https://community.checkpoint.com/t5/Firewall-and-Security-Management/TLSv1-3-and-Weak-CBC-Ciphers/m-p/156643#M27020 <P>Do we have a specific document? No.<BR />The ciphers we have enabled by default should provide the best mix of usability and security.<BR />Additional ones can be disabled based on your precise requirements.</P> Tue, 06 Sep 2022 14:36:12 GMT PhoneBoy 2022-09-06T14:36:12Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/TLSv1-3-and-Weak-CBC-Ciphers/m-p/155511#M26503 <P>Hi All,</P><P>We are planning to enable the inspection of TLSv1.3 on R81 gateways. I went through the below document to enable it but not really sure whether the interface IPs configured on firewalls will also be inspected with the TLSv1.3. Also may i know whether this will affect the TLSv1.2 traffic passing through the firewall once we enable this option?</P><P><A href="https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SecurityManagement_AdminGuide/Topics-SECMG/HTTPS-Inspection.htm#Configuring_Security_Gateways_to_Inspect_TLS_v1.3_Traffic" target="_blank">HTTPS Inspection (checkpoint.com)</A></P><P>We are also planning to disable weak CBC ciphers but did not find any such documents related to disable. When it comes to Cisco ASA it can be done directly in ASDM but not finding any options in Checkpoint, could you please help me with any such documents which helps me with the configuration on removing the weak Ciphers?</P><P>Also will there be any impact other than not negotiating with the weak ciphers? Mainly when negotiating for the Remote Access VPN.</P><P>Regards,</P><P>Sanjay S</P> Tue, 23 Aug 2022 11:29:35 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/TLSv1-3-and-Weak-CBC-Ciphers/m-p/155511#M26503 Sanjay_S 2022-08-23T11:29:35Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/TLSv1-3-and-Weak-CBC-Ciphers/m-p/155517#M26505 <P>Different infrastructure needs to be enabled to inspect TLS 1.3.<BR />It will also inspect TLS 1.2 and earlier.&nbsp;</P> <P>For the cipher question:&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk126613&amp;partition=Advanced&amp;product=Quantum" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk126613&amp;partition=Advanced&amp;product=Quantum</A></P> Tue, 23 Aug 2022 12:01:55 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/TLSv1-3-and-Weak-CBC-Ciphers/m-p/155517#M26505 PhoneBoy 2022-08-23T12:01:55Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/TLSv1-3-and-Weak-CBC-Ciphers/m-p/155522#M26508 <P>Thank you PhoneBoy this really helps.</P> Tue, 23 Aug 2022 12:42:37 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/TLSv1-3-and-Weak-CBC-Ciphers/m-p/155522#M26508 Sanjay_S 2022-08-23T12:42:37Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/TLSv1-3-and-Weak-CBC-Ciphers/m-p/156629#M27019 <P>Hi PhoneBoy,</P><P>Is there any list of approved Ciphers by Checkpoint to use and weak ciphers list which we can disable?</P><P>Regards,</P><P>Sanjay S</P> Tue, 06 Sep 2022 13:27:49 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/TLSv1-3-and-Weak-CBC-Ciphers/m-p/156629#M27019 Sanjay_S 2022-09-06T13:27:49Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/TLSv1-3-and-Weak-CBC-Ciphers/m-p/156643#M27020 <P>Do we have a specific document? No.<BR />The ciphers we have enabled by default should provide the best mix of usability and security.<BR />Additional ones can be disabled based on your precise requirements.</P> Tue, 06 Sep 2022 14:36:12 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/TLSv1-3-and-Weak-CBC-Ciphers/m-p/156643#M27020 PhoneBoy 2022-09-06T14:36:12Z