This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Chandhrasekar_S
Collaborator
‎2018-12-11 01:45 PM

How to prevent TLS1.0 traffic passing through gateway using IPS

Hello,

We are running CheckPoint R80.10 and have enabled IPS, Anti-Virus, Anti-Bot threat prevention blades. There is a requirement to block TLS1.0 traffic passing through the gateway. Just wondering how we can achieve this using our Threat Prevention blades.

Thanks,

Chandru

6 Replies
Anthony_Nguyen
Employee
Employee
‎2018-12-11 01:55 PM

You can enable the IPS protection "Transport Layer (TLS) Version 1.0" to block TLSv1.0:

Chandhrasekar_S
Collaborator
‎2018-12-11 02:19 PM
In response to Anthony_Nguyen

Thanks Anthony. Thats very helpful.

The requirement is to block TLS1.0 traffic for a particular subnet reaching an public IP address. Does it mean, I need to create a new rule under Threat Prevention policy specifying the source and destination with block on TLSv1.0  

0 Kudos
Vladimir
Champion
Champion
‎2018-12-11 05:49 PM
In response to Chandhrasekar_S

You are better off creating this exception:

Otherwise, you'll have to create a separate profile with TLS 1.0 protection only and apply it to your desired scope.

Chandhrasekar_S
Collaborator
‎2018-12-11 06:59 PM
In response to Vladimir

OK. Thanks Vladimir. This seems to be a possible solution

Magnus-Holmberg
Advisor
‎2021-12-27 01:01 AM
In response to Anthony_Nguyen

Would SSL inspection be needed for this to actually work?

https://www.youtube.com/c/MagnusHolmberg-NetSec
0 Kudos
Timothy_Hall
Champion
Champion
‎2021-12-27 06:50 AM
In response to Magnus-Holmberg

Pretty sure the answer is no, as the client and server agree on SSL/TLS versions and cipher suites right at the start of the negotiations which are still in the clear, and the firewall should be able to inspect it without full HTTPS Inspection.

New 2-day Live "Max Power" Series Course Now Available:
"Gateway Performance Optimization R81.20" at maxpowerfirewalls.com