This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Arturxr
Explorer
‎2022-04-21 12:20 AM

question about cipher_util

1. tell me, when you disable weak ciphers, you lose access to some old resources on the Internet or our services stop working from the Internet?

2.  after configuring in Global Properties->Advanced->Configure…->Portal Properties, Are there any restrictions on the protocols with which Internet users can connect to our Remote Access Portal?

There is now information that some servers on the Internet are still using TLS 1.0. After completing this step, it will not be possible to connect to these servers through the Security Gateway, but I would like to study these issues in more detail

0 Kudos
4 Replies
G_W_Albrecht
Legend
Legend
‎2022-04-21 01:18 AM

First: cipher_util can configure MultiPortal and/or SSL Inspection ciphers. 

1. Not that i knew any ! Why should that be ?

2. Mobile Access or IPSec VPN should not be changed.

You can always connect to TLS 1.0 servers if you exclude the traffic from https inspection and use an old browser 😉

CCSE CCTE SMB Specialist
0 Kudos
Arturxr
Explorer
‎2022-04-21 01:46 AM
In response to G_W_Albrecht

please specify,
1. By disabling weak ciphers, will we lose access to any old resources on the Internet that use TLS 1.0, but our services from the Internet will continue to work?
And also, can we resume their work by excluding the check in https inspection?
2. What is meant by this? Is it not recommended to disable ciphers when selecting (2) MultiPortal in cipher_util or what? In the portal properties there is no choice to disable for mobile access or ipsec vpn, it is disabled for all services at once

0 Kudos
G_W_Albrecht
Legend
Legend
‎2022-04-21 06:41 AM
In response to Arturxr

- if you disable weak ciphers for outbound https inspection, you can only reach TLS 1.0 by excluding the traffic from it

- if you disable weak ciphers for inbound https inspection, internal servers with TLS 1.0 can not be reached anymore

- if you disable weak ciphers for MultiPortal, GAiA, SmartView, SSLVPN a.o. portals can be reached as before

- IPSec has nothing to do with TLS 1.0

CCSE CCTE SMB Specialist
0 Kudos
PhoneBoy
Admin
Admin
‎2022-04-21 06:12 AM

If you’re not using HTTPS Inspection, the configuration you make with cipher_util will have no effect on sites you connect to through the gateway.
If you have proper bypass rules in the HTTPS Inspection policy, those sites should still work.

It will definitely impact all connections to the gateway itself, including the Mobile Access Portal, but excluding IPsec VPN.

0 Kudos