This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
lincolnwebber
Participant
Tuesday

TLS versions and NAT methods

Hi Guys,

I have noticed an issue with a particular Internet website depending on the NAT method used by the firewall when accessed by clients inside the network.

If I hide the traffic, the website will not load (timeout). However, if I static NAT, the website loads fine.

I took tcpdumps of both scenarios and noticed the following:

  • When using hide NAT, the TLS version proposed by the gateway/hidden address is TLSv1 (site times out)
  • When using static NAT, the TLS version proposed by the static NAT address is TLSv1.2 (site loads successfully)

Any idea what may cause this? Can I force the firewall to use TLSv1.2 as a client?

0 Kudos
1 Reply
PhoneBoy
Admin
Admin
Tuesday

Version/JHF of the gateway?
What blades are enabled on the gateway?
Did you run a tcpdump to see what the actual clients are proposing?
The only time I'd think we'd mess with the TLS version is if HTTPS Inspection is on.
Not sure why the NAT type would make any difference.

0 Kudos