Hello everyone,

we just updated our Gateways to R80.30 including JH T155. We also wanted to seize the opportunity to harden the web portal so we used cipher_util to deactivate several Ciphers:

Enabled:
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

Disabled:
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA

After this, the vulnerability scan looks much better. Only one vulnerability is left:

Secure Client-Initiated Renegotiation     VULNERABLE (NOT ok), DoS threat

The recommendation from Qualys is to  check for client-initiated renegotiation support in your servers, and disable it where possible. Is there a way to perform this in Gaia?

There is an IPS Protection to block this kind of exploit, but I think this refers to external Web Servers, not to the firewall’s own service. In any case, we're not doing IPS on this gateway anyways.

Therefore, I'm looking for a way to disable the response to the client-initiated renegotiation on the Check Point gateway.

Thank you in advance!

Br,

Miguel