topic Re: Disable weak cipher and TLS on CISCO Firepower Management Center in Network Security

Disable weak cipher and TLS on CISCO Firepower Management Center

Taro-AB81 — Mon, 04 May 2020 15:34:38 GMT

We are using CISCO Firepower Management Center for VMWare with software version 6.1.0.3 (build 57) and Software Version 6.2.3.14 (build 41). During our VAPT assessment it’s been detected that this use weak cipher and TLS. I did login via web browser and went through the settings but not able to locate where to disable it. Could you please advice on this.

Thank you.

Re: Disable weak cipher and TLS on CISCO Firepower Management Center

Rob Ingram — Mon, 04 May 2020 18:08:21 GMT

Hi,

SSL/TLS settings are configured under Platform Settings, reference here. You should probably consider upgrading 6.1 and 6.2 as they are very outdated.

From FTD 6.6 allows you to configure DTLS 1.2 if using SSL/TLS VPN.

HTH

Re: Disable weak cipher and TLS on CISCO Firepower Management Center

Taro-AB81 — Fri, 08 May 2020 02:21:29 GMT

Hi,

Thanks for the reply. But under platform i do not see a separate option for SSL settings. i have attached a screenshot. To be specific on the issue im facing, following is the vulnerability that been reported. (SSL Cipher Block Chaining Cipher Suites Supported - 443)

Re: Disable weak cipher and TLS on CISCO Firepower Management Center

Marvin Rhoads — Sat, 09 May 2020 11:55:35 GMT

The platform settings mentioned earlier apply to managed devices. You will see additional options for them on later releases of FMC.

For FMC itself, you need to upgrade the version to get stronger cipher and TLS 1.2 support. FMC 6.5 disabled TLS 1.0 and 1.1. Here is a scan of an FMC 6.6 server:

nmap -sV --script ssl-enum-ciphers -p 443 <host>
starting Nmap 7.80 ( https://nmap.org ) at 2020-05-09 19:48 Malay Peninsula Standard Time
Nmap scan report for fmc.ccielab.mrneteng.com (172.31.1.10)
Host is up (0.00s latency).

PORT STATE SERVICE VERSION
443/tcp open ssl/http Apache httpd
|_http-server-header: Apache
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 4096) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 4096) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| compressors:
| NULL
| cipher preference: server
| warnings:
| Key exchange (secp256r1) of lower strength than certificate key
|_ least strength: A
MAC Address: 00:0C:29:EF:2F:0F (VMware)

Re: Disable weak cipher and TLS on CISCO Firepower Management Center

Taro-AB81 — Sat, 09 May 2020 15:11:53 GMT

Hi Marvin,
Thanks a lot for your reply. I will propose to upgrade to latest version. meanwhile do u think allowing only trusted IP connection via access list will secure the device?
As shown in my attachment earlier, currently it sets to any.

Re: Disable weak cipher and TLS on CISCO Firepower Management Center

Marvin Rhoads — Sun, 10 May 2020 02:36:08 GMT

Yes, restricting the management access to subnets where authorized management users are located can help - assuming this is consistent with your network operations model. It may require using a jumpbox for certain use cases - for instance if you want network admins to be able to access FMC when they are connected to the network via VPN and the VPN addresses are shared with non-admins.

Re: Disable weak cipher and TLS on CISCO Firepower Management Center

alex.f. — Fri, 04 Feb 2022 16:11:39 GMT

Hi Marvin,

I am currently running 7.0.1 on our FMC but I can not find any Information where to configure TLS cipher for the FMC it self.

Do you know where?

kind regards

Alex

Re: Disable weak cipher and TLS on CISCO Firepower Management Center

Marvin Rhoads — Sat, 05 Feb 2022 12:15:25 GMT

@alex.f. The FMC ciphersuite is not configurable. As I mentioned in my earlier post, upgrading to newer releases changes the ciphers used by FMC.

Re: Disable weak cipher and TLS on CISCO Firepower Management Center

MaErre21325 — Mon, 07 Mar 2022 15:55:21 GMT

Hello @Marvin Rhoads,

Will enabling tls1.2 create some disruption on active client to site vpn via anyconnect or will the new parameter be taken at the new connection?
Should we expect a global disconnection or the new parameter is simply enabled for all new client to lan sessions?

thanks
hello

Re: Disable weak cipher and TLS on CISCO Firepower Management Center

Rob Ingram — Mon, 07 Mar 2022 16:37:15 GMT

@MaErre21325 TLS on the FMC has no bearing on a Client to Site VPN via anyconnect, the clients connect to the FTD.

If you've got more questions create a new thread rather than potentially highjacking this thread.

Re: Disable weak cipher and TLS on CISCO Firepower Management Center

Marvin Rhoads — Fri, 14 Apr 2023 15:33:35 GMT

Updating this old thread, FMC still does not allow you to natively disable weak ciphers.

I had a customer who requested I dig deeper to address an audit finding and found that FMC relies on the Apache web server and we can manage the configuration file it uses to restrict available ciphers. The file is /etc/httpd/httpsd.conf. It has a section as follows:

SSLCipherSuite DHE-DSS-AES256-SHA:AES256-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384

I edited my lab FMC to make the following change:

SSLCipherSuite DHE-DSS-AES256-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:DHE-DSS-AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384

(removing the “insecure” ciphers). After making the change with vi (must be root user first), I restarted the FMC from clish using "system restart" and see that fewer ciphers are accepted, removing the ones their scanning service considers insecure.

Scan before:

Scan after:

Use at your own risk but it doesn't appear to break anything on my FMC 7.4.

NOTE: It may be necessary to reapply the fix after any upgrades.

Re: Disable weak cipher and TLS on CISCO Firepower Management Center

kpyle — Fri, 09 Feb 2024 18:42:36 GMT

I keep getting this result in Rapid7 scans which brought me to this feed. I'm running the currently the recommended 7.2.5 version of FDM. One thing I am concerned about is that this is a security device which has the capability to inspect traffic including decrypting SSL/TLS with a known key. Wouldn't removing the device's ability to decipher weak TLS also hamper its ability to inspect traffic and decrease the security provided by the device? I would think the main concern is that weak cyphers aren't used to connect to the management interfaces of the device. I'm considering testing this by limiting a computer to only using one of the weak cyphers and trying to connect via the management interface of the router. If I can connect then maybe there is value in going through the steps above, if not then perhaps this is a false reading on the part of the scanner which is only looking at the fact that the weak cypher exists on the device and not how its used. I could be thinking about this all wrong.

Re: Disable weak cipher and TLS on CISCO Firepower Management Center

Marvin Rhoads — Mon, 12 Feb 2024 03:13:17 GMT

The instructions for disabling weak ciphers only affects traffic that is TO the device itself. It doesn't affect traffic THROUGH the device - including SSL decryption, inspection etc.

Re: Disable weak cipher and TLS on CISCO Firepower Management Center

kpyle — Wed, 14 Feb 2024 21:17:45 GMT

I've tried to putty in and use expert mode to find and change the config file listed above. Apparently on 7.2.5 they have moved the ciphers, and they don't appear in that file anymore. So, I'm going to have to do some more digging when I get some time. I'd like to point out though that anyone scanning their environment and eliminating weak ciphers has most likely already eliminated those ciphers from every computer that would be connecting to the device via the management interface anyway. It's kind of dumb on Cisco's part to continue making these ciphers frustrating and difficult to change.

Re: Disable weak cipher and TLS on CISCO Firepower Management Center

Marvin Rhoads — Thu, 15 Feb 2024 16:39:00 GMT

The SSLCipherSuite section is still in my FMC 7.4.1 httpsd.conf file.

They keep the older cipher compatibility in place to give the greatest client compatibility. Any modern client will negotiation a mutually acceptable strong cipher. I have not had any issues disabling the old ones to make my clients'

auditors happy though.

Re: Disable weak cipher and TLS on CISCO Firepower Management Center

CDS LLC — Thu, 26 Sep 2024 15:22:33 GMT

Sorry for necroing an old thread, but you seem very capable with this specific issue. Our router is failing an ASV compliance scan because it says that the ECDHE-RSA-AES256-SHA384 cipher is enabled on the port we use for SSL VPN, but in the SSL Settings in FDM I have a custom cipher suite that is only utilizing AES256-GCM-SHA384, DHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384, and ECDHE-RSA-AES256-GCM-SHA384. You mentioning the httpsd.conf file for the Apache server that would run on the SSL VPN port for people to download AnyConnect from makes me thinking that there is where the problem lies. Do you think that may be the issue? And if so, how to a navigate to that file when connected to the CLI of the router so I can edit the httpsd.conf file? Am I able to get to it through the normal CLI, or do I need to use the SYSTEM SUPPORT DIAGNOSTIC-CLI method?

Re: Disable weak cipher and TLS on CISCO Firepower Management Center

Marvin Rhoads — Thu, 26 Sep 2024 16:35:46 GMT

The http.conf information I mentioned earlier was specific to FMC and its web UI.

If your FDM-managed FTD has a custom cipher suite for SSL VPN that should suffice for it's interface with VPN enabled.Is it that interface address that is being scanned?

However, if you have any static NAT for a web server as scan might also pickup the web server's settings so be sure to check for that.

Re: Disable weak cipher and TLS on CISCO Firepower Management Center

minhn — Tue, 18 Mar 2025 14:27:50 GMT

"If we are using only FDM and not FMC, how can we disable SSL CBC ciphers? Also, do we need any licenses to proceed with this configuration?"

Re: Disable weak cipher and TLS on CISCO Firepower Management Center

CDS LLC — Wed, 25 Jun 2025 20:10:06 GMT

I'm in the same place again unfortunately. You were right: it looks like the HTTPS web server that runs on our SSL VPN port to provide the Cisco AnyConnect package to users has a separate set of SSL Ciphers, of which include the less secure CBC ciphers that my PCI DSS scanning vendor is flagging me for. I researched for a WHILE and found a way to edit the SSL settings for the HTTPS server using the FXOS cli, but when I went to commit my changes to the buffer it errored out. Turns out you're not allowed to use FXOS configuration commands in the CLI if you're not using a Cisco 4300 or 9100 series router, which in my opinion is INSANE. The "connect ftd" cli has no way of editing these same settings, which is unfortunate. Am I just SOL?

It's OK if I am, I'd just like to know so I can stop wasting time on it and try to negotiate something with my scanning vendor. Thanks for always being helpful.

Re: Disable weak cipher and TLS on CISCO Firepower Management Center

Marvin Rhoads — Tue, 01 Jul 2025 15:55:33 GMT

SSL VPN ciphers are controlled under device platform settings in FMC, not within FXOS (cli) or FCM (GUI for chassis only).

Here's a good blog post walking you through the steps: https://integratingit.wordpress.com/2021/01/28/secure-ftd-tls-ciphers/