04-23-2020 06:15 AM
Hi Experts,
I am running a VPN headend with FDM on an ASA 5516-X box. FDM is the customer's preferred choice as it has a GUI and he is not interested in going back to the ASA image. Recently we had an email from the customer after having a vulnerability assessment done against his environment. Below are the outcomes. Any support will be helpful to address this.
TLS/SSL Server Supports The Use of Static Key Ciphers
TLS/SSL Server is enabling the BEAST attack
TLS Server Supports TLS version 1.1
TLS Server Supports TLS version 1.0
04-23-2020 06:33 AM
TLS 1.0 and 1.1 are considered vulnerable
recommended is TLS 1.2 or 1.3
04-23-2020 07:08 AM
I am totally aware of it mate, the biggest worry is I don't find an option to disable it in the GUI, Firepower or Lina CLI. Any idea whether this can be done at the Linux level?
04-23-2020 07:22 AM
The commands necessary to restrict SSL/TLS ciphersuites are not currently available for FDM (or CDO) managed Firepower devices. Also, you cannot add them via Flexconfig (blacklisted).
If you use FMC management, the settings can be changed under Devices > Platforms Settings > SSL. See the following:
04-23-2020 07:37 AM
Thanks Marvin. I am currently in 6.5.04. Any idea on 6.6.0? Not related to the subject, but how is the SBL support for anyconnect FDM or Firepower?
04-23-2020 10:10 AM
6.6 also does not allow this change from FDM/CDO. We have to wait until those settings are API-enabled.
Fingers crossed for 6.7 (Fall 2020) but time will tell.
04-24-2020 12:29 PM
Hi Marvin,
I'm experiencing the same issue with our FTD AnyConnect website. I opened a service ticket earlier this year but the explanation was a little different at the time. Are you saying that currently a Cisco security product is vulnerable and they don't have any plans to fix this issue until November?
Thanks,
02-11-2021 10:54 AM
Anybody figured out how to do that?
Running 6.7 on an NGFW 2110 with FDM and can't set the TLS to TLSv1.2.
Can't find what FlexConfig I can use for that.
Works fine in FireSIGHT managed devices.
03-27-2021 07:20 AM
This FDM shortcoming will be addressed in version 7.0 (the next release after 6.7). It's in the GUI there.
02-11-2021 11:10 AM - edited 02-11-2021 11:48 AM
It looks like you can do this in FDM 6.7 using the API.
You don't appear to be able to make changes using FlexConfig in 6.7; the CLI commands are currently blacklisted.
03-26-2021 10:29 AM
From Cisco:
If you are using FDM it's not possible to enable FIPS. This is a known issue.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvp07593/?rfs=iqvred
04-07-2022 11:45 AM
In FDM this can be configured from System Settings -> SSL Settings.
The feature is available for version 7.0+.
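Once the SSL settings have been changed in FDM 7.0+, the useful follow-up is to re-run the same four checks the assessment produced rather than wait for the next scan. The script below is an added example for this thread, not Cisco or community code, and uses only the Python standard library: it attempts a handshake pinned to TLS 1.0 and 1.1, enumerates which TLS 1.2 suites the server still accepts, and maps the results onto the finding titles quoted in the first post. `TARGET_HOST` is a placeholder, and the static-key and CBC classification is a heuristic on OpenSSL-style suite names (ephemeral suites carry an `ECDHE-`/`DHE-` prefix; BEAST applies to CBC suites negotiated under TLS 1.0).

```python
"""Re-check a VPN headend for the four assessment findings listed in this thread.

Added example, not Cisco or community-provided code. Standard library only.
TARGET_HOST is a placeholder; cipher classification works on OpenSSL-style
suite names as the ssl module reports them.
"""
import socket
import ssl

TARGET_HOST = "vpn.example.invalid"  # placeholder: your FTD/ASA headend
TARGET_PORT = 443

# Versions the assessment flagged as legacy, with the label used in its titles.
LEGACY_VERSIONS = (("1.0", ssl.TLSVersion.TLSv1), ("1.1", ssl.TLSVersion.TLSv1_1))

# Modern OpenSSL refuses TLS 1.0/1.1 at its default security level, so the
# probe lowers it on the client side only; the server is what is being tested.
PERMISSIVE_CIPHERS = "ALL:@SECLEVEL=0"


def is_static_key_cipher(name: str) -> bool:
    """True when the suite's key exchange is static (RSA or fixed ECDH/DH).

    OpenSSL names ephemeral suites with an ECDHE-/DHE- prefix; TLS 1.3 suites
    (TLS_...) always use ephemeral key exchange.
    """
    if name.startswith("TLS_"):
        return False
    return not name.startswith(("ECDHE-", "DHE-"))


def is_cbc_cipher(name: str) -> bool:
    """True for CBC-mode suites, the ones BEAST targets when TLS 1.0 is enabled."""
    if name.startswith("TLS_"):
        return False
    return not any(tag in name for tag in ("GCM", "CCM", "CHACHA20", "RC4", "NULL"))


def findings_for(legacy: dict, accepted_tls12: list) -> list:
    """Map handshake results onto the scanner's finding titles.

    legacy: {"1.0": negotiated cipher or None, "1.1": ...}
    accepted_tls12: suite names the server accepted under TLS 1.2
    """
    out = []
    for label, _ in LEGACY_VERSIONS:
        if legacy.get(label):
            out.append(f"TLS Server Supports TLS version {label}")
    if any(is_static_key_cipher(c) for c in accepted_tls12):
        out.append("TLS/SSL Server Supports The Use of Static Key Ciphers")
    tls10_cipher = legacy.get("1.0")
    if tls10_cipher and is_cbc_cipher(tls10_cipher):
        out.append("TLS/SSL Server is enabling the BEAST attack")
    return out


def _handshake(host, port, version, ciphers=PERMISSIVE_CIPHERS):
    """One handshake pinned to a single version and cipher list.

    Returns the negotiated suite name, or None if the server (or the local
    OpenSSL build) refused the combination.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # probing negotiation, not certificate trust
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        ctx.set_ciphers(ciphers)
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError, ValueError):
        return None


def accepted_tls12_ciphers(host, port):
    """Try every pre-1.3 suite the local OpenSSL knows, one handshake each."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(PERMISSIVE_CIPHERS)
    names = [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    return [n for n in names if _handshake(host, port, ssl.TLSVersion.TLSv1_2, n)]


def probe(host=TARGET_HOST, port=TARGET_PORT):
    """Return the list of finding titles that still apply to host:port."""
    legacy = {label: _handshake(host, port, ver) for label, ver in LEGACY_VERSIONS}
    return findings_for(legacy, accepted_tls12_ciphers(host, port))


if __name__ == "__main__":
    for finding in probe():
        print(finding)
```

An empty list from `probe()` means none of the four findings reproduce; a non-empty list names exactly which ones remain, so the output can be compared line for line with the assessment report. The per-suite enumeration issues one handshake per candidate suite, which is slow but keeps the logic transparent.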