02-19-2024 08:06 AM - edited 02-19-2024 08:09 AM
Hi to Everyone!
Recently, the company where I work carried out an Ethical Hacking process, and one of the vulnerabilities it showed, which I have not been able to solve, was the enablement of an HTTPOnly attribute that was disabled in our Remote Access VPN implemented on our Cisco Firepower 2130; these FRP are administered via FMC.
I have visited the URLs which mention this attribute, but they only refer to its configuration on Cisco ASA, executing the http-only-cookies command within the webvpn configuration.
But nothing that refers to Firepower, so I have tried checking both the FMC GUI and connecting directly to the FTD via SSH, but I did not find anything that made reference to the HTTPOnly attribute or http-cookies-only either.
I had no choice but to consult the community. I would like to know, more than anything, if it is possible to enable this attribute in Firepower and how to do it, since up to this point I have run out of ideas on the matter.
If you could help me with this question I would greatly appreciate it.
02-20-2024 02:05 AM
You need to use FlexConfig in order to configure features which are not supported by the GUI:
The enhancement mentioned by @MHM Cisco World has not been implemented, although this is a very valid request, as FTD doesn't support Clientless WebVPN and hence should always set the http-only-cookie flag.
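Whichever way the flag ends up being pushed to the FTD, the finding is only closed once the portal's Set-Cookie headers actually carry HttpOnly. The script below is an added example, not code from the thread or from Cisco: it parses Set-Cookie headers and reports which cookies lack HttpOnly (and Secure), first on constructed sample headers so it runs offline, and optionally against a live host you name. The sample header values are made up and are not real Firepower output.

```python
"""
Audit Set-Cookie headers for the HttpOnly and Secure attributes.

Added example (not from the Cisco Community thread). Use it to confirm the
original pentest finding and to re-check the portal after a FlexConfig
change has been deployed. SAMPLE_HEADERS are constructed, not captured
from a real device.
"""
import http.client
import ssl
from typing import Dict, List

# Constructed sample Set-Cookie headers; not real Firepower/FTD output.
SAMPLE_HEADERS = [
    "webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure",
    "webvpnlogin=1; path=/; secure; HttpOnly",
    "sessionid=abc123; path=/",
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into name, value and a lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        if not attr:
            continue  # tolerate a trailing ';'
        key, _, val = attr.partition("=")
        # Flag attributes (Secure, HttpOnly) have no value; store True for them.
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_set_cookie(headers: List[str]) -> List[Dict[str, object]]:
    """Return, per cookie, the list of required flags that are missing."""
    findings = []
    for h in headers:
        cookie = parse_set_cookie(h)
        missing = [flag for flag in ("httponly", "secure") if flag not in cookie["attrs"]]
        findings.append({"name": cookie["name"], "missing": missing})
    return findings


def fetch_set_cookie_headers(host: str, path: str = "/", port: int = 443) -> List[str]:
    """Collect every Set-Cookie header from a live HTTPS host (assumed reachable).

    TLS verification stays on; install the appliance's CA in the system trust
    store rather than disabling checks.
    """
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("GET", path, headers={"User-Agent": "cookie-audit"})
        resp = conn.getresponse()
        return [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]
    finally:
        conn.close()


if __name__ == "__main__":
    # Offline run over the constructed samples; swap in
    # fetch_set_cookie_headers("vpn.example.invalid") for a live check.
    for finding in audit_set_cookie(SAMPLE_HEADERS):
        status = "OK" if not finding["missing"] else "missing " + ", ".join(finding["missing"])
        print(f"{finding['name']}: {status}")
```

Run it once before and once after the deploy: a cookie that still reports `missing httponly` means the change did not reach the webvpn configuration, which also makes it easy to spot the "policy disappeared after the next deploy" situation described later in the thread.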
05-29-2024 07:11 AM
Hey @tvotna, I tried with the FlexConfig policy. One of the situations that occurred to me is that after applying it, once we performed another deploy, the policy disappeared; for this problem, in the Deployment field we must add "Everytime". But apart from this, we realized that by enabling the policy we would lose the AnyConnect download port over the internet, so we decided it was better not to apply it after all. But anyway, thank you very much. I'm going to leave this comment as the solution to the case.