Firepower 4125 - how to resolve plugin 157288

Our current ACAS scans are showing plugin 157288, "TLS Version 1.1 Deprecated Protocol", findings on Firepower 4120 and Firepower 4125 devices with FTD.

The Firepower 4120 is running version 7.2.9.

The Firepower 4125 is running version 7.4.2.2.

I am asking if there is a correct method to resolve plugin 157288. It is my understanding that the FXOS, FMC and FTD software versions are the newest we can apply to these devices. Any detailed support on how to resolve this issue on this model of device will be greatly appreciated.

Plugin: 157288
Device: Firepower 4125 with FTD
Plugin Name: TLS Version 1.1 Deprecated Protocol
Severity: Medium
Plugin Output: TLSv1.1 is enabled and the server supports at least one cipher.
Steps to Remediate: Enable support for TLS 1.2 and/or 1.3, and disable support for TLS 1.1.
Accepted Solution

pieterh

the plugin reports TLS v1.1 is ENABLED, not that the software version is outdated
-> you need to configure TLSv1.2 as enabled and TLSv1.1 as disabled

according to this document: https://media.defense.gov/2023/Aug/02/2003272858/-1/-1/0/CTR_CISCO_FIREPOWER_HARDENING_GUIDE.PDF
the necessary FX-OS command would be:
Firepower-module /system# set services tls-ver v1_2

the bug https://bst.cisco.com/bugsearch/bug/CSCwe93566?rfs=qvlogin does not list the versions above

Replies

Pieterh,

Thank you for taking the time to reply with a valid solution. Additionally, below is the exact solution Cisco TAC provided, and it was very easy to follow:

To change the minimum TLS version that the HTTPS server will negotiate, you can follow this documentation:

https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/fxos231/cli-guide/b_CLI_ConfigGuide_FXOS_231/platform_settings.html?bookSearch=true#task_gnp_cmf_sbb

In summary you can verify within the CLI:

scope system > scope services > show

There will be a section for TLS inside the HTTPS, that is the minimum TLS version that the box will negotiate.

You can then use the following command to increase the minimum version to 1.2:

scope system > set services tls-ver v1_2
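An added check, not code from the thread or from Cisco TAC: this script reproduces what plugin 157288 tests from the outside, so you can run it against the chassis management address before and after the FXOS change (the new tls-ver setting only takes effect once it is applied with commit-buffer in the FXOS CLI) and confirm that TLS 1.1 is really gone instead of waiting for the next ACAS scan. It goes slightly beyond the plugin by also probing TLS 1.0, since a box that still speaks 1.0 has the same class of finding. The target host and port are assumed (an RFC 5737 placeholder address and 443); pass the real management address on the command line.

```python
"""Probe which TLS protocol versions an HTTPS endpoint will negotiate.

Added example, not from the thread or from Cisco. Mirrors the check behind
Tenable plugin 157288 ("TLSv1.1 is enabled and the server supports at least
one cipher") so the FXOS remediation can be verified directly.
"""
import socket
import ssl
import sys

# Versions to try, oldest first. TLS 1.0 is included as a generalization:
# plugin 157288 is specifically about TLS 1.1.
PROBE_VERSIONS = [
    ("TLSv1", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]
LEGACY = ("TLSv1", "TLSv1.1")
MODERN = ("TLSv1.2", "TLSv1.3")


def probe_versions(host, port=443, timeout=5.0):
    """Handshake once per version with min == max pinned.

    Returns {version_name: True (server completed a handshake at exactly
    that version) | False (refused or unreachable) | None (local OpenSSL
    cannot speak that version, so it could not be tested)}.
    """
    results = {}
    for name, version in PROBE_VERSIONS:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        # We are testing protocol support, not trust: appliance management
        # certs are usually self-signed, so verification is deliberately off.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            # Offer legacy ciphers as well, so a refusal is the server's
            # decision and not the local OpenSSL security level.
            ctx.set_ciphers("ALL:@SECLEVEL=0")
            ctx.minimum_version = version
            ctx.maximum_version = version
        except (ssl.SSLError, ValueError):
            results[name] = None
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = tls.version() == name
        except (ssl.SSLError, OSError):
            results[name] = False
    return results


def evaluate(results):
    """Apply the plugin's logic: any completed legacy handshake is a finding.

    Returns (passed, message). A result with no modern handshake at all is
    reported as a failure rather than a pass, because it usually means the
    probe never reached the HTTPS server.
    """
    enabled_legacy = [v for v in LEGACY if results.get(v)]
    enabled_modern = [v for v in MODERN if results.get(v)]
    untestable = [v for v, r in results.items() if r is None]
    if enabled_legacy:
        return False, "FAIL: server still negotiates " + ", ".join(enabled_legacy)
    if not enabled_modern:
        return False, ("FAIL: no TLS 1.2/1.3 handshake completed; check reachability "
                       "before reading this as remediated")
    message = "PASS: only " + ", ".join(enabled_modern) + " negotiable"
    if untestable:
        message += " (not tested locally: " + ", ".join(untestable) + ")"
    return True, message


if __name__ == "__main__":
    # Placeholder management address (RFC 5737 TEST-NET-1), assumed for the example.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    res = probe_versions(target, port)
    for name, outcome in res.items():
        state = "untested" if outcome is None else ("accepted" if outcome else "refused")
        print(f"{name:8s} {state}")
    passed, message = evaluate(res)
    print(message)
    sys.exit(0 if passed else 1)
```

Run it as `python3 probe_tls.py <chassis-mgmt-ip>`; a non-zero exit means the finding would still be raised. If TLSv1.1 shows as "untested", the local OpenSSL build has TLS 1.1 disabled and the probe is not conclusive for that version; run it from a host whose OpenSSL still allows it (or use the scanner itself).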
