
Configuring DHCP Security Policy

You configure the DHCP services on these ports:

To configure DHCP Security Policy:

  1. Go to the main SmartConsole Menu > Global Properties > Firewall. If the Accept outgoing packets originating from gateway implied rule is enabled, then from the drop-down menu, select Last or Before Last.
  2. Create a host object for the DHCP server. In the SmartConsole main view, go to Objects > New Host.

    The New Host window opens.

    1. Enter the object name.
    2. Enter the IPv4 address of the DHCP server.
    3. Click OK.
  3. Create a host object for the Global Broadcast. In the SmartConsole main view, go to Objects > New Host.

    The New Host window opens.

    1. Enter the object name.
    2. Enter the IPv4 Address of 255.255.255.255.
    3. Click OK.
  4. Create a Client Network object. In the SmartConsole main view, go to Objects > New Network.

    The New Network window opens.

    1. Enter the object name.
    2. Enter the Network address and Net mask of the network to which the DHCP clients are connected.
    3. Click OK.
  5. Make sure that the legacy DHCP configuration does not exist:
    1. Delete/disable all security rules for DHCP traffic that use these legacy services:
      • bootp
      • dhcp-relay
      • dhcp-req-localmodule
      • dhcp-rep-localmodule
    2. Delete/disable all manual NAT rules for legacy DHCP configuration. For more about NAT rules, see sk97566.
  6. Configure the required Security Policy rules with the new DHCP services (dhcpv6-request and dhcpv6-reply).

    Note - Use the DHCP-relay object, which you configured on the Security Gateway. For its value, enter the name of the Security Gateway, which runs DHCP Relay.

    An example for a Rule Base with the DHCP relay services:

    | Source IP                      | Destination IP                       | Service      | Action | Description of the rule                                                                                                                                         |
    |--------------------------------|--------------------------------------|--------------|--------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------|
    | Any                            | <Global Broadcast>                   | dhcp-request | Accept | Source IP must be Any. A value of 0.0.0.0 does not work.                                                                                                        |
    | <DHCP Relay>, <Client Network> | <DHCP Server>                        | dhcp-request | Accept | In some situations, the DHCP client sends some requests directly to the DHCP Server.                                                                            |
    | <DHCP Relay>                   | <Client Network>, <Global Broadcast> | dhcp-reply   | Accept | The replies can be unicast or broadcast based on the DHCP client options.                                                                                       |
    | <DHCP Server>                  | <Client Network>, <Global Broadcast> | dhcp-reply   | Accept | The replies can be unicast or broadcast based on the DHCP client options. In some situations, the DHCP server sends some requests directly to the DHCP client. |

  7. Install the Access Control Policy on the applicable Security Gateways.
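The following is an added example, not Check Point code and not part of this procedure: a small Python model of the four-rule DHCP Rule Base from step 6, evaluated against the DHCP flows the rules are meant to cover (a broadcast DISCOVER from a client with no address, a relayed request, a direct renewal, and unicast and broadcast replies from the relay and the server), plus the step 5 check that no rule still uses a legacy DHCP service. The addresses assigned to <DHCP Server>, <DHCP Relay> and <Client Network> are constructed sample values, and the services are modelled on the standard DHCP UDP ports (67 for requests, 68 for replies), which is an assumption about the dhcp-request and dhcp-reply definitions rather than something the page states.

```python
"""Model of the DHCP Rule Base in step 6, evaluated against typical DHCP flows.

Constructed example (not Check Point code). Object names mirror the placeholders
used in the procedure; the addresses behind them are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample addresses for the objects created in steps 2-4 (assumptions).
OBJECTS = {
    "Global Broadcast": ip_network("255.255.255.255/32"),  # step 3, as on the page
    "DHCP Server": ip_network("10.0.0.10/32"),              # step 2, sample address
    "DHCP Relay": ip_network("192.168.1.1/32"),             # gateway running DHCP Relay, sample
    "Client Network": ip_network("192.168.1.0/24"),         # step 4, sample network
}

# Services used by the example Rule Base, modelled on the standard DHCP ports
# (assumption: requests go to server port 67, replies go to client port 68).
SERVICES = {
    "dhcp-request": ("udp", 67),
    "dhcp-reply": ("udp", 68),
}

# Legacy services that step 5 says must no longer appear in any rule.
LEGACY_SERVICES = {"bootp", "dhcp-relay", "dhcp-req-localmodule", "dhcp-rep-localmodule"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    source: tuple        # object names, or ("Any",)
    destination: tuple
    service: str
    action: str = "Accept"


# The example Rule Base from step 6, in rule order.
RULE_BASE = [
    Rule(("Any",), ("Global Broadcast",), "dhcp-request"),
    Rule(("DHCP Relay", "Client Network"), ("DHCP Server",), "dhcp-request"),
    Rule(("DHCP Relay",), ("Client Network", "Global Broadcast"), "dhcp-reply"),
    Rule(("DHCP Server",), ("Client Network", "Global Broadcast"), "dhcp-reply"),
]


def _in_objects(addr: str, names: tuple) -> bool:
    """True if addr falls inside any of the named objects; 'Any' matches everything."""
    if "Any" in names:
        return True
    ip = ip_address(addr)
    return any(ip in OBJECTS[name] for name in names)


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """Service, source and destination must all match for the rule to apply."""
    proto, port = SERVICES[rule.service]
    return (
        flow.proto == proto
        and flow.dport == port
        and _in_objects(flow.src, rule.source)
        and _in_objects(flow.dst, rule.destination)
    )


def first_match(rules: list, flow: Flow) -> Optional[int]:
    """1-based number of the first matching rule, or None (no rule accepts the flow)."""
    for number, rule in enumerate(rules, start=1):
        if rule_matches(rule, flow):
            return number
    return None


def legacy_rules(rules: list) -> list:
    """Numbers of rules that still use a legacy DHCP service (the step 5 check)."""
    return [n for n, r in enumerate(rules, start=1) if r.service in LEGACY_SERVICES]


# Constructed DHCP flows that the Rule Base is expected to handle.
SAMPLE_FLOWS = {
    "DISCOVER, client has no address yet": Flow("0.0.0.0", "255.255.255.255", "udp", 67),
    "REQUEST relayed to the server":       Flow("192.168.1.1", "10.0.0.10", "udp", 67),
    "RENEW sent by the client directly":   Flow("192.168.1.50", "10.0.0.10", "udp", 67),
    "Reply from the relay, unicast":       Flow("192.168.1.1", "192.168.1.50", "udp", 68),
    "Reply from the relay, broadcast":     Flow("192.168.1.1", "255.255.255.255", "udp", 68),
    "Reply from the server, broadcast":    Flow("10.0.0.10", "255.255.255.255", "udp", 68),
    "Reply from an unknown host":          Flow("10.0.0.99", "255.255.255.255", "udp", 68),
}

if __name__ == "__main__":
    for label, flow in SAMPLE_FLOWS.items():
        hit = first_match(RULE_BASE, flow)
        verdict = f"rule {hit}" if hit else "no match"
        print(f"{label:38} {flow.src:>15} -> {flow.dst:<15} {verdict}")
```

The last sample flow shows the defensive value of naming the server and relay objects explicitly in the dhcp-reply rules: a reply sourced from an address outside <DHCP Server> and <DHCP Relay> matches no rule, so the Rule Base does not accept it.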