https://community.checkpoint.com/t5/Firewall-and-Security-Management/Disabling-Weak-Ciphers-Specifically-DES-for-IPSEC-on-R80-30-and/m-p/115440#M16230 <P>A new R80.30 cluster has been flagged by Qualys as supporting "Weak IPSec Encryption Settings".&nbsp; I assumed this was over SHA-1 or 1024-bit keys, but got a bit of a surprise when I viewed the report and saw that it was complaining of DES.&nbsp; Like RC4 and MD5, DES has been obsolete for about 20 years and there's absolutely no reason to have it enabled or even supported for that matter.&nbsp;&nbsp;</P><P>&nbsp;</P><P>But, how do I disable it?&nbsp; It's not clear to me if unchecking it in traditional mode is adequate, or I should be looking somewhere else.&nbsp;&nbsp;</P><P><LI-PRODUCT title="Security Gateway Appliances" id="security-gateway-appliances"></LI-PRODUCT>&nbsp;</P> Tue, 06 Apr 2021 22:38:38 GMT johnnyringo 2021-04-06T22:38:38Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Disabling-Weak-Ciphers-Specifically-DES-for-IPSEC-on-R80-30-and/m-p/115440#M16230 <P>A new R80.30 cluster has been flagged by Qualys as supporting "Weak IPSec Encryption Settings".&nbsp; I assumed this was over SHA-1 or 1024-bit keys, but got a bit of a surprise when I viewed the report and saw that it was complaining of DES.&nbsp; Like RC4 and MD5, DES has been obsolete for about 20 years and there's absolutely no reason to have it enabled or even supported for that matter.&nbsp;&nbsp;</P><P>&nbsp;</P><P>But, how do I disable it?&nbsp; It's not clear to me if unchecking it in traditional mode is adequate, or I should be looking somewhere else.&nbsp;&nbsp;</P><P><LI-PRODUCT title="Security Gateway Appliances" id="security-gateway-appliances"></LI-PRODUCT>&nbsp;</P> Tue, 06 Apr 2021 22:38:38 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Disabling-Weak-Ciphers-Specifically-DES-for-IPSEC-on-R80-30-and/m-p/115440#M16230 johnnyringo 2021-04-06T22:38:38Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Disabling-Weak-Ciphers-Specifically-DES-for-IPSEC-on-R80-30-and/m-p/115449#M16233 <P><A href="https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&amp;eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk82900" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&amp;eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk82900</A></P> Wed, 07 Apr 2021 02:30:18 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Disabling-Weak-Ciphers-Specifically-DES-for-IPSEC-on-R80-30-and/m-p/115449#M16233 PhoneBoy 2021-04-07T02:30:18Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Disabling-Weak-Ciphers-Specifically-DES-for-IPSEC-on-R80-30-and/m-p/115463#M16236 <P>Thanks.&nbsp; The steps left me a bit confused because we're not configuring VPNs via Traditional Mode (which is the default) and this is a fresh policy created in R80.30.&nbsp; Also, we don't use Remote Access VPN.&nbsp; But I'll give that a shot and ask for a re-scan.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CheckPointR8040VPNConfigMethod.png" style="width: 697px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/11293i6585378478288439/image-size/large?v=v2&amp;px=999" role="button" title="CheckPointR8040VPNConfigMethod.png" alt="CheckPointR8040VPNConfigMethod.png" /></span></P> Wed, 07 Apr 2021 04:20:54 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Disabling-Weak-Ciphers-Specifically-DES-for-IPSEC-on-R80-30-and/m-p/115463#M16236 johnnyringo 2021-04-07T04:20:54Z