
Check Point Users: You Are Not Ready for June 5th, 2016

UPDATE May 31st 2016: Check Point has updated the SK. The rollout of SHA-256 has been postponed to June 5th 2016.

Back in April 2015, Check Point published SK103839. In it, Check Point informs its customers that the update services for the various software blades will start using SHA-256 instead of SHA-1. This is in response to reports that SHA-1 has weaknesses that, if not already overcome by hackers, may be overcome as soon as 2018. Check Point is not alone in this effort; Google and other vendors are at it, too.

As the SK states, “To ensure the connectivity of Check Point software to Check Point online update services that use SHA-256 based certificates, a hotfix is required. Check Point highly recommends to install this hotfix to maintain the aforementioned update services functionality.” In other words, if you’re not on R77.30, you should install the hotfix on all of your firewalls and management servers before November.

Shockingly, though, a quick query of indeni Insight’s database shows that only 17.9% of Check Point firewalls are running either R77.30 or the required hotfix. So the vast majority of Check Point firewalls out there are not ready for November.

So, what should you do? This is what we recommend:

  1. Read the SK to get the complete picture.
  2. Map out the devices that you own, the versions of software they are running and which of them have the hotfix installed.

    Users of indeni can generate an inventory report (Reporting -> Inventory Report in the web dashboard) and review the Hotfixes Installed sheet. For each device, you should have either a hotfix containing “R77_30” installed or one containing the text “SHA256”. The screenshot to the right shows an example of what you should look for. In 5.3, you will also receive an alert for each device that still needs to be upgraded.

  3. Plan the installation of the hotfix throughout your environment. According to the SK, this should not result in any downtime.
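The check from step 2, applied to an exported inventory, as an added example (not code from indeni or Check Point). The CSV columns, device names and hotfix names are constructed for illustration; only the "R77.30", "R77_30" and "SHA256" criteria come from the text above.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. The column layout and every hotfix name are
# placeholders, not the real layout of the indeni "Hotfixes Installed" sheet.
SAMPLE_INVENTORY = """device,version,hotfixes
fw-edge-01,R77.30,
fw-edge-02,R77.20,HOTFIX_R77_20_SHA256_EXAMPLE
fw-dmz-01,R77.10,HOTFIX_EXAMPLE_A;HOTFIX_EXAMPLE_B
mgmt-01,R76,
fw-lab-01,R77.20,hotfix_r77_30_example
"""

READY_VERSION = "R77.30"
READY_MARKERS = ("R77_30", "SHA256")  # substrings the article says to look for


def is_ready(version, hotfixes):
    """Ready if the device runs R77.30 or has a hotfix whose name contains a marker."""
    if version.strip().upper() == READY_VERSION:
        return True
    # Case-insensitive matching is an assumption, to tolerate export quirks.
    return any(m in hf.upper() for hf in hotfixes for m in READY_MARKERS)


def audit(csv_text):
    """Return (ready_devices, pending_devices) in inventory order."""
    ready, pending = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        hotfixes = [h.strip() for h in (row["hotfixes"] or "").split(";") if h.strip()]
        (ready if is_ready(row["version"], hotfixes) else pending).append(row["device"])
    return ready, pending


def plan_by_version(csv_text):
    """Group pending devices by software version, for scheduling step 3."""
    _, pending = audit(csv_text)
    plan = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["device"] in pending:
            plan[row["version"].strip()].append(row["device"])
    return dict(plan)


if __name__ == "__main__":
    ready, pending = audit(SAMPLE_INVENTORY)
    print(f"{len(ready)}/{len(ready) + len(pending)} devices ready")
    for version, devices in plan_by_version(SAMPLE_INVENTORY).items():
        print(f"{version}: needs hotfix -> {', '.join(devices)}")
```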

Time to get cracking!
