https://community.checkpoint.com/t5/General-Topics/PCI-Scans-Failing-and-Disablement-of-DES-and-DH-Group-1/m-p/276031#M46074 <P>You may also wish to review&nbsp;<SPAN>sk113114 more broadly</SPAN></P> Fri, 24 Apr 2026 01:16:54 GMT Chris_Atkinson 2026-04-24T01:16:54Z https://community.checkpoint.com/t5/General-Topics/PCI-Scans-Failing-and-Disablement-of-DES-and-DH-Group-1/m-p/276015#M46065 <P>I have a site where PCI Scans are failing for&nbsp;DES and DH Group 1 vulnerabilities.</P><P>I'm pretty sure that we can disable DES exposure in Cluster&gt;IPSEC VPN&gt;Traditional Mode&gt;General Properties (see pic) while following sk82900</P><P><A href="https://support.checkpoint.com/results/sk/sk82900" target="_blank">https://support.checkpoint.com/results/sk/sk82900.</A></P><P>But in same pane/pic for Advanced Properties, it lists all the supported DH Groups and DH-1 Group is not selected.</P><P>So I need a document or sk for how/why DH Group-1 is being detected and how to disable it</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="cm-cluster-ipsec-props-1.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/34089iE72A1017C89BCE26/image-size/medium?v=v2&amp;px=400" role="button" title="cm-cluster-ipsec-props-1.png" alt="cm-cluster-ipsec-props-1.png" /></span></P><P> </P><P>&nbsp;</P> Thu, 23 Apr 2026 19:16:22 GMT https://community.checkpoint.com/t5/General-Topics/PCI-Scans-Failing-and-Disablement-of-DES-and-DH-Group-1/m-p/276015#M46065 D_Riddleberger 2026-04-23T19:16:22Z https://community.checkpoint.com/t5/General-Topics/PCI-Scans-Failing-and-Disablement-of-DES-and-DH-Group-1/m-p/276018#M46066 <P>Maybe worth to check also here&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 693px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/34090iC371CD4DED31ED55/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> Thu, 23 Apr 2026 20:10:44 GMT https://community.checkpoint.com/t5/General-Topics/PCI-Scans-Failing-and-Disablement-of-DES-and-DH-Group-1/m-p/276018#M46066 Lesley 2026-04-23T20:10:44Z https://community.checkpoint.com/t5/General-Topics/PCI-Scans-Failing-and-Disablement-of-DES-and-DH-Group-1/m-p/276020#M46068 <P>Are the results maybe from a GAIA embedded unit? then check out</P> <P><A href="https://support.checkpoint.com/results/sk/sk184658" target="_blank">https://support.checkpoint.com/results/sk/sk184658</A></P> Thu, 23 Apr 2026 20:23:05 GMT https://community.checkpoint.com/t5/General-Topics/PCI-Scans-Failing-and-Disablement-of-DES-and-DH-Group-1/m-p/276020#M46068 Lesley 2026-04-23T20:23:05Z https://community.checkpoint.com/t5/General-Topics/PCI-Scans-Failing-and-Disablement-of-DES-and-DH-Group-1/m-p/276025#M46070 <P>Hi Lesley,</P><P>&nbsp;</P><P>No, these are not embedded Gaia SMB Appliances.</P> Thu, 23 Apr 2026 21:02:35 GMT https://community.checkpoint.com/t5/General-Topics/PCI-Scans-Failing-and-Disablement-of-DES-and-DH-Group-1/m-p/276025#M46070 D_Riddleberger 2026-04-23T21:02:35Z https://community.checkpoint.com/t5/General-Topics/PCI-Scans-Failing-and-Disablement-of-DES-and-DH-Group-1/m-p/276031#M46074 <P>You may also wish to review&nbsp;<SPAN>sk113114 more broadly</SPAN></P> Fri, 24 Apr 2026 01:16:54 GMT https://community.checkpoint.com/t5/General-Topics/PCI-Scans-Failing-and-Disablement-of-DES-and-DH-Group-1/m-p/276031#M46074 Chris_Atkinson 2026-04-24T01:16:54Z https://community.checkpoint.com/t5/General-Topics/PCI-Scans-Failing-and-Disablement-of-DES-and-DH-Group-1/m-p/276062#M46083 <P>Hi Chris,</P><P>Yes, that sk does provide some additional insight. Thank You.</P><P>I have confirmed that DES as well DH Group-1 is not used in any VPN Communities. As I did not think that it was. The problem is that the gateways are 'responding to' some level of acknowledgement/response from the scan that features/functionality for DES and DH Group 1 are enabled. I also confirmed from the scan report that it is IPSEC that is being flagged. So, I think we are in the clear for DES and DH Group 1 when it comes to SSH and Remote Access&nbsp;features/functionality whereas those can be turned off in Global Properties&gt;Remote Access&gt;VPN Auth and Encryption &lt;edit algorithms&gt;. I'm still digging....</P> Fri, 24 Apr 2026 17:47:46 GMT https://community.checkpoint.com/t5/General-Topics/PCI-Scans-Failing-and-Disablement-of-DES-and-DH-Group-1/m-p/276062#M46083 D_Riddleberger 2026-04-24T17:47:46Z https://community.checkpoint.com/t5/General-Topics/PCI-Scans-Failing-and-Disablement-of-DES-and-DH-Group-1/m-p/276063#M46084 <P>Hey Dan,</P> <P>Seems like you have it all configured properly. Might be worth TAC case to confirm, for sure. I did check in smart console and all the settings you mentioned are 100% right.</P> Fri, 24 Apr 2026 18:54:35 GMT https://community.checkpoint.com/t5/General-Topics/PCI-Scans-Failing-and-Disablement-of-DES-and-DH-Group-1/m-p/276063#M46084 the_rock 2026-04-24T18:54:35Z