This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Bachan
Contributor
‎2024-10-17 07:54 AM
Jump to solution

Vulnerability scan shows ports 18231 uses weak ciphers

Hi Team,

Checkpoint devices showing that weak ciphers are used on port 18231.

Current version on Gateway : R81.20 Take 76.

As per the sk132712 the issue should have been resolved in R81.20 . But we still see this vulnerability in the scan report.

Can you please let us know if there is any other solution to this ?

Attached is the scan report of the same.

 

0 Kudos
2 Solutions

Accepted Solutions
Bachan
Contributor
‎2024-11-15 07:45 AM
In response to the_rock
Jump to solution

Hi Rock,

We performed the sk132712  and this didnt resolve our issue. After policy installation the gateway stopped listening on port 18231, but after making VPN connection the icon for Compliance on Endpoint VPN Client changed to grey(Greyed out) and status to Off. So this solution will not work of our environment. Hence we ended up opening TAC. TAC provided us the below solution.

 Follow the steps - (Make this changes on Gateway)

  1. If you do not need policy on the client, you can uncheck the policy server checkbox on the GW.
  2. If you do need policy, you can edit fwauthd.conf that is located in $FWDIR/conf and mark out the policy server processes as follow:

*#*0 dtps dtpsd respawn 0

*#*0 dtls dtlsd respawn 0

Then perform  cprestart on the GW. Do a cpstop; cpstart in a maintenance window. 

3. After this, the policy server should be shown down.

4. After that, we need to apply the hotfix(Contact TAC). The hotfix will assist to make the configuration changes permanent. 

5. Check the status of port 18231 - 

# netstat -tulnp |grep 18231
# netstat –atun |grep 18231

Note: Checkpoint has created PRHF-32277 for this issue and they don't have any plans to integrate this issue in next JHF anytime soon. So for every upgrade, we need to reach TAC for hot-patch.

View solution in original post

10 Replies
Tal_Paz-Fridman
Employee
Employee
‎2024-10-17 11:11 AM
Jump to solution

I'll forward this to the relevant R&D owner but the SK details how to disable the Legacy Desktop Policy process.

Do you use Policy Server and Desktop Policy enabled?

"For other versions and Jumbo Hotfixes;
You can disable the daemon completely by editing the implied_rules.def, and removing/commenting the relevant lines:"

0 Kudos
Bachan
Contributor
‎2024-10-18 06:36 AM
In response to Tal_Paz-Fridman
Jump to solution

Do you use Policy Server and Desktop Policy enabled?

Yes, we have both the features enabled.

Desktop_policy.png
Preview file
99 KB
Policy Server.png
Preview file
150 KB
0 Kudos
PhoneBoy
Admin
Admin
‎2024-10-17 11:24 AM
Jump to solution

Have you tried disabling dtpsd as described in the SK?

0 Kudos
the_rock
Legend
Legend
‎2024-10-17 12:23 PM
Jump to solution

Can you try follow below from the sk?

Andy

 

You can disable the daemon completely by editing the implied_rules.def, and removing/commenting the relevant lines:


  1. Open the relevant Gateway object properties in SmartDashboard and uncheck the box “Policy Server” under the “IPSec VPN” blade, click OK (Do not push policy) and close the SmartDashboard.
  2. Open ssh / console connection to the Management Server.
  3. Change directory to $FWDIR/lib : (cd $FWDIR/lib)

    Note: For the location of the implied_rules.def file on the Management server, refer to sk92281.

  4. Open the implied_rules.def file with vim:

    [Expert@HostName:0]# vim implied_rules.def

  5. Comment the following lines:

    Before the change:

    #define ENABLE_FWD_TOPO

    #define ENABLE_FW1_PSLOGON_NG

    After the change:

     /*#define ENABLE_FWD_TOPO*/

     /*#define ENABLE_FW1_PSLOGON_NG*/

  6. Save the modified file.
  7. Install Policy on the relevant gateway.
0 Kudos
Bachan
Contributor
‎2024-10-18 12:37 AM
In response to the_rock
Jump to solution

Hi Rock,

As mentioned in sk132712  " The workaround is given for other version" . But we are running on the checkpoint fixed version(R81.20 Take 76). Is it still recommended to do this ?

0 Kudos
the_rock
Legend
Legend
‎2024-10-18 04:52 AM
In response to Bachan
Jump to solution

Good question. I cant say 100%. as I dont know, so maybe better verify with TAC, to get an official answer. However, I will say this...if you decide to do it, please backup everything first.

Andy

0 Kudos
Bachan
Contributor
‎2024-10-18 06:38 AM
In response to the_rock
Jump to solution

Hi Rock,

We will give a shot on the test environment to implement this SK and update you.

0 Kudos
Bachan
Contributor
‎2024-11-15 07:45 AM
In response to the_rock
Jump to solution

Hi Rock,

We performed the sk132712  and this didnt resolve our issue. After policy installation the gateway stopped listening on port 18231, but after making VPN connection the icon for Compliance on Endpoint VPN Client changed to grey(Greyed out) and status to Off. So this solution will not work of our environment. Hence we ended up opening TAC. TAC provided us the below solution.

 Follow the steps - (Make this changes on Gateway)

  1. If you do not need policy on the client, you can uncheck the policy server checkbox on the GW.
  2. If you do need policy, you can edit fwauthd.conf that is located in $FWDIR/conf and mark out the policy server processes as follow:

*#*0 dtps dtpsd respawn 0

*#*0 dtls dtlsd respawn 0

Then perform  cprestart on the GW. Do a cpstop; cpstart in a maintenance window. 

3. After this, the policy server should be shown down.

4. After that, we need to apply the hotfix(Contact TAC). The hotfix will assist to make the configuration changes permanent. 

5. Check the status of port 18231 - 

# netstat -tulnp |grep 18231
# netstat –atun |grep 18231

Note: Checkpoint has created PRHF-32277 for this issue and they don't have any plans to integrate this issue in next JHF anytime soon. So for every upgrade, we need to reach TAC for hot-patch.

the_rock
Legend
Legend
‎2024-11-15 07:59 AM
In response to Bachan
Jump to solution

Excellent update, thank you very much for that! Glad its solved.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top