topic Disabling TLS 1.0 and TLS 1.1 on Quantum Spark 1555 in Firewall and Security Management

Disabling TLS 1.0 and TLS 1.1 on Quantum Spark 1555

kiriwaEvariste — Tue, 21 Oct 2025 11:55:36 GMT

Hello community,
How do I disable TLS1.0 and TLS1.1 on Quantum Spark devices in CLI with version R81.10.10 ?

Re: Disabling TLS 1.0 and TLS 1.1 on Quantum Spark 1555

Lesley — Tue, 21 Oct 2025 13:24:56 GMT

VPN? Syslog? Gaia portal? SSH? HTTPS inspection?

SSL inspection try:

https://sc1.checkpoint.com/documents/Appliances/Quantum_Spark_R82.00.X/CLI/EN/Content/Topics/set-admin-access.htm

SSH:

https://sc1.checkpoint.com/documents/Appliances/Quantum_Spark_R82.00.X/CLI/EN/Content/Topics/show-ssh-cipher.htm

webui try:

Enter Clish mode.

clish
Run:

set admin-access support-weak-tls-version false
Save the changes in the database:

save config

Re: Disabling TLS 1.0 and TLS 1.1 on Quantum Spark 1555

kiriwaEvariste — Tue, 21 Oct 2025 14:16:12 GMT

Thanks, that was helpful.
However, is there a command to disable it generally in the LAN so that it's not just SSH and the web portal, but all services using TLS 1.0 and TLS 1.1 are blocked?

Re: Disabling TLS 1.0 and TLS 1.1 on Quantum Spark 1555

Lesley — Tue, 21 Oct 2025 14:21:52 GMT

you mean clients that sends TLS 1.0 you want to block? Or you want to block TLS 1.0 on the fw itself?

So traffic that flows via this firewall , like browsing traffic?

Then you need security blades likes IPS and application control to block old TLS versions.

Re: Disabling TLS 1.0 and TLS 1.1 on Quantum Spark 1555

kiriwaEvariste — Tue, 21 Oct 2025 14:33:33 GMT

We want to block clients that send TLS 1.0.
We have the IPS module.
How can we specifically block TLS 1.0 and TLS 1.1 with IPS?

Re: Disabling TLS 1.0 and TLS 1.1 on Quantum Spark 1555

Lesley — Tue, 21 Oct 2025 14:51:58 GMT

With app control: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityManagement_AdminGuide/Content/Topics-SECMG/Blocking_TLS_Connections.htm

Recommended way is with https inspection:

https://support.checkpoint.com/results/sk/sk182224

IPS: search for IPS protections TLS 1.0 and TLS 1.1 overwrite protection with drop instead of accept / inactive -> https://support.checkpoint.com/results/sk/sk179910

Generic info:

https://support.checkpoint.com/results/sk/sk178505

Re: Disabling TLS 1.0 and TLS 1.1 on Quantum Spark 1555

kiriwaEvariste — Tue, 21 Oct 2025 15:11:43 GMT

Thanks,

But it's an SMB that is managed locally, so this procedure will be difficult to implement.
And writing a rule with port 443 on SMBs, I'm afraid it will block other services using that port. That's why I was looking for a command that could disable TLS1.0 and TLS1.1 so that a user couldn't use a service using TLS1.0 and TLS1.0.

Re: Disabling TLS 1.0 and TLS 1.1 on Quantum Spark 1555

Lesley — Tue, 21 Oct 2025 16:31:57 GMT

Start a test rule with only 1 machine (IP) , test with SSL labs (browser test) to compare results.

For ips start with: https://sc1.checkpoint.com/documents/SMB_R81.10.X/AdminGuides_Locally_Managed/EN/Content/Topics/Viewing-IPS-Protections-List.htm?tocpath=Managing%20Threat%20Prevention%7C_____5

try to find tls in application database for app control