Stefano_Chiesa
Explorer

SPLAT R75.40 - disable TCP / ICMP timestamp

We were under audit and one of the findings is a TCP and ICMP timestamp response vulnerability/risk. The auditors recommend turning TCP and ICMP timestamps off.

Does someone know how to do it and if there will be some "side effects"?

Thanks in advance.

Stefano.

0 Kudos
1 Solution

Accepted Solutions
Danny
Champion

Hi Stefano,

You can find all timestamp services via the integrated search function of your SmartDashboard:

You've probably allowed icmp pings by permitting the entire icmp protocol suite, including timestamps:

Just replace icmp-proto with echo-request like this:

I wonder why your internal audit didn't note that R75.40 is a version that went out of support in April 2016. You should consider upgrading to a more recent release, such as R77.30 or higher.


6 Replies
Stefano_Chiesa
Explorer

Hi Danny, thanks for the greetings.

0 Kudos
Stefano_Chiesa
Explorer

Thanks a lot Danny, I'll try this solution.

Let me say that the most up-to-date clusters are R75.40 but there is a R65 HFA 70 cluster in production too.. :(

Thanks again.

Stefano.

0 Kudos
HeikoAnkenbrand
Champion

Hi Stefano,

I do a lot of security audits at our company. I think the timestamp problem is the smallest.

The following vulnerabilities should occur with R65 HFA 70 and possibly R75.40:

- SHA1 vulnerabilities

- RC4 vulnerabilities

- POODLE vulnerabilities

and and and

I agree with Danny here. I should urgently upgrade the systems to R77.30 or higher.

Regards

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Itri
Explorer

Hi. Any idea how to disable the same but on MDS smart center or log server, for local vulnerability scanner, where there is no firewall in between? 
Edit: Have also some Eventia Reporter servers with same "issue", for which I can not even open smart console directly.

0 Kudos
PhoneBoy
Admin

That requires disabling them at the OS level.
For TCP timestamps: sysctl -w net.ipv4.tcp_timestamps=0
For ICMP, I'm not sure it's relevant or not and would recommend engaging TAC: https://help.checkpoint.com 
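
Added example, not part of the reply above: sysctl -w changes only the running kernel, so the value reverts at reboot unless it is also written to a file the host applies at boot. The sketch below reads the running value and makes the setting persistent and idempotent; the function names are hypothetical, and it assumes the host applies /etc/sysctl.conf at boot as stock Linux does (confirm for your Check Point release before relying on it).

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Assumption: the host applies /etc/sysctl.conf at boot, as stock Linux does.

KEY="net.ipv4.tcp_timestamps"

# Print the running value of a sysctl key by reading /proc/sys
# (dots in the key become slashes). The optional second argument
# overrides the /proc/sys root so the function can be tested offline.
runtime_value() {
    root="${2:-/proc/sys}"
    path="$root/$(printf '%s' "$1" | tr . /)"
    [ -r "$path" ] && cat "$path"
}

# Ensure "key = value" appears exactly once in a sysctl.conf-style file.
# Active assignments of the key (any spacing, any value) are dropped and the
# wanted line is appended; comments and other keys are left untouched.
persist_sysctl() {
    file="$1"; key="$2"; value="$3"
    tmp="$(mktemp)" || return 1
    # Escape the dots so the key is matched literally by sed.
    esc="$(printf '%s' "$key" | sed 's/\./\\./g')"
    if [ -f "$file" ]; then
        sed "/^[[:space:]]*${esc}[[:space:]]*=/d" "$file" > "$tmp"
    fi
    printf '%s = %s\n' "$key" "$value" >> "$tmp"
    # Write through the existing file so its owner and mode are preserved.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Typical use, as root:
#   persist_sysctl /etc/sysctl.conf "$KEY" 0 && sysctl -p
#   runtime_value "$KEY"    # expected to print 0 afterwards
```

Running the function twice leaves a single assignment in the file, so it is safe to call from a hardening script that is re-applied after upgrades.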
