Check Point Users: You Are Not Ready for June 5th, 2016

Key Takeaways
  • Check Point is transitioning its online update services from SHA-1 to SHA-256 certificates due to known and anticipated cryptographic weaknesses in SHA-1.
  • To maintain connectivity to Check Point online update services using SHA-256 certificates, a specific hotfix or upgrade to R77.30 is required on all firewalls and management servers.
  • The rollout of SHA-256 certificate usage by Check Point was postponed to June 5, 2016, but systems must still be prepared before the enforced cutoff.
  • Only 17.9% of Check Point firewalls observed in the referenced dataset were compliant (running R77.30 or the required SHA-256 hotfix), indicating widespread exposure to potential update failures.
  • Operators should inventory all Check Point devices, verify installed software versions and hotfixes, and ensure the presence of either an R77_30 or SHA256-related hotfix per device.
  • According to Check Point’s support documentation (SK103839), deploying the required hotfix across the environment should not cause downtime, enabling proactive remediation.


UPDATE May 31st 2016: Check Point has updated the SK. The rollout of SHA-256 has been postponed to June 5th 2016.

Back in April 2015, Check Point published SK103839. In it, Check Point tells its customers that the online update services used by the various software blades will start presenting SHA-256 certificates instead of SHA-1 ones. The reason is the well-known erosion of SHA-1's collision resistance: a practical collision would let an attacker forge a certificate that clients accept as genuine, and at the time this was projected to be within reach of well-funded attackers by 2018, if not sooner. Check Point is not alone in this effort; Google and other browser and software vendors were deprecating SHA-1 certificates on a similar timeline.

As the SK states, “To ensure the connectivity of Check Point software to Check Point online update services that use SHA-256 based certificates, a hotfix is required. Check Point highly recommends to install this hotfix to maintain the aforementioned update services functionality.” In other words, the older code cannot validate a SHA-256-signed certificate, so if you are not on R77.30 you must install the hotfix on all of your firewalls and management servers before the cutoff (originally November; see the update above for the revised date). The failure mode is quiet: a gateway without the hotfix keeps passing traffic, but its signature and database updates for the affected blades stop arriving, which is exactly why it tends to go unnoticed.

Shockingly, though, a quick query of indeni Insight’s database shows that only 17.9% of the Check Point firewalls it monitors are either running R77.30 or the required hotfix. So the vast majority of Check Point firewalls out there are not ready for the cutoff.

So, what should you do? This is what we recommend:

  1. Read the SK to get the complete picture.
  2. Map out the devices that you own, the versions of software they are running and which of them have the hotfix installed. On each box, fw ver reports the installed version and cpinfo -y all lists the installed hotfixes. Users of indeni can generate an inventory report (Reporting -> Inventory Report in the web dashboard) and review the Hotfixes Installed sheet. For each device, you should have either a hotfix containing “R77_30” installed or one containing the text “SHA256”. The screenshot to the right shows an example of what you should look for. In indeni 5.3, you will also receive an alert for each device that still needs to be upgraded.
  3. Plan the installation of the hotfix throughout your environment. According to the SK, this should not result in any downtime. Treat it like any other hotfix all the same: install it on one cluster member at a time, confirm afterwards that it appears in cpinfo -y all, and check that the blades are pulling updates again.
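
To make step 2 concrete, here is an added example (my code, not indeni’s or Check Point’s) that applies the rule above, R77.30 or a hotfix whose name contains R77_30 or SHA256, to the output of fw ver and cpinfo -y all collected from each device. The device names, build numbers, hotfix names and the exact layout of the cpinfo output are constructed for the example; the version parser also treats releases newer than R77.30 as ready, which is an assumption on my part and not something the post or the SK states here.

```python
"""Classify Check Point gateways and managers as ready (or not) for SHA-256 update certificates.

Added example, not taken from the original post or from Check Point. It consumes the text of two
commands you would collect from each device (over SSH, or from an inventory tool export):
  fw ver         -> e.g. "This is Check Point's software version R77.20 - Build 052"
  cpinfo -y all  -> lists installed hotfixes under per-package headings
The command outputs below are CONSTRUCTED samples; the precise cpinfo layout differs between
releases, so the hotfix regex keys only on lines that begin with HOTFIX_.
"""
import re

# Rule from the post: ready if running R77.30, or if any installed hotfix name contains
# "R77_30" or "SHA256". ASSUMPTION: releases newer than R77.30 are treated as ready too.
REQUIRED_VERSION = (77, 30)
HOTFIX_MARKERS = ("R77_30", "SHA256")

VERSION_RE = re.compile(r"version R(\d+)(?:\.(\d+))?")   # "R77.30" or "R76" (no minor)
HOTFIX_RE = re.compile(r"^\s*(HOTFIX_\S+)", re.MULTILINE)


def parse_version(fw_ver_output):
    """Return (major, minor) from `fw ver` output, or None if the line is not recognised."""
    m = VERSION_RE.search(fw_ver_output)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2) or 0))


def parse_hotfixes(cpinfo_output):
    """Return the set of hotfix names listed in `cpinfo -y all` output."""
    return set(HOTFIX_RE.findall(cpinfo_output))


def is_sha256_ready(version, hotfixes):
    """Apply the post's rule to one device."""
    if version is not None and version >= REQUIRED_VERSION:
        return True
    return any(marker in hf for hf in hotfixes for marker in HOTFIX_MARKERS)


def assess(inventory):
    """inventory: {device: (fw_ver_output, cpinfo_output)} -> {device: verdict dict}."""
    verdicts = {}
    for device, (fw_ver_out, cpinfo_out) in inventory.items():
        version = parse_version(fw_ver_out)
        hotfixes = parse_hotfixes(cpinfo_out)
        verdicts[device] = {
            "version": version,
            "matching_hotfixes": sorted(
                hf for hf in hotfixes if any(m in hf for m in HOTFIX_MARKERS)
            ),
            "ready": is_sha256_ready(version, hotfixes),
        }
    return verdicts


def needs_remediation(verdicts):
    """Sorted list of devices that still need the hotfix or an upgrade."""
    return sorted(d for d, v in verdicts.items() if not v["ready"])


def ready_percentage(verdicts):
    """Share of ready devices, rounded to one decimal (the post quotes 17.9% for its dataset)."""
    if not verdicts:
        return 0.0
    ready = sum(1 for v in verdicts.values() if v["ready"])
    return round(100.0 * ready / len(verdicts), 1)


# Constructed sample inventory: hostnames, builds and hotfix names are made up.
SAMPLE_INVENTORY = {
    "fw-edge-1": (
        "This is Check Point's software version R77.30 - Build 204",
        "[FW1]\n    HOTFIX_R77_30_JUMBO_HF\n",
    ),
    "fw-edge-2": (
        "This is Check Point's software version R77.20 - Build 052",
        "[FW1]\n    No hotfixes..\n",
    ),
    "fw-dmz-1": (
        "This is Check Point's software version R77.20 - Build 052",
        "[FW1]\n    HOTFIX_SHA256_CERT\n",
    ),
    "mgmt-1": (
        "This is Check Point's software version R76 - Build 027",
        "[FW1]\n    HOTFIX_R76_JUMBO\n",
    ),
}

if __name__ == "__main__":
    results = assess(SAMPLE_INVENTORY)
    for name, v in sorted(results.items()):
        flag = "READY" if v["ready"] else "NEEDS HOTFIX"
        print(f"{name:10} {flag:13} version={v['version']} hotfixes={v['matching_hotfixes']}")
    print("to remediate:", needs_remediation(results))
    print(f"ready: {ready_percentage(results)}%")
```

Feed it real fw ver and cpinfo -y all captures instead of the constructed ones and the output is the same list step 2 asks for: which boxes are done, which still need the hotfix, and how far your estate is from 100%.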

Time to get cracking!
