02-13-2025 06:28 AM
Hello,
I'm running Cisco FTD virtual 7.6.0-113 with FDM in my lab. I'm looking around and wanted to test the performance of the Remote Access feature with different versions of TLS/DTLS and ciphers. Unfortunately, I'm having a hard time configuring / disabling TLSv1.3, which is enabled by default and by far does not seem to be configurable.
So my question is:
Is it possible to change priority of ciphers in TLSv1.3, so I can test performance of AES_256_GCM_SHA384 and ChaCha20_Poly1305?
Is it possible to disable TLSv1.3 completely for Remote Access feature?
As said before, this is a firewall in a virtual lab environment. I'm fully aware that TLSv1.3 with AES_128_GCM is completely fine and for now the best possible configuration with balanced performance and security.
02-13-2025 06:32 AM
@Lukinno I don't have 7.6 to hand to double check, but you change the TLS settings by navigating to Devices > Platform Settings and modifying the existing policy (if configured) or creating a new one. Click the SSL tab and change the TLS version.
02-13-2025 06:44 AM
@Rob Ingram I'm a little bit confused by your navigation. I'm logged into FDM and I have opened the specific device, but I'm unable to find Platform Settings.
The only SSL/TLS configuration I'm aware of is in FDM --> device (name) --> System Settings --> SSL Settings. Here I'm able to specify which DH / ECDH group will be used, plus SSL/TLS-specific ciphers and versions, but unfortunately this does not apply to the configuration of TLSv1.3, which is not configurable here at all. You can specify only TLSv1.2 and below.
02-13-2025 06:49 AM
@Lukinno sorry, I missed the part where you said FDM. The settings I provided apply when using FMC management. If you cannot change the settings in the GUI, then try the API Explorer. If there is no option to change that setting, then it probably is not available.