topic Vulnerability scan shows ports 18231 uses weak ciphers in Firewall and Security Management

Vulnerability scan shows ports 18231 uses weak ciphers

Bachan — Thu, 17 Oct 2024 14:54:21 GMT

Hi Team,

Checkpoint devices showing that weak ciphers are used on port 18231.

Current version on Gateway : R81.20 Take 76.

As per the sk132712 the issue should have been resolved in R81.20 . But we still see this vulnerability in the scan report.

Can you please let us know if there is any other solution to this ?

Attached is the scan report of the same.

Re: Vulnerability scan shows ports 18231 uses weak ciphers

Tal_Paz-Fridman — Thu, 17 Oct 2024 18:11:48 GMT

I'll forward this to the relevant R&D owner but the SK details how to disable the Legacy Desktop Policy process.

Do you use Policy Server and Desktop Policy enabled?

"For other versions and Jumbo Hotfixes;
You can disable the daemon completely by editing the implied_rules.def, and removing/commenting the relevant lines:"

Re: Vulnerability scan shows ports 18231 uses weak ciphers

PhoneBoy — Thu, 17 Oct 2024 18:24:42 GMT

Have you tried disabling dtpsd as described in the SK?

Re: Vulnerability scan shows ports 18231 uses weak ciphers

the_rock — Thu, 17 Oct 2024 19:23:00 GMT

Can you try follow below from the sk?

Andy

You can disable the daemon completely by editing the implied_rules.def, and removing/commenting the relevant lines:

Open the relevant Gateway object properties in SmartDashboard and uncheck the box “Policy Server” under the “IPSec VPN” blade, click OK (Do not push policy) and close the SmartDashboard.
Open ssh / console connection to the Management Server.
Change directory to $FWDIR/lib : (cd $FWDIR/lib)
Note: For the location of the implied_rules.def file on the Management server, refer to sk92281.
Open the implied_rules.def file with vim:

[Expert@HostName:0]# vim implied_rules.def
Comment the following lines:

Before the change:

#define ENABLE_FWD_TOPO

#define ENABLE_FW1_PSLOGON_NG

After the change:

/*#define ENABLE_FWD_TOPO*/

/*#define ENABLE_FW1_PSLOGON_NG*/
Save the modified file.
Install Policy on the relevant gateway.

Re: Vulnerability scan shows ports 18231 uses weak ciphers

Bachan — Fri, 18 Oct 2024 07:37:21 GMT

Hi Rock,

As mentioned in sk132712 " The workaround is given for other version" . But we are running on the checkpoint fixed version(R81.20 Take 76). Is it still recommended to do this ?

Re: Vulnerability scan shows ports 18231 uses weak ciphers

the_rock — Fri, 18 Oct 2024 11:52:40 GMT

Good question. I cant say 100%. as I dont know, so maybe better verify with TAC, to get an official answer. However, I will say this...if you decide to do it, please backup everything first.

Andy

Re: Vulnerability scan shows ports 18231 uses weak ciphers

Bachan — Fri, 18 Oct 2024 13:36:36 GMT

Do you use Policy Server and Desktop Policy enabled?

Yes, we have both the features enabled.

Re: Vulnerability scan shows ports 18231 uses weak ciphers

Bachan — Fri, 18 Oct 2024 13:38:30 GMT

Hi Rock,

We will give a shot on the test environment to implement this SK and update you.

Re: Vulnerability scan shows ports 18231 uses weak ciphers

the_rock — Fri, 18 Oct 2024 13:54:24 GMT

sounds good.

Re: Vulnerability scan shows ports 18231 uses weak ciphers

Bachan — Fri, 15 Nov 2024 15:45:20 GMT

Hi Rock,

We performed the sk132712 and this didnt resolve our issue. After policy installation the gateway stopped listening on port 18231, but after making VPN connection the icon for Compliance on Endpoint VPN Client changed to grey(Greyed out) and status to Off. So this solution will not work of our environment. Hence we ended up opening TAC. TAC provided us the below solution.

Follow the steps - (Make this changes on Gateway)

If you do not need policy on the client, you can uncheck the policy server checkbox on the GW.
If you do need policy, you can edit fwauthd.conf that is located in $FWDIR/conf and mark out the policy server processes as follow:

*#*0 dtps dtpsd respawn 0

*#*0 dtls dtlsd respawn 0

Then perform cprestart on the GW. Do a cpstop; cpstart in a maintenance window.

3. After this, the policy server should be shown down.

4. After that, we need to apply the hotfix(Contact TAC). The hotfix will assist to make the configuration changes permanent.

5. Check the status of port 18231 -

# netstat -tulnp |grep 18231
# netstat –atun |grep 18231

Note: Checkpoint has created PRHF-32277 for this issue and they don't have any plans to integrate this issue in next JHF anytime soon. So for every upgrade, we need to reach TAC for hot-patch.

Re: Vulnerability scan shows ports 18231 uses weak ciphers

the_rock — Fri, 15 Nov 2024 15:59:10 GMT

Excellent update, thank you very much for that! Glad its solved.

Andy