topic Resolving TLS1.0 and TLS1.1 Security Threats for Remote Access in Firewall and Security Management

Resolving TLS1.0 and TLS1.1 Security Threats for Remote Access

P_Williams — Wed, 02 Apr 2025 14:11:21 GMT

I have been sent a report listing various public facing services on our firewalls and whether they are allowing TLS1.0 and TLS1.1.

For the URL that clients use to connect to use the Remote Access vpn it has come back as allowing 1.0 and 1.1

Risk Vector	Finding Identifier	Last Seen	Grade	Attributed To	Finding Severity
SSL Configurations	remoteaccess.mycompany.com:443	27/03/2025	BAD	My Company Inc.	severe

Asset Importance	Assets	Details
critical	remoteaccess.mycompany.com	Allows insecure protocol: TLSv1.0; Allows insecure protocol: TLSv1.1

Presumably the client, when it connects initially, wouldn't be using 1.0 or 1.1. But beyond that I don't know what I can do to get rid of the vulnerability. I am not sure if the vulnerability even is to do with the RemoteAccess service, it is just that it uses the same public IP as the firewalls.

What could I do on the firewall to remove this vulnerability?

The firewalls are VSX running r81

Re: Resolving TLS1.0 and TLS1.1 Security Threats for Remote Access

G_W_Albrecht — Wed, 02 Apr 2025 14:50:38 GMT

See sk178505: Which TLS version do Check Point products use?

and then

sk154532: Vulnerability scan detects that the Security Gateway supports TLS 1.0 or TLS 1.1 when one or more security blades are enabled

Re: Resolving TLS1.0 and TLS1.1 Security Threats for Remote Access

P_Williams — Wed, 02 Apr 2025 15:21:41 GMT

That looks promising, many thanks. Looks like it will need a proper review and CAB before implementing but will feedback how I get on.

Re: Resolving TLS1.0 and TLS1.1 Security Threats for Remote Access

the_rock — Wed, 02 Apr 2025 16:29:31 GMT

Hey @P_Williams

I believe you can also correct this with settings I attached from global properties.

Andy

Re: Resolving TLS1.0 and TLS1.1 Security Threats for Remote Access

G_W_Albrecht — Thu, 03 Apr 2025 08:22:48 GMT

It is just an advanced Portal configuration option in SmartDashboard menue, see the screenshot @the_rock has posted.

Re: Resolving TLS1.0 and TLS1.1 Security Threats for Remote Access

G_W_Albrecht — Thu, 03 Apr 2025 08:21:46 GMT

Yes, found here: sk154532: Vulnerability scan detects that the Security Gateway supports TLS 1.0 or TLS 1.1 when one ...

Re: Resolving TLS1.0 and TLS1.1 Security Threats for Remote Access

the_rock — Thu, 03 Apr 2025 10:42:50 GMT

Sorry, my bad, it asked me to log in to view that sk when I tried yesterday, but I see it now.

Andy

Re: Resolving TLS1.0 and TLS1.1 Security Threats for Remote Access

G_W_Albrecht — Thu, 03 Apr 2025 13:15:54 GMT

You did post the shortcut 🙃

Re: Resolving TLS1.0 and TLS1.1 Security Threats for Remote Access

P_Williams — Tue, 22 Apr 2025 13:10:49 GMT

Hi,

Just confirming that this worked, we changed the setting to 1.2 and the vulnerability scan has now succeeded. Thank you