Arshadsaf
Beginner
Disabling Weak Ciphers for SSL VPN in Firepower FDM

Hi Experts,

I am running a VPN headend with FDM on an ASA 5516-X box. FDM is the customer's preferred choice as it has a GUI, and he is not interested in going back to the ASA image. Recently we had an email from the customer after a vulnerability assessment was done against his environment; below are the outcomes. Any support to address this will be helpful.

TLS/SSL Server Supports The Use of Static Key Ciphers

TLS/SSL Server is enabling the BEAST attack

TLS Server Supports TLS version 1.1

TLS Server Supports TLS version 1.0
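The four findings above are all things a client can reproduce with plain handshakes, which is also the check you want after changing the platform settings. The script below is an added example, not code from this thread or from Cisco: it attempts one handshake per condition (TLS 1.0 only, TLS 1.1 only, RSA-key-transport ciphers only) and maps the results to the scanner's wording. The hostname `vpn.example.com` and port 443 are assumed placeholders; it never changes anything on the device.

```python
"""Reproduce the scanner findings from the post against a TLS endpoint such as
an AnyConnect/SSL VPN headend: TLS 1.0 enabled, TLS 1.1 enabled, static-key
(RSA key exchange, no forward secrecy) ciphers accepted, and CBC ciphers
negotiable under TLS 1.0 (the BEAST precondition).

Added example, not code from the thread or from Cisco. It only performs
client handshakes and changes nothing on the device. Host/port are assumed.
"""
import socket
import ssl

TIMEOUT = 5  # seconds per handshake attempt


def _base_context():
    """Client context that accepts any certificate: we are testing the server's
    protocol/cipher policy, not its certificate chain."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # Modern OpenSSL refuses TLS 1.0/1.1 at the default security level;
        # lower it so the probes can actually offer the legacy versions.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # older/other TLS library without security levels
    return ctx


def _only_version(ctx, version):
    ctx.minimum_version = version
    ctx.maximum_version = version


def _static_rsa(ctx):
    # kRSA = RSA key transport: the premaster secret is encrypted to the
    # server's long-term key, so a key compromise decrypts recorded sessions.
    ctx.set_ciphers("kRSA:@SECLEVEL=0")
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.3 has no RSA kex


PROBES = {
    "tls1.0": lambda c: _only_version(c, ssl.TLSVersion.TLSv1),
    "tls1.1": lambda c: _only_version(c, ssl.TLSVersion.TLSv1_1),
    "static_rsa": _static_rsa,
}


def probe(host, port, configure):
    """Attempt one handshake. Returns (accepted, negotiated_version, cipher)."""
    ctx = _base_context()
    try:
        configure(ctx)
        with socket.create_connection((host, port), timeout=TIMEOUT) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.version(), tls.cipher()[0]
    except (ssl.SSLError, OSError, ValueError):
        # SSLError: server refused the version/cipher. OSError: network.
        # ValueError: local TLS library cannot offer the legacy version.
        return False, None, None


def probe_all(host, port):
    return {name: probe(host, port, cfg) for name, cfg in PROBES.items()}


def findings(results):
    """Map probe results to the scanner's wording from the post."""
    out = []
    tls10_ok, _, tls10_cipher = results["tls1.0"]
    if tls10_ok:
        out.append("TLS Server Supports TLS version 1.0")
        # Every TLS 1.0 suite except RC4 is a CBC-mode block cipher, and
        # chained IVs in TLS 1.0 CBC are exactly what BEAST exploits.
        if tls10_cipher and "RC4" not in tls10_cipher:
            out.append("TLS/SSL Server is enabling the BEAST attack")
    if results["tls1.1"][0]:
        out.append("TLS Server Supports TLS version 1.1")
    if results["static_rsa"][0]:
        out.append("TLS/SSL Server Supports The Use of Static Key Ciphers")
    return out


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "vpn.example.com"  # assumed
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    res = probe_all(host, port)
    for name, (ok, ver, cipher) in res.items():
        state = "accepted" if ok else "refused "
        print(f"{name:11s} {state} {ver or ''} {cipher or ''}")
    for f in findings(res):
        print("FINDING:", f)
```

Run it once before and once after the platform-settings change; a hardened headend should report every probe as refused. Note that the local OpenSSL build must still be able to offer TLS 1.0/1.1 (hence the `@SECLEVEL=0` cipher string); if it cannot, those probes report "refused" regardless of the server, so confirm with a second tool before closing the finding.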

omz
VIP Collaborator

TLS 1.0 and 1.1 are considered vulnerable.

Recommended is TLS 1.2 or 1.3.

 

I am totally aware of it, mate; the biggest worry is that I don't find an option to disable it in the GUI, Firepower or Lina CLI. Any idea whether this can be done at the Linux level?

Marvin Rhoads
Hall of Fame Guru

The commands necessary to restrict SSL/TLS ciphersuites are not currently available for FDM (or CDO) managed Firepower devices. Also, you cannot add them via FlexConfig (blacklisted).

If you use FMC management, the settings can be changed under Devices > Platform Settings > SSL. See the following:

 

[Screenshot: FMC SSL settings for FTD]

Thanks Marvin. I am currently on 6.5.04. Any idea on 6.6.0? Not related to the subject, but how is SBL support for AnyConnect on FDM or Firepower?

6.6 also does not allow this change from FDM/CDO. We have to wait until those settings are API-enabled.

Fingers crossed for 6.7 (Fall 2020) but time will tell.

Hi Marvin,

 

I'm experiencing the same issue with our FTD AnyConnect website. I opened a service ticket earlier this year, but the explanation was a little different at the time. Are you saying that currently a Cisco security product is vulnerable and they don't have any plans to fix this issue until November?

 

Thanks,

Has anybody figured out how to do that?

Running 6.7 on an NGFW 2110 with FDM and can't set TLS to TLSv1.2.

Can't find what FlexConfig I can use for that.

 

Works fine on FireSIGHT-managed devices.

 

This FDM shortcoming will be addressed in version 7.0 (the next release after 6.7). It's in the GUI there.

Rob Ingram
VIP Mentor

@loizosko 

It looks like you can do this in FDM 6.7 using API.

 

[Screenshot: ssl ciphers]

You don't appear to be able to make changes using FlexConfig in 6.7; the CLI commands are currently blacklisted.

From Cisco:

 

If you are using FDM, it's not possible to enable FIPS. This is a known issue.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvp07593/?rfs=iqvred
