28094 Views | 18 Helpful | 18 Replies

Disable weak cipher and TLS on CISCO Firepower Management Center

Taro-AB81
Level 1

We are using CISCO Firepower Management Center for VMWare with software version 6.1.0.3 (build 57) and Software Version 6.2.3.14 (build 41). During our VAPT assessment it's been detected that this uses weak ciphers and TLS. I did log in via web browser and went through the settings but was not able to locate where to disable it. Could you please advise on this.

Thank you.

18 Replies

Sorry for necroing an old thread, but you seem very capable with this specific issue. Our router is failing an ASV compliance scan because it says that the ECDHE-RSA-AES256-SHA384 cipher is enabled on the port we use for SSL VPN, but in the SSL Settings in FDM I have a custom cipher suite that is only utilizing AES256-GCM-SHA384, DHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384, and ECDHE-RSA-AES256-GCM-SHA384. Your mentioning the httpsd.conf file for the Apache server that would run on the SSL VPN port for people to download AnyConnect from makes me think that that is where the problem lies. Do you think that may be the issue? And if so, how do I navigate to that file when connected to the CLI of the router so I can edit the httpsd.conf file? Am I able to get to it through the normal CLI, or do I need to use the SYSTEM SUPPORT DIAGNOSTIC-CLI method?

The http.conf information I mentioned earlier was specific to FMC and its web UI.

If your FDM-managed FTD has a custom cipher suite for SSL VPN, that should suffice for its interface with VPN enabled. Is it that interface address that is being scanned?

However, if you have any static NAT for a web server, a scan might also pick up the web server's settings, so be sure to check for that.

I'm in the same place again unfortunately. You were right: it looks like the HTTPS web server that runs on our SSL VPN port to provide the Cisco AnyConnect package to users has a separate set of SSL ciphers, which include the less secure CBC ciphers that my PCI DSS scanning vendor is flagging me for. I researched for a WHILE and found a way to edit the SSL settings for the HTTPS server using the FXOS CLI, but when I went to commit my changes to the buffer it errored out. Turns out you're not allowed to use FXOS configuration commands in the CLI if you're not using a Cisco 4300 or 9100 series router, which in my opinion is INSANE. The "connect ftd" CLI has no way of editing these same settings, which is unfortunate. Am I just SOL?

It's OK if I am, I'd just like to know so I can stop wasting time on it and try to negotiate something with my scanning vendor. Thanks for always being helpful.
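The exchange above turns on two checks a practitioner wants before arguing with a scanning vendor: which of the configured suite names are CBC or otherwise non-AEAD, and whether the suite the scanner flagged is even in the configured list (if it is not, some other listener on that port, such as the AnyConnect download web server, is answering the handshake). The following Python script is an added example, not code from the thread or from Cisco. It classifies OpenSSL-style cipher names with a simplified approximation of the rules PCI ASV scans commonly apply (the exact scanner policy is an assumption), reconciles a scan finding against a configured list, and includes an optional live probe, using only the standard `ssl` module, that attempts one TLS 1.2 handshake per candidate cipher against a host you own so you can confirm what the port actually negotiates. The configured suite and the flagged cipher are taken from the post above; the host and port for the probe are placeholders supplied on the command line.

```python
"""Cipher-suite triage for a TLS listener: classify, reconcile with a scan, probe.

Added example, not from the thread or from Cisco. The weak-cipher rules are a
simplified approximation of common PCI ASV scan policy (assumption).
"""
import socket
import ssl
import sys
from dataclasses import dataclass, field

# OpenSSL cipher names whose bulk cipher is AEAD contain one of these tokens.
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20-POLY1305")
# Tokens that mark algorithms a compliance scan rejects outright.
LEGACY_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "SEED", "IDEA", "ADH", "AECDH")

# Constructed from the post above: the custom FDM suite and the flagged cipher.
FDM_SUITE = [
    "AES256-GCM-SHA384",
    "DHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
]
SCAN_FLAGGED = ["ECDHE-RSA-AES256-SHA384"]


@dataclass
class CipherVerdict:
    name: str
    findings: list = field(default_factory=list)

    @property
    def weak(self) -> bool:
        return bool(self.findings)


def assess_cipher(name: str) -> CipherVerdict:
    """Return the reasons a scanner would object to one OpenSSL cipher name."""
    n = name.upper()
    findings = []
    if any(m in n for m in LEGACY_MARKERS):
        findings.append("legacy algorithm")
    if not any(m in n for m in AEAD_MARKERS):
        # No GCM/CCM/ChaCha token: CBC mode (or RC4 stream), MAC-then-encrypt.
        findings.append("not AEAD (CBC or stream mode)")
    if not (n.startswith("ECDHE-") or n.startswith("DHE-")):
        findings.append("no forward secrecy")
    if n.endswith("-SHA"):
        findings.append("SHA-1 MAC")
    return CipherVerdict(name, findings)


def weak_ciphers(configured):
    """Map each configured name that draws a finding to its list of findings."""
    return {v.name: v.findings for v in map(assess_cipher, configured) if v.weak}


def reconcile(configured, flagged):
    """Split scan findings into (in our list, not in our list).

    Anything in the second group was negotiated by something other than the
    service whose suite we configured, which is the situation in the thread.
    """
    cfg = {c.upper() for c in configured}
    in_cfg = [c for c in flagged if c.upper() in cfg]
    elsewhere = [c for c in flagged if c.upper() not in cfg]
    return in_cfg, elsewhere


def probe_ciphers(host, port, candidates, timeout=5.0):
    """Attempt one TLS 1.2 handshake per candidate; return the names accepted.

    Version is pinned to 1.2 because 1.3 suites are negotiated separately and
    would otherwise mask the result. Certificate checks are disabled on purpose:
    the question is which cipher the server accepts, not whether its cert is valid.
    """
    accepted = []
    for name in candidates:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        try:
            ctx.set_ciphers(name)
        except ssl.SSLError:
            continue  # local OpenSSL build does not know this name
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    accepted.append(tls.cipher()[0])
        except (OSError, ssl.SSLError):
            pass  # handshake refused: server does not offer this cipher
    return accepted


if __name__ == "__main__":
    print("Findings in configured suite:", weak_ciphers(FDM_SUITE))
    print("Flagged (in list, not in list):", reconcile(FDM_SUITE, SCAN_FLAGGED))
    if len(sys.argv) == 3:  # python script.py <vpn-host-placeholder> 443
        host, port = sys.argv[1], int(sys.argv[2])
        print("Server accepts:", probe_ciphers(host, port, FDM_SUITE + SCAN_FLAGGED))
```

Run without arguments it reports that ECDHE-ECDSA-AES256-SHA384 in the configured list is itself a CBC suite and that the flagged ECDHE-RSA-AES256-SHA384 is absent from the list, so the scan must be hitting a different listener; run with a host and port it shows which names that port really negotiates, which is the evidence to bring to the vendor.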

minhn
Level 1


"If we are using only FDM and not FMC, how can we disable SSL CBC ciphers? Also, do we need any licenses to proceed with this configuration?"
