Douglas_Rich
Collaborator

Identical R82.10 GWs with different options for set ssh server mac and set ssh server kex

For R82.10, if you do a fresh install these settings are an option in clish. On another lab server that I upgraded from R82 to R82.10, these are not options in clish:

set ssh server mac hmac-md5 off
set ssh server mac hmac-md5-96 off
set ssh server mac hmac-sha1-96 off
set ssh server kex sntrup761x25519-sha512@openssh.com on


==============================

atl-msslab-R82-fw1> show ssh server mac supported
--------------------------------
supported mac:
--------------------------------
hmac-md5-96-etm@openssh.com
hmac-md5-etm@openssh.com
hmac-sha1
hmac-sha1-96-etm@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha2-256
hmac-sha2-256-etm@openssh.com
hmac-sha2-512
hmac-sha2-512-etm@openssh.com
umac-64-etm@openssh.com
umac-64@openssh.com
umac-128-etm@openssh.com
umac-128@openssh.com
--------------------------------
atl-msslab-R82-fw1> show ssh server kex supported
--------------------------------
supported kex:
--------------------------------
curve25519-sha256
curve25519-sha256@libssh.org
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
--------------------------------
atl-msslab-R82-fw1> show asset system
Platform: VMware Virtual Platform
CPU Model: Intel(R) Xeon(R) CPU E5-2670 v3
CPU Frequency: 2299.997 Mhz
Number of Cores: 12
CPU Hyperthreading: Disabled

atl-msslab-R82-fw1> fw ver
This is Check Point's software version R82.10 - Build 767
atl-msslab-R82-fw1> exit
[Expert@atl-msslab-R82-fw1:0]# uname -a
Linux atl-msslab-R82-fw1 5.14.0-427.13.1cpx86_64 #1 SMP Fri Dec 12 10:23:31 IST 2025 x86_64 x86_64 x86_64 GNU/Linux

==============================

atl-msslab-CP-FW1> show ssh server mac supported
--------------------------------
supported mac:
--------------------------------
hmac-md5
hmac-md5-96
hmac-md5-96-etm@openssh.com
hmac-md5-etm@openssh.com
hmac-sha1
hmac-sha1-96
hmac-sha1-96-etm@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha2-256
hmac-sha2-256-etm@openssh.com
hmac-sha2-512
hmac-sha2-512-etm@openssh.com
umac-64-etm@openssh.com
umac-64@openssh.com
umac-128-etm@openssh.com
umac-128@openssh.com
--------------------------------
atl-msslab-CP-FW1> show ssh server kex supported
--------------------------------
supported kex:
--------------------------------
curve25519-sha256
curve25519-sha256@libssh.org
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
sntrup761x25519-sha512@openssh.com
--------------------------------
atl-msslab-CP-FW1> show asset system
Platform: VMware Virtual Platform
CPU Model: Intel(R) Xeon(R) CPU E5-2670 v3
CPU Frequency: 2299.997 Mhz
Number of Cores: 8
CPU Hyperthreading: Disabled

atl-msslab-CP-FW1> fw ver
This is Check Point's software version R82.10 - Build 767
atl-msslab-CP-FW1> exit
[Expert@atl-msslab-CP-FW1:0]# uname -a
Linux atl-msslab-CP-FW1 5.14.0-427.13.1cpx86_64 #1 SMP Fri Dec 12 10:23:31 IST 2025 x86_64 x86_64 x86_64 GNU/Linux

Bob_Zimmerman
MVP Gold

I've also hit this problem now. I have a cluster with two members.

02 was built a while ago at R81.10, upgraded to R81.20, then R82, now R82.10.

01 originally followed the same path. I tried to roll it back to a snapshot I took manually on R82 so others on the team could run the upgrade, but the snapshot is broken. A very large file (snap_log_backup.tgz) was added to /tmp while the snapshot was being taken, and it prevented other, more important files from being copied. I've confirmed this happened on both members, and I've got a ticket about it.

I just restored 01 to factory defaults on R81.10, used config_system to run the first-time config, updated CPUSE, upgraded to R82.10 (via 'installer upgrade'), installed the sk184766 hotfix, established SIC, and pushed policy. Once it was talking to the management, I tried to get it to the same config as 02 (except IPs, hostname, and other expected differences). I can't, because 01 has these options and 02 doesn't.

SomeFirewall-01> set ssh server kex [Tab]

curve25519-sha256
curve25519-sha256@libssh.org
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
sntrup761x25519-sha512@openssh.com

SomeFirewall-01> set ssh server mac [Tab]

hmac-md5
hmac-md5-96
hmac-md5-96-etm@openssh.com
hmac-md5-etm@openssh.com
hmac-sha1
hmac-sha1-96
hmac-sha1-96-etm@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha2-256
hmac-sha2-256-etm@openssh.com
hmac-sha2-512
hmac-sha2-512-etm@openssh.com
umac-64-etm@openssh.com
umac-64@openssh.com
umac-128-etm@openssh.com
umac-128@openssh.com

SomeFirewall-01> set ssh server public-key [Tab]

ecdsa-sha2-nistp256
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521
ecdsa-sha2-nistp521-cert-v01@openssh.com
rsa-sha2-256
rsa-sha2-256-cert-v01@openssh.com
rsa-sha2-512
rsa-sha2-512-cert-v01@openssh.com
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com
sk-ecdsa-sha2-nistp256@openssh.com
sk-ssh-ed25519-cert-v01@openssh.com
sk-ssh-ed25519@openssh.com
ssh-dss
ssh-dss-cert-v01@openssh.com
ssh-ed25519
ssh-ed25519-cert-v01@openssh.com
ssh-rsa
ssh-rsa-cert-v01@openssh.com

And on member 02:

SomeFirewall-02> set ssh server kex [Tab]

curve25519-sha256
curve25519-sha256@libssh.org
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521

SomeFirewall-02> set ssh server mac [Tab]

hmac-md5-96-etm@openssh.com
hmac-md5-etm@openssh.com
hmac-sha1
hmac-sha1-96-etm@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha2-256
hmac-sha2-256-etm@openssh.com
hmac-sha2-512
hmac-sha2-512-etm@openssh.com
umac-64-etm@openssh.com
umac-64@openssh.com
umac-128-etm@openssh.com
umac-128@openssh.com

SomeFirewall-02> set ssh server public-key [Tab]

ecdsa-sha2-nistp256
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521
ecdsa-sha2-nistp521-cert-v01@openssh.com
rsa-sha2-256
rsa-sha2-256-cert-v01@openssh.com
rsa-sha2-512
rsa-sha2-512-cert-v01@openssh.com
ssh-dss
ssh-dss-cert-v01@openssh.com
ssh-ed25519
ssh-ed25519-cert-v01@openssh.com
ssh-rsa
ssh-rsa-cert-v01@openssh.com


Bob_Zimmerman
MVP Gold

As a workaround, I was given a few commands to make clish aware of the settings:

dbset ssh:kex:supported:sntrup761x25519-sha512@openssh.com t
dbset ssh:mac:supported:hmac-md5 t
dbset ssh:mac:supported:hmac-md5-96 t
dbset ssh:mac:supported:hmac-sha1-96 t
dbset ssh:public-key:supported:sk-ecdsa-sha2-nistp256-cert-v01@openssh.com t
dbset ssh:public-key:supported:sk-ecdsa-sha2-nistp256@openssh.com t
dbset ssh:public-key:supported:sk-ssh-ed25519-cert-v01@openssh.com t
dbset ssh:public-key:supported:sk-ssh-ed25519@openssh.com t

Note that I have no idea how supported or not this is. Get support's advice before trying it on a firewall you intend to use for anything but lab purposes.

Got to say between the snapshot problems and this, my impressions of R82.10 are rather negative so far. Also irritated by all my SSH server keys getting regenerated yet again, and with the use of systemd.
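The drift shown in the original post (fresh-install vs upgraded gateways listing different MAC and KEX algorithms) and the dbset workaround quoted above both come down to comparing two clish algorithm lists. The script below is an added example written for this thread; it is not Check Point's code and not something either poster ran. It parses the text clish prints for `show ssh server mac supported` and `show ssh server kex supported`, reports what one gateway lists that the other does not, flags the legacy algorithms (MD5 and SHA-1 based MACs, truncated 96-bit MACs, group1 and SHA-1 key exchanges; that legacy set is my own assumption, not anything the thread defines), and prints the `dbset ssh:<category>:supported:<alg> t` lines in the format of the workaround for whatever the second gateway is missing. The two sample outputs are constructed, shortened copies of the ones posted above; run it against saved clish output from your own members before deciding which entries to disable or which dbset lines to discuss with support.

```python
"""Audit drift in Gaia SSH server algorithm lists between two gateways.

Added example, not Check Point's code. Parses clish 'show ssh server
<mac|kex> supported' output from two gateways, diffs the lists, flags
legacy algorithms, and renders dbset lines in the thread's workaround format.
"""
import re

# Legacy algorithms a reviewer would want disabled. This set is an assumption
# for the example (MD5/SHA-1 MACs, 96-bit truncated MACs, group1/SHA-1 KEX).
LEGACY = {
    "mac": {
        "hmac-md5", "hmac-md5-96", "hmac-md5-etm@openssh.com",
        "hmac-md5-96-etm@openssh.com", "hmac-sha1", "hmac-sha1-96",
        "hmac-sha1-etm@openssh.com", "hmac-sha1-96-etm@openssh.com",
    },
    "kex": {
        "diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
        "diffie-hellman-group-exchange-sha1",
    },
}

PROMPT = re.compile(r"^\S+>\s")          # e.g. 'fw1> show ssh server mac supported'
HEADER = re.compile(r"^supported (\w+):$")  # e.g. 'supported mac:'

# Constructed, shortened copies of the outputs posted in the thread.
FRESH_INSTALL = """atl-msslab-CP-FW1> show ssh server mac supported
--------------------------------
supported mac:
--------------------------------
hmac-md5
hmac-md5-96
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
--------------------------------
atl-msslab-CP-FW1> show ssh server kex supported
--------------------------------
supported kex:
--------------------------------
curve25519-sha256
diffie-hellman-group1-sha1
sntrup761x25519-sha512@openssh.com
--------------------------------
"""

UPGRADED = """atl-msslab-R82-fw1> show ssh server mac supported
--------------------------------
supported mac:
--------------------------------
hmac-sha1
hmac-sha2-256
hmac-sha2-512
--------------------------------
atl-msslab-R82-fw1> show ssh server kex supported
--------------------------------
supported kex:
--------------------------------
curve25519-sha256
diffie-hellman-group1-sha1
--------------------------------
"""


def parse_supported(text):
    """Return {category: set(algorithms)} from clish 'show ssh server ... supported' output."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-"):
            continue                      # blank line or '----' separator
        if PROMPT.match(line):
            current = None                # a new command starts; wait for its header
            continue
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, set())
            continue
        if current:
            result[current].add(line)     # one algorithm name per line
    return result


def diff_supported(a, b):
    """Return {category: (sorted only_in_a, sorted only_in_b)}."""
    out = {}
    for cat in sorted(set(a) | set(b)):
        sa, sb = a.get(cat, set()), b.get(cat, set())
        out[cat] = (sorted(sa - sb), sorted(sb - sa))
    return out


def legacy_present(supported):
    """Return {category: sorted legacy algorithms the gateway still lists}."""
    return {cat: sorted(algs & LEGACY.get(cat, set())) for cat, algs in supported.items()}


def dbset_lines(category, algorithms):
    """dbset commands in the form quoted in the thread's workaround (rendered, not run)."""
    return [f"dbset ssh:{category}:supported:{alg} t" for alg in algorithms]


if __name__ == "__main__":
    fresh, upgraded = parse_supported(FRESH_INSTALL), parse_supported(UPGRADED)
    for cat, (only_fresh, only_upgraded) in diff_supported(fresh, upgraded).items():
        print(f"[{cat}] fresh-only: {only_fresh}  upgraded-only: {only_upgraded}")
        for line in dbset_lines(cat, only_fresh):
            print("  missing on upgraded ->", line)
    print("legacy algorithms still listed on upgraded:", legacy_present(upgraded))
```

Two design points: the parser keys on the `supported <category>:` header rather than on the prompt text, so it works the same on output captured from `show ssh server ... supported` or pasted from a tab-completion list once the header is added; and the dbset lines are only rendered, because the workaround's supportability is exactly what the reply above says is unclear.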
