topic Re: Identical R82.10 GWs with different options for set ssh server mac and set ssh server kex in Firewall and Security Management

Identical R82.10 GWs with different options for set ssh server mac and set ssh server kex

Douglas_Rich — Fri, 13 Mar 2026 17:20:13 GMT

Identical R82.10 GWs with different options for set ssh server mac and set ssh server kex
For R82.10 if you do a fresh install these setting are an option in clish, On another lab server that I upgraded from R82 to R82.10 these are not options in clish:
set ssh server mac hmac-md5 off
set ssh server mac hmac-md5-96 off
set ssh server mac hmac-sha1-96 off
set ssh server kex sntrup761x25519-sha512@openssh.com on

==============================

atl-msslab-R82-fw1> show ssh server mac supported
--------------------------------
supported mac:
--------------------------------
hmac-md5-96-etm@openssh.com
hmac-md5-etm@openssh.com
hmac-sha1
hmac-sha1-96-etm@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha2-256
hmac-sha2-256-etm@openssh.com
hmac-sha2-512
hmac-sha2-512-etm@openssh.com
umac-64-etm@openssh.com
umac-64@openssh.com
umac-128-etm@openssh.com
umac-128@openssh.com
--------------------------------
atl-msslab-R82-fw1> show ssh server kex supported
--------------------------------
supported kex:
--------------------------------
curve25519-sha256
curve25519-sha256@libssh.org
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
--------------------------------
atl-msslab-R82-fw1> show asset system
Platform: VMware Virtual Platform
CPU Model: Intel(R) Xeon(R) CPU E5-2670 v3
CPU Frequency: 2299.997 Mhz
Number of Cores: 12
CPU Hyperthreading: Disabled

atl-msslab-R82-fw1> fw ver
This is Check Point's software version R82.10 - Build 767
atl-msslab-R82-fw1> exit
[Expert@atl-msslab-R82-fw1:0]# uname -a
Linux atl-msslab-R82-fw1 5.14.0-427.13.1cpx86_64 #1 SMP Fri Dec 12 10:23:31 IST 2025 x86_64 x86_64 x86_64 GNU/Linux

==============================

atl-msslab-CP-FW1> show ssh server mac supported
--------------------------------
supported mac:
--------------------------------
hmac-md5
hmac-md5-96
hmac-md5-96-etm@openssh.com
hmac-md5-etm@openssh.com
hmac-sha1
hmac-sha1-96
hmac-sha1-96-etm@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha2-256
hmac-sha2-256-etm@openssh.com
hmac-sha2-512
hmac-sha2-512-etm@openssh.com
umac-64-etm@openssh.com
umac-64@openssh.com
umac-128-etm@openssh.com
umac-128@openssh.com
--------------------------------
atl-msslab-CP-FW1> show ssh server kex supported
--------------------------------
supported kex:
--------------------------------
curve25519-sha256
curve25519-sha256@libssh.org
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
sntrup761x25519-sha512@openssh.com
--------------------------------
atl-msslab-CP-FW1> show asset system
Platform: VMware Virtual Platform
CPU Model: Intel(R) Xeon(R) CPU E5-2670 v3
CPU Frequency: 2299.997 Mhz
Number of Cores: 8
CPU Hyperthreading: Disabled

atl-msslab-CP-FW1> fw ver
This is Check Point's software version R82.10 - Build 767
atl-msslab-CP-FW1> exit
[Expert@atl-msslab-CP-FW1:0]# uname -a
Linux atl-msslab-CP-FW1 5.14.0-427.13.1cpx86_64 #1 SMP Fri Dec 12 10:23:31 IST 2025 x86_64 x86_64 x86_64 GNU/Linux

Re: Identical R82.10 GWs with different options for set ssh server mac and set ssh server kex

Bob_Zimmerman — Wed, 25 Mar 2026 19:44:39 GMT

I've also hit this problem now. I have a cluster with two members.

02 was built a while ago at R81.10, upgraded to R81.20, then R82, now R82.10.

01 originally followed the same path. I tried to roll it back to a snapshot I took manually on R82 so others on the team could run the upgrade, but the snapshot is broken. A very large file (snap_log_backup.tgz) was added to /tmp while the snapshot was being taken, and it prevented other, more important files from being copied. I've confirmed this happened on both members, and I've got a ticket about it.

I just restored 01 factory defaults on R81.10, used config_system to run the first-time config, updated CPUSE, upgraded to R82.10 (via 'installer upgrade'), installed the sk184766 hotfix, established SIC, and pushed policy. Once it was talking to the management, I tried to get it to the same config as 02 (except IPs, hostname, and other expected differences). I can't because 01 has these options and 02 doesn't.

SomeFirewall-01> set ssh server kex [Tab] curve25519-sha256 curve25519-sha256@libssh.org diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group14-sha256 diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 sntrup761x25519-sha512@openssh.com SomeFirewall-01> set ssh server mac [Tab] hmac-md5 hmac-md5-96 hmac-md5-96-etm@openssh.com hmac-md5-etm@openssh.com hmac-sha1 hmac-sha1-96 hmac-sha1-96-etm@openssh.com hmac-sha1-etm@openssh.com hmac-sha2-256 hmac-sha2-256-etm@openssh.com hmac-sha2-512 hmac-sha2-512-etm@openssh.com umac-64-etm@openssh.com umac-64@openssh.com umac-128-etm@openssh.com umac-128@openssh.com SomeFirewall-01> set ssh server public-key [Tab] ecdsa-sha2-nistp256 ecdsa-sha2-nistp256-cert-v01@openssh.com ecdsa-sha2-nistp384 ecdsa-sha2-nistp384-cert-v01@openssh.com ecdsa-sha2-nistp521 ecdsa-sha2-nistp521-cert-v01@openssh.com rsa-sha2-256 rsa-sha2-256-cert-v01@openssh.com rsa-sha2-512 rsa-sha2-512-cert-v01@openssh.com sk-ecdsa-sha2-nistp256-cert-v01@openssh.com sk-ecdsa-sha2-nistp256@openssh.com sk-ssh-ed25519-cert-v01@openssh.com sk-ssh-ed25519@openssh.com ssh-dss ssh-dss-cert-v01@openssh.com ssh-ed25519 ssh-ed25519-cert-v01@openssh.com ssh-rsa ssh-rsa-cert-v01@openssh.com

And on member 02:

SomeFirewall-02> set ssh server kex [Tab] curve25519-sha256 curve25519-sha256@libssh.org diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group14-sha256 diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 SomeFirewall-02> set ssh server mac [Tab] hmac-md5-96-etm@openssh.com hmac-md5-etm@openssh.com hmac-sha1 hmac-sha1-96-etm@openssh.com hmac-sha1-etm@openssh.com hmac-sha2-256 hmac-sha2-256-etm@openssh.com hmac-sha2-512 hmac-sha2-512-etm@openssh.com umac-64-etm@openssh.com umac-64@openssh.com umac-128-etm@openssh.com umac-128@openssh.com SomeFirewall-02> set ssh server public-key [Tab] ecdsa-sha2-nistp256 ecdsa-sha2-nistp256-cert-v01@openssh.com ecdsa-sha2-nistp384 ecdsa-sha2-nistp384-cert-v01@openssh.com ecdsa-sha2-nistp521 ecdsa-sha2-nistp521-cert-v01@openssh.com rsa-sha2-256 rsa-sha2-256-cert-v01@openssh.com rsa-sha2-512 rsa-sha2-512-cert-v01@openssh.com ssh-dss ssh-dss-cert-v01@openssh.com ssh-ed25519 ssh-ed25519-cert-v01@openssh.com ssh-rsa ssh-rsa-cert-v01@openssh.com

Re: Identical R82.10 GWs with different options for set ssh server mac and set ssh server kex

Bob_Zimmerman — Wed, 25 Mar 2026 21:08:10 GMT

As a workaround, I was given a few commands to make clish aware of the settings:

dbset ssh:kex:supported:sntrup761x25519-sha512@openssh.com t dbset ssh:mac:supported:hmac-md5 t dbset ssh:mac:supported:hmac-md5-96 t dbset ssh:mac:supported:hmac-sha1-96 t dbset ssh:public-key:supported:sk-ecdsa-sha2-nistp256-cert-v01@openssh.com t dbset ssh:public-key:supported:sk-ecdsa-sha2-nistp256@openssh.com t dbset ssh:public-key:supported:sk-ssh-ed25519-cert-v01@openssh.com t dbset ssh:public-key:supported:sk-ssh-ed25519@openssh.com t

Note that I have no idea how supported or not this is. Get support's advice before trying it on a firewall you intend to use for anything but lab purposes.

Got to say between the snapshot problems and this, my impressions of R82.10 are rather negative so far. Also irritated by all my SSH server keys getting regenerated yet again, and with the use of systemd.