Warning - v7.2.5 Upgrade on FPR-2140 removes Mgmt Interface SSH ACL

ida71
Level 1

This is just a piece of info. I recently started our next round of Cisco Gold Star upgrades due to v7.0.5 having a DoS attack vulnerability.

I initially upgraded 3 HA pairs of FPR-2120, followed by an HA pair of FPR-2140's in the middle of December 2023.

Today I got an incident from the Security Team, stating the management interfaces on the 2140's were showing an SSH vulnerability from the latest Qualys scan. This was strange as I have SSH ACLs on all management interfaces & Qualys can't reach them.

On checking the reported FTDs the ACLs were gone! See below, where <snip> is removed content.

>>>

Cisco Firepower Extensible Operating System (FX-OS) v2.12.0 (build 519)
Cisco Firepower 2140 Threat Defense v7.2.5 (build 208)

>
> show version
---------[ <snip>-FTD-2 ]----------
Model : Cisco Firepower 2140 Threat Defense (77) Version 7.2.5 (Build 208)
UUID : <snip>
Rules update version : 2023-12-07-001-vrt
VDB version : 377
----------------------------------------------------

> show ssh-access-list
f2b-sshd tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
Chain f2b-sshd (1 references)
ACCEPT tcp anywhere anywhere state NEW tcp dpt:ssh
>
>
>configure ssh-access-list <snip>

The ssh access list was changed successfully.

> show ssh-access-list
ACCEPT tcp -- <snip> anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- <snip> anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- <snip> anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- <snip> anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- <snip> anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- <snip> anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- <snip> anywhere state NEW tcp dpt:ssh
>
<<<

I checked the FPR-2120's & they still had their ACLs intact, so I suspect it is a hardware related issue. I have logged a case with TAC for it.

Might be worth adding another post-change validation check to your upgrade process.

Have Fun
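A post-change validation check of the kind suggested in the post above, added here as an example (it is not code from the original post or from Cisco): it parses `show ssh-access-list` output in the shape shown and fails when any ACCEPT rule has a source of `anywhere` or when an expected source is missing. Both sample outputs are constructed to match the post; the source networks 192.0.2.0/24 and 198.51.100.7 are assumed placeholders for the <snip> values.

```python
"""Post-upgrade check for the FTD management SSH ACL (added example)."""
from typing import Dict, List, Set

# Constructed sample: the post-upgrade state reported in the thread (ACL gone).
ACL_MISSING = """\
f2b-sshd tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
Chain f2b-sshd (1 references)
ACCEPT tcp anywhere anywhere state NEW tcp dpt:ssh
"""

# Constructed sample: state after re-running `configure ssh-access-list`.
# The two sources are assumed placeholders for the <snip> values in the post.
ACL_RESTORED = """\
ACCEPT tcp -- 192.0.2.0/24 anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- 198.51.100.7 anywhere state NEW tcp dpt:ssh
"""

ANY_SOURCE = {"anywhere", "0.0.0.0/0", "::/0"}


def parse_rules(output: str) -> List[Dict[str, str]]:
    """One dict per rule line (target, proto, source, destination).
    Handles both the '--' form and the form without it, as in the post."""
    rules = []
    for line in output.splitlines():
        toks = line.split()
        if len(toks) < 4 or toks[0] == "Chain":
            continue  # blank line or chain header
        rest = [t for t in toks[2:] if t != "--"]
        rules.append({"target": toks[0], "proto": toks[1],
                      "source": rest[0], "destination": rest[1]})
    return rules


def open_ssh_sources(output: str) -> List[str]:
    """Sources of ACCEPT rules that let any host reach SSH on the mgmt interface."""
    return [r["source"] for r in parse_rules(output)
            if r["target"] == "ACCEPT" and r["source"] in ANY_SOURCE]


def check_ssh_acl(output: str, expected: Set[str]) -> Dict[str, object]:
    """Fail if any rule is wide open or an expected source is absent."""
    present = {r["source"] for r in parse_rules(output)}
    wide_open = open_ssh_sources(output)
    missing = sorted(expected - present)
    return {"ok": not wide_open and not missing,
            "wide_open": wide_open, "missing": missing}


if __name__ == "__main__":
    want = {"192.0.2.0/24", "198.51.100.7"}
    print("after upgrade:", check_ssh_acl(ACL_MISSING, want))
    print("after fix:    ", check_ssh_acl(ACL_RESTORED, want))
```

Run it against the saved output of `show ssh-access-list` from each upgraded FTD, with `want` set to the sources you configured, and treat a non-ok result as a failed change validation.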


4 Replies

I am assuming that you remembered to deploy policies after the upgrade?

It is quite possible that something on the management plane has been changed and is missing some pre and post upgrade checks. The jump from pre-7.2.x to 7.2.x and higher has a 40% change in code, so missing checks are quite possible.

--
Please remember to select a correct answer and rate helpful posts

ida71
Level 1

Yes, policy was deployed post-upgrade, multiple times since too. Management interface configuration is local & not FMC managed, so it should not evaporate. Worked fine on the 2120's, so it has to be some hardware/software cockup. I'll be doing more 2140's this weekend, so will check them post-upgrade.

ida71
Level 1

TAC suggests this is due to a bug; basically it says this happens at random.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz13564

Thanks a lot for updating us.
Have a nice day.
MHM