Configuring IPv4 DHCP Relay Security Policy on Management Servers
Configuring IPv4 DHCP Services on Management Servers
This procedure shows how to configure the DHCP services on the Security Management Server or the Multi-Domain Server.
- Connect to the command line on the Security Management Server or the Multi-Domain Server (over SSH, or console).
- Log in to the Expert mode.
- On a Multi-Domain Server, go to the context of the applicable Domain Management Server:
  mdsenv <Name or IP Address of Domain Management Server>
- Examine the contents of all the related table.def files. For the file locations, refer to sk98339.
  egrep "no_hide_services_ports|no_fold_services_ports" /<Path>/<To>/<Applicable>/table.def
- If UDP port 67 and UDP port 68 are configured in the "no_hide_services_ports" or the "no_fold_services_ports" tables, edit the related table.def file and remove these ports:
  vi /<Path>/<To>/<Applicable>/table.def
  Note - These table changes are only necessary if one or more VSX or ClusterXL clusters run DHCP Relay. You can skip this step if DHCP Relay is only used on VRRP clusters or on a Standalone deployment (Security Gateway and Security Management Server on the same server).
  Change from:
  no_hide_services_ports = { <4500,17>, <500,17>, <259,17>, <1701,17>, ..., <68,17>, <67,17> }
  no_fold_services_ports = { <4500,17>, <500,17>, <259,17>, <1701,17>, ..., <68,17>, <67,17> }
  To:
  no_hide_services_ports = { <4500,17>, <500,17>, <259,17>, <1701,17>, ... }
  no_fold_services_ports = { <4500,17>, <500,17>, <259,17>, <1701,17>, ... }
- Save the changes in the file and exit the editor.
- In SmartConsole, install the Access Control Policy on the applicable Security Gateways.
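The check and the edit in the steps above, as an added shell example that is not part of the Check Point guide: it greps the two tables the way the procedure does, reports whether UDP 67/68 (<67,17>, <68,17>) are still listed, and rewrites only those two lines, removing the DHCP entries wherever they sit in the set. The sample table.def fragment is constructed here so the script runs offline; the real file path is the one sk98339 gives for your deployment.

```shell
#!/bin/sh
# Added example, not from the Check Point guide. Operates on a copy of a
# table.def file passed as $1; it never edits anything in place.

# The check from the procedure: print the two table lines as they stand.
show_dhcp_tables() {
    grep -E '^(no_hide_services_ports|no_fold_services_ports)[[:space:]]*=' "$1"
}

# Exit status 0 when either table still lists <67,17> or <68,17>.
dhcp_ports_present() {
    show_dhcp_tables "$1" | grep -Eq '<6[78],17>'
}

# Rewrite only the two table lines: drop <67,17> and <68,17> whether they are
# the last, a middle, the first or the only entry, and leave every other
# service (and every other table) untouched.
strip_dhcp_ports() {
    sed -E \
        -e '/^(no_hide_services_ports|no_fold_services_ports)[[:space:]]*=/{' \
        -e 's/,[[:space:]]*<6[78],17>//g' \
        -e 's/<6[78],17>[[:space:]]*,[[:space:]]*//g' \
        -e 's/<6[78],17>//g' \
        -e 's/[{][[:space:]]*[}]/{ }/' \
        -e '}' "$1"
}

# Constructed sample shaped like the lines quoted in the procedure (the third
# table is unrelated and must survive unchanged), written to a temporary file.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
no_hide_services_ports = { <4500,17>, <500,17>, <259,17>, <1701,17>, <68,17>, <67,17> }
no_fold_services_ports = { <68,17>, <4500,17>, <500,17>, <67,17>, <259,17>, <1701,17> }
other_table = { <67,17>, <68,17> }
EOF

FIXED=$(mktemp)
strip_dhcp_ports "$SAMPLE" > "$FIXED"

# Typical use on the management server (in the Domain context on a
# Multi-Domain Server), keeping a backup and reviewing the diff first:
#   cp table.def table.def.bak
#   strip_dhcp_ports table.def > table.def.new && diff table.def table.def.new
#   mv table.def.new table.def
```

Run it against every related table.def that sk98339 lists, then install the Access Control Policy as in the last step; `dhcp_ports_present` returning non-zero on each file is the confirmation that the edit took.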
Configuring Security Policy in SmartConsole
To allow the IPv4 DHCP relay traffic, it is necessary to configure explicit Security Policy rules with the IPv4 DHCP relay services.
Such an explicit Rule Base configuration is required for these reasons:
- The IPv4 DHCP relay agents and IPv4 DHCP servers cannot automatically match replies with requests.
- Clients do not necessarily have a source IP address when they send their initial request. The Security Policy therefore has to allow IPv4 DHCP broadcasts from Any source to the IPv4 DHCP Server or the IPv4 DHCP Relay.
- The dhcp-request and dhcp-reply services use Check Point's Stateful Inspection Engine to inspect IPv4 DHCP traffic statefully.
Important - If you do not handle IPv4 DHCP Relay traffic with these services (for example, with a service of Any in the Security Policy, or with the implied rules), the Security Gateway can drop the traffic.
You configure the IPv4 DHCP services on these ports:
- IPv4 DHCP requests from an IPv4 DHCP client are sent as UDP unicasts or broadcasts with a source port of 68 and a destination port of 67. The source IPv4 address may be 0.0.0.0 if the client does not have an IPv4 address yet.
- IPv4 DHCP replies to a client are sent as UDP unicasts or broadcasts with a source port of 67 and a destination port of 68.
- IPv4 DHCP relay traffic between the relay and the server is sent as UDP unicasts with a source port of 67 and a destination port of 67.
For Security Gateways R77.20 or higher, the applicable IPv4 DHCP services are the new services dhcp-request and dhcp-reply.
Configuring IPv4 DHCP Security Policy
- In SmartConsole, click the main Menu > Global properties.
- In the Global Properties window, click Firewall. If the Accept outgoing packets originating from gateway implied rule is enabled, then from the drop-down menu, select Last or Before Last, so that the relay's own DHCP traffic is matched by your explicit dhcp-request and dhcp-reply rules and not by the implied rule. Click OK.
- Create a host object for the DHCP server:
  - In the SmartConsole main view, go to Objects > New Host.
  - Enter the object name.
  - Enter the IPv4 address of the IPv4 DHCP server.
  - Click OK.
- Create a host object for the Global Broadcast:
  - In the SmartConsole main view, go to Objects > New Host.
  - Enter the object name.
  - Enter the IPv4 address 255.255.255.255.
  - Click OK.
- Create the object of the Client Network, to which the IPv4 DHCP clients are connected:
  - In the SmartConsole main view, go to Objects > New Network.
  - Enter the object name.
  - In the IPv4 section, enter the IPv4 Network address and IPv4 Net mask.
  - Click OK.
- Make sure that the legacy DHCP configuration does not exist:
  - Delete or disable all security rules for IPv4 DHCP traffic that use these legacy services: bootp, dhcp-relay, dhcp-req-localmodule, dhcp-rep-localmodule.
  - Delete or disable all manual NAT rules for the legacy IPv4 DHCP configuration.
- Configure the required Access Control Policy rules with the new IPv4 DHCP services (dhcp-request and dhcp-reply).
  Note - Use the IPv4 DHCP Relay object, which you configured for the Security Gateway. For its value, enter the name of the Security Gateway which runs IPv4 DHCP Relay.
- Install the Access Control Policy on the applicable Security Gateways.
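The SmartConsole steps above, together with the traffic description in the previous section, as an added example script that drives the Check Point Management API CLI (mgmt_cli) on the Security Management Server instead of the GUI. This is not code from the guide or from Check Point. Everything under "Assumed values" is an assumption for illustration: the object names, the addresses, the policy package "Standard" and layer "Network", the gateway name DHCP-Relay-GW, and the two-rule set itself, which is modelled on the section's description (requests from Any to the server and the broadcast address with dhcp-request; replies from the server to the client network, the broadcast address and the relay gateway with dhcp-reply). The Global Properties implied-rule setting is still changed in SmartConsole as in the first step.

```shell
#!/bin/sh
# Added example, not from the Check Point guide: DHCP relay objects and rules
# via mgmt_cli. Set MGMT_CLI=echo to print the commands instead of running
# them (dry run for review); everything under "Assumed values" is assumed.

MGMT_CLI="${MGMT_CLI:-mgmt_cli}"
SESSION="${SESSION:-id.txt}"

# Assumed values (not from the page)
DHCP_SERVER_OBJ="DHCP_Server";   DHCP_SERVER_IP="192.0.2.10"
BROADCAST_OBJ="Global_Broadcast"
CLIENT_NET_OBJ="Client_Network"; CLIENT_NET="192.168.10.0"; CLIENT_MASK=24
RELAY_GW="DHCP-Relay-GW"         # Security Gateway object that runs IPv4 DHCP Relay
PACKAGE="Standard";              LAYER="Network"
LEGACY_SERVICES="bootp dhcp-relay dhcp-req-localmodule dhcp-rep-localmodule"

# One API call inside the current session.
mc() { "$MGMT_CLI" "$@" -s "$SESSION"; }

# Root login on the management server itself (-r true: no password prompt).
api_login()  { "$MGMT_CLI" login -r true > "$SESSION"; }
api_logout() { mc logout; }

create_objects() {
    mc add host name "$DHCP_SERVER_OBJ" ip-address "$DHCP_SERVER_IP"
    mc add host name "$BROADCAST_OBJ" ip-address 255.255.255.255
    mc add network name "$CLIENT_NET_OBJ" subnet "$CLIENT_NET" mask-length "$CLIENT_MASK"
}

# List rules that still reference the legacy services; they must be disabled
# or deleted before the new services are relied on (manual NAT rules for the
# legacy configuration are checked by hand).
show_legacy_rules() {
    for svc in $LEGACY_SERVICES; do
        mc show access-rulebase name "$LAYER" filter "$svc"
    done
}

# Rule 1 accepts requests: the client's initial broadcast (source may be
# 0.0.0.0, hence Source Any) and the relay's unicast to the server.
# Rule 2 accepts the server's replies towards the clients, the broadcast
# address and the relay gateway. Both use dhcp-request / dhcp-reply, never
# Any or a legacy service, so the stateful DHCP handling applies.
create_rules() {
    mc add access-rule layer "$LAYER" position top name "DHCP requests" \
        source Any destination.1 "$DHCP_SERVER_OBJ" destination.2 "$BROADCAST_OBJ" \
        service dhcp-request action Accept
    mc add access-rule layer "$LAYER" position 2 name "DHCP replies" \
        source "$DHCP_SERVER_OBJ" destination.1 "$CLIENT_NET_OBJ" \
        destination.2 "$BROADCAST_OBJ" destination.3 "$RELAY_GW" \
        service dhcp-reply action Accept
}

publish_and_install() {
    mc publish
    mc install-policy policy-package "$PACKAGE" access true threat-prevention false \
        targets.1 "$RELAY_GW"
}

apply_all() {
    api_login
    create_objects
    show_legacy_rules
    create_rules
    publish_and_install
    api_logout
}

# Runs only when invoked as "sh script.sh apply"; otherwise it just defines
# the functions so they can be reviewed or dry-run with MGMT_CLI=echo.
if [ "${1:-}" = "apply" ]; then apply_all; fi
```

Review the dry-run output (MGMT_CLI=echo sh script.sh apply) and the `show access-rulebase` results for legacy rules before running it for real; the rule order and columns should be adjusted to your own topology, and the Global Properties step remains a SmartConsole action.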