Disable weak cipher and TLS on CISCO Firepower Management Center

Taro-AB81
Level 1

We are using Cisco Firepower Management Center for VMware with software version 6.1.0.3 (build 57) and software version 6.2.3.14 (build 41). During our VAPT assessment it was detected that this uses weak ciphers and TLS. I logged in via web browser and went through the settings but was not able to locate where to disable it. Could you please advise on this.


Thank you.

16 Replies

Sorry for necroing an old thread, but you seem very capable with this specific issue. Our router is failing an ASV compliance scan because it says that the ECDHE-RSA-AES256-SHA384 cipher is enabled on the port we use for SSL VPN, but in the SSL Settings in FDM I have a custom cipher suite that is only utilizing AES256-GCM-SHA384, DHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384, and ECDHE-RSA-AES256-GCM-SHA384. You mentioning the httpsd.conf file for the Apache server that would run on the SSL VPN port for people to download AnyConnect from makes me think that is where the problem lies. Do you think that may be the issue? And if so, how do I navigate to that file when connected to the CLI of the router so I can edit the httpsd.conf file? Am I able to get to it through the normal CLI, or do I need to use the SYSTEM SUPPORT DIAGNOSTIC-CLI method?

The http.conf information I mentioned earlier was specific to FMC and its web UI.

If your FDM-managed FTD has a custom cipher suite for SSL VPN, that should suffice for its interface with VPN enabled. Is it that interface address that is being scanned?

However, if you have any static NAT for a web server, a scan might also pick up the web server's settings, so be sure to check for that.
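The check the last two replies describe, as an added example (not code from Cisco or from anyone in this thread): take the suite list the poster configured in FDM, take what the ASV scan reports for the same address, and split the scan result into suites the configuration explains and suites it does not. A suite that is observed but not configured is evidence that something other than the configured listener (the Apache download page, a NAT'd web server) is answering on that port. The configured list is the one quoted in the thread; the scan results and the weakness rules are this example's own constructed assumptions, not Cisco's classification. The `probe()` helper needs network access and is only there to re-check a single suite after a change.

```python
"""Classify OpenSSL-style cipher suite names and compare a configured suite
list against what an external scan observed.  Added example, not code from
Cisco or from any poster in the thread."""
import socket
import ssl

# Suites the poster configured in FDM's SSL settings (quoted from the thread).
CONFIGURED = {
    "AES256-GCM-SHA384",
    "DHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
}

# Constructed sample: what a scanner might report for the same address.
# Includes the suite the ASV scan flagged in the thread plus one legacy suite.
SCAN_OBSERVED = {
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-SHA384",
    "AES128-SHA",
}


def classify(suite):
    """Return weakness labels for one OpenSSL cipher suite name.
    An empty list means the suite passes this example's (assumed) policy."""
    issues = []
    parts = suite.split("-")
    # Key exchange: no ECDHE/DHE prefix means static RSA, i.e. no forward secrecy.
    if parts[0] not in ("ECDHE", "DHE"):
        issues.append("no-forward-secrecy")
    # Bulk mode: GCM and CHACHA20-POLY1305 are AEAD; anything else in this
    # naming scheme is CBC or a legacy cipher, which scanners report as weak.
    if "GCM" not in parts and "CHACHA20" not in parts:
        issues.append("cbc-or-legacy-mode")
    # MAC: a bare trailing "SHA" (no digits) is HMAC-SHA1.
    if parts[-1] == "SHA":
        issues.append("sha1-mac")
    if any(p in ("RC4", "3DES", "DES", "NULL", "EXPORT", "MD5") for p in parts):
        issues.append("broken-primitive")
    return issues


def compare(configured, observed):
    """Split a scan's observed suites into those the configuration explains
    and those it does not.  'unexplained' suites mean the scanned port is
    answered by something other than the listener whose suites you set."""
    return {
        "expected": sorted(observed & configured),
        "unexplained": sorted(observed - configured),
        "weak_configured": sorted(s for s in configured if classify(s)),
    }


def probe(host, port=443, suite=None, timeout=5):
    """Open one TLS connection and return (protocol, negotiated suite).
    Offer only `suite` when given, so a successful handshake proves the
    server still accepts it.  Needs network; not used by the offline checks."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # we care about ciphers, not the cert
    ctx.verify_mode = ssl.CERT_NONE
    if suite:
        ctx.set_ciphers(suite)          # OpenSSL cipher-list syntax
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    result = compare(CONFIGURED, SCAN_OBSERVED)
    for key, suites in result.items():
        print(f"{key}: {suites}")
    for suite in sorted(SCAN_OBSERVED):
        print(f"{suite}: {classify(suite) or 'ok'}")
```

Run against the thread's numbers, the flagged ECDHE-RSA-AES256-SHA384 lands in `unexplained`, which is exactly the situation the replies describe: the configured SSL VPN listener cannot be the one offering it, so the next place to look is whatever else answers on that address. Note also that `weak_configured` is not empty: ECDHE-ECDSA-AES256-SHA384 is a CBC suite and AES256-GCM-SHA384 uses static RSA key exchange, so both can be flagged by the same kind of scan even though they are in the configured list.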
