The Check Point “OpenSSL Padding Oracle…” IPS signature is blocking ALL SSL traffic in some environments:

I have seen the signature first-hand in production on R80.20 gateways and it shuts down all SSL traffic including the SSL VPN portal (Mobility Access Blade). I have not been able to recreate this on R80.30, and am not sure about R80.10 or R80.40, but for sure it looks like R80.20 is affected. The bad update to this particular signature was on July 7th 2020.

I almost never (ever?) recommend signatures with a Confidence Level of “Low” for this very reason. This is a known issue right now within Check Point and hopefully they will have a corrected update.

For now make sure it is not enabled:

Select IPS Protections in SmartConsole

Search for “Open SSL Padding”

Set it to “Detect” or “Inactive”

Install the updated Threat Prevention policy

Bad IPS Signature: OpenSSL Padding Oracle

Leave a Reply

Your email address will not be published. Required fields are marked *

13 − 1 =