This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Sried
Participant
‎2019-09-26 01:59 AM
Jump to solution

CP R.80.30 Not allowed SSL version

Hi Everyone,

im currently encountering an issue with several drops of  different sevices being rejected with the message Not allowed SSL version.

I checked the DB settings: ssl_min_ver is set to sslv3 while max is set to tls1.2 . 

I also created a seperate rule for ssl inspect like described in sk34182., yet i still receive the error.

 

Currently it blocks me from initiating a rdp session within an existing Site 2 Site VPN Connection.

Remote_Desktop_Protocol (TCP/3389)

Reject

Not allowed SSL version

 

So far i was not able to find any other sk article regarding this issue,

Has anyone else encountered this problem?

 

0 Kudos
1 Solution

Accepted Solutions
Sried
Participant
‎2019-10-28 07:42 AM
In response to PhoneBoy
Jump to solution

Hi everyone,

 

it turned out that someone configured multiple Services with active protocol signature(TCP,UDP,) under R77.80.

But instead of matching them to the recommended port (e.g. 443 TCP) they were matched for any port. This led to the error that any tcp / UDP traffic which was encypted matched for those services (which were missing in the security and application policy rules). The issue became visible after the update fron 77.30 to 80.20 .

 

As a solution, i deleted both services. 

Thx for all the help

View solution in original post

0 Kudos
12 Replies
_Val_
Admin
Admin
‎2019-09-26 02:58 AM
Jump to solution

Please check your RDP SSL Inspection is properly set. Look here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

0 Kudos
_Val_
Admin
Admin
‎2019-09-26 02:59 AM
In response to _Val_
Jump to solution

If that does not help, you can try HTTPSi bypass rule for RDP specifically

0 Kudos
Sried
Participant
‎2019-09-26 04:00 AM
In response to _Val_
Jump to solution

Hi Valeri,

 

i tried the explicit https bypass rule for RDP, unfortunately the behavior is still the same.

I also tried your link, but i get the message: Solution could not be found in the system.

 

Yet i found a TCP service which could be a remnant from R77.30 

Protocol: SSL_V3

Match By Port:  Any  

Protocol Signature: checked

 

Could it be that the service is mismatched since it fulfills the criteria for this object?

 

 

 

 

 

0 Kudos
_Val_
Admin
Admin
‎2019-09-27 05:52 AM
In response to Sried
Jump to solution

Yes, you might need to set up a _new_ RDP service. One inherited from R77.30 is no good

0 Kudos
PhoneBoy
Admin
Admin
‎2019-09-26 11:41 AM
Jump to solution

HTTPS Inspection is only for web traffic, it shouldn't impact RDP.
I suspect this is getting blocked by IPS which does have protections that block older SSL versions.
Can you provide a screenshot of the log card? (Feel free to mask sensitive details)
0 Kudos
Sried
Participant
‎2019-09-27 01:05 AM
In response to PhoneBoy
Jump to solution

Hi,

i attached the log for the RDP drop.

 

 

Preview file
36 KB
0 Kudos
_Val_
Admin
Admin
‎2019-09-27 05:51 AM
In response to Sried
Jump to solution

The action is bypass, so it is not the policy. Which HFA are you running at? With R80.30 you need at least Jumbo 50

0 Kudos
_Val_
Admin
Admin
‎2019-09-27 05:49 AM
In response to PhoneBoy
Jump to solution

@PhoneBoy I am afraid you are mistaken, please check the SK I have referenced above 

0 Kudos
Sried
Participant
‎2019-09-27 06:26 AM
In response to _Val_
Jump to solution

Hi,

 

i just checked the version of the cluster.

Sorry, it seems i was mistake. R80.30 is the Console.

Currently installed:

HOTFIX_R80_20_JUMBO_HF_MAIN Take: 87

 

 

0 Kudos
PhoneBoy
Admin
Admin
‎2019-09-27 03:59 PM
In response to Sried
Jump to solution

There is a specific hotfix you will need to install, but it's on top of a different jumbo take (47): https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Recommend engaging with the TAC.
0 Kudos
PhoneBoy
Admin
Admin
‎2019-09-27 04:00 PM
In response to _Val_
Jump to solution

Huh, you learn something new every day. 😁
0 Kudos
Sried
Participant
‎2019-10-28 07:42 AM
In response to PhoneBoy
Jump to solution

Hi everyone,

 

it turned out that someone configured multiple Services with active protocol signature(TCP,UDP,) under R77.80.

But instead of matching them to the recommended port (e.g. 443 TCP) they were matched for any port. This led to the error that any tcp / UDP traffic which was encypted matched for those services (which were missing in the security and application policy rules). The issue became visible after the update fron 77.30 to 80.20 .

 

As a solution, i deleted both services. 

Thx for all the help

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events