Disable TLS 1.0 - 1.1 on CISCO Firepower Management Center and FTD

MaErre21325
Level 1

Hello guys,

We need to disable TLS 1.0 and 1.1 and move to TLS 1.2. Does this change impact all the active client-to-site VPN sessions, or will the new parameter be negotiated only for new connections?

Will there be downtime for this change, or is it fully transparent to users?

Our AnyConnect version is 4.10.

Thanks

Regards

4 Accepted Solutions

@MaErre21325 changing the TLS ciphers used on the FTD would impact the user connections. You change the FTD SSL/TLS setting using the Platform Settings. Guide here.

Any TLS settings on the FMC are for connections to the management Web GUI, and therefore have no bearing on the AnyConnect clients connecting to the FTD.


Hi Rob,

 

now it's clear, thank you very much!


@MaErre21325 I forgot to mention, from memory I think making the changes ended the users' sessions, forcing them to reconnect, so you may want to make the change out of hours.


You may also wish to confirm that the current connected sessions support and are currently connecting using DTLS 1.2, using the command "show vpn-sessiondb detail anyconnect | include Encapsulation"


> show vpn-sessiondb detail anyconnect | include Encapsulation
Encapsulation: TLSv1.2 TCP Src Port : 35205
Encapsulation: DTLSv1.2 UDP Src Port : 26702


If you are changing the encryption, use "show vpn-sessiondb ratio encryption" to confirm what the current connections are using.

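To see in advance which tunnels the change would drop, here is an added Python example (not from the thread or from Cisco) that parses the Encapsulation lines returned by the command above, as copied from an SSH session. The sample output in the script is constructed and deliberately includes TLSv1.1 and DTLSv1.0 lines that the real post did not show.

```python
import re
from collections import Counter

# Constructed sample of "show vpn-sessiondb detail anyconnect | include Encapsulation"
# output (not captured from a real FTD): two sessions already on 1.2 and two on
# legacy protocol versions that would be ended when TLS 1.0/1.1 are disabled.
SAMPLE_OUTPUT = """\
Encapsulation: TLSv1.2 TCP Src Port : 35205
Encapsulation: DTLSv1.2 UDP Src Port : 26702
Encapsulation: TLSv1.1 TCP Src Port : 40112
Encapsulation: DTLSv1.0 UDP Src Port : 51233
"""

# One tunnel per line: protocol version, transport, and client source port.
ENCAP_RE = re.compile(
    r"Encapsulation:\s*(D?TLSv\d\.\d)\s+(TCP|UDP)\s+Src Port\s*:\s*(\d+)"
)
# Versions that survive the change (assumed target policy: 1.2 only).
ALLOWED = {"TLSv1.2", "DTLSv1.2"}


def parse_encapsulations(text):
    """Return (protocol, transport, src_port) for every Encapsulation line."""
    return [(m.group(1), m.group(2), int(m.group(3))) for m in ENCAP_RE.finditer(text)]


def legacy_tunnels(text, allowed=ALLOWED):
    """Tunnels negotiated below the allowed versions; these reconnect or fail after the change."""
    return [t for t in parse_encapsulations(text) if t[0] not in allowed]


def protocol_summary(text):
    """Count of tunnels per negotiated protocol version."""
    return Counter(proto for proto, _, _ in parse_encapsulations(text))


if __name__ == "__main__":
    for proto, count in sorted(protocol_summary(SAMPLE_OUTPUT).items()):
        print(f"{proto:10s} {count}")
    for proto, transport, port in legacy_tunnels(SAMPLE_OUTPUT):
        print(f"legacy: {proto} over {transport}, client src port {port}")
```

Run it against the saved command output; an empty legacy list means no active tunnel depends on the versions being removed.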

Yes, I'll do the change out of business hours.

Thanks for the tips.


13 Replies


Hi Rob,

How do I achieve this using FDM? FTD is on 6.4.0.15

Thanks always

Appreciate it, Rob.

mrlorincz
Level 1

I know this is an old post but was curious if there was a different area to disable support for TLSv1.0 and TLSv1.1 for the FMC GUI, I presume platform settings only applies to the FTD devices (443 and RAVPN)?

Yes, platform settings are applied to the managed FTD. For FMC, I believe you will have to upgrade the FMC to the latest version in order to get TLS 1.2 and weak ciphers 1.0 or 1.1 should be disabled in that version.

Thanks! That makes sense. I appreciate you responding.

The FMC GUI, even on the soon-to-be-released 7.4 does not disable weak ciphers.

See this thread and my reply dated 8 June for more details: https://community.cisco.com/t5/network-security/tls-version-1-1-protocol-deprecated/m-p/4851435#M1101375

Thanks Marvin! Always nice to hear from a legend! That stinks about platform settings not affecting the mgmt interface's ciphers (being unable to disable TLSv1.0/TLSv1.1). I realized after my question that our security report didn't call out FMC as using TLSv1.0/TLSv1.2, I just ran an nmap scan and it seems it's only using TLSv1.2 (FMC 7.0.5). At least that's some good news for me. Thanks for responding!

PORT STATE SERVICE VERSION
443/tcp open ssl/http Apache httpd
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| compressors:
| NULL
| cipher preference: server
|_ least strength: A
|_http-server-header: Apache

NSE: Script Post-scanning.
Initiating NSE at 08:55
Completed NSE at 08:55, 0.00s elapsed
Initiating NSE at 08:55
Completed NSE at 08:55, 0.00s elapsed
Read data files from: C:\Program Files (x86)\Nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.14 seconds
Raw packets sent: 5 (196B) | Rcvd: 2 (72B)
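As an added example (not part of the post or of nmap), a small Python parser for the ssl-enum-ciphers section of an nmap scan like the one above: it reports whether TLSv1.0 or TLSv1.1 are still offered and, going one step beyond the poster's check, lists the static-RSA suites that lack forward secrecy. The scan text embedded below is constructed, with a TLSv1.0 block added so the check has something to flag.

```python
import re

# Constructed ssl-enum-ciphers excerpt (not a real scan): the TLSv1.2 block mirrors
# the post's output, and a TLSv1.0 block is added to exercise the deprecated check.
SAMPLE_NMAP = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|_  least strength: A
"""

# Protocol header lines ("|   TLSv1.2:") and cipher lines ("| TLS_... (rsa 2048) - A").
PROTO_RE = re.compile(r"^\|_?\s*((?:SSLv|TLSv)[\d.]+):\s*$")
CIPHER_RE = re.compile(r"^\|_?\s*(TLS_[A-Z0-9_]+)\s+\(([^)]*)\)\s+-\s+(\w)\s*$")
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}


def parse_enum_ciphers(text):
    """Map each offered protocol version to its list of (suite, kex detail, grade)."""
    result, current = {}, None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = []
            continue
        m = CIPHER_RE.match(line)
        if m and current is not None:
            result[current].append((m.group(1), m.group(2), m.group(3)))
    return result


def deprecated_protocols(text):
    """Protocol versions the server still offers that should be disabled."""
    return sorted(p for p in parse_enum_ciphers(text) if p in DEPRECATED)


def non_pfs_ciphers(text):
    """Suites using static RSA key exchange (no forward secrecy), per protocol."""
    return {p: [c for c, _, _ in suites if c.startswith("TLS_RSA_")]
            for p, suites in parse_enum_ciphers(text).items()}


if __name__ == "__main__":
    print("deprecated:", deprecated_protocols(SAMPLE_NMAP))
    print("no forward secrecy:", non_pfs_ciphers(SAMPLE_NMAP))
```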


Ah, they may have updated that with 7.0.5. I think the previous 7.0 version I checked still had weak ciphers in the offering.
