
Check Point Users: You Are Not Ready for June 5th, 2016

UPDATE May 31st 2016: Check Point has updated the SK. The rollout of SHA-256 has been postponed to June 5th 2016.

Back in April 2015, Check Point published SK103839. In it, Check Point informs its customers that the update services for the various software blades will start using SHA-256 instead of SHA-1. This is in response to reports that SHA-1 has weaknesses that, if not already overcome by hackers, may be overcome as soon as 2018. Check Point is not alone in this effort; Google and other vendors are at it, too.

As the SK states, “To ensure the connectivity of Check Point software to Check Point online update services that use SHA-256 based certificates, a hotfix is required. Check Point highly recommends to install this hotfix to maintain the aforementioned update services functionality.” In other words, if you’re not on R77.30, you should install the hotfix on all of your firewalls and management servers before November.

Shockingly, though, a quick query of indeni Insight’s database shows that only 17.9% of Check Point firewalls are running either R77.30 or the required hotfix. So the vast majority of Check Point firewalls out there are not ready for November.

So, what should you do? This is what we recommend:

  1. Read the SK to get the complete picture.
  2. Map out the devices that you own, the versions of software they are running and which of them have the hotfix installed.

    Users of indeni can generate an inventory report (Reporting -> Inventory Report in the web dashboard) and review the Hotfixes Installed sheet. For each device, you should have either a hotfix containing “R77_30” installed or one containing the text “SHA256”. The screenshot to the right shows an example of what you should look for. In 5.3, you will also receive an alert for each device that still needs to be upgraded.

  3. Plan the installation of the hotfix throughout your environment. According to the SK, this should not result in any downtime.
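
For teams that want to script step 2, the sketch below applies the same rule (a hotfix name containing "R77_30" or "SHA256") to an exported hotfix list and reports which devices still need the hotfix. It is an added example, not indeni or Check Point code. The CSV layout, column names, device names and hotfix names are constructed assumptions, not the real format of the Hotfixes Installed sheet.

```python
import csv
import io
from collections import defaultdict

# Substrings the article says to look for in a device's installed hotfix names.
READY_MARKERS = ("R77_30", "SHA256")

# Constructed sample export: the columns and every name below are assumptions.
SAMPLE_CSV = """device,hotfix
fw-edge-01,HOTFIX_R77_30
fw-edge-02,HOTFIX_EXAMPLE_SHA256_001
fw-edge-02,HOTFIX_EXAMPLE_OTHER
fw-dc-01,HOTFIX_EXAMPLE_OTHER
mgmt-01,
"""

def load_hotfixes(csv_text):
    """Group hotfix names per device, keeping devices that list no hotfix at all."""
    devices = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = (row.get("device") or "").strip()
        if not name:
            continue
        hotfix = (row.get("hotfix") or "").strip()
        devices[name]  # register the device even when its hotfix cell is empty
        if hotfix:
            devices[name].add(hotfix)
    return dict(devices)

def is_ready(hotfixes):
    """True if any hotfix name contains a marker (case-insensitive by assumption)."""
    return any(m in h.upper() for h in hotfixes for m in READY_MARKERS)

def audit(csv_text):
    """Return (sorted devices still needing the hotfix, percent of devices ready)."""
    devices = load_hotfixes(csv_text)
    not_ready = sorted(d for d, h in devices.items() if not is_ready(h))
    ready = len(devices) - len(not_ready)
    pct = round(100.0 * ready / len(devices), 1) if devices else 0.0
    return not_ready, pct

if __name__ == "__main__":
    pending, pct = audit(SAMPLE_CSV)
    print(f"{pct}% of devices ready")
    for device in pending:
        print("needs hotfix:", device)
```

Devices with an empty hotfix cell are counted as not ready rather than dropped, so a management server with nothing installed still appears in the to-do list.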

Time to get cracking!
