Chandhrasekar_S
Collaborator

How to prevent TLS1.0 traffic passing through gateway using IPS

Hello,

We are running CheckPoint R80.10 and have enabled IPS, Anti-Virus, Anti-Bot threat prevention blades. There is a requirement to block TLS1.0 traffic passing through the gateway. Just wondering how we can achieve this using our Threat Prevention blades.

Thanks,

Chandru

6 Replies
Anthony_Nguyen
Employee

You can enable the IPS protection "Transport Layer (TLS) Version 1.0" to block TLSv1.0:

Chandhrasekar_S
Collaborator

Thanks Anthony. That's very helpful.

The requirement is to block TLS1.0 traffic for a particular subnet reaching a public IP address. Does it mean I need to create a new rule under Threat Prevention policy specifying the source and destination with block on TLSv1.0?

Vladimir
Champion

You are better off creating this exception:

Otherwise, you'll have to create a separate profile with TLS 1.0 protection only and apply it to your desired scope.

Chandhrasekar_S
Collaborator

OK. Thanks Vladimir. This seems to be a possible solution.

Magnus-Holmberg
Advisor

Would SSL inspection be needed for this to actually work?

https://www.youtube.com/c/MagnusHolmberg-NetSec
Timothy_Hall
Champion

Pretty sure the answer is no, as the client and server agree on SSL/TLS versions and cipher suites right at the start of the negotiations which are still in the clear, and the firewall should be able to inspect it without full HTTPS Inspection.

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
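As an added illustration of the point above (example code written for this page, not from the thread or from Check Point): the version a connection negotiates is visible in the cleartext ClientHello and ServerHello, so a gateway can classify TLS 1.0 without decrypting anything. The parser and the constructed ServerHello samples are assumptions for demonstration; the supported_versions handling is the caveat a version check needs so that TLS 1.3, which keeps legacy_version at 0x0303, is not misreported as TLS 1.2.

```python
import struct

TLS_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
             0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
SUPPORTED_VERSIONS_EXT = 43                         # RFC 8446 extension type

def hello_version(record: bytes) -> str:
    """Version named in a cleartext ClientHello/ServerHello record (no decryption).
    For a ServerHello it is the version the server selected for the connection."""
    if len(record) < 9 or record[0] != 0x16:        # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    version = struct.unpack("!H", hs[:2])[0]        # legacy_version field
    pos = 2 + 32                                    # skip the 32-byte random
    pos += 1 + hs[pos]                              # skip session id
    if hs_type == 1:                                # ClientHello
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher suites
        pos += 1 + hs[pos]                          # compression methods
    elif hs_type == 2:                              # ServerHello
        pos += 2 + 1                                # one cipher suite + compression
    else:
        raise ValueError("not a ClientHello or ServerHello")
    # TLS 1.3 keeps legacy_version = 0x0303 and carries the real version in
    # the supported_versions extension, so a version check must parse it too.
    if pos + 2 <= len(hs):
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos, end = pos + 2, pos + 2 + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            data, pos = hs[pos + 4:pos + 4 + elen], pos + 4 + elen
            if etype == SUPPORTED_VERSIONS_EXT:
                if hs_type == 2:
                    version = struct.unpack("!H", data[:2])[0]
                else:                               # client lists offers; take highest known
                    offered = struct.unpack("!%dH" % (data[0] // 2), data[1:1 + data[0]])
                    version = max((v for v in offered if v in TLS_NAMES), default=version)
    return TLS_NAMES.get(version, "unknown 0x%04x" % version)

def build_server_hello(selected: int) -> bytes:
    """Constructed sample ServerHello (not a real capture) selecting `selected`."""
    legacy = min(selected, 0x0303)                  # TLS 1.3 writes 0x0303 here
    hs = struct.pack("!H", legacy) + b"\x00" * 32 + b"\x00" + b"\x00\x2f\x00"
    ext = struct.pack("!HHH", SUPPORTED_VERSIONS_EXT, 2, selected) if selected == 0x0304 else b""
    hs += struct.pack("!H", len(ext)) + ext
    body = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return b"\x16" + struct.pack("!HH", legacy, len(body)) + body
```

Feeding `build_server_hello(0x0301)` to `hello_version` yields "TLS 1.0", which is the signal a block-TLS-1.0 control acts on, while the 0x0304 sample is correctly reported as TLS 1.3 rather than 1.2.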