This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Chandhrasekar_S
Collaborator
‎2018-12-11 01:45 PM

How to prevent TLS1.0 traffic passing through gateway using IPS

Hello,

We are running CheckPoint R80.10 and have enabled IPS, Anti-Virus, Anti-Bot threat prevention blades. There is a requirement to block TLS1.0 traffic passing through the gateway. Just wondering how we can achieve this using our Threat Prevention blades.

Thanks,

Chandru

7 Replies
Anthony_Nguyen
Employee
Employee
‎2018-12-11 01:55 PM

You can enable the IPS protection "Transport Layer (TLS) Version 1.0" to block TLSv1.0:

Chandhrasekar_S
Collaborator
‎2018-12-11 02:19 PM
In response to Anthony_Nguyen

Thanks Anthony. Thats very helpful.

The requirement is to block TLS1.0 traffic for a particular subnet reaching an public IP address. Does it mean, I need to create a new rule under Threat Prevention policy specifying the source and destination with block on TLSv1.0  

0 Kudos
Vladimir
Champion
Champion
‎2018-12-11 05:49 PM
In response to Chandhrasekar_S

You are better off creating this exception:

Otherwise, you'll have to create a separate profile with TLS 1.0 protection only and apply it to your desired scope.

Chandhrasekar_S
Collaborator
‎2018-12-11 06:59 PM
In response to Vladimir

OK. Thanks Vladimir. This seems to be a possible solution

Kirupa_Shankar_
Explorer
‎2023-08-31 08:32 PM
In response to Chandhrasekar_S

@Chandhrasekar_S @Timothy_Hall @@Did you try and did it work? Does using those protection increase cpu or memory as the performance impact is like 4/5 ?

0 Kudos
Magnus-Holmberg
Advisor
Advisor
‎2021-12-27 01:01 AM
In response to Anthony_Nguyen

Would SSL inspection be needed for this to actually work?

https://www.youtube.com/c/MagnusHolmberg-NetSec
0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2021-12-27 06:50 AM
In response to Magnus-Holmberg

Pretty sure the answer is no, as the client and server agree on SSL/TLS versions and cipher suites right at the start of the negotiations which are still in the clear, and the firewall should be able to inspect it without full HTTPS Inspection.

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Thu 15 May 2025 @ 09:00 AM (IDT)

    PA In-Person CloudGuard Workshop (CGNS, WAF, & API Security)
    In-Person

    Tue 20 May 2025 @ 11:30 AM (PDT)

    Las Vegas: Check Point Hybrid Mesh
    In-Person

    Wed 21 May 2025 @ 11:30 AM (MST)

    Tempe, AZ: Check Point Hybrid Mesh
    In-Person

    Tue 03 Jun 2025 @ 09:00 AM (CEST)

    CheckMates LIve France - Workshop Check Point Quantum
    In-Person

    Tue 03 Jun 2025 @ 06:00 PM (EDT)

    Montreal: CPX Recap
    In-Person

    Tue 10 Jun 2025 @ 06:00 PM (EDT)

    Quebec City: CPX Recap
    CheckMates Events