHCP Relay Configuration" section, and modify the security policy with the correct IPs for the DHCP Relay and DHCP server.”

 

According to the initial error, we should only change the services in the policies to the newer ones (replace those on the right with those on the left - attached):

BUT the SK article discusses all other configurations in its sections (excluding the DHCP Relay Configuration part) like Hotfix, fwx_dhcp_relay_nat parameter, dhcp_objects create, table.def modifications, global properties and various precautions in rules related to DHCP traffic handling... Many times referring to the gateway as a relay agent, which is not our case.

 

How should we interpret that information? Is it enough to just replace the objects in the policies or do we have to go through all other mentioned configurations? Gateways are only securing the DHCP traffic, they are not acting as relays.

 

I searched the forum for posts related to this, and although there are plenty, the following one seems relevant to the case:

https://community.checkpoint.com/t5/Policy-Management/Need-to-change-bootp-config-to-dhcp-request-wh...

Can somebody confirm this is safe to assume?
