topic Re: CP R.80.30 Not allowed SSL version in Firewall and Security Management

CP R.80.30 Not allowed SSL version

Sried — Thu, 26 Sep 2019 08:59:52 GMT

Hi Everyone,

im currently encountering an issue with several drops of different sevices being rejected with the message Not allowed SSL version.

I checked the DB settings: ssl_min_ver is set to sslv3 while max is set to tls1.2 .

I also created a seperate rule for ssl inspect like described in sk34182., yet i still receive the error.

Currently it blocks me from initiating a rdp session within an existing Site 2 Site VPN Connection.

Remote_Desktop_Protocol (TCP/3389)

Reject

Not allowed SSL version

So far i was not able to find any other sk article regarding this issue,

Has anyone else encountered this problem?

Re: CP R.80.30 Not allowed SSL version

_Val_ — Thu, 26 Sep 2019 09:58:08 GMT

Please check your RDP SSL Inspection is properly set. Look here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk15475

Re: CP R.80.30 Not allowed SSL version

_Val_ — Thu, 26 Sep 2019 09:59:01 GMT

If that does not help, you can try HTTPSi bypass rule for RDP specifically

Re: CP R.80.30 Not allowed SSL version

Sried — Thu, 26 Sep 2019 11:00:50 GMT

Hi Valeri,

i tried the explicit https bypass rule for RDP, unfortunately the behavior is still the same.

I also tried your link, but i get the message: Solution could not be found in the system.

Yet i found a TCP service which could be a remnant from R77.30

Protocol: SSL_V3

Match By Port: Any

Protocol Signature: checked

Could it be that the service is mismatched since it fulfills the criteria for this object?

Re: CP R.80.30 Not allowed SSL version

PhoneBoy — Thu, 26 Sep 2019 18:41:25 GMT

HTTPS Inspection is only for web traffic, it shouldn't impact RDP.
I suspect this is getting blocked by IPS which does have protections that block older SSL versions.
Can you provide a screenshot of the log card? (Feel free to mask sensitive details)

Re: CP R.80.30 Not allowed SSL version

Sried — Fri, 27 Sep 2019 08:09:37 GMT

Hi,

i attached the log for the RDP drop.

Re: CP R.80.30 Not allowed SSL version

_Val_ — Fri, 27 Sep 2019 12:49:18 GMT

@PhoneBoy I am afraid you are mistaken, please check the SK I have referenced above

Re: CP R.80.30 Not allowed SSL version

_Val_ — Fri, 27 Sep 2019 12:51:44 GMT

The action is bypass, so it is not the policy. Which HFA are you running at? With R80.30 you need at least Jumbo 50

Re: CP R.80.30 Not allowed SSL version

_Val_ — Fri, 27 Sep 2019 12:52:46 GMT

Yes, you might need to set up a _new_ RDP service. One inherited from R77.30 is no good

Re: CP R.80.30 Not allowed SSL version

Sried — Fri, 27 Sep 2019 13:26:31 GMT

Hi,

i just checked the version of the cluster.

Sorry, it seems i was mistake. R80.30 is the Console.

Currently installed:

HOTFIX_R80_20_JUMBO_HF_MAIN Take: 87

Re: CP R.80.30 Not allowed SSL version

PhoneBoy — Fri, 27 Sep 2019 22:59:31 GMT

There is a specific hotfix you will need to install, but it's on top of a different jumbo take (47): https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk154752
Recommend engaging with the TAC.

Re: CP R.80.30 Not allowed SSL version

PhoneBoy — Fri, 27 Sep 2019 23:00:18 GMT

Huh, you learn something new every day. 😁

Re: CP R.80.30 Not allowed SSL version

Sried — Mon, 28 Oct 2019 14:42:04 GMT

Hi everyone,

it turned out that someone configured multiple Services with active protocol signature(TCP,UDP,) under R77.80.

But instead of matching them to the recommended port (e.g. 443 TCP) they were matched for any port. This led to the error that any tcp / UDP traffic which was encypted matched for those services (which were missing in the security and application policy rules). The issue became visible after the update fron 77.30 to 80.20 .

As a solution, i deleted both services.

Thx for all the help