
Checkpoint r77.30 cipher suites

Hello,

Could anybody advise which cipher suites are available on a Check Point device running R77.30, please?

We cannot find it in the GUI or anywhere online! Is there a command we can use to list the available ciphers?

Many thanks

5 Replies
Admin

Re: Checkpoint r77.30 cipher suites

Cipher Suites in what context?


Re: Checkpoint r77.30 cipher suites

Is there a way to lock down the supported ciphers for SNX / Mobile Blade?

So for example, I only want to support ciphers with PFS, leaving me with DHE and ECDHE. A standard sslscan shows that AES128-SHA and AES256-SHA are supported, which I want to get rid of to meet our cipher standards.

Admin
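The poster above wants only forward-secret suites (DHE/ECDHE) and uses sslscan to see what the gateway accepts. As an added example, not code from the original thread or from Check Point, here is a small POSIX shell helper that filters sslscan-style output and reports every accepted suite whose key exchange is not ephemeral, i.e. the ones that would fail a PFS-only policy. The scan lines are constructed to mimic sslscan's text format (status, protocol, bit length, suite name, optional curve/DH info); they are not a real scan of any gateway.

```shell
#!/bin/sh
# Added example, not from the original post: flag accepted cipher suites
# that lack forward secrecy in sslscan-style output.

# Read sslscan text output on stdin and print the accepted (or preferred)
# suites whose OpenSSL name does not start with ECDHE- or DHE-, i.e. suites
# using static RSA (or anonymous) key exchange with no forward secrecy.
# The suite name is the fifth whitespace-separated field, so trailing
# "Curve P-256 DHE 256" annotations do not disturb the match.
pfs_violations() {
    awk '($1 == "Accepted" || $1 == "Preferred") {
            suite = $5
            if (suite !~ /^(ECDHE|DHE)-/) print suite
         }'
}

# Exit 0 only when the scan on stdin contains no non-PFS suite.
pfs_policy_ok() {
    [ -z "$(pfs_violations)" ]
}

# Constructed sample modelled on sslscan output for an R77.30-era gateway;
# not captured from a live system.
SAMPLE_SCAN='Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA256       Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA            DHE 2048 bits
Accepted  TLSv1.2  128 bits  AES128-SHA
Accepted  TLSv1.2  256 bits  AES256-SHA
Accepted  TLSv1.0  112 bits  DES-CBC3-SHA'

# Stand-alone demo: list the offending suites, then give a policy verdict.
# Against a real gateway you would pipe in:  sslscan --no-colour host:443
printf '%s\n' "$SAMPLE_SCAN" | pfs_violations
if printf '%s\n' "$SAMPLE_SCAN" | pfs_policy_ok; then
    echo "PFS-only policy: OK"
else
    echo "PFS-only policy: VIOLATED"
fi
```

Note that the filter only looks at key exchange; DES-CBC3-SHA is reported here because it is static RSA, not because of Sweet32, which is a separate check. Use `--no-colour` with sslscan so the ANSI escape codes do not break the field split.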

Re: Checkpoint r77.30 cipher suites

Based on the Global Properties, it does not appear this is possible currently.

It looks like you can disable 3DES per the following SK: Check Point response to CVE-2016-2183 (Sweet32) 

I don't see an easy way to disable AES and/or enable ECDHE/DHE support.

I can ask around, but you should probably open a TAC case.


Re: Checkpoint r77.30 cipher suites

We have a TAC case open as we need to change ciphers to comply with the company requirements. But so far this is not going very well.

Danny Pearl

Re: Checkpoint r77.30 cipher suites

Example for HTTPS Inspection:

First you'll want to know if your R77.30 is at the latest Jumbo Hotfix Take.

Just check it on your firewall gateway in expert mode via: installed_jumbo_take

Then you'll want to know which cipher suites are actually configured. To check this, just enter:

cat /opt/CPshrd-R77/registry/HKLM_registry.data | grep -i cptls
    :CPTLS_ACCEPT_ECDHE (1)
    :CPTLS_PROPOSE_ECDHE (1)

You notice that ECDH P-384 elliptic curve ciphers are not available to your gateway yet, so you follow the instructions from sk110883 and sk112954.

Final result:

cat /opt/CPshrd-R77/registry/HKLM_registry.data | grep -i cptls
    :CPTLS_ACCEPT_ECDHE (1)
    :CPTLS_PROPOSE_ECDHE (1)
    :CPTLS_RI_AS_CLIENT_EXT (1)
    :CPTLS_EC_P384 (1)

All required cipher suites are now available to your gateway, and you can enjoy surfing HTTPS websites without any issues related to P-384.
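The walkthrough above boils down to: dump the CPTLS keys from HKLM_registry.data and confirm the four flags are present and set to 1. As an added example, not code from the original post or from Check Point, here is a POSIX shell check that does that comparison mechanically and reports each flag as ok, disabled or missing. The registry path and the four flag names are taken from the post; the two registry excerpts are constructed from the before/after output shown there, not captured from a live gateway, and the REGISTRY_FILE override is an assumption for running it elsewhere.

```shell
#!/bin/sh
# Added example, not from the original post: verify the CPTLS flags from
# the HTTPS Inspection walkthrough in a HKLM_registry.data dump.

# Path from the post; override with REGISTRY_FILE=... when testing on a copy.
REGISTRY_FILE="${REGISTRY_FILE:-/opt/CPshrd-R77/registry/HKLM_registry.data}"

# The four flags the post's "final result" shows (all expected to be 1).
REQUIRED_CPTLS='CPTLS_ACCEPT_ECDHE CPTLS_PROPOSE_ECDHE CPTLS_RI_AS_CLIENT_EXT CPTLS_EC_P384'

# Read registry text on stdin (the real file or a captured excerpt) and print
# one line per required flag: "<flag> ok" when set to 1, "<flag> disabled"
# when present with another value, "<flag> missing" when absent.
check_cptls_flags() {
    registry=$(cat)
    for flag in $REQUIRED_CPTLS; do
        # Registry lines look like "    :CPTLS_EC_P384 (1)"; extract the value.
        value=$(printf '%s\n' "$registry" \
            | sed -n "s/^[[:space:]]*:${flag}[[:space:]]*(\([^)]*\)).*/\1/p" \
            | head -n 1)
        if [ -z "$value" ]; then
            echo "$flag missing"
        elif [ "$value" = "1" ]; then
            echo "$flag ok"
        else
            echo "$flag disabled"
        fi
    done
}

# Exit 0 only when every required flag is present and enabled.
cptls_all_ok() {
    ! check_cptls_flags | grep -qv ' ok$'
}

# Constructed excerpts mirroring the post's before/after grep output.
BEFORE_FIX='    :CPTLS_ACCEPT_ECDHE (1)
    :CPTLS_PROPOSE_ECDHE (1)'
AFTER_FIX='    :CPTLS_ACCEPT_ECDHE (1)
    :CPTLS_PROPOSE_ECDHE (1)
    :CPTLS_RI_AS_CLIENT_EXT (1)
    :CPTLS_EC_P384 (1)'

# Stand-alone demo on the two excerpts, then on the live file if readable.
echo "== before applying sk110883 / sk112954 =="
printf '%s\n' "$BEFORE_FIX" | check_cptls_flags
echo "== after =="
printf '%s\n' "$AFTER_FIX" | check_cptls_flags
if [ -r "$REGISTRY_FILE" ]; then
    echo "== $REGISTRY_FILE =="
    if check_cptls_flags < "$REGISTRY_FILE"; then :; fi
    if cptls_all_ok < "$REGISTRY_FILE"; then
        echo "P-384 prerequisites present"
    else
        echo "P-384 prerequisites incomplete; see sk110883 and sk112954"
    fi
fi
```

On a gateway, run it in expert mode as in the post; a "missing" or "disabled" line tells you which SK step is still outstanding. Reading the registry file directly is a read-only check, so it is safe to run before and after applying the hotfix to confirm the change took effect.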