topic Re: R81.10 cipher_util issue in Firewall and Security Management

R81.10 cipher_util issue

G_W_Albrecht — Thu, 03 Mar 2022 12:41:06 GMT

cipher_util does no longer work for multiportal in R81.10, look for yourself:

- start cipher_util

- display multiportal cipher list

- disable one cipher

- display cipher list shows the cipher as disabled

- quit cipher_util and type y save:

Would you like to save configuration? [y/N] y

Successfuly reconfigured

Exiting cipher tool...

- start cipher_util

- display multiportal cipher list

---> you will see that nothing was changed and cipher_util has not saved the changes !

Re: R81.10 cipher_util issue

matangi — Thu, 03 Mar 2022 13:44:02 GMT

Hi @G_W_Albrecht

Thank you for raising this issue

We are aware of this issue and working on a fix, will be released in R81.20 once the tests are completed successfully

cipher_util tool works as expected for HTTPS Inspection
A valid Workaround of changing ciphers for Multi-portal is to install policy by running "fw fetch local" on the Gateway right after "save configuration" step

Thanks,
Matan

Re: R81.10 cipher_util issue

G_W_Albrecht — Wed, 02 Mar 2022 17:06:10 GMT

Replicated issue and workaround on R81.10 and R80.40 GWs. Is there an SK for this issue already ?

Re: R81.10 cipher_util issue

G_W_Albrecht — Thu, 03 Mar 2022 12:40:12 GMT

Is it correct that this issue also is present in R81 @matangi ?

Re: R81.10 cipher_util issue

matangi — Thu, 03 Mar 2022 13:11:19 GMT

Hi @G_W_Albrecht
Yes, issue is present in R80.40 and higher releases

We created a new SK for that matter, see https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk178165

Thanks,
Matan

Re: R81.10 cipher_util issue

the_rock — Thu, 03 Mar 2022 14:30:49 GMT

Indeed...tested on R80.40 and above, same issue. On R80.30, works fine.

Andy

Re: R81.10 cipher_util issue

the_rock — Thu, 03 Mar 2022 14:35:04 GMT

Good job! Just tested with that sk and worked like a charm.

Re: R81.10 cipher_util issue

chuck — Thu, 17 Nov 2022 18:29:23 GMT

Hi @matangi

Got the same problem in our upgrade from R80.30 to R81.10.

We tried the workaround in sk178165, does not seem to work.

The only difference from the workaround is that after "Multi Portal" a got to select "TLS 1.2 Ciphers"

Thanks

Re: R81.10 cipher_util issue

matangi — Sun, 20 Nov 2022 09:29:53 GMT

Thanks @chuck
In case the problem persists, Please open a service request to Check Point Support

Re: R81.10 cipher_util issue

Fire_Verse — Tue, 25 Jul 2023 07:42:23 GMT

So this has been a known issue for over a year? Hey Check Point how about:

Update sk126613 directly with sk178165
Create a hotfix for affected versions

How much more time do you need on this? Amazing.

Re: R81.10 cipher_util issue

G_W_Albrecht — Tue, 25 Jul 2023 09:07:18 GMT

- sk178165 is listed first under Known Limitations of sk126613

- R81.20 includes a fix

- there is a workaround for R80.40 -> R81.10

As disabling ciphers for MultiPortal is no activity repeated every other day it is not so hard to live with it 😉

Re: R81.10 cipher_util issue

Fire_Verse — Tue, 25 Jul 2023 22:30:50 GMT

"sk178165 is listed first under Known Limitations of sk126613" <-- This should be included within the steps, not added as an afterthought at the end of the SK.

"R81.20 includes a fix" <--Customer is not on R81.20, so this doesn't apply.

"there is a workaround for R80.40 -> R81.10" <-- That's not a "workaround" that is a missing step in the documentation.

"As disabling ciphers for MultiPortal is no activity repeated every other day it is not so hard to live with it" <-- Maybe for you, but I have a customer with an outage because of this SK. This SK article has not been updated after 16 months and multiple reports of problems, sk178165 and sk126613 have not been combined, this not to have been addressed in a hotfix, and the multiportal still has these ciphers enabled by default.

If gateways are going to continue to be shipped this way, then the documentation should be spot on so that they can be quickly corrected and run as actual security devices.

Otherwise this cipher issue is going to be highlighted on any kind of vulnerability scan or pen test, and make it quite a challenge to demonstrate compliance to any reputable standard.

Re: R81.10 cipher_util issue

G_W_Albrecht — Tue, 25 Jul 2023 09:38:46 GMT

Yes, this world could be a better place 8) ! Missing / incomplete / wrong documentation is an old issue in IT - but i personally prefer fixes to bugs, as the best documentation will not help you if the product has issues...

The gateways shouldn't even have these outdated ciphers enabled by default

--> I would suggest you do a RFE for that...

Re: R81.10 cipher_util issue

Fire_Verse — Tue, 25 Jul 2023 10:07:26 GMT

An RFE to remove Ciphers without PFS support and that use SHA-1? They shouldn't be included on a security gateway in this day and age.

https://ciphersuite.info/

Re: R81.10 cipher_util issue

_Val_ — Tue, 25 Jul 2023 10:34:32 GMT

Feel free to raise this with your local Check Point representative.

Re: R81.10 cipher_util issue

the_rock — Tue, 25 Jul 2023 12:34:04 GMT

Could not agree more @Fire_Verse

Andy