Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
G_W_Albrecht
Legend
Legend
Jump to solution

R81.10 cipher_util issue

cipher_util does no longer work for multiportal in R81.10, look for yourself:

- start cipher_util

- display multiportal cipher list

- disable one cipher

- display cipher list shows the cipher as disabled

- quit cipher_util and type y save:

Would you like to save configuration? [y/N] y

Successfuly reconfigured 

Exiting cipher tool...

- start cipher_util

- display multiportal cipher list

---> you will see that nothing was changed and cipher_util has not saved the changes !

CCSE CCTE CCSM SMB Specialist
1 Solution

Accepted Solutions
matangi
Employee
Employee

Hi @G_W_Albrecht 
Yes, issue is present in R80.40 and higher releases

We created a new SK for that matter, see https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&so...

Thanks,
Matan

View solution in original post

15 Replies
matangi
Employee
Employee

Hi @G_W_Albrecht 

Thank you for raising this issue

We are aware of this issue and working on a fix, will be released in R81.20 once the tests are completed successfully

  • cipher_util tool works as expected for HTTPS Inspection
  • A valid Workaround of changing ciphers for Multi-portal is to install policy by running "fw fetch local" on the Gateway right after "save configuration" step

Thanks,
Matan

0 Kudos
G_W_Albrecht
Legend
Legend

Replicated issue and workaround on R81.10 and R80.40 GWs. Is there an SK for this issue already ?

CCSE CCTE CCSM SMB Specialist
0 Kudos
G_W_Albrecht
Legend
Legend

Is it correct that this issue also is present in R81 @matangi ?

CCSE CCTE CCSM SMB Specialist
0 Kudos
matangi
Employee
Employee

Hi @G_W_Albrecht 
Yes, issue is present in R80.40 and higher releases

We created a new SK for that matter, see https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&so...

Thanks,
Matan

the_rock
Legend
Legend

Good job! Just tested with that sk and worked like a charm.

chuck
Explorer

Hi @matangi 

Got the same problem in our upgrade from R80.30 to R81.10.

We tried the workaround in sk178165, does not seem to work.

The only difference from the workaround is that after "Multi Portal" a got to select "TLS 1.2 Ciphers"

Thanks 

 

 

0 Kudos
matangi
Employee
Employee

Thanks @chuck 
In case the problem persists, Please open a service request to Check Point Support

the_rock
Legend
Legend

Indeed...tested on R80.40 and above, same issue. On R80.30, works fine.

Andy

Fire_Verse
Contributor

So this has been a known issue for over a year? Hey Check Point how about:

  • Update sk126613 directly with sk178165
  • Create a hotfix for affected versions

How much more time do you need on this? Amazing.

0 Kudos
G_W_Albrecht
Legend
Legend

- sk178165 is listed first under Known Limitations of sk126613

- R81.20 includes a fix

- there is a workaround for R80.40 -> R81.10

As disabling ciphers for MultiPortal is no activity repeated every other day it is not so hard to live with it 😉

CCSE CCTE CCSM SMB Specialist
Fire_Verse
Contributor

 "sk178165 is listed first under Known Limitations of sk126613" <-- This should be included within the steps, not added as an afterthought at the end of the SK. 

"R81.20 includes a fix" <--Customer is not on R81.20, so this doesn't apply. 

"there is a workaround for R80.40 -> R81.10" <-- That's not a "workaround" that is a missing step in the documentation.

"As disabling ciphers for MultiPortal is no activity repeated every other day it is not so hard to live with it" <-- Maybe for you, but I have a customer with an outage because of this SK. This SK article has not been updated after 16 months and multiple reports of problems, sk178165 and sk126613 have not been combined, this not to have been addressed in a hotfix, and the multiportal still has these ciphers enabled by default.

If gateways are going to continue to be shipped this way, then the documentation should be spot on so that they can be quickly corrected and run as actual security devices.

Otherwise this cipher issue is going to be highlighted on any kind of vulnerability scan or pen test, and make it quite a challenge to demonstrate compliance to any reputable standard.  

 

 

G_W_Albrecht
Legend
Legend

Yes, this world could be a better place 😎 ! Missing / incomplete / wrong documentation is an old issue in IT - but i personally prefer fixes to bugs, as the best documentation will not help you if the product has issues...

The gateways shouldn't even have these outdated ciphers enabled by default

--> I would suggest you do a RFE for that...

CCSE CCTE CCSM SMB Specialist
0 Kudos
Fire_Verse
Contributor

An RFE to remove Ciphers without PFS support and that use SHA-1?  They shouldn't be included on a security gateway in this day and age.

https://ciphersuite.info/

_Val_
Admin
Admin

Feel free to raise this with your local Check Point representative.

0 Kudos
the_rock
Legend
Legend

Could not agree more @Fire_Verse 

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events