DHCP Services
To allow DHCP relay traffic, you must configure explicit Security Policy rules that use the DHCP relay services.
Such explicit Rule Base configuration is required for these reasons:
- The DHCP relay agents and DHCP servers cannot automatically match replies with requests.
- Clients do not necessarily have a source IP when they send their initial request. The Security Policy has to allow DHCP broadcasts from Any source to the DHCP Server or DHCP Relay.
- The dhcp-request and dhcp-reply services use Check Point’s Stateful Inspection Engine to perform Stateful Inspection of DHCP traffic. If DHCP Relay traffic is not handled by these services (for example, it matches a service of Any in the Security Policy, or implied rules), the Security Gateway can drop the traffic.
For Security Gateways that are R77.20 or higher, use the new DHCP services: dhcp-request and dhcp-reply. The procedures in this chapter are compatible with the new DHCP services.
For Security Gateways that are older than R77.20, refer to sk98839.
For DHCPv6, the services are dhcp-request, dhcp-reply and dhcp-relay.
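The rule-order requirement described above, as an added example (not Check Point code or an export format): a first-match audit over a constructed, simplified rule model that flags DHCP flows handled by a service of Any or by no rule at all. The object names `dhcp_relay` and `dhcp_server`, the rule fields and the three flows checked are assumptions made for illustration.

```python
# Added example: first-match audit of a simplified rule base for DHCP relay.
# The rule dictionaries, object names and flows are constructed for
# illustration; this is not a Check Point export format or API.

def first_match(rules, src, dst, service):
    """Return the first rule (top-down) whose columns cover the flow."""
    for rule in rules:
        if (rule["src"] in ("Any", src) and rule["dst"] in ("Any", dst)
                and rule["service"] in ("Any", service)):
            return rule
    return None

def audit_dhcp_relay(rules, relay="dhcp_relay", server="dhcp_server"):
    """Return findings for DHCP flows not handled by an explicit DHCP service."""
    flows = [  # (label, source, destination, required service); assumed flows
        # A client without an IP address can only match a source of Any.
        ("client broadcast to relay", "Any", relay, "dhcp-request"),
        ("relay to server", relay, server, "dhcp-request"),
        ("server reply to relay", server, relay, "dhcp-reply"),
    ]
    findings = []
    for label, src, dst, service in flows:
        rule = first_match(rules, src, dst, service)
        if rule is None:
            findings.append(f"{label}: no matching rule")
        elif rule["action"] != "accept":
            findings.append(f"{label}: rule '{rule['name']}' does not accept")
        elif rule["service"] != service:
            findings.append(f"{label}: rule '{rule['name']}' matches with "
                            f"service {rule['service']}, not {service}")
    return findings

# Constructed rule bases: only a broad Any rule (weak), versus explicit
# DHCP rules placed above that same rule (corrected).
WEAK = [
    {"name": "internal-any", "src": "Any", "dst": "Any", "service": "Any", "action": "accept"},
]
CORRECTED = [
    {"name": "dhcp-req-in", "src": "Any", "dst": "dhcp_relay", "service": "dhcp-request", "action": "accept"},
    {"name": "dhcp-req-fwd", "src": "dhcp_relay", "dst": "dhcp_server", "service": "dhcp-request", "action": "accept"},
    {"name": "dhcp-reply", "src": "dhcp_server", "dst": "dhcp_relay", "service": "dhcp-reply", "action": "accept"},
] + WEAK

if __name__ == "__main__":
    for name, rules in (("weak", WEAK), ("corrected", CORRECTED)):
        print(name, audit_dhcp_relay(rules) or "OK")
```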