H3C firewall SSL weak cipher

Nessus vulnerability scan report about H3C firewall SSL weak cipher 

Go to "Objects" -> "SSL" -> "SSL Server Policies"

You will found that even you select "TLS 1.2" and Cipher suites "High level":

SSL_RSA_with_AES_128_CBC_SHA

SSL_RSA_with_AES_256_CBC_SHA

You still false in the security scanning report and it will show weak cipher.

Solution:

Use the following 4 Cipher:

 

https://www.tenable.com/plugins/nessus/156899 

After change the cipher under firewall GUI, then SSH to the firewall

 

> system-view

 

] undo ip https enable

 

] ip https enable

 

] save force

 

] exit

 

>

 

H3C firewall SSL weak cipher

H3C Firewall Change admin portal certificate

1. Go to H3C Firewall -> SSL -> SSL Server Policies to create a new Policy e.g. "abc_2024-2026"

2. Create a PKI Domain for new cert installation

3. Go to PKI -> Certificate -> Import 2 CA cert and 1 local cert

CA to provide TWO CA cert (.cer) (When install second CA, just ignore the cert will be replace warning) and One local cert (.pfx) (RSA 2048) (This local cert need to includ private key and also ignore the cert will be replace warning)

4. SSH to the firewall 

 > show current-configuration (Enable logging on putty before run this command) 

 > system-view ] undo ip https enable 

 ] ip https ssl-server-policy <New Policy Name which is you create at step1> 

 ] ip https enable 

 ] save force 

 ] exit 

 >

H3C Firewall Change admin portal certificate

Install certificates on Symantec Messaging Gateway (SMG)

Error: No stored certificate request matches this certificate.

Manage certificates for your system. The TLS certificate is used by MTAs in each Scanner appliance; the Control Center uses the HTTPS certificate for secure Web management; Domain keys are used for DomainKeys Identified Mail (DKIM) signing of outbound mail.

Solution: SMG will not install a certificate without either:

• the private key included in the PEM file
• a CSR that already exists in the SMG

Reference: https://knowledge.broadcom.com/external/article?legacyId=TECH154806

https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?GroupId=4093&MessageKey=e3c1d68d-6d91-4677-a3ee-f2f4c27a1e5b&CommunityKey=bba1e9dc-0c56-4fb5-9e3d-ef7f0d79b7ee

Install certificates on Symantec Messaging Gateway (SMG)

Free TI feed - rules.emergingthreats.net

The bad IP from emergingthreats:

https://rules.emergingthreats.net/blockrules/compromised-ips.txt

Free TI feed - rules.emergingthreats.net

Oracle JRE and JDK replacement

Azul Zulu OpenJDK 11 is a good choice.
If your computer does not have any existing Java SE installed, it is suggested that you can download and install Azul Zulu OpenJDK 11 from the Zulu Community 
Java 8, 11, 17, 21, 22 Download for Linux, Windows and macOS (azul.com)

Oracle JRE and JDK replacement

The 2 amber lights followed by 4 white lights on a DELL Latitude Laptop

1. Reseat the Original Memory: If applicable to your model, reseat the original memory module in the system. Sometimes, reseating the RAM can resolve the issue.

2. Check for Damaged RAM: If reseating the RAM doesn't work, consider checking for any visible damage to the RAM sticks. If they appear damaged, you may need to replace them.

3. Firmware Updates: Ensure that your system's firmware (BIOS) is up to date. Sometimes, updating the firmware can resolve hardware-related issues.

https://www.dell.com/community/en/conversations/latitude/latitude-7480-2-amber-lights-4-white-lights/647f7c0bf4ccf8a8dea5acf2

The 2 amber lights followed by 4 white lights on a DELL Latitude Laptop

Fortinet SSL VPN - SSL Certificate expired and you need to bypass tempoarilty

Configure SSL VPN to Not Require Certificates

Go to VPN > SSL > Settings > and un-check Require Client Certificate.

Fortinet SSL VPN - SSL Certificate expired and you need to bypass tempoarilty