Re: Cisco FTD Internal Certificate Expiration

peymansarayeli · ‎07-20-2021

Hi guys, I hope you are doing well.

I have a question regarding FTD devices' internal certificate.

We have FTDs which are being managed by a FMC. As far as I understood, FMC talks to the FTDs over an encrypted (Https) channel when it wants to deploy configuration to it.

Recently we had a security audit in our infrastructure and they reported that the certificates on the FTD devices are expired.

I have searched a lot about how to renew these certificates, but I was not successful.

Could you please help me if you have any idea?

Best Regards,

Peyman

Marvin Rhoads · ‎07-20-2021

You're correct in understanding that they are used to secure the communications between FMC and managed FTDs (configuration and eventing over the sftunnel process which uses TLS over tcp/8305).

AFAIK Cisco doesn't provide any mechanism to renew these certificates. I would suggest that one could cite the fact that you use a mutually set registration key to verify the authenticity of the managed FTDs vs the certificate. I'd argue that is a "compensating control" for the issue.

So in that case the usage of the X.509 certificate is quite a bit different than in the case of a traditional client-web server type of interaction.

peymansarayeli · ‎07-21-2021

@Marvin Rhoads Thanks for your answer.

I realized that there are two sets of ports which are allowed on the FTDs.

1- The one that you have already mentioned.

2- It also listens on port 443 for the sake of "REST API" and "Terminal Services".

The security auditors referred to the second one. I have checked some documents, So far I was not able to find a solution to disable the 443 or the mentioned services on the FTD itself.

If you have any idea, I would appreciate it if you can share it with me.

Best,

Peyman

Marvin Rhoads · ‎07-21-2021

I wouldn't expect the REST API interface to be available on FMC-managed FTD devices. If FDM/CDO-managed, yes. In that case ti uses the configured management certificate.

Terminal services may refer to the TS Agent identity source. Are you using that in your setup? Again, I would not expect it to be on an FTD device.

Did the auditors actually find your FTD devices to be listening on tcp/443 (https default port)?

peymansarayeli · ‎07-22-2021

Dear @Marvin Rhoads

Thanks for your answer.

Regarding your questions:

- We are not utilizing neither "REST-API" nor "TS-Agent"

- The auditors ran their tests and found that from their machine they can see that the 443 port on FTD is open and listening. Even I was able to see that the port is open. I tried to connect to it over a web session, the web responds with an invalid certificate (and the security risk acceptance error which appears on the browser). And when I accept the risk it returns an error (Service Unavailable).

FYI: We are investigating this problem on the "Management Port"

Marvin Rhoads · ‎07-22-2021

That's not the expected behavior.

I checked two different FMC-managed FTD appliances and neither is listening on tcp/443 (https).

What platform (hardware model or VM) are you using and what software version is it?

peymansarayeli · ‎07-23-2021

also for me, It is not the expected behavior for the FTD devices to listen on 443 on management port!

We are using:

Hardware FTDs, Series 2110, Software version 6.6.1

Virtual FMC, Software version 6.6.1

goodwin_charles · ‎03-18-2024

Marvin,

I have checked a few different models and versions (6.6.5 and 7.0.5). The management port listens on 443, but does not attach any service to it. So if you browse to the IP, you get prompted for an insecure certificate. Once you accept it, you get a 503 Service Unavailable response.

I am just turning off the alerting in my monitoring software, but wouldn't mind finding a way to turn it off since I've seen this a few other times.