I'm asking this question to a vendor as well. However, I will ask here too. I'm trying to disable TLS1.0 globally on a firewall cluster. This is in an effort to completely eliminate all HTTPS weak ciphers. I've been scanning our environment with various tools and found that TLS 1.0 is still a valid cipher when I scan my cluster IP addresses.
So far, I haven't been able to find any documentation on how to do this with Check Point. On an ASA it's 2 or 3 commands to stop supporting the cipher. The only thing I've seen in forums is that on Check Point it's not possible. Is this true?
I'm running R80.30 so I would think you would be able to do this but maybe not.
Thanks,
Jon
For HTTPS Inspection:
First create a snapshot of your system!!!
Instructions for versions R80.10 and above
If 'HTTPS Inspection' blade is enabled on a Security Gateway, then configure it not to use TLS 1.0.
Important Note: Some servers on the Internet still use TLS 1.0. Once this step is performed, there will be no connectivity to these servers through the Security Gateway.
For Gaia Portal:
First create a snapshot of your system!!!
On each machine that runs Gaia OS, configure Gaia Portal not to use TLS 1.0.
Important Note: Before implementing the steps below, save the current Gaia database - log in to Clish and run save config command.
Backup the current configuration template:
[Expert@HostName:0]# cp /web/templates/httpd-ssl.conf.templ /web/templates/httpd-ssl.conf.templ_BKP
Assign the "write" permission to the current configuration template:
[Expert@HostName:0]# chmod +w /web/templates/httpd-ssl.conf.templ
Edit the current configuration template in Vi editor:
[Expert@HostName:0]# vi /web/templates/httpd-ssl.conf.templ
Change the line from
SSLProtocol -ALL +SSLv3 +TLSv1
to
SSLProtocol -ALL +TLSv1.1
Remove the "write" permission from the current configuration template:
[Expert@HostName:0]# chmod -w /web/templates/httpd-ssl.conf.templ
Update the current configuration of the HTTPD daemon based on the modified configuration template:
[Expert@HostName:0]# /bin/template_xlate : /web/templates/httpd-ssl.conf.templ /web/conf/extra/httpd-ssl.conf < /config/active
Restart the HTTPD daemon:
[Expert@HostName:0]# tellpm process:httpd2
@PhoneBoy or, much better, use cipher_util
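The Gaia Portal steps above, and the re-scans reported later in this thread that still showed TLS 1.0, can be scripted and checked. The following is an added example, not the thread's own procedure and not Check Point code. It assumes the template path and the two apply commands exactly as listed above; the rewrite function takes the protocol list as a parameter, so it covers the "+TLSv1.1" from the steps above as well as a stricter "+TLSv1.2". The probe function uses `openssl s_client` (assumed to be available in Expert mode) so that the result can be compared with what a scanner reports; it needs network access and is not part of the built-in self-check.

```shell
#!/bin/sh
# Added example (not from the thread or from Check Point): script the
# SSLProtocol change for the Gaia httpd template and verify the result.
set -u

# Path from the thread; override with TEMPLATE=... when testing on a copy.
TEMPLATE="${TEMPLATE:-/web/templates/httpd-ssl.conf.templ}"

# Print the first SSLProtocol directive of a file without its indentation.
ssl_protocol_line() {
    sed -n 's/^[[:space:]]*\(SSLProtocol[[:space:]].*\)$/\1/p' "$1" | head -n 1
}

# Rewrite the SSLProtocol directive in file $1 so that only the protocols in
# $2 are enabled (the thread uses "+TLSv1.1"; "+TLSv1.2" is the stricter
# choice). Mirrors the thread's steps: backup copy, chmod +w, edit, chmod -w.
# Returns 1 if the file is missing or no directive was found to rewrite,
# so a template without the directive is not silently reported as "fixed".
harden_ssl_protocol() {
    file="$1"; protos="$2"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    cp "$file" "${file}_BKP" || return 1
    chmod +w "$file" || return 1
    # Keep the original indentation; $protos must not contain sed-special
    # characters such as '&' or '/'.
    sed "s/^\([[:space:]]*\)SSLProtocol[[:space:]].*/\1SSLProtocol -ALL ${protos}/" \
        "$file" > "${file}.tmp" || return 1
    mv "${file}.tmp" "$file" || return 1
    chmod -w "$file"
    [ "$(ssl_protocol_line "$file")" = "SSLProtocol -ALL ${protos}" ]
}

# The two commands the thread lists to push the template into the live
# config and restart httpd2. Only meaningful on a Gaia system, so it is not
# called by the self-check below.
apply_gaia_template() {
    /bin/template_xlate : "$TEMPLATE" /web/conf/extra/httpd-ssl.conf < /config/active || return 1
    tellpm process:httpd2
}

# Return 0 if host $1 port $2 completes a handshake with the s_client flag
# $3 (-tls1, -tls1_1 or -tls1_2), 1 otherwise. Older s_client builds exit 0
# even when nothing was negotiated, hence the extra "Cipher is (NONE)" check.
tls_version_accepted() {
    out=$(openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1) || return 1
    printf '%s\n' "$out" | grep -q 'Cipher is (NONE)' && return 1
    return 0
}

# One line per version, e.g. "-tls1 refused", for comparison with a scanner
# report. Needs network access, so it is also not part of the self-check.
probe_tls_versions() {
    for flag in -tls1 -tls1_1 -tls1_2; do
        if tls_version_accepted "$1" "$2" "$flag"; then
            echo "$flag accepted"
        else
            echo "$flag refused"
        fi
    done
}

# Self-check on a constructed copy of the directive, not the real template.
demo_dir=$(mktemp -d)
demo_tmpl="$demo_dir/httpd-ssl.conf.templ"
printf '    SSLEngine on\n    SSLProtocol -ALL +SSLv3 +TLSv1\n' > "$demo_tmpl"
harden_ssl_protocol "$demo_tmpl" "+TLSv1.2"
echo "before: $(ssl_protocol_line "${demo_tmpl}_BKP")"
echo "after:  $(ssl_protocol_line "$demo_tmpl")"
rm -rf "$demo_dir"
```

On a gateway, after the snapshot and `save config` the thread insists on, the real change is `harden_ssl_protocol "$TEMPLATE" "+TLSv1.2" && apply_gaia_template`, followed by `probe_tls_versions <gateway-ip> 443` from another host. Two things the probe makes visible that the thread's later replies ran into: the probe only tells you about the listener on the port you name (the VPN portal and Multiportal are separate listeners), and a modern OpenSSL client may itself refuse to offer TLS 1.0, in which case "-tls1 refused" says nothing about the server.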
I appreciate the quick response. It looks like this solution didn't work when done in a lab. Something I did overlook is that when I scan the firewalls my results are showing the certificates used for my VPN. In this case is there a solution to force the SSL VPN cipher to TLS1.1 or higher?
Dude! 🙂
Hi @JG, were you able to find a solution?
I tried your step and replaced the line in /web/templates/httpd-ssl.conf.templ, but when we scanned the interface again for PCI DSS compliance, the error is shown again. Is there any other step that I might have to do to disable TLSv1 on the gateways? The gateways are running R80.10.
Good Morning,
how can I apply the same tls inspection to smtps traffic as well?
Thank you in advance.
Inline? No.
However, the gateway has an MTA that can be enabled with the Threat Prevention and/or DLP blades.
This can terminate SMTPS.
About your procedure for SSL inspection:
I want to ask what the impact will be. Actually, I need to disable TLS 1.0 and TLS 1.1 only for specific incoming connections that I do SSL inspection for, so the pen tests will show that only TLS 1.2 is supported.
But I'm afraid that it will also affect outgoing internet surfing, which also goes through SSL inspection, and I wonder: would it reject websites that use TLS 1.1 and lower because of that? Or is it only between the GW and the internal PCs that only TLS 1.2 will be used?
thanks
For me the configuration that we usually do on a Linux server didn't work at all. My first attempt was that. During the vulnerability testing the customer kept on getting the same result, where one of the reports came out as failed due to TLS 1.0 and its vulnerability; I'm guessing it was called the POODLE attack.
For the pen test the option of allowing only TLS 1.2 from the SmartConsole works fine. For me this helped resolve the issue for the pen test. And I installed an SSL certificate signed by a CA, like GoDaddy.
Gateway setup was Load sharing mode and version is R80.10.
Many internet sites are still using TLS 1.0. If the goal is to disable weak ciphers, you have a much better tool for the purpose than the one Heiko mentioned.
There is something completely new available on R80.30 for cipher management, called cipher_util.
See sk126613 for details.
@JG Especially then I suggest you look into the utility I have mentioned.
Hello,
Do these tweaks also apply to the SmartCenter server???
Or do they only apply to the Security Gateway?
cipher_util doesn't run on a SmartCenter; in the Global Properties I have set MIN and MAX TLS version to 1.2 already ...
The SmartCenter still runs with TLS1.0 and so on ...
The Security Gateways are now on TLS1.2 after changing the Global Properties ...
I am a bit reluctant to tweak around on a live system ...
best regards
Thomas.
I had to dig through all the available options for hardening HTTPS settings on gateways and management server myself some time ago.
I wrote this table for myself after digging through various SKs, asking TAC and doing lab tests:
Product | TLS Endpoint Scenario | Hardening ciphers using which SK |
Security Gateway | Gaia Portal only (httpd2), normal operation | sk147272 – may need redo after JHF |
Security Gateway | Gaia Portal only (httpd2), cpstop | sk147272 – may need redo after JHF |
Security Gateway | Multiportal (httpd2), normal operation | sk126613 – no redo after JHF needed |
Security Gateway | Multiportal (httpd2), cpstop | sk147272 – may need redo after JHF |
Security Management | Gaia Portal (httpd2) | sk147272 – may need redo after JHF |
Security Management | CPM (Java) (:19009) | Supports only TLS 1.2 (hardcoded - sk122073) since R80.10 Take 278 and on |
Security Management | CPMI (FWM) (:18190) | Not possible |
The difference between normal operation and cpstop on gateways is purely because of Multiportal. If you stopped Check Point services with cpstop, the Multiportal daemon is not in service anymore, but the Gaia Portal is still available. So the HTTPS cipher config falls back from the Multiportal config to the plain httpd config. On gateways without Multiportal, there is no difference.
If anybody has additional infos or corrections for this table, I'm happy to hear from you 🙂
Hi,
Thank you Tobias, a good list ...
Question:
So since this process for the SmartConsole / SIC still remains on TLS1.0, it's not possible to remove ALL old TLS versions from the SmartCenter?
Security Management | CPMI (FWM) (:18190) | Not possible |
Most communication between SmartConsole and Security Management is CPM today (and this was hardened), but some features are still relying on old CPMI, and so you are right: we cannot disable TLS 1.0 completely on Security Management today.
However: SmartConsole (and SmartDashboard) is using TLS 1.2 these days for CPMI. It is just that the server side on Security Management would also accept a TLS 1.0 connection, and this is what is relevant when doing security assessments/audits.
The full answer I got from TAC last summer was (rephrased and not a direct quote, because I'm not sure if I'm allowed to post it here):
For CPMI (FWM) it is possible to change cipher/protocol settings by applying a command with a special flag.
This was provided over an RFE with the Check Point local office and was made available with a specific customer environment having been taken into consideration.
TAC declined to provide this command based on a normal TAC case (backed up by TAC management). If a customer really needs it, an RFE should be raised at the local Check Point office.
They also said that there was a very good reason this command was not documented anywhere even after the original RFE, and it was not meant to be used as a solution for anything just yet.
For me this sounds like: untested, no general support, and they do not believe this will work in normal environments. That's why I have it as "not possible" in my table.
Maybe there will be a day when Check Point R&D has finished the replacement of CPMI with CPM 🙂
Keep in mind most of the security issues with TLS 1.0 don't apply when certificates are used.
After the initial one-time password initialization, SIC uses certificates for everything.
Hi,
When doing HTTPS inspection inbound, do you think setting the service as "TLSv1.2" in the access policy (or the https inspection policy?) would do?
Many thanks!