08-14-2024 01:25 PM
In my SSL/decryption policy advanced settings I have chosen the option to block unknown cipher suites and therefore in my connection logs I see lots of connections that are blocked due to unknown cipher suites, which is expected. However, the particular cipher suite being blocked doesn't seem to be unknown. It is available for selection in the FMC and can be added to custom cipher suite lists. The problem is that these cipher lists can only be added to user defined decryption rules and the rule that is blocking this particular cipher suite is the default action. I don't see where I can assign a cipher suite to the default rule. Is there somewhere else where I can define which cipher suites are allowed?
TIA,
Diego
09-21-2024 09:03 AM
So, it turns out that the "unknown cipher suite" error in the log is not generated because the FTD considers the cipher unknown; it is an error from the host side. The connection events in question are triggered by Win2019 servers using MS Azure/Entra authentication services. The MS Azure side is using TLS 1.3 and the TLS_AES_256_GCM_SHA384 cipher suite, both of which are unsupported and therefore "unknown" to Win2019.
My mistake was that since the error appeared in the FMC connectivity log I automatically assumed that it was the FTD reporting this cipher as "unknown". I felt this was an error because FTD 7.4 supports TLS 1.3 and TLS_AES_256_GCM_SHA384. I don't have any Win2022 servers to test with but I am fairly confident that this error will not be logged when Win2022 authenticates against MS Entra.
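One way to confirm where an "unknown cipher suite" event really comes from, before touching the decryption policy, is to look at what the client itself offers in its ClientHello. The following is an added example, not code from this thread or from Cisco: a small ClientHello parser that reports the offered cipher suites and the versions in the supported_versions extension, so you can tell a client that never offers TLS 1.3 (the Windows Server 2019 situation described above) from a client that does. The function names, the `build_client_hello` helper and the two sample hellos are assumptions constructed for the example; they are not captures of real Windows or Azure traffic. On a live case you would feed `parse_client_hello` the raw bytes of the first client record from a packet capture instead.

```python
import struct

# IANA cipher suite ids: TLS 1.3 suites (RFC 8446, appendix B.4) and a few
# TLS 1.2 ECDHE suites used here only to give the constructed samples names.
TLS13_SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
}
TLS12_SUITES = {
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
SUITE_NAMES = {**TLS13_SUITES, **TLS12_SUITES}
VERSION_NAMES = {0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
EXT_SUPPORTED_VERSIONS = 43  # RFC 8446, section 4.2.1


def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello.

    Returns the offered cipher suite ids and the protocol versions the client
    advertises: the supported_versions list when present, otherwise the
    legacy version field (a TLS 1.2-or-older client never sends the extension).
    """
    if record[0] != 0x16:  # content type 22 = handshake
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if body[0] != 0x01:  # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]

    pos = 0
    legacy_version = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    pos += 32  # client random
    sid_len = hello[pos]
    pos += 1 + sid_len  # legacy session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = hello[pos]
    pos += 1 + comp_len  # compression methods

    versions = [legacy_version]
    if pos < len(hello):  # extensions block is optional in the wire format
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            edata = hello[pos:pos + elen]
            pos += elen
            if etype == EXT_SUPPORTED_VERSIONS:
                n = edata[0]  # one-byte length of the version list
                versions = [struct.unpack("!H", edata[i:i + 2])[0] for i in range(1, 1 + n, 2)]
    return {"suites": suites, "versions": versions}


def client_can_reach_tls13_aes256(record: bytes) -> bool:
    """True only if the client offers TLS 1.3 and TLS_AES_256_GCM_SHA384."""
    info = parse_client_hello(record)
    return 0x0304 in info["versions"] and 0x1302 in info["suites"]


def summarize(record: bytes) -> str:
    info = parse_client_hello(record)
    vers = ", ".join(VERSION_NAMES.get(v, hex(v)) for v in info["versions"])
    suites = ", ".join(SUITE_NAMES.get(s, hex(s)) for s in info["suites"])
    return f"versions: {vers}; suites: {suites}"


def build_client_hello(suites, versions=None) -> bytes:
    """Construct a minimal ClientHello record for offline testing (not a real capture)."""
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00"  # legacy version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"  # one compression method: null
    exts = b""
    if versions:
        vlist = b"".join(struct.pack("!H", v) for v in versions)
        edata = bytes([len(vlist)]) + vlist
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(edata)) + edata
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed samples: a TLS 1.2-only client in the spirit of the Win2019 case
# from the thread, and a TLS 1.3-capable client that also offers the AES-256 suite.
WIN2019_LIKE = build_client_hello([0xC030, 0xC02F, 0xC02C, 0xC02B])
TLS13_CAPABLE = build_client_hello([0x1302, 0x1301, 0xC030, 0xC02F], versions=[0x0304, 0x0303])

if __name__ == "__main__":
    for label, hello in (("win2019-like", WIN2019_LIKE), ("tls13-capable", TLS13_CAPABLE)):
        print(f"{label}: {summarize(hello)} -> can negotiate TLS 1.3 AES-256: "
              f"{client_can_reach_tls13_aes256(hello)}")
```

If the parsed ClientHello shows no TLS 1.3 in supported_versions and no 0x13xx suites, the client cannot use what the server side offers, and the log entry is a client limitation rather than something to fix in the FTD default action.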
08-17-2024 07:13 AM
However, the particular cipher suite being blocked doesn't seem to be unknown
Use
System support ssl-debug
Check if cipher is unknown or CN to SNI is mismatch of bac cert.
MHM