Steve_Pearson
Contributor

Disabling weak ciphers

There are quite a few "weak" ciphers that are enabled on the gateways and I'm looking to disable them, which I can do with the cipher_util tool on each gateway.

My query is, is there a way to do this from the management, such that the config remains following an upgrade, or is it something that you have to remember to do every time you upgrade or rebuild?

This is primarily for the SSLVPN portal, as these weak ciphers are being listed as available by a vulnerability scan.

0 Kudos
5 Replies
PhoneBoy
Admin

You can make the settings on one gateway and copy the necessary configuration files to the other gateways.
See: https://support.checkpoint.com/results/sk/sk126613
Note that we include support for new ciphers in every release, so it should probably be re-generated versus simply blindly copied on an upgrade.

0 Kudos
Steve_Pearson
Contributor

Does this recreation apply just to version upgrades (e.g. R81.10 -> R81.20) or to Jumbos too?

Is there a way to disable them from the CLI? (thinking I could create a script to do this)

0 Kudos
PhoneBoy
Admin

Not sure these files are updated on a JHF upgrade.

cipher_util is a CLI tool.
However, I assume you mean a non-interactive CLI tool, which I don't believe we have currently.

0 Kudos
Timothy_Hall
Legend

You may also find the following SK quite helpful to track down all the places weak ciphers might be used; it details the precise steps to completely banish 3DES from being used anywhere on a Check Point firewall, and there are quite a few places to change: sk113114: Check Point response to CVE-2016-2183 (Sweet32)

In case it is not obvious after reading that SK, 3DES is an absolute no-go in today's world from both a security and performance perspective, as 3DES is easily 2-3 times slower than AES. 3DES was hurriedly rolled out in a bit of a panic back in the day when it was realized that DES 56-bit was not secure enough anymore, due mainly to Moore's Law.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
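Since the thread's concern is that cipher settings may not survive an upgrade or JHF, a post-upgrade check is the practical complement to the SK. The script below is an added example written for this thread, not Check Point's cipher_util or any poster's code: it flags weak suites (3DES/Sweet32 and similar) in a constructed list of suite names such as a vulnerability scanner reports, and probes whether a portal still completes a handshake restricted to a 3DES suite. The hostname is a placeholder.

```python
"""Flag weak TLS suites (3DES/Sweet32 and friends) and probe whether an endpoint
such as the SSLVPN portal still accepts one. Added example, not Check Point tooling."""
import socket
import ssl
# Ordered (substring, reason) markers matched against upper-cased OpenSSL or IANA
# suite names; the 3DES markers come first so they are never read as single DES.
WEAK_MARKERS = (
    ("DES-CBC3", "3DES"),        # Sweet32, CVE-2016-2183: the SK's target
    ("3DES", "3DES"),
    ("RC4", "RC4"),
    ("DES-CBC-", "single DES"),
    ("EXP", "export grade"),
    ("NULL", "no encryption"),
    ("MD5", "MD5 MAC"),
)
# Constructed sample of suite names, as a vulnerability scanner might list them.
SCAN_SAMPLE = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-DES-CBC3-SHA",
               "DES-CBC3-SHA", "RC4-SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]

def weak_reason(suite):
    # First matching reason, or None when the suite is not one this check targets.
    name = suite.upper()
    return next((reason for marker, reason in WEAK_MARKERS if marker in name), None)

def weak_suites(suites):
    return {s: weak_reason(s) for s in suites if weak_reason(s)}

def offers_cipher(host, port, cipher_spec, timeout=5.0):
    """Handshake restricted to cipher_spec: negotiated suite if the server accepts
    it, False if it refuses, None if inconclusive (unreachable or not offerable)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # we probe cipher support, not server identity
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.3 ignores set_ciphers
    try:
        ctx.set_ciphers(cipher_spec + ":@SECLEVEL=0")  # let OpenSSL offer legacy suites
    except ssl.SSLError:
        return None  # local OpenSSL has no such suite; nothing can be concluded
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
    except ssl.SSLError:
        return False  # server rejected every suite we offered
    except OSError:
        return None  # DNS failure, refused connection or timeout

if __name__ == "__main__":  # host below is a placeholder; use your own portal
    print("flagged in scan sample:", weak_suites(SCAN_SAMPLE))
    print("3DES accepted:", offers_cipher("sslvpn.example.invalid", 443, "DES-CBC3-SHA"))
```

Run the probe against each gateway's portal after every upgrade or JHF install; a result of False for the 3DES suite means the disabled ciphers stayed disabled.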
the_rock
Legend

Same question came up once with one of the customers I was helping, and TAC confirmed it has to be done manually. Not sure if that changed, as this was 3 years ago.

Andy

0 Kudos