Soeren_Rothe
Collaborator

cipher_util - R80.30 / R80.40 - sk126613

Hello,

For the Azure VMSS rollout we need to change the ciphers automatically when a new FW instance is deployed.

I would like to disable these ciphers:

Disabled:
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
I tried this; it works on a VPN cluster and another VM, but not on the VMSS. I believe this is a timing issue.

(printf '1\n3\n' ; sleep 2 ; printf '21,22,23\n' ; sleep 1 ; printf 'q\ny\n' ) | cipher_util
I am looking for a proper way to modify these ciphers. What does cipher_util do? Can I somehow do it like on R80.20? Is cipher_util able to use a configuration file? If not, is this planned?

0 Kudos
4 Replies
Soeren_Rothe
Collaborator

sk126613 was updated:

You may need to do a policy push after you modify the cipher suites using cipher_util so that the Security Gateway is updated with the changes.
After the policy push the changes are now active and the cipher_util tool shows the disabled ciphers.

PhoneBoy
Admin

cipher_util modifies a couple of configuration files:
$CPDIR/conf/multi_portal_cipher_priority.conf
$CPDIR/conf/ssl_inspection_cipher_priority.conf

It might be easier to simply copy pre-configured versions of these files to the gateways.
This is noted in sk126613.
0 Kudos
Soeren_Rothe
Collaborator

Thanks for the hint; I think you refer to this note?

In order to apply a configuration to multiple Security Gateways, the 'multi_portal_cipher_priority.conf' / 'ssl_inspection_cipher_priority.conf' files need to be copied to $CPDIR/conf followed by cprestart command. Otherwise, DO NOT edit them as in previous versions. The tool manages the files interactively.

The thing is, performing a cprestart in the middle of the FW instance creation (VMSS) sounds a little bit risky. So I prefer cipher_util driven by the echo command to disable unwanted ciphers.

It would be great to just copy the files over to the gateway, like you mentioned, and run a command to activate / deactivate the ciphers, just like cipher_util does. Something like "cipher_util --reload config" 😉
0 Kudos
PhoneBoy
Admin

I assume it would be enough to install policy afterwards, but that would obviously require testing.
0 Kudos
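Whichever mechanism applies the change (cipher_util, copied config files plus cprestart, or a policy install), the thing worth confirming afterwards is that the three suites are really refused by the gateway's TLS listener. The following POSIX shell probe is an added example, not code from this thread or from Check Point; it assumes the portal you want to test listens on the host:port you pass, and that the local openssl build still offers RC4 and 3DES (many current builds do not, which the script reports as UNTESTABLE rather than as a rejection by the server).

```shell
#!/bin/sh
# Added example: externally verify that the weak suites named in the thread
# are refused by a gateway's TLS listener once the cipher change is applied.

# Map IANA suite names (the form cipher_util lists them in) to OpenSSL names.
iana_to_openssl() {
  case "$1" in
    TLS_RSA_WITH_3DES_EDE_CBC_SHA) echo DES-CBC3-SHA ;;
    TLS_RSA_WITH_RC4_128_MD5)      echo RC4-MD5 ;;
    TLS_RSA_WITH_RC4_128_SHA)      echo RC4-SHA ;;
    *) return 1 ;;
  esac
}

# Succeeds only if the local OpenSSL build can still offer the cipher; RC4 and
# 3DES are compiled out of many builds, which would otherwise look like the
# server refusing them.
client_offers() { openssl ciphers "$1" >/dev/null 2>&1; }

# Succeeds if an unrestricted handshake to host:port works at all, so a closed
# port or wrong address is not mistaken for a refused cipher.
server_reachable() {
  echo | openssl s_client -connect "$1:$2" 2>/dev/null | grep -q 'Cipher is [^(]'
}

# probe_cipher HOST PORT IANA_NAME
# Prints REJECTED (returns 0), ACCEPTED (returns 1), or UNKNOWN / UNTESTABLE /
# UNREACHABLE (returns 2) so a rollout script can tell "secure" from "no data".
probe_cipher() {
  host=$1; port=$2; iana=$3
  ossl=$(iana_to_openssl "$iana") || { echo "UNKNOWN $iana"; return 2; }
  client_offers "$ossl" || { echo "UNTESTABLE $iana (local openssl lacks $ossl)"; return 2; }
  server_reachable "$host" "$port" || { echo "UNREACHABLE $host:$port"; return 2; }
  # Force TLS 1.2: -cipher does not govern TLS 1.3 suites, so a TLS 1.3
  # handshake would succeed with an unrelated suite and mask the answer.
  if echo | openssl s_client -connect "$host:$port" -tls1_2 -cipher "$ossl" 2>/dev/null \
       | grep -q "Cipher is $ossl"; then
    echo "ACCEPTED $iana"; return 1
  fi
  echo "REJECTED $iana"; return 0
}

# Usage: sh probe.sh <gateway-host> <port>   (e.g. the portal on 443)
if [ $# -eq 2 ]; then
  for suite in TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_RC4_128_MD5 TLS_RSA_WITH_RC4_128_SHA; do
    probe_cipher "$1" "$2" "$suite"
  done
fi
```

Any result other than three REJECTED lines means the rollout step should be treated as failed or inconclusive, not as done.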