Currently have a 7 gateway "Meshed" VPN community that was configured 6 or 7 years ago. This is all Check Point <-> Check Point equipment. Currently this community runs over a private MPLS network, but later this year we are moving it all to direct internet connectivity. Just wondering if these encryption suite settings are still considered strong, or should I strengthen it?
All versions are currently R81.10 hotfix 45.
Thanks
Definitely move from SHA1 to SHA256 for both phases, and you should probably increase your Diffie-Hellman group to 19+ for the supposedly more secure Elliptic Curve key calculations instead of the older MODP. May also want to use AES-GCM-128 for Phase 2, which is slightly more efficient, unless we are talking military applications where people will literally die if someone can crack the encrypted traffic in a reasonable timeframe, then use AES-256 for Phase 2 with PFS. These changes shouldn't cause a noticeable performance impact and I believe are a reasonable balance between performance and security in most cases.
Thanks Tim, appreciate your advice.
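The recommendations in the reply above, written as an audit check over a community's Phase 1 and Phase 2 settings. This is an added example, not code from the thread or from Check Point; the dictionary layout, function names and sample values are assumptions. Group types follow the IANA IKEv2 Diffie-Hellman registry, so group 24, which is numerically above 19 but still MODP, is reported.

```python
# IKE Diffie-Hellman groups by type (IANA IKEv2 Transform Type 4 registry).
MODP_GROUPS = {1, 2, 5, 14, 15, 16, 17, 18, 22, 23, 24}
ECP_GROUPS = {19, 20, 21}
WEAK_HASHES = {"MD5", "SHA1"}


def audit_phase(label, phase):
    """Return findings for one phase dict (keys: integrity, dh_group, pfs)."""
    findings = []
    if phase.get("integrity") in WEAK_HASHES:
        findings.append(f"{label}: integrity {phase['integrity']} -> use SHA256")
    # Phase 2 only runs its own DH exchange when PFS is enabled.
    if label == "phase2" and not phase.get("pfs"):
        return findings
    group = phase.get("dh_group")
    if group in MODP_GROUPS:
        findings.append(f"{label}: DH group {group} is MODP -> use an ECP group (19+)")
    elif group not in ECP_GROUPS:
        findings.append(f"{label}: DH group {group!r} not recognised, review manually")
    return findings


def audit_community(community):
    """Audit both phases of one VPN community definition."""
    return (audit_phase("phase1", community["phase1"])
            + audit_phase("phase2", community["phase2"]))


# Constructed sample settings for illustration only.
LEGACY = {
    "phase1": {"encryption": "AES-256", "integrity": "SHA1", "dh_group": 2},
    "phase2": {"encryption": "AES-128", "integrity": "SHA1", "pfs": False},
}
HARDENED = {
    "phase1": {"encryption": "AES-256", "integrity": "SHA256", "dh_group": 19},
    "phase2": {"encryption": "AES-GCM-128", "integrity": None,
               "pfs": True, "dh_group": 19},
}
GROUP24 = {
    "phase1": {"encryption": "AES-256", "integrity": "SHA256", "dh_group": 24},
    "phase2": {"encryption": "AES-256", "integrity": "SHA256",
               "pfs": True, "dh_group": 20},
}

if __name__ == "__main__":
    for name, community in (("legacy", LEGACY), ("hardened", HARDENED),
                            ("group24", GROUP24)):
        print(name, audit_community(community) or "no findings")
```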