This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
TG_Mai
Explorer
‎2019-09-18 12:06 PM

Disable CBC mode cipher and enable GCM cipher mode for https inspection

hello 

we have R80.10 with https inspection on, does anyone know how to disable the CBC mode cipher for TLS_ECDHE_RSA * in the https inspection?

There an SK show how to allow specific cipher suites only for VPN in R80.10

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

any help would be great, thank you.

TG

0 Kudos
6 Replies
PhoneBoy
Admin
Admin
‎2019-10-24 11:31 AM

See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Note that if you're using HTTPS Inspection, it's a good idea to upgrade to R80.30 as it supports additional ciphers, has a better utility to configure what it supported/allowed, and improved SNI support.
0 Kudos
Suresh_Kumar
Explorer
‎2020-08-26 07:09 AM
In response to PhoneBoy

We have already on R80.30 and we are facing the same issue that the all CBC Cipher are showing enable for all the application.

Is there any way to restrict ciphers for specific natted IP?

0 Kudos
Zatimus
Explorer
‎2021-10-06 12:37 AM
In response to Suresh_Kumar

Hi Suresh,

Hope you are doing well. Want to ask, you manage to have your questions answered? if you do could you share with me the steps.

Thank you

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2021-10-06 01:06 AM
In response to Zatimus

A good starting point is sk104562: Supported cipher suites for HTTPS Inspection that lists supported ciphers for many versions. Then use sk126613: Cipher configuration tool for Security Gateways to configure it as requested.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
tavi0906
Contributor
‎2023-08-29 11:11 PM
In response to Suresh_Kumar

is there any way to block the CBC ciphers on a NAT ip

 

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2023-08-30 12:25 AM
In response to tavi0906

Please explain - what is a NAT IP for you? Usually, allowed ciphers can be set for SSH, SSL VPN and Multiportal.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events