Check Point Users: You Are Not Ready for June 5th, 2016

UPDATE May 31st 2016: Check Point has updated the SK. The rollout of SHA-256 has been postponed to June 5th 2016.

Back in April 2015, Check Point published SK103839. In it, Check Point informs its customers that the update services for the various software blades will start using SHA-256 instead of SHA-1. This is in response to reports that SHA-1 has weaknesses that, if not already overcome by hackers, may be overcome as soon as 2018. Check Point is not alone in this effort; Google and other vendors are at it, too.

As the SK states, “To ensure the connectivity of Check Point software to Check Point online update services that use SHA-256 based certificates, a hotfix is required. Check Point highly recommends to install this hotfix to maintain the aforementioned update services functionality.” In other words, if you’re not on R77.30, you should install the hotfix on all of your firewalls and management servers before November.

Shockingly, though, a quick query of indeni Insight’s database shows that only 17.9% of Check Point firewalls are either running R77.30 or the required hotfix. So the vast majority of Check Point firewalls out there are not ready for November.

So, what should you do? This is what we recommend:

  1. Read the SK to get the complete picture.
  2. Map out the devices that you own, the versions of software they are running and which of them have the hotfix installed. Users of indeni can generate an inventory report (Reporting -> Inventory Report in the web dashboard) and review the Hotfixes Installed sheet. For each device, you should have either a hotfix containing “R77_30” installed or one containing the text “SHA256”. The screenshot to the right shows an example of what you should look for. In 5.3, you will also receive an alert for each device that still needs to be upgraded.
  3. Plan the installation of the hotfix throughout your environment. According to the SK, this should not result in any downtime.
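As an added example (not indeni’s or Check Point’s own code), the script below applies the matching rule from step 2 to an inventory export and reports which devices still need the hotfix. The CSV layout, column names and hotfix names are assumptions constructed for this illustration.

```python
"""Flag Check Point devices that lack the SHA-256 update-service hotfix.

Assumed (hypothetical) inventory format: one device per CSV row with the
columns name, version, hotfixes (hotfix names separated by ';'), loosely
mirroring the "Hotfixes Installed" sheet described in the post. The sample
rows are constructed for this example, not taken from indeni Insight data.
"""
import csv
import io

# Rule from SK103839 as described in the post: a device is ready if it runs
# R77.30 (or lists a hotfix whose name contains "R77_30") or has a hotfix whose
# name contains "SHA256". Matching is case-insensitive to tolerate naming drift.
COMPLIANT_MARKERS = ("R77_30", "SHA256")

SAMPLE_INVENTORY = """name,version,hotfixes
fw-dc1-a,R77.30,Check_Point_R77_30_JUMBO_HF_Bundle
fw-dc1-b,R77.20,R77_20_jumbo_hf;R77_20_SHA256_hotfix
fw-branch-01,R77.20,R77_20_jumbo_hf
mgmt-01,R76,
fw-branch-02,R77.10,sha256_update_hf
"""


def is_compliant(version, hotfixes):
    """True if the device runs R77.30 or lists an R77_30 / SHA256 hotfix."""
    if version.strip().upper() == "R77.30":
        return True
    names = [h.strip().upper() for h in hotfixes.split(";") if h.strip()]
    return any(marker in name for name in names for marker in COMPLIANT_MARKERS)


def audit(inventory_csv):
    """Return (names of non-compliant devices, compliance percentage)."""
    rows = list(csv.DictReader(io.StringIO(inventory_csv)))
    missing = [r["name"] for r in rows
               if not is_compliant(r["version"], r["hotfixes"])]
    pct = 100.0 * (len(rows) - len(missing)) / len(rows) if rows else 0.0
    return missing, round(pct, 1)


if __name__ == "__main__":
    missing, pct = audit(SAMPLE_INVENTORY)
    print(f"{pct}% compliant; needs hotfix: {', '.join(missing) or 'none'}")
```

Point `audit()` at your own export to get the list of devices to schedule for the hotfix rollout in step 3.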

Time to get cracking!
