topic Re: Disable TLS 1.0 - 1.2 on CISCO Firepower Management Center and FT in Network Security

Disable TLS 1.0 - 1.1 on CISCO Firepower Management Center and FTD

MaErre21325 — Mon, 07 Mar 2022 17:03:19 GMT

Hello guys,

we need to disable tls 1.0 and 1.1 and move to tls 1.2, does this change impact all the active client to site vpn or the new parameter will be negotiated only for the new connections?

There will be downtime for this changing or it is fully transparent to user?

Our anyconnect version is 4,10.

Thanks

Regards

Re: Disable TLS 1.0 - 1.2 on CISCO Firepower Management Center and FT

Rob Ingram — Mon, 07 Mar 2022 16:52:08 GMT

@MaErre21325 changing the TLS ciphers used on the FTD would impact the user connections. You change the FTD SSL/TLS setting using the Platform Settings. Guide here.

Any TLS settings on the FMC is for connections to the management Web GUI, therefore has no bearing on the anyconnect clients connecting to the FTD.

Re: Disable TLS 1.0 - 1.2 on CISCO Firepower Management Center and FT

MaErre21325 — Mon, 07 Mar 2022 17:09:04 GMT

Hi Rob,

now it's clear, thank you very much!

Re: Disable TLS 1.0 - 1.2 on CISCO Firepower Management Center and FT

Rob Ingram — Mon, 07 Mar 2022 17:17:18 GMT

@MaErre21325 I forgot to mention, from memory I think making the changes ended the users session, forcing them to reconnect, so you may want to make the change during a out of hours.

You may also wish to confirm that the current connected sessions support and are currently connecting using DTLS 1.2, using the command "show vpn-sessiondb detail anyconnect | include Encapsulation"

> show vpn-sessiondb detail anyconnect | include Encapsulation
Encapsulation: TLSv1.2 TCP Src Port : 35205
Encapsulation: DTLSv1.2 UDP Src Port : 26702

If you are changing the encryption, use "show vpn-sessiondb ratio encryption" to confirm what the current connections are using.

Re: Disable TLS 1.0 - 1.2 on CISCO Firepower Management Center and FT

MaErre21325 — Tue, 08 Mar 2022 09:26:02 GMT

yes, i'll do the change out of business hours

thanks for the tips

Re: Disable TLS 1.0 - 1.2 on CISCO Firepower Management Center and FT

engineer467 — Wed, 20 Jul 2022 16:16:35 GMT

Hi Rob,

How do I achieve this using FDM? FTD is on 6.4.0.15

Thanks always

Re: Disable TLS 1.0 - 1.2 on CISCO Firepower Management Center and FT

Rob Ingram — Wed, 20 Jul 2022 16:23:53 GMT

@engineer467 to change the TLS ciphers in FDM for RAVPN, you'll need to upgrade to version 7.0.

https://www.cisco.com/c/en/us/td/docs/security/firepower/70/relnotes/firepower-release-notes-700/features.html

Re: Disable TLS 1.0 - 1.2 on CISCO Firepower Management Center and FT

engineer467 — Wed, 20 Jul 2022 16:27:21 GMT

Appreciate it, Rob.

Re: Disable TLS 1.0 - 1.1 on CISCO Firepower Management Center and FT

mrlorincz — Mon, 12 Jun 2023 20:19:04 GMT

I know this is an old post but was curious if there was a different area to disable support for TLSv1.0 and TLSv1.1 for the FMC GUI, I presume platform settings only applies to the FTD devices (443 and RAVPN)?

Re: Disable TLS 1.0 - 1.1 on CISCO Firepower Management Center and FT

engineer467 — Tue, 13 Jun 2023 13:02:38 GMT

Yes, platform settings are applied to the managed FTD. For FMC, I believe you will have to upgrade the FMC to the latest version in order to get TLS 1.2 and weak ciphers 1.0 or 1.1 should be disabled in that version.

Re: Disable TLS 1.0 - 1.1 on CISCO Firepower Management Center and FT

mrlorincz — Tue, 13 Jun 2023 14:54:45 GMT

Thanks! That makes sense. I appreciate you responding.

Re: Disable TLS 1.0 - 1.1 on CISCO Firepower Management Center and FT

Marvin Rhoads — Wed, 14 Jun 2023 08:12:37 GMT

The FMC GUI, even on the soon-to-be-released 7.4 does not disable weak ciphers.

See this thread and my reply dated 8 June for more details: https://community.cisco.com/t5/network-security/tls-version-1-1-protocol-deprecated/m-p/4851435#M1101375

Re: Disable TLS 1.0 - 1.1 on CISCO Firepower Management Center and FT

mrlorincz — Wed, 14 Jun 2023 15:59:50 GMT

Thanks Marvin! Always nice to hear from a legend! 🙂 That stinks about platform settings not affecting the mgmt interface's ciphers (being unable to disable TLSv1.0/TLSv1.1. I realized after my question that our security report didn't call out FMC as using TLSv1.0/TLSv1.2, I just ran an nmap scan and It seems it's only using TLSv1.2 (FMC7.0.5). At least that's some good news for me. Thanks for responding!

NSE: Script Post-scanning.
Initiating NSE at 08:55
Completed NSE at 08:55, 0.00s elapsed
Initiating NSE at 08:55
Completed NSE at 08:55, 0.00s elapsed
Read data files from: C:\Program Files (x86)\Nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.14 seconds
Raw packets sent: 5 (196B) | Rcvd: 2 (72B)

Re: Disable TLS 1.0 - 1.1 on CISCO Firepower Management Center and FT

Marvin Rhoads — Thu, 15 Jun 2023 02:54:02 GMT

Ah, they may have updated that with 7.0.5. I think the previous 7.0 version I checked still had weak ciphers in the offering.