Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Chandhrasekar_S
Collaborator

How to prevent TLS1.0 traffic passing through gateway using IPS

Hello,

We are running CheckPoint R80.10 and have enabled IPS, Anti-Virus, Anti-Bot threat prevention blades. There is a requirement to block TLS1.0 traffic passing through the gateway. Just wondering how we can achieve this using our Threat Prevention blades.

Thanks,

Chandru

7 Replies
Anthony_Nguyen
Employee
Employee

You can enable the IPS protection "Transport Layer (TLS) Version 1.0" to block TLSv1.0:

Chandhrasekar_S
Collaborator

Thanks Anthony. Thats very helpful.

The requirement is to block TLS1.0 traffic for a particular subnet reaching an public IP address. Does it mean, I need to create a new rule under Threat Prevention policy specifying the source and destination with block on TLSv1.0  

0 Kudos
Vladimir
Champion
Champion

You are better off creating this exception:

Otherwise, you'll have to create a separate profile with TLS 1.0 protection only and apply it to your desired scope.

Chandhrasekar_S
Collaborator

OK. Thanks Vladimir. This seems to be a possible solution

Kirupa_Shankar_
Explorer

@Chandhrasekar_S @Timothy_Hall @@Did you try and did it work? Does using those protection increase cpu or memory as the performance impact is like 4/5 ?

0 Kudos
Magnus-Holmberg
Advisor
Advisor

Would SSL inspection be needed for this to actually work?

https://www.youtube.com/c/MagnusHolmberg-NetSec
0 Kudos
Timothy_Hall
Legend Legend
Legend

Pretty sure the answer is no, as the client and server agree on SSL/TLS versions and cipher suites right at the start of the negotiations which are still in the clear, and the firewall should be able to inspect it without full HTTPS Inspection.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events