This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Soeren_Rothe
Collaborator
‎2020-04-21 01:07 AM

cipher_util - R80.30 / R80.40 - sk126613

Hello,

for the Azure VMSS Rollout we need to change the Ciphers automatically, when a new FW instance is deployed.

I would like to disable these Ciphers:

Disabled:
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA

 

I tried this, it works on a VPN Cluster and another VM, but not on the VMSS. I believe this is a timing issue. 

(printf '1\n3\n' ; sleep 2 ; printf '21,22,23\n' ; sleep 1 ; printf 'q\ny\n' ) | cipher_util

 

I am looking for a proper way to modify these ciphers, what does cipher_util do? Can I somehow do it like on R80.20 ? Is cipher_util able to use a configuration file, if not, is this planned? 

0 Kudos
4 Replies
Soeren_Rothe
Collaborator
‎2020-04-21 05:05 AM

The sk126613 was updated.

You may need to do a policy push after you modify the cipher suites using cipher_util so that the Security Gateway is updated with the changes.

 

After the policy push the changes are now active and the cipher_util tool shows the disabled Ciphers. 

PhoneBoy
Admin
Admin
‎2020-05-05 03:20 PM
In response to Soeren_Rothe

cipher_util modifies a couple of configuration files:
$CPDIR/conf/multi_portal_cipher_priority.conf
$CPDIR/conf/ssl_inspection_cipher_priority.conf

It might be easier to simply copy pre-configured versions of these files to the gateways.
This is noted in sk126613.
0 Kudos
Soeren_Rothe
Collaborator
‎2020-05-05 03:54 PM
In response to PhoneBoy

Thanks for the hint, I think you refer to this note? 

In order to apply a configuration to multiple Security Gateways, the 'multi_portal_cipher_priority.conf' / 'ssl_inspection_cipher_priority.conf' files need to be copied to $CPDIR/conf followed by cprestart command. Otherwise, DO NOT edit them as in previous versions. The tool manages the files interactively.

The thing is, to perform a cprestart in the middle of the FW Instance creating (VMSS) sounds a little bit risky. So I prefer the cipher_tool using the echo command to disable unwanted ciphers.

It would be great to just copy over the files to the gateway, just like you mentioned, and ran a command to activate / deactivate the ciphers, just like it is done by cipher_util. Something like "cipher_util --reload config" 😉 

 

0 Kudos
PhoneBoy
Admin
Admin
‎2020-05-05 04:10 PM
In response to Soeren_Rothe

I assume it would be enough to install policy afterwords, but that would obviously require testing.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events