Example network scheme:
First You need to enable the DHCP relay on the Checkpoint. To do so, connect to the CLI of FW1 via SSH or whichever other protocol You specified before.
Type "sysconfig"
First we need to set up the DHCP servers list properly, so choose Configure DHCP relay and then 1.
Let's have a look at the DHCP servers list first - if You didn't configure anything before, it should be empty.
Next choose to Add the DHCP server.
In our case it will be 192.168.100.1 - if You have more DHCP servers, enter their IP addresses here. Keep them in the same VLAN.
Now go back and choose 2 for "Relay via interfaces".
Now You have to pick the interfaces between which the DHCP traffic should pass.
In our case it is:
eth0 - physical interface
eth0.1 - server vlan
eth0.2 - data vlan
Keep in mind that You need to choose the physical interface as well, not only the VLAN interface.
In case Your DHCP server is for example in eth1.2 You need to choose:
eth1 - physical interface
eth1.2 - server vlan
After choosing the proper interfaces go back and press 3 to enable the DHCP relay.
You need to perform the same steps on FW2 if You have a cluster - remember that this example config is based on a Checkpoint cluster.
Now run the SmartDashboard - we need to create rules so our Checkpoint is not blocking the DHCP traffic.
Those rules must be created before the STEALTH rule.
1. Create a HOST object - call it DHCP - with the IP address 255.255.255.255, and use it as the destination of the first rule:
Source: Any
Destination: DHCP
Service: dhcp-req-localmodule (UDP)
2. Rule
Source: 192.168.1.0/24 (Data Vlan)
Destination: 192.168.100.1 (DHCP Server)
Service: dhcp-req-localmodule
3. Rule
Source: 192.168.100.1 (DHCP Server)
Destination: FWCluster
Service: dhcp-relay
4. Rule
Source: 192.168.100.1 (DHCP Server)
Destination: 192.168.1.0/24 (Data Vlan)
Service: dhcp-rep-localmodule
On some forums You can find the information that You should put all the services together, like:
dhcp-rep-localmodule
dhcp-relay
dhcp-req-localmodule
in each rule. This is not necessary, so if You want to keep it clean, use the configuration above.
Compile the rules.
To give You a complete overview of the services:
dhcp-req-localmodule
Port UDP: 67
Source Port: 68
Accept Replies
Enable Aggressive Aging
Synchronize connections on Cluster
dhcp-rep-localmodule
Port UDP: 68
Source Port: 67
Accept Replies
Enable Aggressive Aging
Synchronize connections on Cluster
dhcp-relay
Port: 67
Source Port: 67
Accept Replies
Enable Aggressive Aging
Synchronize connections on Cluster
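A simplified first-match model of rules 1-4 and the three service definitions above, added here as an example (it is not Check Point code or output). The cluster addresses 192.168.1.254 and 192.168.100.254, the client 192.168.1.50 and all sample packets are assumptions constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# Services from the overview above: name -> (UDP source port, UDP destination port).
SERVICES = {
    "dhcp-req-localmodule": (68, 67),
    "dhcp-rep-localmodule": (67, 68),
    "dhcp-relay": (67, 67),
}
DATA_VLAN = "192.168.1.0/24"
DHCP_SERVER = "192.168.100.1/32"
BROADCAST = "255.255.255.255/32"  # the HOST object called DHCP
# Assumption: cluster addresses in the data and server VLANs (not given on the page).
FW_CLUSTER = ["192.168.1.254/32", "192.168.100.254/32"]
ANY = ["0.0.0.0/0"]

# (rule number, sources, destinations, service), in the order listed above.
RULES = [
    (1, ANY, [BROADCAST], "dhcp-req-localmodule"),
    (2, [DATA_VLAN], [DHCP_SERVER], "dhcp-req-localmodule"),
    (3, [DHCP_SERVER], FW_CLUSTER, "dhcp-relay"),
    (4, [DHCP_SERVER], [DATA_VLAN], "dhcp-rep-localmodule"),
]

Packet = namedtuple("Packet", "src sport dst dport")
def _in(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)

def match_rule(pkt):
    """Return the number of the first rule accepting this UDP packet, else None."""
    for number, sources, dests, service in RULES:
        if (_in(pkt.src, sources) and _in(pkt.dst, dests)
                and (pkt.sport, pkt.dport) == SERVICES[service]):
            return number
    return None

# Constructed sample packets: the legs of a relayed lease and of a unicast renewal.
SAMPLES = {
    "client broadcast request": Packet("0.0.0.0", 68, "255.255.255.255", 67),
    "client unicast renewal": Packet("192.168.1.50", 68, "192.168.100.1", 67),
    "server reply to relay": Packet("192.168.100.1", 67, "192.168.1.254", 67),
    "server reply to client": Packet("192.168.100.1", 67, "192.168.1.50", 68),
    "non-DHCP UDP to server": Packet("192.168.1.50", 40000, "192.168.100.1", 53),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:26} -> rule {match_rule(pkt)}")
```

Each rule carries a single service and every DHCP leg still finds its rule, while the non-DHCP packet matches none of them.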
Hope this helps - if You see any errors feel free...
