kiriwaEvariste
Participant

Disabling TLS 1.0 and TLS 1.1 on Quantum Spark 1555

Hello community,
How do I disable TLS 1.0 and TLS 1.1 on Quantum Spark devices in the CLI with version R81.10.10?

7 Replies
Lesley
MVP Gold

VPN? Syslog? Gaia portal? SSH? HTTPS inspection?

For SSL inspection, try:

https://sc1.checkpoint.com/documents/Appliances/Quantum_Spark_R82.00.X/CLI/EN/Content/Topics/set-adm...

SSH:

https://sc1.checkpoint.com/documents/Appliances/Quantum_Spark_R82.00.X/CLI/EN/Content/Topics/show-ss...

For the WebUI, try:

  1. Enter Clish mode.

    clish

  2. Run:

    set admin-access support-weak-tls-version false

  3. Save the changes in the database:

    save config

-------
Please press "Accept as Solution" if my post solved it 🙂
kiriwaEvariste
Participant

Thanks, that was helpful.
However, is there a command to disable it generally in the LAN so that it's not just SSH and the web portal, but all services using TLS 1.0 and TLS 1.1 are blocked?

Lesley
MVP Gold

You mean clients that send TLS 1.0 you want to block? Or you want to block TLS 1.0 on the fw itself?

So traffic that flows via this firewall, like browsing traffic?

Then you need security blades like IPS and application control to block old TLS versions.

-------
Please press "Accept as Solution" if my post solved it 🙂
kiriwaEvariste
Participant

We want to block clients that send TLS 1.0.
We have the IPS module.
How can we specifically block TLS 1.0 and TLS 1.1 with IPS?

Lesley
MVP Gold

With app control: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityManagement_AdminGuid...

Recommended way is with https inspection:

https://support.checkpoint.com/results/sk/sk182224

IPS: search for the IPS protections "TLS 1.0" and "TLS 1.1" and override the protection with Drop instead of Accept / Inactive -> https://support.checkpoint.com/results/sk/sk179910

Generic info:

https://support.checkpoint.com/results/sk/sk178505

-------
Please press "Accept as Solution" if my post solved it 🙂
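To make the IPS approach concrete: a protection that drops TLS 1.0/1.1 has to look at the versions a client actually offers in its ClientHello, not just the TCP port. The script below is an added example written for this thread, not Check Point code and not how the IPS protections named in the sk articles are implemented. It builds a few constructed ClientHello records, parses the offered versions (including the TLS 1.3 `supported_versions` extension, which otherwise makes a TLS 1.3 client look like TLS 1.2) and returns an accept/drop verdict against a TLS 1.2 floor. Running something like this over a packet capture from one test machine is a way to confirm which clients in the LAN would be affected before widening a drop rule, as suggested in the thread.

```python
import struct

# Constructed sample: not a capture from any real device.
TLS_VERSION_NAMES = {
    0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
    0x0303: "TLS 1.2", 0x0304: "TLS 1.3",
}
MIN_ALLOWED = 0x0303          # policy floor: TLS 1.2 (assumption for this example)
EXT_SUPPORTED_VERSIONS = 0x002B


def is_grease(v):
    """RFC 8701 GREASE values (0x0a0a, 0x1a1a, ...) are decoys and must be ignored."""
    return (v >> 8) == (v & 0xFF) and (v & 0x0F) == 0x0A


def build_client_hello(client_version, supported_versions=None):
    """Build a minimal, constructed ClientHello record for testing the parser."""
    body = struct.pack(">H", client_version)
    body += b"\x00" * 32                          # client random (zeros: sample only)
    body += b"\x00"                               # session id length 0
    suites = b"\xc0\x2f\x00\x2f"                  # two arbitrary cipher suites
    body += struct.pack(">H", len(suites)) + suites
    body += b"\x01\x00"                           # one compression method: null
    exts = b""
    if supported_versions:
        vlist = b"".join(struct.pack(">H", v) for v in supported_versions)
        ext_data = bytes([len(vlist)]) + vlist
        exts += struct.pack(">HH", EXT_SUPPORTED_VERSIONS, len(ext_data)) + ext_data
    if exts:
        body += struct.pack(">H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # Record layer: type 0x16 (handshake); record version is conventionally 0x0301.
    return b"\x16" + struct.pack(">H", 0x0301) + struct.pack(">H", len(handshake)) + handshake


def offered_versions(record):
    """Return the set of protocol versions a ClientHello is willing to negotiate."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    client_version = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2 + 32                                 # skip legacy_version + random
    pos += 1 + body[pos]                          # session id
    pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]   # cipher suites
    pos += 1 + body[pos]                          # compression methods
    versions = {client_version}
    if pos + 2 <= len(body):                      # extensions are optional
        ext_len = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype == EXT_SUPPORTED_VERSIONS and edata:
                # RFC 8446: when present, this list replaces legacy_version entirely.
                n = edata[0]
                versions = {struct.unpack(">H", edata[1 + i:3 + i])[0] for i in range(0, n, 2)}
    return {v for v in versions if not is_grease(v)}


def legacy_tls_verdict(record):
    """Mimic a 'drop legacy TLS' protection: drop if the best offered version is below the floor."""
    best = max(offered_versions(record))
    name = TLS_VERSION_NAMES.get(best, hex(best))
    return ("drop" if best < MIN_ALLOWED else "accept", name)


if __name__ == "__main__":
    samples = {
        "old client, TLS 1.0 only": build_client_hello(0x0301),
        "TLS 1.1 client": build_client_hello(0x0302),
        "TLS 1.2 client": build_client_hello(0x0303),
        "TLS 1.3 client (legacy_version 1.2)": build_client_hello(0x0303, [0x0A0A, 0x0304, 0x0303]),
    }
    for label, rec in samples.items():
        print(f"{label:40s} -> {legacy_tls_verdict(rec)}")
```

The verdict is keyed on the highest version the client can negotiate, which is what matters for a block decision: a modern browser still carries `legacy_version = 0x0303` and must not be dropped because of it.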
kiriwaEvariste
Participant

Thanks,

But it's an SMB that is managed locally, so this procedure will be difficult to implement.
And writing a rule with port 443 on SMBs, I'm afraid it will block other services using that port. That's why I was looking for a command that could disable TLS1.0 and TLS1.1 so that a user couldn't use a service using TLS1.0 and TLS1.1.

Lesley
MVP Gold

Start a test rule with only 1 machine (IP), test with SSL Labs (browser test) to compare results.

For ips start with: https://sc1.checkpoint.com/documents/SMB_R81.10.X/AdminGuides_Locally_Managed/EN/Content/Topics/View...

Try to find TLS in the application database for app control.

-------
Please press "Accept as Solution" if my post solved it 🙂