https://community.checkpoint.com/t5/Spark-Firewall-SMB/Cannot-disable-weak-SSH-ciphers-in-Gaia-Embedded/m-p/170645#M8204 <P>The platforms in question are End of Sale as of 2020.<BR />In this case "support" means with existing functionality, not new functionality.<BR />Refer to our&nbsp;<A href="https://www.checkpoint.com/support-services/support-life-cycle-policy/" target="_self">Appliance Support Timeline</A>&nbsp;for details.</P> <P>Dropbear (used in R77.20.xx for ssh/sshd) doesn't provide a mechanism to change the ciphers used.<BR />That means to provide this functionality, either Dropbear needs modification or it needs to be replaced with something else (like OpenSSH).<BR />Further, the appliances that run R77.20.xx cannot run R8x code due to hardware limitations.<BR />This means additional development would be required to support this in R77.20.xx.<BR />As the affected appliances are End of Sale, this is not currently planned and would require an RFE with your local Check Point office.</P> Tue, 07 Feb 2023 20:21:40 GMT PhoneBoy 2023-02-07T20:21:40Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Cannot-disable-weak-SSH-ciphers-in-Gaia-Embedded/m-p/170618#M8200 <P>Hi community,</P><P>I'd like to disable some (considered weaker) ciphers on SMB appliances, namely on SSH service, like 3DES, SHA1, etc.</P><P><SPAN>After researching through knowledge base and checkmates community, I could only find a solution that&nbsp;</SPAN><SPAN>only</SPAN><SPAN>&nbsp;</SPAN><SPAN>applies to standard Gaia OS - and not Embedded Gaia.</SPAN></P><P>So I decided to open a case in TAC, who analyzed it and answered that I should submit an RFE for this. I'm kind of surprised that a security concern/issue is getting from Check Point the same kind of attention as any other feature....</P><P>However does anyone was able to perform successfully any "unofficial" tweak to accomplish this?</P><P>I'll perform a RFE anyway...</P><P>Best regards,</P><P><SPAN>Pedro</SPAN></P> Tue, 07 Feb 2023 16:44:21 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Cannot-disable-weak-SSH-ciphers-in-Gaia-Embedded/m-p/170618#M8200 Pedro_Boavida 2023-02-07T16:44:21Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Cannot-disable-weak-SSH-ciphers-in-Gaia-Embedded/m-p/170620#M8201 <P>The Gaia OS solution for this (cipher_util) is available on R81.10.05 in Expert Mode.<BR />Refer to the docs here:&nbsp;<A href="https://sc1.checkpoint.com/documents/SMB_R81.10.X/CLI/EN/Content/Topics/cipher_util.htm" target="_blank">https://sc1.checkpoint.com/documents/SMB_R81.10.X/CLI/EN/Content/Topics/cipher_util.htm</A></P> <P>For SSH, R81.10.05 appears to be using OpenSSH and reads its configuration file from /pfrm2.0/etc/sshd_config<BR />Presumably,&nbsp; this is where you would make changes to the allowable SSH ciphers.<BR />In past releases (certainly in R77.20.xx), Dropbear is used, which doesn't provide a mechanism for changing the ciphers.</P> Tue, 07 Feb 2023 16:53:56 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Cannot-disable-weak-SSH-ciphers-in-Gaia-Embedded/m-p/170620#M8201 PhoneBoy 2023-02-07T16:53:56Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Cannot-disable-weak-SSH-ciphers-in-Gaia-Embedded/m-p/170626#M8202 <P>Thanks Dameon,</P><P>Actually I'm talking about past releases, however version R77.20.xx is still supported until 2025.</P><P>This should not be a constraint.</P><P>Regards</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 07 Feb 2023 17:34:22 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Cannot-disable-weak-SSH-ciphers-in-Gaia-Embedded/m-p/170626#M8202 Pedro_Boavida 2023-02-07T17:34:22Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Cannot-disable-weak-SSH-ciphers-in-Gaia-Embedded/m-p/170645#M8204 <P>The platforms in question are End of Sale as of 2020.<BR />In this case "support" means with existing functionality, not new functionality.<BR />Refer to our&nbsp;<A href="https://www.checkpoint.com/support-services/support-life-cycle-policy/" target="_self">Appliance Support Timeline</A>&nbsp;for details.</P> <P>Dropbear (used in R77.20.xx for ssh/sshd) doesn't provide a mechanism to change the ciphers used.<BR />That means to provide this functionality, either Dropbear needs modification or it needs to be replaced with something else (like OpenSSH).<BR />Further, the appliances that run R77.20.xx cannot run R8x code due to hardware limitations.<BR />This means additional development would be required to support this in R77.20.xx.<BR />As the affected appliances are End of Sale, this is not currently planned and would require an RFE with your local Check Point office.</P> Tue, 07 Feb 2023 20:21:40 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Cannot-disable-weak-SSH-ciphers-in-Gaia-Embedded/m-p/170645#M8204 PhoneBoy 2023-02-07T20:21:40Z