Cisco FTD Command Line Interface (CLI)
The majority of Cisco devices provide a command line interface (CLI) for configuring, managing and troubleshooting the device. The CLI lets administrators run commands directly on the device, either at the console or over a remote session.
In today's blog we will cover how the CLI works on Cisco FTD and which CLI commands are available on it.
Overview of Command line interface (CLI)
You can use an SSH client to connect to the management IP address and log in with the admin username (the default password is Admin123) or another CLI user account. You are prompted to change the default password during initial setup; never leave it in place. Unless external authentication for CLI access has been configured (supported only on newer releases managed by the management center), the CLI authenticates against local accounts only. Another option is to connect directly to the console port with a console cable.
Cisco FTD Command Line Interface
The CLI on a Firepower Threat Defense device has several modes. We will look at each of them in the following list.
- Regular CLI is used for threat defense management system configuration and troubleshooting. Its prompt is >.
- Diagnostic CLI is used for advanced troubleshooting, as it has additional show and other commands. To enter it, use the system support diagnostic-cli command. It starts in user EXEC mode; use the enable command to enter privileged EXEC mode (there is no enable password by default, so press Enter at the password prompt). To return to the regular CLI, press Ctrl+a, then d.
- Expert mode is used only if a documented procedure tells you to do so or if the Cisco Technical Assistance Center asks you to use it. Use the expert command to enter this mode; it drops you to a Linux shell on the device, so use it with care.
- FXOS CLI is also used for configuration and troubleshooting. From FXOS, use the connect ftd command to enter the threat defense console (on Firepower 4100/9300, first connect to the module console with connect module slot_number console).
- On appliance-mode models (all models other than Firepower 4100/9300), you can move from the threat defense CLI to the FXOS CLI with the connect fxos command, and return with exit.
Cisco FTD commands
There is a huge list of CLI commands on Cisco FTD; we will look at some important ones and understand their usage. Commands are entered in lowercase at the > prompt.
capture: enables packet capture for packet sniffing and network fault isolation. FTD can track all IP traffic that flows through it and capture the packets that match your filter.
capture capture_name
In practice you add options to the basic form, such as interface interface_name to pick the capture point and match protocol source destination to limit what is stored; use show capture capture_name to view the buffer and no capture capture_name to remove it.
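The following session shows the full capture workflow end to end: create a filtered capture, inspect it, stop it, export the buffer as a pcap, and remove it. It is an added example and not part of the original post; the interface name inside, the server 10.1.20.5, the TFTP server 192.168.100.50 and the hostname firepower are assumptions, lines beginning with # are annotations rather than typed input, and command output is omitted.

```text
# Regular threat defense CLI (prompt is ">"). Lines starting with "#" are
# annotations, not typed input. Names and addresses are assumed for illustration.

# 1. Start a capture on the interface named "inside", limited to HTTPS traffic
#    to one server, with a 32 MB buffer instead of the small default.
> capture CAP_IN interface inside buffer 33554432 match tcp any host 10.1.20.5 eq 443

# 2. Generate the traffic you are troubleshooting, then inspect what was captured.
> show capture CAP_IN
> show capture CAP_IN detail

# 3. Stop capturing without discarding the buffer.
> capture CAP_IN stop

# 4. Export the buffer as a pcap for Wireshark. The copy command is run from the
#    diagnostic CLI in privileged EXEC mode (press Enter at the Password: prompt).
> system support diagnostic-cli
firepower> enable
Password:
firepower# copy /pcap capture:CAP_IN tftp://192.168.100.50/CAP_IN.pcap
# Press Ctrl+a, then d, to return to the regular CLI.

# 5. Remove the capture when you are finished so it stops consuming memory.
> no capture CAP_IN
```

A capture without a match filter on a busy interface fills its buffer in seconds and costs CPU, so always filter, and always clean up with no capture when the investigation is over.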
To enable or disable automatic updates of CA certificates on the FTD device, use
configure cert-update auto-update {enable | disable}
To clear the HTTPS access list, so that the device rejects HTTPS connection attempts from all IP addresses, use
configure disable-https-access
To clear the SSH access list, so that the device rejects SSH connection attempts from all IP addresses, use
configure disable-ssh-access
To configure FTD to accept HTTPS connections only from specific IP addresses or networks, use
configure https-access-list address_list
To enable or disable one of the default application protocol inspection engines, use
configure inspection protocol {enable | disable}
To configure the DNS servers for the management interface, use
configure network dns servers dnslist
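The access-list commands above are the main tool for limiting who can even attempt to authenticate to the management interface. The session below shows the weak default state and the corrected state side by side; it is an added example, not part of the original post, and the subnet 10.10.0.0/24 and jump host 10.20.5.15 are assumptions. Lines beginning with # are annotations.

```text
# Management-interface access hardening on the regular threat defense CLI.
# Lines starting with "#" are annotations. The subnet and host are assumed.

# Weak state: no access lists are configured, so SSH and HTTPS to the
# management IP are accepted from any source that can reach the interface.

# Corrected state: allow SSH only from the admin subnet and one jump host,
# and HTTPS only from the admin subnet. Each command REPLACES the existing
# list rather than appending to it, so list every permitted source in one
# comma-separated command and make sure the address of the session you are
# typing in is included; the console port is the way back in if you lock
# yourself out.
> configure ssh-access-list 10.10.0.0/24,10.20.5.15
> configure https-access-list 10.10.0.0/24

# Emergency lock-down: reject SSH or HTTPS from every address. After this,
# only the console port (or the management center) can reach the device.
> configure disable-ssh-access
> configure disable-https-access
```

Treat these lists as a layer in front of authentication, not a replacement for it: they narrow the exposed attack surface of the management plane, but strong local credentials and a dedicated management network are still required.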
To view a brief status of the connection (sftunnel) between the device and the managing management center, use
sftunnel-status-brief
To display statistics about egress optimization, use
show asp inspect-dp egress-optimization
To display the queue information for all Snort instances (processes), aggregating all queues belonging to the same instance, use
show asp inspect-dp snort queues [instance instance_id] [detail] [debug]
To display the automatic snapshots taken when a Snort queue exhaustion occurs, use
show asp inspect-dp snort queue-exhaustion [snapshot snapshot_id] [export location]
To determine the route packets will take to their destination through the data interfaces, use
traceroute destination [source {source_ip | source-interface}] [numeric] [timeout timeout_value] [probe probe_num] [ttl min_ttl max_ttl] [port port_value] [use-icmp]
**Important Tip**
When making changes to the configuration of your Secure Firewall Management Center or Secure Firewall Device Manager, avoid using the threat defense command line interface for commands that take a long time to execute (for example, ping with a large repeat count or packet size). Doing so could lead to deployment issues.
For the complete list of commands, refer to the Cisco Secure Firewall Threat Defense Command Reference.
Continue Reading:
Palo Alto Troubleshooting CLI Commands
Intro to Cisco FTD Firewall (Firepower Threat Defense)