topic Re: WinSCP and FMC in Network Security

WinSCP and FMC

donald.heslop1 — Mon, 30 Mar 2020 16:01:47 GMT

Can anyone tell me how to get the rsa key file and the csr out of the FMC using WinSCP. I've seen so many video that show people using WinSCP to log into the FMC and get the .key and .csr file but they don't go into how WinSCP should be setup to get that to work.

Has anyone experience this problem with WinSCP?

Re: WinSCP and FMC

Marius Gunnerud — Mon, 30 Mar 2020 17:56:31 GMT

Use SCP protocol (port tcp/22).

Re: WinSCP and FMC

donald.heslop1 — Mon, 30 Mar 2020 18:20:31 GMT

Mauris,
I did and it will not connect. I get the error that I attached to my original post.

Re: WinSCP and FMC

Marius Gunnerud — Mon, 30 Mar 2020 19:44:20 GMT

The user you are logging in with needs to have rights to access the FMC CLI / Linux shell. Add your user to the Shell Access Filter under System > Users or log in with a user that already has access to the CLI

Re: WinSCP and FMC

donald.heslop1 — Mon, 30 Mar 2020 19:52:31 GMT

Mauris,
I am using the local admin account on the FMC (6.5.0). That Shell Access Filter is under External Authentication which I am not using.

Re: WinSCP and FMC

Marius Gunnerud — Mon, 30 Mar 2020 19:59:16 GMT

I am assuming that the admin account can access the CLI of the FMC? When you log in do you get to the > prompt or straight to the Linux Shell (expert mode)? If you only get to the > enter expert mode and then try accessing from the WinSCP. The account needs to go directly to the Linux shell.

Re: WinSCP and FMC

donald.heslop1 — Mon, 30 Mar 2020 20:47:16 GMT

Marius,

I'm still getting the same issue even though I logged into the FMC via putty and entered expert mode. See attached screenshot. You will see the putty session and the error message I'm getting in WinSCP

Re: WinSCP and FMC

Marius Gunnerud — Mon, 30 Mar 2020 21:22:29 GMT

Odd, I am able to connect to my FMC using WinSCP, however when I login to the CLI I get directly to the Linux Shell. I suspect that this is your issue that when you are logging in via WinSCP you are not going directly to the Linux Shell.

Re: WinSCP and FMC

Gabriel Copil — Thu, 23 Apr 2020 22:20:16 GMT

Hi,

since version 6.4 (if I recall correctly), SSH login to FMC doesn't open directly with the Linux shell prompt, but into the custom CLI where you need to execute the command "expert" in order to get to the real bash.

Unfortunately this new feature makes impossible to use from a remote PC the command scp (or Winscp) to copy files to/from the FMC.

I've just spent 4 hours trying different options to be able to copy the last successful backup from my broken FMCv. One alternative that theoretically should work, I've found in the Winscp documentation: with SCP protocol, you can specify a command as custom shell on the SCP/Shell page of Advanced Site Settings dialog. I've tried replacing the value of [Shell:] with "expert", but didn't do the trick. In theory this is used when you need to execute "sudo -s" before copying the files as root.

So, I've gave up and used the scp command the other way around: execute it on the FMC and use a remote SSH server to transfer the files. As I didn't have at hand a Linux machine, I had to install the "OpenSSH SSH Server" on my notebook (if you have Windows 10 version 1803 or newer, you'll find it in the Settings app, Apps > Apps & features > Manage optional features).

I'm still curious if there is a working solution to the initial problem created by the intermediary CLI.

Re: WinSCP and FMC

Marvin Rhoads — Fri, 24 Apr 2020 03:17:05 GMT

The files in question are just very short plain text files so it's much much easier to just cat them to your terminal session. Then copy and paste into a local text editor and save as the same file name.

Re: WinSCP and FMC

Gabriel Copil — Fri, 24 Apr 2020 09:34:02 GMT

For those particular files, you are totally right.

But still, for transfer of a backup file or a troubleshooting file, it will be nice to learn the workaround for using scp from remote PC to the newer versions of FMC (>=6.4)

Re: WinSCP and FMC

Marvin Rhoads — Fri, 24 Apr 2020 12:36:07 GMT

FMC won't act as an SCP server but it works just fine as an SCP client.

Here's a transfer from my FMC VM (version 6.6) to another Linux host running SCP server (my EVE-NG host in this example):

root@fmc:~# scp preinstall.rpms.list root@172.31.1.13:/var/tmp
root@172.31.1.13's password: 
preinstall.rpms.list                                                                                                                                                            100%  163   369.8KB/s   00:00    
root@fmc:~#

We can now see the transferred file on the remote host:

root@eve-ng:/var/tmp# ls -al
total 12
drwxrwxrwt  2 root root 4096 Apr 24 15:21 .
drwxr-xr-x 12 root root 4096 Jun  9  2018 ..
-rw-r--r--  1 root root  163 Apr 24 15:21 preinstall.rpms.list
root@eve-ng:/var/tmp#

Since the remote host does run an SCP server I can move the file onto my Windows host using the WinSCP client:

WinSCP screenshot

It's a bit of a kludge to have to go via a third host (i.e. a Linux box running SCP server) but once you have it setup it works perfectly fine. You can use this process in either direction - to either get files from or put files onto the FMC. Here is a SCP file copy from the EVE-NG server to FMC:

root@fmc:~# scp root@172.31.1.13:/var/tmp/dcprime.cer dcprime.cer
root@172.31.1.13's password: 
dcprime.cer                                                                                                                                                                     100%  625     1.4MB/s   00:00    
root@fmc:~# 
root@fmc:~# 
root@fmc:~# ls -al
total 748
drwx------  7 root root   4096 Apr 24 12:34 .
drwxr-xr-x 23 root root   4096 Apr  7 19:00 ..
-rw-------  1 root root   3280 Apr  9 10:52 .bash_history
drwx------  2 root root   4096 Sep 27  2019 .cache
-r--------  1 root root     37 Apr  7 18:31 .erlang.cookie
drwxr-xr-x  2 root root   4096 Aug 16  2017 .oracle_jre_usage
-rw-------  1 root root   1024 Apr  9 11:06 .rnd
drwxr-xr-x  3 root root   4096 Aug 27  2017 .sqlanywhere16
drwxr-xr-x  3 root root   4096 Apr  7 18:10 .sqlanywhere17
drwx------  2 root root   4096 Aug 16  2017 .ssh
-rw-r--r--  1 root root    163 Apr 24 12:06 ?
-rw-r--r--  1 root root    625 Apr 24 12:33 dcprime.cer
-rw-r--r--  1 root root 228416 Jan 20  2017 install.log
-rw-r--r--  1 root root 227030 Apr  4 14:50 preinstall.log
-rw-r--r--  1 root root  17741 Apr  4 14:50 preinstall.packages.list
-rw-r--r--  1 root root    163 Apr  4 14:50 preinstall.rpms.list
-rw-r--r--  1 root root 115845 Jan 20  2017 strip.install.log
-rw-r--r--  1 root root 114577 Apr  4 14:50 strip.preinstall.log
root@fmc:~#

Re: WinSCP and FMC

Gabriel Copil — Fri, 24 Apr 2020 13:05:47 GMT

Thank you for the explanations, a similar solution I've used also - but without the 3rd machine I had to install Open SSH server on my notebook.
I have to disagree that there is no "SCP server", because scp is using the SSH protocol, and as long as you can login via SSH on the FMC, scp would work also.
The fact is, it was working for FMC versions <6.4, to prove it I've just used WinSCP to connect to an FMC v.6.2.3.10:

So, my question still remains: how can we overcome the new intermediary CLI feature that was implemented in 6.4, if we don't want to use a 3rd device (or to install Open SSH server on our Windows computers) and we want to use the same scp/WinSCP operation that was working in all the previous versions of the FMC?

Re: WinSCP and FMC

Gabriel Copil — Sat, 25 Apr 2020 02:26:06 GMT

LE, the below "solution" works only for FMC v.6.3.x and v.6.4.x

Unfortunately in v.6.5, the ability to disable the FMC CLI was deprecated, so the only possibility is to execute the scp command only directly in the FMC and use a remote SSH server to transfer files (Linux box or Open SSH for Windows).

For v.6.3 and 6.4, here is the solution for WinSCP's failure to connect with the error message:

Error skipping startup message. Your shell is probably incompatible with the application (BASH is recommended).

You need to go in the GUI of the FMC, in System > Configuration > Console Configuration and disable the option "Enable CLI Access". Then press <Save> and try to logon with a ssh client (e.g. Putty) to the FMC management IP. If after you enter the password, you get directly the Linux shell prompt (e.g. admin@test-fmc-01:~$ ), then WinSCP should work correctly also.

If you still get the FMC CLI ( just the symbol ">" ), then make sure you've pressed the <Save> button (ask me how I know ;-))

After I've disabled this option, I could logon to the FMC v.6.4.0.8 with WinSCP, like expected.

You can read here about the option "Enable CLI Access": About the Firepower Management Center CLI

Re: WinSCP and FMC

Fatjon.Celaj — Tue, 15 Sep 2020 20:21:03 GMT

Hi,

as you can see from the follwing output the default cli has changed:

admin@fmc:~$ more /etc/passwd
root:x:0:0:Operator:/root:/bin/sh
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
mysql:x:27:27:MySQL:/var/lib/mysql:/sbin/nologin
nobody:x:99:99:nobody:/:/sbin/nologin
sshd:x:33:33:sshd:/:/sbin/nologin
www:x:67:67:HTTP server:/var/www:/sbin/nologin
sfrna:x:88:88:SF RNA User:/Volume/home/sfrna:/sbin/nologin
snorty:x:90:90:Snorty User:/Volume/home/snorty:/sbin/nologin
sfsnort:x:95:95:SF Snort User:/Volume/home/sfsnort:/sbin/nologin
sfremediation:x:103:103::/Volume/home/remediations:/sbin/nologin
admin:x:100:100::/Volume/home/admin:/usr/bin/clish
casuser:x:101:104:CiscoUser:/var/opt/CSCOpx:/sbin/nologin
lamplighter:x:110:110::/var/opt/lamplighter:/bin/sh
monetdb:x:111:111::/Volume/lib/monetdb:/sbin/nologin
fatjon:x:1000:201::/Volume/home/fatjon:/usr/bin/clish

you can modify the default cli of a user by using the following command:

root@fmc:/Volume/home/admin# usermod --shell /bin/bash admin

now you will be able to use winscp or an sftp client.

after you've finished remeber to rollback:

root@fmc:/Volume/home/admin# usermod --shell /usr/bin/clish admin

Re: WinSCP and FMC

Fatjon.Celaj — Tue, 15 Sep 2020 20:24:37 GMT

Hi,

first connect in ssh then reach the expert mode:

Cisco Firepower Management Center for VMWare v6.6.0.1 (build 7)

> expert

as you can see from the follwing output the default cli has changed:

you can modify the default cli of a user by using the following command:

admin@fmc:~$ sudo su

root@fmc:/Volume/home/admin$ usermod --shell /bin/bash admin

now you will be able to use winscp or an sftp client.

after you've finished remeber to rollback:

root@fmc:/Volume/home/admin# usermod --shell /usr/bin/clish admin

Re: WinSCP and FMC

pzkqx6000 — Wed, 23 Feb 2022 17:11:46 GMT

Thank you. Running veersion 6.5.0 ant your trick did the job.

In my case, as admin user in FMC, I used sudo for those commands.

 27/09/2021   17:37.11   /home/mobaxterm  scp -P 22 admin@10.1.1.120:/var/sf/backup/FMC-2021-05-25T19-05-57.tar .
admin@10.1.1.120's password:
FMC-2021-05-25T19-05-57.tar 100% 309MB 5.3MB/s 00:58
✔

 27/09/2021   17:48.14   /home/mobaxterm 

Keep in mind you can change cli shell like this as well:

You may need to use "sudo" before the command or log in as a root with: $ sudo su Password: # - This will tell you shells available cat /etc/shells /bin/sh /bin/bash /bin/rbash /bin/tcsh /sbin/nologin /usr/bin/clish --> by default you will have this (the one that needs "expert" command first) - Change shell for the user: admin@FMC:~$ chsh Password: Changing the login shell for admin Enter the new value, or press ENTER for the default Login Shell [/usr/bin/clish]: /bin/bash --> We would need bash to avoid "non expert" part. - Check if change has been done: admin@FMC:~$ cat /etc/passwd [...] admin:x:100:100::/Volume/home/admin:/bin/bash [...]

Re: WinSCP and FMC

jgustafzon — Sun, 03 Apr 2022 17:14:10 GMT

Hi, How can I transfer files to the FMC with WinSCP, I desperatly need to upgrade an old FMC and sensor but the GUI upload won't work. I can connect to the FMC with WinSCP and I located the updates folder in /Volume/6.1.0/sf/updates on the FMC but when I try to upload it just gives me scp: /Volume/6.1.0/sf/updates/Sourcefire_3D_Defense_Center_S3_Upgrade-6.2.3-113.sh: Permission denied. I can elivate to expert and sudo su in CLI. I can also download files from the FMC with WinSCP but in this case I want to upload the sensor and FMC 6.2.3 patch. This is an old 6.1.2.57 if that matters. Maybe trying to upload to /Volume/6.1.0/sf/updates is the wrong way to go about this?

Re: WinSCP and FMC

Marvin Rhoads — Mon, 04 Apr 2022 12:27:22 GMT

When you connect to FMC with scp, use the root user (or temporarily chmod the target directory to allow write by all users).

Re: WinSCP and FMC

alfred.thyri — Mon, 08 Aug 2022 15:02:41 GMT

You can also set the Shell inside the WinSCP session options to expert. With this option you can directly connect via WinSCP to FMC.