How to disable TLS v1.0 v1.1 on FTD using the FDM or cli

mjsu
Level 1

Is it possible to disable TLS v1.0 and v1.1 on FTD using the CLI or FDM? (I do not have FMC.) These are offered on the webvpn portal, and it is also not obvious how to disable them there.

> show running-config all ssl
ssl server-version tlsv1 dtlsv1
ssl client-version tlsv1
ssl cipher default medium
ssl cipher tlsv1 medium
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 high
ssl cipher dtlsv1 medium
ssl cipher dtlsv1.2 high
...

> show ssl
Accept connections using SSLv3 or greater and negotiate to TLSv1 or greater
Start connections using TLSv1 and negotiate to TLSv1 or greater
SSL DH Group: group14 (2048-bit modulus, FIPS)
SSL ECDH Group: group19 (256-bit EC)


I have also looked at the API, and it doesn't seem possible.

Device is running version 7.0.5.

I can see https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs23509 but not access the related bug details.

Accepted Solution

If you set the SSL/TLS settings properly in the referenced section, they will apply to the public-facing webvpn/AnyConnect/remote access VPN interfaces. That covers the data interfaces listening for connections to the device. You can run an nmap scan with the enum-ciphers option against it to validate.

To change the on-box (management) TLS cipher support is not possible via the GUI. I have found in working with a customer that we can go into the expert mode and modify the web server properties to remove the ciphers you don't want. I wrote up doing that for FMC here:

https://community.cisco.com/t5/network-security/disable-weak-cipher-and-tls-on-cisco-firepower-management-center/td-p/4079053

For FTD devices, the httpsd.conf file is in /ngfw/etc/httpd. I confirmed in my lab that the procedure also works to reduce the ciphers presented via the management interface on an FDM locally-managed FTD device.

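As an added example to go with the nmap validation step in the accepted solution (this is not code from the thread or from Cisco), the script below checks a saved nmap ssl-enum-ciphers report for legacy protocol versions. The nmap invocation in the comment is the standard one; the function names are my own, and the two scan reports embedded in the script are constructed to resemble the "before" and "after" states the original poster described, not real scan output.

```shell
#!/bin/sh
# Added example, not from the original thread. Produce the real input with:
#   nmap -p 443 --script ssl-enum-ciphers <ftd-outside-ip> > scan.txt
# then: weak_tls_versions < scan.txt

# Read an nmap ssl-enum-ciphers report on stdin and print, space-separated
# on one line, the legacy versions (SSLv3, TLSv1.0, TLSv1.1) still offered.
# nmap lists each negotiated protocol as an indented line like "|   TLSv1.0:".
weak_tls_versions() {
    awk '/^\|[ ]+(SSLv3|TLSv1\.0|TLSv1\.1):/ {
             sub(/^\|[ ]+/, ""); sub(/:.*/, "");
             out = out (out ? " " : "") $0
         }
         END { print out }'
}

# Succeed (exit 0) only when no legacy version appears in the report on stdin.
only_modern_tls() {
    [ -z "$(weak_tls_versions)" ]
}

# Constructed sample report (not a real scan): TLS 1.0, 1.1 and 1.2 all offered.
BEFORE_SCAN=$(cat <<'EOF'
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|_  least strength: A
EOF
)

# Constructed sample report (not a real scan): only TLS 1.2 offered.
AFTER_SCAN=$(cat <<'EOF'
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|_  least strength: A
EOF
)

# Demo: report each sample the way an audit script would.
for name in BEFORE_SCAN AFTER_SCAN; do
    eval "report=\$$name"
    if printf '%s\n' "$report" | only_modern_tls; then
        echo "$name: OK, only TLSv1.2 or later offered"
    else
        echo "$name: FAIL, legacy versions offered: $(printf '%s\n' "$report" | weak_tls_versions)"
    fi
done
```

Point the real scan at the outside interface address that remote-access clients connect to (the data interface), and separately at the management address if you also change httpsd.conf, since the two listeners are configured independently.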

10 Replies

Have a look at this link HERE. It is more about FMC, but you will get an idea of how to configure it in FDM.

Please do not forget to rate.

Thank you for this. I did come across this already and cannot see the ability to do this in FDM or the CLI. The SSL settings in FDM only apply to AnyConnect and do not seem to apply to the webvpn.

Use FlexConfig in FDM.

Marvin Rhoads
Hall of Fame

Check under Device > System Settings > SSL Settings. This was added for FDM in version 7.0.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/roadmap/device-manager-new-features-by-release.html

 

Device Manager SSL cipher settings for remote access VPN.

You can define the TLS versions and encryption ciphers to use for remote access VPN connections in device manager. Previously, you needed to use the threat defense API to configure SSL settings.

We added the following pages: Objects > SSL Ciphers; Device > System Settings > SSL Settings.

mjsu
Level 1

Thanks, but when you configure those settings (Device > System Settings > SSL Settings) it says they apply to remote access VPN connections only. This does seem to work for AnyConnect VPN connections, and I had this configured already, but the 'show ssl' result is the same as in the snippet above. When someone is auditing and scans the IP, they still see that TLS 1.0 and 1.1 are available.

I did read somewhere that the ssl commands are blacklisted from FlexConfig, so I am slightly wary of trying this and am currently not in a position to test on a spare system. It seems odd that disabling these is not a common task.


mjsu
Level 1

I looked again at the SSL/TLS setting and found my error: the security level was set to High. My understanding of this security level setting was lacking. Setting this to All has applied to the interface, and nmap is now showing only TLSv1.2. I will try the expert mode fix for management.

Thank you for your assistance and patience.

The SSL/TLS level is different from the TLS version.
There are many ciphers in the FW, and they are classed as ALL, LOW, MEDIUM and HIGH.
ALL contains all ciphers,
and each of the other classes removes some of the ciphers.

mjsu
Level 1

Hmm. When I had this set to High, nmap showed TLSv1.0, 1.1, and 1.2. I changed it to ALL and now nmap only shows TLSv1.2