Configuring IPv6 DHCP Relay Security Policy on Management Servers

IPv6 DHCP Services on Management Servers

DHCPv6 clients and servers send and receive messages through UDP.

A special link-scoped multicast address lets DHCPv6 clients request configuration information when they do not know the IPv6 address of a relay or server:

FF02::1:2

  • The client sends DHCPv6 requests as UDP unicasts or multicasts with source port 546 and destination port 547.

    The related security policy service is dhcpv6-request.

  • DHCPv6 replies to a client are sent as UDP unicasts to the client's IPv6 link-local address.

    They are sent with source port 547 and destination port 546. The related security policy service is dhcpv6-reply.

  • The relay and server send DHCPv6 traffic between them as IPv6 UDP unicasts with source port 547 and destination port 547.

    Multiple server addresses can be specified.

    Each server address must be an IPv6 unicast address.

    Each server address can refer to a DHCPv6 server or to another DHCPv6 relay.

    The related security policy service is dhcpv6-relay.

  • Unlike IPv4 BOOTP/DHCP Relay, a DHCPv6 server sends its replies to the relay nearest to the server, as opposed to the relay nearest to the client.
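
The port and address patterns above can be checked against observed UDP flows. The following is an added example, not part of the original documentation or of any Check Point tool: it maps a flow to the service name a rule would need, and returns None for flows that fit none of the three patterns. The function names, the sample flows and the restriction of multicast requests to FF02::1:2 are assumptions of this example.

```python
import ipaddress

# Link-scoped multicast address used by clients (from the text above).
DHCPV6_MULTICAST = ipaddress.IPv6Address("ff02::1:2")
CLIENT_PORT, SERVER_PORT = 546, 547


def _is_unicast(addr):
    """True for a usable unicast destination (not multicast, not '::')."""
    return not addr.is_multicast and not addr.is_unspecified


def classify(src_port, dst_port, dst_addr):
    """Return 'dhcpv6-request', 'dhcpv6-reply', 'dhcpv6-relay' or None."""
    dst = ipaddress.IPv6Address(dst_addr)
    ports = (src_port, dst_port)
    if ports == (CLIENT_PORT, SERVER_PORT):
        # Client request: unicast, or multicast to FF02::1:2 only
        # (assumption: any other multicast group is treated as unexpected).
        if dst == DHCPV6_MULTICAST or _is_unicast(dst):
            return "dhcpv6-request"
    elif ports == (SERVER_PORT, CLIENT_PORT):
        # Reply to a client: unicast to the client's link-local address.
        if dst.is_link_local:
            return "dhcpv6-reply"
    elif ports == (SERVER_PORT, SERVER_PORT):
        # Relay <-> server: unicast only.
        if _is_unicast(dst):
            return "dhcpv6-relay"
    return None


def audit(flows):
    """Return the flows that match none of the three DHCPv6 services."""
    return [f for f in flows if classify(*f) is None]


# Constructed sample flows: (source port, destination port, destination).
SAMPLE_FLOWS = [
    (546, 547, "ff02::1:2"),       # client multicast request
    (547, 546, "fe80::1"),         # reply to link-local client address
    (547, 547, "2001:db8:1::5"),   # relay to server, unicast
    (547, 546, "2001:db8::10"),    # reply to a non-link-local address
    (547, 547, "ff05::1:3"),       # relay traffic sent to a multicast group
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "->", classify(*flow))
```

Flows returned by audit() are the ones the three DHCPv6 services described above would not cover and are worth reviewing before adding any broader rule.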

Configuring Security Policy in SmartConsole

Configuring IPv6 DHCP Security Policy

  1. In SmartConsole, click the main Menu > Global properties.

  2. In the Global Properties window, click Firewall.

    If the Accept outgoing packets originating from gateway implied rule is enabled, then from the drop-down menu, select Last or Before Last.

    Click OK.

  3. Create a new host for the DHCP server.

    In the SmartConsole main view, go to Objects > New Host.

    1. Enter the server name.

    2. Enter the IPv6 address of the DHCP server.

    3. Click OK.

  4. Create the object of a Client Network, to which the IPv6 DHCP clients are connected.

    In the SmartConsole main view, go to Objects > New Network.

    1. Enter the object name.

    2. In the IPv6 section, enter the IPv6 Network address and IPv6 Prefix.

    3. Click OK.

  5. Configure the required Security Policy rules with the DHCPv6 services (dhcpv6-request, dhcpv6-reply, and dhcpv6-relay).

    Note - Use:

  6. Install the Access Control Policy on the applicable Security Gateways.