topic Re: Disabling Weak Ciphers for SSL VPN in Firepower FDM in Network Security

Disabling Weak Ciphers for SSL VPN in Firepower FDM

Arshad Safrulla — Thu, 23 Apr 2020 13:15:43 GMT

Hi Experts,

I am running a VPN headend with FDM on ASA 5516-X box. FDM is the customer preferred choice as it has GUI and he is not interested in going back to ASA image. Recently we had an email from customer after having a vulnerability assessment done against his environment. below are the outcomes. Any support will be helpful to address this

TLS/SSL Server Supports The Use of Static Key Ciphers

TLS/SSL Server is enabling the BEAST attack

TLS Server Supports TLS version 1.1

TLS Server Supports TLS version 1.0

Re: Disabling Weak Ciphers for SSL VPN in Firepower FDM

omz — Thu, 23 Apr 2020 13:33:17 GMT

TLS 1.0 and 1.1 are considered vulnerable

recommended is TLS 1.2 or 1.3

Re: Disabling Weak Ciphers for SSL VPN in Firepower FDM

Arshad Safrulla — Thu, 23 Apr 2020 14:08:45 GMT

I am totally aware of it mate, the biggest worry is I dont find an option to disable it in the GUI, Firepower or Lina CLI. Any idea whether this can be done in linux level?

Re: Disabling Weak Ciphers for SSL VPN in Firepower FDM

Marvin Rhoads — Thu, 23 Apr 2020 14:22:02 GMT

The commands necessary to restrict SSL/TLS ciphersuites are not currently available for FDM (or CDO) managed Firepower devices. Also, you cannot add them via Flexconfig (blacklisted).

If you use FMC management, the settings can be changed under Devices > Platforms Settings > SSL. See the following:

Re: Disabling Weak Ciphers for SSL VPN in Firepower FDM

Arshad Safrulla — Thu, 23 Apr 2020 14:37:53 GMT

Thanks Marvin. I am currently in 6.5.04. Any idea on 6.6.0? Not related to the subject, but how is the SBL support for anyconnect FDM or Firepower?

Re: Disabling Weak Ciphers for SSL VPN in Firepower FDM

Marvin Rhoads — Thu, 23 Apr 2020 17:10:26 GMT

6.6 also does not allow this change from FDM/CDO. We have to wait until those settings are API-enabled.

Fingers crossed for 6.7 (Fall 2020) but time will tell.

Re: Disabling Weak Ciphers for SSL VPN in Firepower FDM

aswit — Fri, 24 Apr 2020 19:29:57 GMT

Hi Marvin,

I'm experiencing the same issue with our FTD AnyConnect website. I opened a service ticket earlier this year but the explanation was a little different at the time. Are you saying that currently a Cisco's security product is vulnerable and they don't have any plans to fix this issue until November?

Thanks,

Re: Disabling Weak Ciphers for SSL VPN in Firepower FDM

loizosko — Thu, 11 Feb 2021 18:54:25 GMT

anybody figured how to do that?

running 6.7 ngfw2110 with fdm and can't set the tls to tlsv1.2

can't find what flex config i can use for that.

works fine in firesight managed devices.

Re: Disabling Weak Ciphers for SSL VPN in Firepower FDM

Rob Ingram — Thu, 11 Feb 2021 19:48:02 GMT

@loizosko

It looks like you can do this in FDM 6.7 using API.

You don't appear to be able to make changes using flexconfig using 6.7, the CLI commands are currently blacklisted.

Re: Disabling Weak Ciphers for SSL VPN in Firepower FDM

IvanAlvarenga25979 — Fri, 26 Mar 2021 17:29:52 GMT

From Cisco:

If you are using a FDM it’s not possible to enable FIPS. This is a known issue.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvp07593/?rfs=iqvred

Re: Disabling Weak Ciphers for SSL VPN in Firepower FDM

Marvin Rhoads — Sat, 27 Mar 2021 14:20:41 GMT

This FDM shortcoming will be addressed in version 7.0 (the next release after 6.7). It's in the GUI there.

Re: Disabling Weak Ciphers for SSL VPN in Firepower FDM

rtahirov — Thu, 07 Apr 2022 18:45:20 GMT

In FDM this can be configured from System Settings -> SSL Settings.
The feature is available for version 7.0+.