topic Re: weak ciphers in Firewall and Security Management

weak ciphers

umar7 — Wed, 05 Apr 2023 09:01:27 GMT

Re: weak ciphers

_Val_ — Mon, 30 Jan 2023 09:28:29 GMT

You already found the solution, sk126613. Run cipher_util and remove the weak ciphers. The SK has full instructions on how to do that.

Re: weak ciphers

umar7 — Wed, 05 Apr 2023 09:02:01 GMT

hell

Re: weak ciphers

_Val_ — Mon, 30 Jan 2023 10:51:04 GMT

Wait a moment, you are running R80.30? It is out of support for a while now.

Concerning your question, you really need to explain what you are trying to achieve. Removing ciphers from SSL Inspection will lead to a situation when traffic will not be inspected if a website only offers weak ciphers to use.

What are you trying to achieve in the first place? Harden the system? Which part of the functionalities?

Re: weak ciphers

G_W_Albrecht — Mon, 30 Jan 2023 12:04:21 GMT

Do you have SSL Inspection enabled at all ?

Re: weak ciphers

umar7 — Mon, 30 Jan 2023 12:10:47 GMT

no @G_W_Albrecht

actually how to we check this ssl enabled or not ?

Re: weak ciphers

umar7 — Mon, 30 Jan 2023 12:13:05 GMT

apologies to val , here i have attached the weak ciphers i really don;t know where i need to disable this and this is my first time using the cipher_utill

actually that was my lab environment R80.30 ,the original vulnerability observed by R81

Re: weak ciphers

_Val_ — Mon, 30 Jan 2023 12:45:03 GMT

Which vulnerability? You are not making much sense. Please elaborate, what do you want to achieve here?

What is the tool reporting week filters?

Re: weak ciphers

umar7 — Wed, 05 Apr 2023 09:02:31 GMT

hello

Re: weak ciphers

umar7 — Mon, 30 Jan 2023 13:09:01 GMT

the tools QUALYS SSl labs

Re: weak ciphers

G_W_Albrecht — Mon, 30 Jan 2023 13:46:02 GMT

According to the output above you do not have SSL Inspection for TP enabled. Open the GW object and select HTTPS inspection in left column - Enable HTTPS inspection is unchecked.

Re: weak ciphers

G_W_Albrecht — Mon, 30 Jan 2023 13:51:49 GMT

Multi Portal as this is always enabled ! See about the process and how to restart which services here: sk178165: The configuration made with the 'cipher_util' on a Security Gateway is not applied immediately after modifying Multi-Portal ciphers

Re: weak ciphers

_Val_ — Mon, 30 Jan 2023 13:52:10 GMT

I assume it is testing the SSL capabilities of your GW. Choose the Multi-portal, remove weak filters and check if the issue is resolved.

Re: weak ciphers

G_W_Albrecht — Wed, 08 Feb 2023 13:23:29 GMT

Did you succeed to disable the weak ciphers yet ?

Re: weak ciphers

umar7 — Wed, 08 Feb 2023 13:39:49 GMT

hi @G_W_Albrecht ,

i have succesfully completed the vulnerability mitigations based on the sk147272 and cipher_util tool

thanks for the response guys