topic Warning - v7.2.5 Upgrade on FPR-2140 removes Mgmt Interface SSH ACL in Network Security

Warning - v7.2.5 Upgrade on FPR-2140 removes Mgmt Interface SSH ACL

ida71 — Thu, 04 Jan 2024 10:36:48 GMT

This is just a piece of info. I recently started our next round of Cisco Gold Star upgrades due to v7.0.5 having a DoS attack vulnerability.

I initially upgraded 3 HA pairs of FPR-2120, followed by an HA pair FPR-2140's in middle of December 2023.

Today I got an incident from Security Team, stating the management interfaces on the 2140's were showing a SSH vulnerability from the latest Qualys scan. This was strange as I have SSH ACL's on all management interfaces & Qualys can't reach them.

On checking the reported FTD's the ACL's were gone ! See below where <snip> is removed content.

>>>

Cisco Firepower Extensible Operating System (FX-OS) v2.12.0 (build 519)
Cisco Firepower 2140 Threat Defense v7.2.5 (build 208)

>
> show version
---------[ <snip>-FTD-2 ]----------
Model : Cisco Firepower 2140 Threat Defense (77) Version 7.2.5 (Build 208)
UUID : <snip>
Rules update version : 2023-12-07-001-vrt
VDB version : 377
----------------------------------------------------

> show ssh-access-list
f2b-sshd tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
Chain f2b-sshd (1 references)
ACCEPT tcp anywhere anywhere state NEW tcp dpt:ssh
>
>
>configure ssh-access-list <snip>

The ssh access list was changed successfully.

> show ssh-access-list
ACCEPT tcp -- <snip> anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- <snip> anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- <snip> anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- <snip> anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- <snip> anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- <snip> anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- <snip> anywhere state NEW tcp dpt:ssh
>
<<<

I checked the FPR-2120's & they still had their ACL's intact, so I suspect it Hardware related issue. I have logged a case with TAC for it.

Might be worth adding another post change validation check to your upgrades process.

Have Fun 😞

Re: Warning - v7.2.5 Upgrade on FPR-2140 removes Mgmt Interface SSH AC

Marius Gunnerud — Thu, 04 Jan 2024 10:45:22 GMT

I am assuming that you remembered to deploy policies after the upgrade?

It is quite possible that something on the management plane has been changed and is missing some pre and post upgrade checks. The jump from pre 7.2.x to 7.2.x and higher has a 40% change in code so missing checks is quite possible.

Re: Warning - v7.2.5 Upgrade on FPR-2140 removes Mgmt Interface SSH AC

ida71 — Thu, 04 Jan 2024 10:54:36 GMT

Yes Policy was deployed post upgrade, multiple times since too. Management Interface configuration is local & not FMC managed so should not evaporate. Worked fine on the 2120's so has to be some hardware/software cockup. I'll be doing more 2140's this weekend, so will check them post upgrade.

Re: Warning - v7.2.5 Upgrade on FPR-2140 removes Mgmt Interface SSH AC

ida71 — Thu, 04 Jan 2024 15:09:41 GMT

TAC suggest this is due to Bug, basically says this happens at random 😞

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz13564

Re: Warning - v7.2.5 Upgrade on FPR-2140 removes Mgmt Interface SSH AC

MHM Cisco World — Thu, 04 Jan 2024 15:43:25 GMT

thanks alot for update us
have a nice day
MHM