CaseyB
Advisor

PSA: Check Point and Palo Alto - GCM Phase 1

Upgrading to R82 allows the use of GCM ciphers in Phase 1. If you were as excited as I, you might have tried to use them already and you might have had issues getting it to work with Palo Alto. This topic is for you!

How to define Pseudo Random Functions in the VPN community - According to this 7-year-old SK, you would assume that Check Point would send PRF-256 for AES-GCM-256 in Phase 1; this is not the case. Check Point sends PRF-384 for AES-GCM-256 in Phase 1, and this is confirmed by debugs & TAC. Maybe there is a newer SK? I submitted feedback for that SK article.

Per Palo documentation - If you select an AES-GCM algorithm for encryption, you must select the Authentication setting non-auth or the commit will fail. The hash is automatically selected based on the DH Group selected. DH Group 19 and below uses sha256; DH Group 20 uses sha384.

So, for AES-GCM-256 in Phase 1 to work between Check Point and Palo Alto, you need to use at least Group 20. Group 19 and below will fail due to issues with PRF differences.
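The mismatch above comes down to IKEv2 proposal matching: the responder must find a common transform for every transform type the initiator offers (ENCR, PRF, DH, and INTEG unless the cipher is AEAD, per RFC 7296). The script below is an added illustration, not code from the post, Check Point or Palo Alto. It models each side's Phase 1 proposal from the behaviour stated in the post (Check Point R82 sending PRF-384 with AES-GCM-256; Palo Alto picking the hash from the DH group, with no INTEG for GCM) and reports which transform type fails to agree. The transform names, the `Proposal` type and the helper functions are this example's own, and the Palo Alto mapping is only implemented for the groups the post mentions (20 and below).

```python
"""IKEv2 IKE_SA_INIT proposal matching, reduced to the transform types that
decide the Check Point <-> Palo Alto AES-GCM Phase 1 case discussed above.
Added example; proposal contents are modelled from the post, not captured."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proposal:
    """One IKE SA proposal: the set of acceptable transforms per type.
    `integ` stays empty for AEAD ciphers such as AES-GCM (RFC 7296 3.3.3)."""
    encr: frozenset
    prf: frozenset
    dh: frozenset
    integ: frozenset = frozenset()

    def transforms(self):
        return {"ENCR": self.encr, "PRF": self.prf,
                "INTEG": self.integ, "DH": self.dh}


def match(initiator: Proposal, responder: Proposal) -> dict:
    """Return {transform_type: chosen_value}; a value of None marks a type
    with no overlap, which makes the responder reject the proposal."""
    result = {}
    for ttype, offered in initiator.transforms().items():
        accepted = responder.transforms()[ttype]
        if not offered and not accepted:
            continue  # both omit INTEG (AEAD cipher on both sides): acceptable
        common = sorted(offered & accepted)
        result[ttype] = common[0] if common else None
    return result


def negotiation_ok(result: dict) -> bool:
    return all(value is not None for value in result.values())


def checkpoint_gcm256_proposal(dh_group: int) -> Proposal:
    """Modelled from the post: R82 pairs AES-GCM-256 with PRF-HMAC-SHA2-384
    in Phase 1 regardless of the DH group (assumption for the example)."""
    return Proposal(encr=frozenset({"AES-GCM-256"}),
                    prf=frozenset({"PRF-HMAC-SHA2-384"}),
                    dh=frozenset({dh_group}))


def paloalto_gcm256_proposal(dh_group: int) -> Proposal:
    """Modelled from the Palo Alto documentation quoted in the post: GCM
    requires 'non-auth' (no INTEG), and the hash used as PRF follows the
    DH group: group 19 and below -> SHA-256, group 20 -> SHA-384.
    Groups above 20 are not covered by the quoted text, so refuse them."""
    if dh_group > 20:
        raise ValueError("PRF mapping for DH groups above 20 not given in the post")
    prf = "PRF-HMAC-SHA2-384" if dh_group == 20 else "PRF-HMAC-SHA2-256"
    return Proposal(encr=frozenset({"AES-GCM-256"}),
                    prf=frozenset({prf}),
                    dh=frozenset({dh_group}))


def gcm256_phase1_compatible(dh_group: int) -> bool:
    """True when both modelled proposals agree on every transform type."""
    return negotiation_ok(match(checkpoint_gcm256_proposal(dh_group),
                                paloalto_gcm256_proposal(dh_group)))


if __name__ == "__main__":
    for group in (14, 19, 20):
        outcome = match(checkpoint_gcm256_proposal(group),
                        paloalto_gcm256_proposal(group))
        failed = [t for t, v in outcome.items() if v is None]
        print(f"DH group {group}: {'OK' if not failed else 'mismatch on ' + ', '.join(failed)}")
```

Running it shows DH groups 14 and 19 failing on PRF alone (ENCR and DH agree, INTEG is absent on both sides) and group 20 negotiating cleanly, which is the "at least Group 20" rule from the post expressed as the transform intersection a responder actually computes.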

PhoneBoy
Admin

Good to know!
