Disabling Weak Ciphers for SSL VPN in Firepower FDM

Arshad Safrulla
VIP Alumni

Hi Experts,

I am running a VPN headend with FDM on an ASA 5516-X box. FDM is the customer's preferred choice as it has a GUI and he is not interested in going back to the ASA image. Recently we had an email from the customer after a vulnerability assessment was done against his environment. Below are the outcomes. Any support will be helpful to address this.

TLS/SSL Server Supports The Use of Static Key Ciphers

TLS/SSL Server is enabling the BEAST attack

TLS Server Supports TLS version 1.1

TLS Server Supports TLS version 1.0
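The four findings above are all things you can reproduce yourself from a host that can reach the headend's AnyConnect port, which is useful for confirming the fix later without waiting for the next scan. The script below is an added example and not part of the original post or of any Cisco tooling: it walks TLS 1.0 through 1.3, tries each cipher suite the local OpenSSL offers, and then maps what the server accepted onto the scanner's wording. Static-key suites are identified by the absence of an (EC)DHE prefix in the OpenSSL suite name, and BEAST exposure by CBC-mode suites negotiated under TLS 1.0. The hostname and port are assumptions to be replaced, and the live probe assumes the local OpenSSL still permits TLS 1.0/1.1 when the security level is lowered (it does on most OpenSSL 1.1.1 and 3.x builds). The `SAMPLE_RESULT` dictionary is constructed to exercise the classification offline.

```python
"""Probe a TLS endpoint for the scanner findings quoted in the thread:
TLS 1.0/1.1 support, static-key (non-forward-secret) suites, and CBC
suites under TLS 1.0 (BEAST). Added example, not Cisco code."""
import socket
import ssl
import sys

# Constructed sample of what probe() returns: suite names in OpenSSL notation,
# the form ssl.SSLSocket.cipher() reports. Not captured from any real headend.
SAMPLE_RESULT = {
    "TLSv1.0": ["AES128-SHA", "DES-CBC3-SHA"],
    "TLSv1.1": ["AES128-SHA"],
    "TLSv1.2": ["ECDHE-RSA-AES256-GCM-SHA384", "AES256-GCM-SHA384"],
    "TLSv1.3": ["TLS_AES_256_GCM_SHA384"],
}

VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def uses_static_key(suite: str) -> bool:
    """Static RSA key exchange: no ECDHE-/DHE- prefix and not a TLS 1.3 suite."""
    return not suite.startswith(("ECDHE-", "DHE-", "TLS_"))


def uses_cbc(suite: str) -> bool:
    """CBC-mode suite: the class BEAST targets when negotiated under TLS 1.0."""
    if suite.startswith("TLS_"):
        return False  # every TLS 1.3 suite is AEAD
    if any(tag in suite for tag in ("GCM", "CCM", "CHACHA20", "RC4")):
        return False  # AEAD, or RC4 (a stream cipher, bad for other reasons)
    return True


def audit(suites_by_version: dict) -> list:
    """Translate {version: [accepted suites]} into the scanner's finding strings."""
    findings = []
    for version in ("TLSv1.0", "TLSv1.1"):
        if suites_by_version.get(version):
            findings.append(f"TLS Server Supports TLS version {version[4:]}")
    static = {s for ss in suites_by_version.values() for s in ss if uses_static_key(s)}
    if static:
        findings.append("TLS/SSL Server Supports The Use of Static Key Ciphers: "
                        + ", ".join(sorted(static)))
    beast = [s for s in suites_by_version.get("TLSv1.0", []) if uses_cbc(s)]
    if beast:
        findings.append("TLS/SSL Server is enabling the BEAST attack: "
                        + ", ".join(sorted(beast)))
    return findings


def _context(version, ciphers="ALL:@SECLEVEL=0"):
    """Client context pinned to one protocol version; SECLEVEL=0 re-enables legacy suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # assessment probe: we are not trusting the server
    ctx.minimum_version = version
    ctx.maximum_version = version
    ctx.set_ciphers(ciphers)
    return ctx


def handshake(host, port, version, ciphers="ALL:@SECLEVEL=0", timeout=5.0):
    """Return the negotiated suite name, or None if the server refuses this version/cipher set."""
    try:
        ctx = _context(version, ciphers)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, ValueError, OSError):
        return None


def probe(host, port=443):
    """Per version, attempt each OpenSSL suite individually and collect the accepted ones."""
    result = {}
    for name, version in VERSIONS.items():
        if version == ssl.TLSVersion.TLSv1_3:
            suite = handshake(host, port, version)  # set_ciphers does not govern 1.3 suites
            result[name] = [suite] if suite else []
            continue
        accepted = []
        for entry in _context(version).get_ciphers():
            if entry["protocol"] == "TLSv1.3":
                continue
            suite = handshake(host, port, version, f"{entry['name']}:@SECLEVEL=0")
            if suite:
                accepted.append(suite)
        result[name] = accepted
    return result


if __name__ == "__main__":
    # Assumed usage: python probe_vpn_tls.py vpn.example.com 443
    target = sys.argv[1] if len(sys.argv) > 1 else "vpn.example.com"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    for line in audit(probe(target, port)) or ["no findings"]:
        print(line)
```

Each cipher is tried in its own connection, so expect a few hundred handshakes per version; that is fine against a lab headend but rate-limit it (or run it from a maintenance window) against production. An empty `audit()` result after the change is the evidence you hand back to the customer.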

11 Replies

omz
VIP Alumni

TLS 1.0 and 1.1 are considered vulnerable.

Recommended is TLS 1.2 or 1.3.


I am totally aware of it, mate. The biggest worry is I don't find an option to disable it in the GUI, Firepower or Lina CLI. Any idea whether this can be done at the Linux level?

Marvin Rhoads
Hall of Fame

The commands necessary to restrict SSL/TLS cipher suites are not currently available for FDM (or CDO) managed Firepower devices. Also, you cannot add them via FlexConfig (they are blacklisted).

If you use FMC management, the settings can be changed under Devices > Platforms Settings > SSL. See the following:

[Attachment: FMC SSL settings for FTD.PNG]

Thanks Marvin. I am currently on 6.5.04. Any idea about 6.6.0? Not related to the subject, but how is the SBL support for AnyConnect on FDM or Firepower?

6.6 also does not allow this change from FDM/CDO. We have to wait until those settings are API-enabled.

Fingers crossed for 6.7 (Fall 2020) but time will tell.

Hi Marvin,


I'm experiencing the same issue with our FTD AnyConnect website. I opened a service ticket earlier this year but the explanation was a little different at the time. Are you saying that currently a Cisco security product is vulnerable and they don't have any plans to fix this issue until November?


Thanks,

Anybody figured out how to do that?

Running 6.7 on an NGFW 2110 with FDM and can't set the TLS to TLSv1.2.

Can't find what FlexConfig I can use for that.

Works fine in FireSIGHT-managed devices.


This FDM shortcoming will be addressed in version 7.0 (the next release after 6.7). It's in the GUI there.

@loizosko 

It looks like you can do this in FDM 6.7 using the API.

[Attachment: ssl ciphers.PNG]

You don't appear to be able to make changes using FlexConfig in 6.7; the CLI commands are currently blacklisted.

From Cisco:


If you are using FDM it's not possible to enable FIPS. This is a known issue.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvp07593/?rfs=iqvred


rtahirov
Cisco Employee

In FDM this can be configured from System Settings -> SSL Settings.
The feature is available from version 7.0 onwards.
