Hello Guys,
I believed it is possible to disable weak ciphers for the security gateway, but how about for the security management (smart-1)? I searched over some data but I always saw the procedure for the security gateways.
Does anyone here know how to disable weak ciphers for smart-1?
Thank you very much for the great help.
Hi @CyberBreaker,
Use the following command to see all possible ciphers:
# cpopenssl ciphers -v 'HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5'
1) Back up the current /web/templates/httpd-ssl.conf.templ file:
# cp /web/templates/httpd-ssl.conf.templ /web/templates/httpd-ssl.conf.templ_backup
2) Assign the 'write' permission to the file:
# ls -l /web/templates/httpd-ssl.conf.templ
# chmod u+w /web/templates/httpd-ssl.conf.templ
# ls -l /web/templates/httpd-ssl.conf.templ
3) Edit the current /web/templates/httpd-ssl.conf.templ file:
[Expert@HostName:0]# vi /web/templates/httpd-ssl.conf.templ
>>> In the section "SSL Cipher Suite" change the cipher:
# SSL Cipher Suite:
# Add your cipher:
SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:!ADH:!EXP:RSA:+HIGH:+MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1
4) Restart the httpd
# tellpm process:httpd2
Hi @HeikoAnkenbrand ,
Thanks for the help, I will try this.
Is this for HTTPS and SSH as well? Is there an SK document for this one?
Thanks
sk126613: Cipher configuration tool for R80.x Gateways
sk147272: Vulnerability scan shows that Gaia Portal supports SSL medium strength cipher suites
sk163542: How to list the current active TLS version supported on Gaia appliances
Hi @G_W_Albrecht ,
This SK is only for gateways, not for SMS.
sk126613: Cipher configuration tool for R80.x Gateways
Regards
Heiko
Yes, very true! It is the two other SKs that concern pure SMS.
Here is what I did:
clear
ls -l /web/templates/httpd-ssl.conf.templ
#Note: Above just confirms permissions set back to read-only.
cp /web/templates/httpd-ssl.conf.templ /web/templates/httpd-ssl.conf.templ_ORIGINAL
chmod u+w /web/templates/httpd-ssl.conf.templ
sed -i 's/SSLCipherSuite HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5/SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:!ADH:!EXP:!RSA:+HIGH:+MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1/g' /web/templates/httpd-ssl.conf.templ
sed -i 's/SSLProtocol -ALL {ifcmp = $httpd:ssl3_enabled 1}+{else}-{endif}SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2/SSLProtocol -ALL {ifcmp = $httpd:ssl3_enabled 1}+{else}-{endif}TLSv1.2 +TLSv1.3/g' /web/templates/httpd-ssl.conf.templ
chmod u-w /web/templates/httpd-ssl.conf.templ
/bin/template_xlate : /web/templates/httpd-ssl.conf.templ /web/conf/extra/httpd-ssl.conf < /config/active
tellpm process:httpd2
tellpm process:httpd2 t
ls -l /web/templates/httpd-ssl.conf.templ
#Note: Above just confirms permissions set back to read-only.
I then ran an sslscan against the IP which resulted in only TLSv1.3 being seen.
Testing SSL server aa.bb.cc.dd on port 443 using SNI name aa.bb.cc.dd
SSL/TLS Protocols:
SSLv2 disabled
SSLv3 disabled
TLSv1.0 disabled
TLSv1.1 disabled
TLSv1.2 disabled
TLSv1.3 enabled
TLS Fallback SCSV:
Server supports TLS Fallback SCSV
TLS renegotiation:
Session renegotiation not supported
TLS Compression:
Compression disabled
Heartbleed:
TLSv1.3 not vulnerable to heartbleed
Supported Server Cipher(s):
Preferred TLSv1.3 128 bits TLS_AES_128_GCM_SHA256 Curve 25519 DHE 253
Accepted TLSv1.3 256 bits TLS_AES_256_GCM_SHA384 Curve 25519 DHE 253
Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256 Curve 25519 DHE 253
Server Key Exchange Group(s):
TLSv1.3 128 bits secp256r1 (NIST P-256)
TLSv1.3 192 bits secp384r1 (NIST P-384)
TLSv1.3 260 bits secp521r1 (NIST P-521)
TLSv1.3 128 bits x25519
TLSv1.3 224 bits x448
What I'm not sure about is if this procedure would need to run again after updating the jumbo.
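Added example (not part of the thread and not Check Point tooling): a drift check that can be rerun after any upgrade to see whether the rendered httpd-ssl.conf still carries the hardened settings from the post above. The function names and the two sample files are constructed for illustration; the default cipher string and the rendered-config path are taken from the post.

```shell
#!/bin/sh
# Added example: drift check for the rendered Gaia Portal TLS config.
# Default cipher string, copied from the sed pattern in the post above.
DEFAULT_SUITE='HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5'

# legacy_protocols FILE: print the pre-TLSv1.2 protocols SSLProtocol leaves on.
# Apache reads tokens left to right: "-ALL" clears, "+X" adds, "-X" removes.
legacy_protocols() {
    grep -E '^[[:space:]]*SSLProtocol[[:space:]]' "$1" | tail -n 1 |
    awk '{
        for (i = 2; i <= NF; i++) {
            t = $i; sign = "+"
            if (t ~ /^[+-]/) { sign = substr(t, 1, 1); t = substr(t, 2) }
            if (toupper(t) == "ALL") {
                on["SSLv3"] = on["TLSv1"] = on["TLSv1.1"] = (sign == "+")
            } else on[t] = (sign == "+")
        }
        out = ""
        if (on["SSLv3"])   out = out " SSLv3"
        if (on["TLSv1"])   out = out " TLSv1"
        if (on["TLSv1.1"]) out = out " TLSv1.1"
        print substr(out, 2)
    }'
}

# check_tls_conf FILE: return 0 if still hardened, 1 if settings drifted back.
check_tls_conf() {
    rc=0
    if ! grep -qE '^[[:space:]]*SSLProtocol[[:space:]]' "$1"; then
        echo "DRIFT: no SSLProtocol directive in $1"; rc=1
    fi
    if grep -qF "SSLCipherSuite $DEFAULT_SUITE" "$1"; then
        echo "DRIFT: default SSLCipherSuite restored in $1"; rc=1
    fi
    legacy=$(legacy_protocols "$1")
    [ -z "$legacy" ] || { echo "DRIFT: legacy protocols enabled: $legacy"; rc=1; }
    return $rc
}

# write_samples DIR: constructed rendered configs (default vs. hardened).
write_samples() {
    printf '%s\n' 'SSLProtocol -ALL -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2' \
        "SSLCipherSuite $DEFAULT_SUITE" > "$1/default.conf"
    printf '%s\n' 'SSLProtocol -ALL -TLSv1.2 +TLSv1.3' \
        'SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:!ADH:!EXP:!RSA:+HIGH:+MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1' \
        > "$1/hardened.conf"
}
# On the management server: check_tls_conf /web/conf/extra/httpd-ssl.conf
```

A non-zero exit means the rendered config no longer matches the hardened state and the template edit needs to be reapplied and re-rendered.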