cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3248
Views
10
Helpful
7
Replies

Cisco FTD Internal Certificate Expiration

peymansarayeli
Level 1
Level 1

Hi guys, I hope you are doing well.

 

I have a question regarding FTD devices' internal certificate.

 

We have FTDs which are being managed by a FMC. As far as I understood, FMC talks to the FTDs over an encrypted (Https) channel when it wants to deploy configuration to it.

 

Recently we had a security audit in our infrastructure and they reported that the certificates on the FTD devices are expired.

I have searched a lot about how to renew these certificates, but I was not successful.

 

Could you please help me if you have any idea?

 

Best Regards,

Peyman

7 Replies 7

Marvin Rhoads
Hall of Fame
Hall of Fame

You're correct in understanding that they are used to secure the communications between FMC and managed FTDs (configuration and eventing over the sftunnel process which uses TLS over tcp/8305).

AFAIK Cisco doesn't provide any mechanism to renew these certificates. I would suggest that one could cite the fact that you use a mutually set registration key to verify the authenticity of the managed FTDs vs the certificate. I'd argue that is a "compensating control" for the issue.

So in that case the usage of the X.509 certificate is quite a bit different than in the case of a traditional client-web server type of interaction.

@Marvin Rhoads Thanks for your answer.

I realized that there are two sets of ports which are allowed on the FTDs.

 

1- The one that you have already mentioned.

2- It also listens on port 443 for the sake of "REST API" and "Terminal Services".

 

The security auditors referred to the second one. I have checked some documents, So far I was not able to find a solution to disable the 443 or the mentioned services on the FTD itself.

If you have any idea, I would appreciate it if you can share it with me.

 

Best,

Peyman

I wouldn't expect the REST API interface to be available on FMC-managed FTD devices. If FDM/CDO-managed, yes. In that case ti uses the configured management certificate.

Terminal services may refer to the TS Agent identity source. Are you using that in your setup? Again, I would not expect it to be on an FTD device.

Did the auditors actually find your FTD devices to be listening on tcp/443 (https default port)?

Dear @Marvin Rhoads 

 

Thanks for your answer.

 

Regarding your questions:

- We are not utilizing neither "REST-API" nor "TS-Agent"

- The auditors ran their tests and found that from their machine they can see that the 443 port on FTD is open and listening. Even I was able to see that the port is open. I tried to connect to it over a web session, the web responds with an invalid certificate (and the security risk acceptance error which appears on the browser). And when I accept the risk it returns an error (Service Unavailable).

 

FYI: We are investigating this problem on the "Management Port"

That's not the expected behavior.

I checked two different FMC-managed FTD appliances and neither is listening on tcp/443 (https).

What platform (hardware model or VM) are you using and what software version is it?

 

also for me, It is not the expected behavior for the FTD devices to listen on 443 on management port!

 

We are using:

Hardware FTDs, Series 2110, Software version 6.6.1

Virtual FMC, Software version 6.6.1

 

Marvin,

I have checked a few different models and versions (6.6.5 and 7.0.5). The management port listens on 443, but does not attach any service to it. So if you browse to the IP, you get prompted for an insecure certificate. Once you accept it, you get a 503 Service Unavailable response. 

I am just turning off the alerting in my monitoring software, but wouldn't mind finding a way to turn it off since I've seen this a few other times.

Review Cisco Networking for a $25 gift card