topic Disable https on Firepower Threat Defense 2100 nodes? in Network Security

Disable https on Firepower Threat Defense 2100 nodes?

andrewjinks — Tue, 08 Nov 2022 16:10:09 GMT

Security analysts told us that a network security scan shows that the HTTPS service may be running on the management interfaces our FTD nodes. Trying to access it via browser, it returned the following message:

Service Unavailable

The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.

...when trying to access a secure webpage using https://FQDN of the FTD 2130 (Firepower Threat Defense) nodes. We have a 2-node cluster they scanned and it seems https service is enabled somewhere but I'm not sure how to disable it if it is enabled. The browser tab message shows "503 service unavailable", so I'm not even sure it's actually enabled. Can anyone confirm? Can this be disabled using the FMC or must this be done in the FTD CLI? If so, how? Thanks in advance.

Re: Disable https on Firepower Threat Defense 2100 nodes?

Arunkumar Sathasivam — Thu, 17 Nov 2022 10:44:31 GMT

Hi Andrewjinks,

When you are using FMC to Manage FTD. Then you cannot access FTD via GUI using Management IP. FTD device Management settings you can configure in FMC by navigating to

FMC --> Device --> Platform settings

Now you can disable HTTP Access for FTD by navigating through

FMC --> Device --> Platform settings --> HTTP Access and uncheck Enable HTTP Server check box

Kindly apply the above steps and let us know if you have more queries

-----------------------------------------
If you find my reply solved your question or issue, kindly click the 'Accept as Solution' button and vote it as helpful.

You can also learn more about Secure Firewall (formerly known as NGFW) through our live Ask the Experts (ATXs) session. Check out Cisco Network Security ATXs Resources [https://community.cisco.com/t5/security-knowledge-base/cisco-network-security-ask-the-experts-resources/ta-p/4416493] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.
-----------------------------------------

Regards

Arunkumar

Re: Disable https on Firepower Threat Defense 2100 nodes?

Marvin Rhoads — Thu, 17 Nov 2022 12:28:56 GMT

Unfortunately the service cannot be disabled, even when following the steps suggest by @Arunkumar Sathasivam .

There is an unresolved ENH bug (enhancement request) pending against this behavior.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz41482

Re: Disable https on Firepower Threat Defense 2100 nodes?

andrewjinks — Tue, 07 Nov 2023 17:23:55 GMT

@Arunkumar Sathasivamwas this ever resolved? It seems to have been a bug as the other user pointed out. The HTTP option is disabled (unchecked) for the FTD nodes in the Device Management settings as described, but the 503 message still appears when you try to access the management interface of the nodes. Our security scans are picking it up and we'll either need to disable it completely somehow, or apply a SSL/TLS certificate. I don't see how to add a certificate for that interface, either, and I imagine that is because when using the FMC to manage the nodes, HTTP/S is supposed to be disabled on the nodes since the FMC is using HTTPS and there's a certificate for that.

Is there a way to apply a cert or disable HTTP/S completely via CLI or through FMC?

Re: Disable https on Firepower Threat Defense 2100 nodes?

Marvin Rhoads — Wed, 08 Nov 2023 05:38:18 GMT

I advise my customers to cite the vendor ENH defect as a response to any security scans. If you try to manually disable it under the covers, you will be potentially be making your system unusable.

I have had some success at limiting the ciphers presented. Reference these threads:

https://community.cisco.com/t5/vpn/how-to-disable-tls-v1-0-v1-1-on-ftd-using-the-fdm-or-cli/td-p/4841893

https://community.cisco.com/t5/network-security/disable-weak-cipher-and-tls-on-cisco-firepower-management-center/td-p/4079053