topic Re: cipher_util - R80.30 / R80.40 - sk126613 in Firewall and Security Management

cipher_util - R80.30 / R80.40 - sk126613

Soeren_Rothe — Tue, 21 Apr 2020 08:07:05 GMT

Hello,

for the Azure VMSS Rollout we need to change the Ciphers automatically, when a new FW instance is deployed.

I would like to disable these Ciphers:

Disabled: TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_RC4_128_MD5 TLS_RSA_WITH_RC4_128_SHA

I tried this, it works on a VPN Cluster and another VM, but not on the VMSS. I believe this is a timing issue.

(printf '1\n3\n' ; sleep 2 ; printf '21,22,23\n' ; sleep 1 ; printf 'q\ny\n' ) | cipher_util

I am looking for a proper way to modify these ciphers, what does cipher_util do? Can I somehow do it like on R80.20 ? Is cipher_util able to use a configuration file, if not, is this planned?

Re: cipher_util - R80.30 / R80.40 - sk126613

Soeren_Rothe — Tue, 21 Apr 2020 12:05:10 GMT

The sk126613 was updated.

You may need to do a policy push after you modify the cipher suites using cipher_util so that the Security Gateway is updated with the changes.

After the policy push the changes are now active and the cipher_util tool shows the disabled Ciphers.

Re: cipher_util - R80.30 / R80.40 - sk126613

PhoneBoy — Tue, 05 May 2020 22:20:12 GMT

cipher_util modifies a couple of configuration files:
$CPDIR/conf/multi_portal_cipher_priority.conf
$CPDIR/conf/ssl_inspection_cipher_priority.conf

It might be easier to simply copy pre-configured versions of these files to the gateways.
This is noted in sk126613.

Re: cipher_util - R80.30 / R80.40 - sk126613

Soeren_Rothe — Tue, 05 May 2020 22:54:50 GMT

Thanks for the hint, I think you refer to this note?

In order to apply a configuration to multiple Security Gateways, the 'multi_portal_cipher_priority.conf' / 'ssl_inspection_cipher_priority.conf' files need to be copied to $CPDIR/conf followed by cprestart command. Otherwise, DO NOT edit them as in previous versions. The tool manages the files interactively.

The thing is, to perform a cprestart in the middle of the FW Instance creating (VMSS) sounds a little bit risky. So I prefer the cipher_tool using the echo command to disable unwanted ciphers.

It would be great to just copy over the files to the gateway, just like you mentioned, and ran a command to activate / deactivate the ciphers, just like it is done by cipher_util. Something like "cipher_util --reload config" 😉

Re: cipher_util - R80.30 / R80.40 - sk126613

PhoneBoy — Tue, 05 May 2020 23:10:09 GMT

I assume it would be enough to install policy afterwords, but that would obviously require testing.