https://community.checkpoint.com/t5/SASE-and-Remote-Access/Disable-weak-ciphers-on-remote-access-clients/m-p/203175#M4181 <P>These are the settings for the IKE algorithms. So they should not impact how the IPsec traffic is tunneled over HTTPS in Visitor Mode. It seems like the Visitor Mode is part of the&nbsp;MultiPortal daemon (<A title="Visitor Mode port grayed out when Mobile Access Blade is enabled" href="https://support.checkpoint.com/results/sk/sk107852" target="_self">sk107852</A>) and is therefore affected by the settings of the <EM>cipher_util</EM>.</P> Tue, 16 Jan 2024 07:38:36 GMT Martin_Schwarz 2024-01-16T07:38:36Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Disable-weak-ciphers-on-remote-access-clients/m-p/203117#M4179 <P>We hardened a customers' security gatway via <EM>cipher_util</EM> (<A href="https://support.checkpoint.com/results/sk/sk126613" target="_self">sk126613</A>) and disabled all weak ciphers to reach PCI DSS compliance. Then remote access clients (<EM>MacOS using visitor mode</EM>) failed to connect, so&nbsp;we opened a SR.<BR /><BR />Check Point support advised to enable these three ciphers according to&nbsp;<A href="https://support.checkpoint.com/results/sk/sk108426" target="_self">sk108426</A>.</P> <UL> <LI><SPAN>TLS_RSA_WITH_RC4_128_MD5</SPAN></LI> <LI><SPAN>TLS_RSA_WITH_AES_128_CBC_SHA</SPAN></LI> <LI><SPAN>TLS_RSA_WITH_AES_256_CBC_SHA</SPAN></LI> </UL> <P>and noted:</P> <BLOCKQUOTE><HR />It is best to keep the 3 ciphers on to avoid any issues regarding remote access/mobile access connectivity<BR />Currently there is no ETA to whether the client will be on the same cipher suite as the GW itself.</BLOCKQUOTE> <P>Of course that doesn't satisfy our customer as it conflicts with PCI DSS requirements for strong ciphers, such as SHA-2.<BR /><STRONG>Is there any other solution or workaround available?</STRONG></P> Mon, 15 Jan 2024 21:28:22 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Disable-weak-ciphers-on-remote-access-clients/m-p/203117#M4179 Danny 2024-01-15T21:28:22Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Disable-weak-ciphers-on-remote-access-clients/m-p/203148#M4180 <P>Hey Danny,</P> <P>Guy in TAC told me while back that some of these settings in global properties may have something to do with it, but I never ended up testing it, so hard to say.</P> <P>Andy</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot_1.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/24070i11F3A2CF0B09E9DF/image-size/medium?v=v2&amp;px=400" role="button" title="Screenshot_1.png" alt="Screenshot_1.png" /></span></P> <P> </P> Mon, 15 Jan 2024 19:49:42 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Disable-weak-ciphers-on-remote-access-clients/m-p/203148#M4180 the_rock 2024-01-15T19:49:42Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Disable-weak-ciphers-on-remote-access-clients/m-p/203175#M4181 <P>These are the settings for the IKE algorithms. So they should not impact how the IPsec traffic is tunneled over HTTPS in Visitor Mode. It seems like the Visitor Mode is part of the&nbsp;MultiPortal daemon (<A title="Visitor Mode port grayed out when Mobile Access Blade is enabled" href="https://support.checkpoint.com/results/sk/sk107852" target="_self">sk107852</A>) and is therefore affected by the settings of the <EM>cipher_util</EM>.</P> Tue, 16 Jan 2024 07:38:36 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Disable-weak-ciphers-on-remote-access-clients/m-p/203175#M4181 Martin_Schwarz 2024-01-16T07:38:36Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Disable-weak-ciphers-on-remote-access-clients/m-p/203212#M4182 <P>Thats true, thats why I found it a bit odd when TAC told me that was related to remote access, but maybe as it was under remote access section, not sure.</P> <P>Andy</P> Tue, 16 Jan 2024 12:49:17 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Disable-weak-ciphers-on-remote-access-clients/m-p/203212#M4182 the_rock 2024-01-16T12:49:17Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Disable-weak-ciphers-on-remote-access-clients/m-p/203238#M4183 <P>You may find this SK helpful which details how to completely banish 3DES from being used in any part of the Check Point product including Remote Access VPN, Gaia Portal, management API, etc.&nbsp; This is mentioned in my <A href="http://www.maxpowerfirewalls.com/gw-optimization-course.html" target="_blank" rel="noopener">Gateway Performance Optimization</A> class as improving performance, but certainly improves security as well:</P> <P><A href="https://support.checkpoint.com/results/sk/sk113114" target="_blank" rel="noopener"><SPAN>sk113114: Check Point response to CVE-2016-2183 (Sweet32)</SPAN></A></P> <P>Might be able to deconstruct the provided commands and banish SHA1 and other weak ciphers too.&nbsp;&nbsp;</P> Tue, 16 Jan 2024 15:01:05 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Disable-weak-ciphers-on-remote-access-clients/m-p/203238#M4183 Timothy_Hall 2024-01-16T15:01:05Z