Will this work from Windows?  I just grab whatever works on Windows to do a quick test.

I take it your referring to the tool related to sk126613

Which blade would you like to configure?
(1) Multi Portal
(2) SSL Inspection
1
Make sure the selected blade is active.
Cannot access the configuration file

Aborting...

Also the SK does not indicate if we can disable TLSv1.0, TLSv1.1

I've no license on the devices yet.

Did you finish the first time wizard yet or now? If you did not, please do.

Also, there are quite a few discussions for the matter in the community already, for example: https://community.checkpoint.com/t5/General-Topics/Disable-TLS-1-0/m-p/70338#M14237

First time wizard has been completed.

Then license is not an issue, you should have 2 weeks evaluation. Did you try your modifications before or after you used cipher_util? 

before, so within the two week period.

What is the version you are using?

R81 with JHFA23

Then it might be that you have messed with HTTPd settings and corrupted the config file, then cipher_util fails. I would re-install and use cipher_util before anything else. Also, the GW should have policy installed before and after modifications.

I'm doing another build right now, so I can try it on there as well.

Sure, let me know if this works for you. If there is an issue with cipher_util, and before you make any modifications manually, please open a TAC case.

This is a new build, and the policy will be installed within the cutover window.

Clean build - same result

Clean build with JHFA23 - same result

not in all cases no license and policy installed its just a clean build ready for commissioning.

Open a support case with TAC please.

cipher_util is only relevant when you have a policy installed (and configuration such that multi-portal is active)

Same with the TLS versions configured in snx_ssl_max_ver and snx_ssl_min_ver

Without multi-portal in use, the httpd configuration is relevant.

Cool - so back to my original question then related to why TLSv1.2 shows as disabled.

More update:

I've discovered that when locking down the ciphers etc you need to be careful.  The symptom I experienced was:

Logs & Monitors > General Overview or new tab "Error loading tab - Error: SslVersionOrCipherMismatch" Gateway object license tab "Loading Error: ERRL_SSL_VERSION_OR_CIPHER_MISMATCH" for more details see sk166932.

I check the KB and found SK171707, after which then lead me to the lockdown I did.  At this point I tweaked the setting to the following:

SLCipherSuite HIGH:!ADH:!RC4:!DHE:!LOW:!EXP:!RSA:!eNULL:!aNULL:!SSLv2:!MD5

SSLProtocol -ALL {ifcmp = $httpd:ssl3_enabled 1}+{else}-{endif}TLSv1.1 +TLSv1.2 +TLSv1.3

When run a scan against the IP for the SMS I get the following discovered:

SLCipherSuite HIGH:!ADH:!RC4:!DHE:!LOW:!EXP:!RSA:!eNULL:!aNULL:!SSLv2:!MD5
SSLProtocol -ALL {ifcmp = $httpd:ssl3_enabled 1}+{else}-{endif}TLSv1.1 +TLSv1.2 +TLSv1.3

When run a scan against the IP for the SMS I get the following discovered:

TLSv1.3 enabled

TLS Fallback SCSV:

Server supports TLS Fallback SCSV

TLS renegotiation:

Session renegotiation not supported

TLS Compression:

Compression disabled

Heartbleed:

TLSv1.3 not vulnerable to heartbleed

TLSv1.2 not vulnerable to heartbleed

Supported Server Cipher(s):
Preferred TLSv1.3 128 bits TLS_AES_128_GCM_SHA256 Curve 25519 DHE 253
Accepted TLSv1.3 256 bits TLS_AES_256_GCM_SHA384 Curve 25519 DHE 253
Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256 Curve 25519 DHE 253
Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve 25519 DHE 253
Accepted TLSv1.2 256 bits ECDHE-RSA-CHACHA20-POLY1305 Curve 25519 DHE 253
Accepted TLSv1.2 256 bits ECDHE-ARIA256-GCM-SHA384 Curve 25519 DHE 253
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve 25519 DHE 253
Accepted TLSv1.2 128 bits ECDHE-ARIA128-GCM-SHA256 Curve 25519 DHE 253
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA384 Curve 25519 DHE 253
Accepted TLSv1.2 256 bits ECDHE-RSA-CAMELLIA256-SHA384 Curve 25519 DHE 253
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA256 Curve 25519 DHE 253
Accepted TLSv1.2 128 bits ECDHE-RSA-CAMELLIA128-SHA256 Curve 25519 DHE 253
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253

Server Key Exchange Group(s):
TLSv1.3 128 bits secp256r1 (NIST P-256)
TLSv1.3 192 bits secp384r1 (NIST P-384)
TLSv1.3 260 bits secp521r1 (NIST P-521)
TLSv1.3 128 bits x25519
TLSv1.3 224 bits x448
TLSv1.2 128 bits secp256r1 (NIST P-256)
TLSv1.2 192 bits secp384r1 (NIST P-384)
TLSv1.2 260 bits secp521r1 (NIST P-521)
TLSv1.2 128 bits x25519
TLSv1.2 224 bits x448

Issue was resolved in the GUI.

If anyone can suggest further tweaking please shout, as I would like to lock this down much as possible.

I experienced that myself once...playing around with those ciphers can actually cause more harm than good. I dont know if there is a better solution to this currently...

maybe the Gurus can give some guidance that will lock this down and to keep the security audit team happy, while not breaking anything.

I think what I've done is about as good as it gets without breaking something.

I agree cold heartedly. I would leave it alone if I were you.