This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
P_Williams
Contributor
‎2025-04-02 07:11 AM
Jump to solution

Resolving TLS1.0 and TLS1.1 Security Threats for Remote Access

I have been sent a report listing various public facing services on our firewalls and whether they are allowing TLS1.0 and TLS1.1.

For the URL that clients use to connect to use the Remote Access vpn it has come back as allowing 1.0 and 1.1

Risk VectorFinding IdentifierLast SeenGradeAttributed ToFinding Severity
SSL Configurationsremoteaccess.mycompany.com:44327/03/2025BADMy Company Inc.severe
Asset ImportanceAssetsDetails
criticalremoteaccess.mycompany.comAllows insecure protocol: TLSv1.0; Allows insecure protocol: TLSv1.1

 

Presumably the client, when it connects initially, wouldn't be using 1.0 or 1.1. But beyond that I don't know what I can do to get rid of the vulnerability. I am not sure if the vulnerability even is to do with the RemoteAccess service, it is just that it uses the same public IP as the firewalls.

What could I do on the firewall to remove this vulnerability?

The firewalls are VSX running r81

0 Kudos
1 Solution

Accepted Solutions
G_W_Albrecht
MVP Silver
MVP Silver
‎2025-04-03 01:21 AM
In response to the_rock
Jump to solution

Yes, found here: sk154532: Vulnerability scan detects that the Security Gateway supports TLS 1.0 or TLS 1.1 when one ...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

8 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2025-04-02 07:47 AM
Jump to solution

See sk178505: Which TLS version do Check Point products use?

and then

sk154532: Vulnerability scan detects that the Security Gateway supports TLS 1.0 or TLS 1.1 when one ...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
P_Williams
Contributor
‎2025-04-02 08:21 AM
In response to G_W_Albrecht
Jump to solution

That looks promising, many thanks. Looks like it will need a proper review and CAB before implementing but will feedback how I get on.

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2025-04-03 01:20 AM
In response to P_Williams
Jump to solution

It is just an advanced Portal configuration option in SmartDashboard menue, see the screenshot @the_rock has posted.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
P_Williams
Contributor
‎2025-04-22 06:10 AM
In response to G_W_Albrecht
Jump to solution

Hi,

Just confirming that this worked, we changed the setting to 1.2 and the vulnerability scan has now succeeded. Thank you

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-04-02 09:29 AM
Jump to solution

Hey @P_Williams 

I believe you can also correct this with settings I attached from global properties.

Andy

 

Best,
Andy
"Have a great day and if its not, change it"
Preview file
131 KB
0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2025-04-03 01:21 AM
In response to the_rock
Jump to solution

Yes, found here: sk154532: Vulnerability scan detects that the Security Gateway supports TLS 1.0 or TLS 1.1 when one ...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
the_rock
MVP Diamond
MVP Diamond
‎2025-04-03 03:42 AM
In response to G_W_Albrecht
Jump to solution

Sorry, my bad, it asked me to log in to view that sk when I tried yesterday, but I see it now.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2025-04-03 06:15 AM
In response to the_rock
Jump to solution

You did post the shortcut 🙃

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events