I am running a VPN headend with FDM on an ASA 5516-X box. FDM is the customer's preferred choice as it has a GUI and he is not interested in going back to the ASA image. Recently we had an email from the customer after having a vulnerability assessment done against his environment. Below are the outcomes. Any support will be helpful to address this.
TLS/SSL Server Supports The Use of Static Key Ciphers
TLS/SSL Server is enabling the BEAST attack
TLS Server Supports TLS version 1.1
TLS Server Supports TLS version 1.0
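Added example, not from this thread or from Cisco: a small Python script that maps a scanner's observed protocol/cipher-suite pairs onto the four findings above (no forward secrecy, CBC under TLS 1.0 for BEAST, TLS 1.0, TLS 1.1) and shows which offerings would survive a policy of TLS 1.2 with forward-secret, non-CBC suites. The OBSERVED list is constructed sample data, not a real scan of the 5516-X.

```python
import re
from collections import defaultdict

# Constructed sample of a scanner's view of the headend: (protocol, IANA suite).
OBSERVED = [
    ("TLSv1.0", "TLS_RSA_WITH_AES_128_CBC_SHA"),
    ("TLSv1.0", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"),
    ("TLSv1.1", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"),
    ("TLSv1.2", "TLS_RSA_WITH_AES_128_GCM_SHA256"),
    ("TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"),
    ("TLSv1.2", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"),
]
LEGACY = ("SSLv3", "TLSv1.0", "TLSv1.1")
SUITE_RE = re.compile(r"^TLS_(?P<kx>[A-Z0-9_]+?)_WITH_(?P<enc>.+?)_(SHA\d*|MD5)$")

def parse_suite(name):
    """Derive the two properties the findings hinge on from an IANA suite name."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    return {
        # Only ephemeral (EC)DHE key exchange gives forward secrecy; RSA,
        # static (EC)DH and plain PSK exchanges reuse a long-term key.
        "forward_secrecy": m.group("kx").split("_")[0] in ("DHE", "ECDHE"),
        "cbc": m.group("enc").endswith("_CBC"),
    }

def classify(observed):
    """Map (protocol, suite) pairs onto the four scanner findings."""
    findings = defaultdict(list)
    for proto, name in observed:
        suite = parse_suite(name)
        if not suite["forward_secrecy"]:
            findings["static key ciphers"].append(f"{proto} {name}")
        if proto in ("SSLv3", "TLSv1.0") and suite["cbc"]:  # BEAST: CBC under TLS 1.0
            findings["BEAST"].append(f"{proto} {name}")
        if proto == "TLSv1.0":
            findings["TLS 1.0 supported"].append(name)
        if proto == "TLSv1.1":
            findings["TLS 1.1 supported"].append(name)
    return dict(findings)

def hardened(observed):
    """What survives a policy of TLS 1.2+ with forward-secret, non-CBC suites."""
    return [(p, n) for p, n in observed
            if p not in LEGACY and parse_suite(n)["forward_secrecy"]
            and not parse_suite(n)["cbc"]]
```

Calling classify(OBSERVED) reproduces all four findings, and classify(hardened(OBSERVED)) returns an empty dict, which is the state a re-scan should confirm once the headend's allowed versions and ciphers are restricted.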
I am totally aware of it, mate. The biggest worry is I don't find an option to disable it in the GUI, Firepower or Lina CLI. Any idea whether this can be done at the Linux level?
The commands necessary to restrict SSL/TLS ciphersuites are not currently available for FDM (or CDO) managed Firepower devices. Also, you cannot add them via Flexconfig (blacklisted).
If you use FMC management, the settings can be changed under Devices > Platforms Settings > SSL. See the following:
Thanks Marvin. I am currently on 6.5.04. Any idea on 6.6.0? Not related to the subject, but how is the SBL support for AnyConnect on FDM or Firepower?
6.6 also does not allow this change from FDM/CDO. We have to wait until those settings are API-enabled.
Fingers crossed for 6.7 (Fall 2020) but time will tell.
I'm experiencing the same issue with our FTD AnyConnect website. I opened a service ticket earlier this year but the explanation was a little different at the time. Are you saying that currently a Cisco security product is vulnerable and they don't have any plans to fix this issue until November?
Anybody figured out how to do that?
Running 6.7 ngfw2110 with FDM and can't set the TLS to TLSv1.2.
Can't find what FlexConfig I can use for that.
Works fine in FireSIGHT managed devices.
It looks like you can do this in FDM 6.7 using the API.
You don't appear to be able to make changes using FlexConfig on 6.7; the CLI commands are currently blacklisted.
If you are using FDM it's not possible to enable FIPS. This is a known issue.