04-23-2020 06:15 AM
Hi Experts,
I am running a VPN headend with FDM on an ASA 5516-X box. FDM is the customer's preferred choice as it has a GUI, and he is not interested in going back to the ASA image. Recently we had an email from the customer after a vulnerability assessment was done against his environment. Below are the outcomes. Any support will be helpful to address this.
- TLS/SSL Server Supports The Use of Static Key Ciphers
- TLS/SSL Server is enabling the BEAST attack
- TLS Server Supports TLS version 1.1
- TLS Server Supports TLS version 1.0
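Added here as a verification check, not code from any post in this thread: a small Python probe that re-tests a headend for the four findings listed above (TLS 1.0, TLS 1.1, static-RSA key exchange, CBC suites under TLS 1.0 for BEAST) so the result can be confirmed after the SSL settings are changed. The hostname is a placeholder; the probe only reports what the local OpenSSL build is itself able to offer, so an OpenSSL with TLS 1.0/1.1 compiled out will show those as rejected.

```python
import socket
import ssl

# Each probe pins one protocol window and an OpenSSL cipher string.
# "kRSA" selects static-RSA key exchange (the "static key ciphers" finding);
# CBC suites negotiated under TLS 1.0 are what the BEAST finding refers to.
# "@SECLEVEL=0" lets the local OpenSSL offer legacy suites it would otherwise refuse.
PROBES = [
    ("tls1.0", ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1, "ALL:@SECLEVEL=0"),
    ("tls1.1", ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_1, "ALL:@SECLEVEL=0"),
    ("tls1.2", ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_2, "ALL:@SECLEVEL=0"),
    ("static-rsa", ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_2, "kRSA:@SECLEVEL=0"),
    ("tls1.0-cbc", ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1,
     "AES128-SHA:AES256-SHA:DES-CBC3-SHA:@SECLEVEL=0"),
]

# Finding titles exactly as the assessment reported them, keyed by probe label.
FINDINGS = {
    "tls1.0": "TLS Server Supports TLS version 1.0",
    "tls1.1": "TLS Server Supports TLS version 1.1",
    "static-rsa": "TLS/SSL Server Supports The Use of Static Key Ciphers",
    "tls1.0-cbc": "TLS/SSL Server is enabling the BEAST attack",
}


def handshake_ok(host, port, min_v, max_v, ciphers, timeout=5.0):
    """True if the server completes a handshake under these constraints.
    Certificate validation is disabled on purpose: only protocol/cipher
    acceptance is being tested, not trust."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = min_v
        ctx.maximum_version = max_v
        ctx.set_ciphers(ciphers)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError, ValueError):
        return False


def findings_from(results):
    """Map probe results ({label: accepted?}) back to the assessment's finding titles."""
    return [text for label, text in FINDINGS.items() if results.get(label)]


def scan(host, port=443):
    results = {label: handshake_ok(host, port, lo, hi, c) for label, lo, hi, c in PROBES}
    return results, findings_from(results)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "vpn.example.invalid"  # placeholder host
    res, found = scan(target)
    for label, ok in res.items():
        print(f"{label:11s} {'accepted' if ok else 'rejected'}")
    print("findings:", found or "none")
```

A remediated headend should show only `tls1.2` as accepted and an empty findings list.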
04-23-2020 06:33 AM
TLS 1.0 and 1.1 are considered vulnerable.
Recommended is TLS 1.2 or 1.3.
04-23-2020 07:08 AM
I am totally aware of it, mate. The biggest worry is I don't find an option to disable it in the GUI, Firepower or Lina CLI. Any idea whether this can be done at the Linux level?
04-23-2020 07:22 AM
The commands necessary to restrict SSL/TLS ciphersuites are not currently available for FDM (or CDO) managed Firepower devices. Also, you cannot add them via Flexconfig (blacklisted).
If you use FMC management, the settings can be changed under Devices > Platforms Settings > SSL. See the following:
04-23-2020 07:37 AM
Thanks Marvin. I am currently on 6.5.04. Any idea on 6.6.0? Not related to the subject, but how is the SBL support for AnyConnect on FDM or Firepower?
04-23-2020 10:10 AM
6.6 also does not allow this change from FDM/CDO. We have to wait until those settings are API-enabled.
Fingers crossed for 6.7 (Fall 2020) but time will tell.
04-24-2020 12:29 PM
Hi Marvin,
I'm experiencing the same issue with our FTD AnyConnect website. I opened a service ticket earlier this year, but the explanation was a little different at the time. Are you saying that currently a Cisco security product is vulnerable and they don't have any plans to fix this issue until November?
Thanks,
02-11-2021 10:54 AM
Anybody figured out how to do that?
Running 6.7 on an NGFW 2110 with FDM and can't set the TLS to TLSv1.2.
Can't find what FlexConfig I can use for that.
Works fine on FireSIGHT-managed devices.
03-27-2021 07:20 AM
This FDM shortcoming will be addressed in version 7.0 (the next release after 6.7). It's in the GUI there.
02-11-2021 11:10 AM - edited 02-11-2021 11:48 AM
It looks like you can do this in FDM 6.7 using API.
You don't appear to be able to make changes using FlexConfig in 6.7; the CLI commands are currently blacklisted.
03-26-2021 10:29 AM
From Cisco:
If you are using FDM, it's not possible to enable FIPS. This is a known issue.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvp07593/?rfs=iqvred
04-07-2022 11:45 AM
In FDM this can be configured from System Settings -> SSL Settings.
The feature is available for version 7.0+.