Solved: Re: Disable TLS 1.0 - 1.1 on CISCO Firepower Management Center and FT

MaErre21325 · ‎03-07-2022

Hello guys,

we need to disable tls 1.0 and 1.1 and move to tls 1.2, does this change impact all the active client to site vpn or the new parameter will be negotiated only for the new connections?

There will be downtime for this changing or it is fully transparent to user?

Our anyconnect version is 4,10.

Thanks

Regards

Rob Ingram · ‎03-07-2022

@MaErre21325 changing the TLS ciphers used on the FTD would impact the user connections. You change the FTD SSL/TLS setting using the Platform Settings. Guide here.

Any TLS settings on the FMC is for connections to the management Web GUI, therefore has no bearing on the anyconnect clients connecting to the FTD.

View solution in original post

MaErre21325 · ‎03-07-2022

Hi Rob,

now it's clear, thank you very much!

View solution in original post

Rob Ingram · ‎03-07-2022

@MaErre21325 I forgot to mention, from memory I think making the changes ended the users session, forcing them to reconnect, so you may want to make the change during a out of hours.

You may also wish to confirm that the current connected sessions support and are currently connecting using DTLS 1.2, using the command "show vpn-sessiondb detail anyconnect | include Encapsulation"

> show vpn-sessiondb detail anyconnect | include Encapsulation
Encapsulation: TLSv1.2 TCP Src Port : 35205
Encapsulation: DTLSv1.2 UDP Src Port : 26702

If you are changing the encryption, use "show vpn-sessiondb ratio encryption" to confirm what the current connections are using.

View solution in original post

MaErre21325 · ‎03-08-2022

yes, i'll do the change out of business hours

thanks for the tips

View solution in original post

Rob Ingram · ‎03-07-2022

@MaErre21325 changing the TLS ciphers used on the FTD would impact the user connections. You change the FTD SSL/TLS setting using the Platform Settings. Guide here.

Any TLS settings on the FMC is for connections to the management Web GUI, therefore has no bearing on the anyconnect clients connecting to the FTD.

MaErre21325 · ‎03-07-2022

Hi Rob,

now it's clear, thank you very much!

Rob Ingram · ‎03-07-2022

@MaErre21325 I forgot to mention, from memory I think making the changes ended the users session, forcing them to reconnect, so you may want to make the change during a out of hours.

You may also wish to confirm that the current connected sessions support and are currently connecting using DTLS 1.2, using the command "show vpn-sessiondb detail anyconnect | include Encapsulation"

> show vpn-sessiondb detail anyconnect | include Encapsulation
Encapsulation: TLSv1.2 TCP Src Port : 35205
Encapsulation: DTLSv1.2 UDP Src Port : 26702

If you are changing the encryption, use "show vpn-sessiondb ratio encryption" to confirm what the current connections are using.

MaErre21325 · ‎03-08-2022

yes, i'll do the change out of business hours

thanks for the tips

engineer467 · ‎07-20-2022

Hi Rob,

How do I achieve this using FDM? FTD is on 6.4.0.15

Thanks always

Rob Ingram · ‎07-20-2022

@engineer467 to change the TLS ciphers in FDM for RAVPN, you'll need to upgrade to version 7.0.

https://www.cisco.com/c/en/us/td/docs/security/firepower/70/relnotes/firepower-release-notes-700/features.html

engineer467 · ‎07-20-2022

Appreciate it, Rob.

mrlorincz · ‎06-12-2023

I know this is an old post but was curious if there was a different area to disable support for TLSv1.0 and TLSv1.1 for the FMC GUI, I presume platform settings only applies to the FTD devices (443 and RAVPN)?

engineer467 · ‎06-13-2023

Yes, platform settings are applied to the managed FTD. For FMC, I believe you will have to upgrade the FMC to the latest version in order to get TLS 1.2 and weak ciphers 1.0 or 1.1 should be disabled in that version.

mrlorincz · ‎06-13-2023

Thanks! That makes sense. I appreciate you responding.

Marvin Rhoads · ‎06-14-2023

The FMC GUI, even on the soon-to-be-released 7.4 does not disable weak ciphers.

See this thread and my reply dated 8 June for more details: https://community.cisco.com/t5/network-security/tls-version-1-1-protocol-deprecated/m-p/4851435#M1101375

mrlorincz · ‎06-14-2023

Thanks Marvin! Always nice to hear from a legend! That stinks about platform settings not affecting the mgmt interface's ciphers (being unable to disable TLSv1.0/TLSv1.1. I realized after my question that our security report didn't call out FMC as using TLSv1.0/TLSv1.2, I just ran an nmap scan and It seems it's only using TLSv1.2 (FMC7.0.5). At least that's some good news for me. Thanks for responding!

NSE: Script Post-scanning.
Initiating NSE at 08:55
Completed NSE at 08:55, 0.00s elapsed
Initiating NSE at 08:55
Completed NSE at 08:55, 0.00s elapsed
Read data files from: C:\Program Files (x86)\Nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.14 seconds
Raw packets sent: 5 (196B) | Rcvd: 2 (72B)

Marvin Rhoads · ‎06-14-2023

Ah, they may have updated that with 7.0.5. I think the previous 7.0 version I checked still had weak ciphers in the offering.

Disable TLS 1.0 - 1.1 on CISCO Firepower Management Center and FTD