Solved: Re: R81.10 cipher_util issue

G_W_Albrecht · ‎2022-03-02

cipher_util does no longer work for multiportal in R81.10, look for yourself:

- start cipher_util

- display multiportal cipher list

- disable one cipher

- display cipher list shows the cipher as disabled

- quit cipher_util and type y save:

Would you like to save configuration? [y/N] y

Successfuly reconfigured

Exiting cipher tool...

- start cipher_util

- display multiportal cipher list

---> you will see that nothing was changed and cipher_util has not saved the changes !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

matangi · ‎2022-03-03

Hi @G_W_Albrecht
Yes, issue is present in R80.40 and higher releases

We created a new SK for that matter, see https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&so...

Thanks,
Matan

View solution in original post

matangi · ‎2022-03-02

Hi @G_W_Albrecht

Thank you for raising this issue

We are aware of this issue and working on a fix, will be released in R81.20 once the tests are completed successfully

cipher_util tool works as expected for HTTPS Inspection
A valid Workaround of changing ciphers for Multi-portal is to install policy by running "fw fetch local" on the Gateway right after "save configuration" step

Thanks,
Matan

G_W_Albrecht · ‎2022-03-02

Replicated issue and workaround on R81.10 and R80.40 GWs. Is there an SK for this issue already ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

G_W_Albrecht · ‎2022-03-03

Is it correct that this issue also is present in R81 @matangi ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

matangi · ‎2022-03-03

Hi @G_W_Albrecht
Yes, issue is present in R80.40 and higher releases

We created a new SK for that matter, see https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&so...

Thanks,
Matan

the_rock · ‎2022-03-03

Good job! Just tested with that sk and worked like a charm.

chuck · ‎2022-11-17

Hi @matangi

Got the same problem in our upgrade from R80.30 to R81.10.

We tried the workaround in sk178165, does not seem to work.

The only difference from the workaround is that after "Multi Portal" a got to select "TLS 1.2 Ciphers"

Thanks

matangi · ‎2022-11-20

Thanks @chuck
In case the problem persists, Please open a service request to Check Point Support

the_rock · ‎2022-03-03

Indeed...tested on R80.40 and above, same issue. On R80.30, works fine.

Andy

Fire_Verse · ‎2023-07-25

So this has been a known issue for over a year? Hey Check Point how about:

Update sk126613 directly with sk178165
Create a hotfix for affected versions

How much more time do you need on this? Amazing.

G_W_Albrecht · ‎2023-07-25

- sk178165 is listed first under Known Limitations of sk126613

- R81.20 includes a fix

- there is a workaround for R80.40 -> R81.10

As disabling ciphers for MultiPortal is no activity repeated every other day it is not so hard to live with it 😉

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Fire_Verse · ‎2023-07-25

"sk178165 is listed first under Known Limitations of sk126613" <-- This should be included within the steps, not added as an afterthought at the end of the SK.

"R81.20 includes a fix" <--Customer is not on R81.20, so this doesn't apply.

"there is a workaround for R80.40 -> R81.10" <-- That's not a "workaround" that is a missing step in the documentation.

"As disabling ciphers for MultiPortal is no activity repeated every other day it is not so hard to live with it" <-- Maybe for you, but I have a customer with an outage because of this SK. This SK article has not been updated after 16 months and multiple reports of problems, sk178165 and sk126613 have not been combined, this not to have been addressed in a hotfix, and the multiportal still has these ciphers enabled by default.

If gateways are going to continue to be shipped this way, then the documentation should be spot on so that they can be quickly corrected and run as actual security devices.

Otherwise this cipher issue is going to be highlighted on any kind of vulnerability scan or pen test, and make it quite a challenge to demonstrate compliance to any reputable standard.

G_W_Albrecht · ‎2023-07-25

Yes, this world could be a better place 😎 ! Missing / incomplete / wrong documentation is an old issue in IT - but i personally prefer fixes to bugs, as the best documentation will not help you if the product has issues...

The gateways shouldn't even have these outdated ciphers enabled by default

--> I would suggest you do a RFE for that...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Fire_Verse · ‎2023-07-25

An RFE to remove Ciphers without PFS support and that use SHA-1? They shouldn't be included on a security gateway in this day and age.

https://ciphersuite.info/

_Val_ · ‎2023-07-25

Feel free to raise this with your local Check Point representative.

the_rock · ‎2023-07-25

Could not agree more @Fire_Verse

Andy

Are you a member of CheckMates?

R81.10 cipher_util issue