topic Re: FTD connection troubleshooting command in Network Security

FTD connection troubleshooting command

Pavel Pokorny — Thu, 19 Jan 2023 13:01:25 GMT

Dear all,

Please advice in one thing. Imagine I am looking for user which is causing most of the connections over my firewall.

On ASA I was using simple commands (where 500 is number of connections per ip address):

sh local-host connection udp 500 | i local or sh local-host connection tcp 500 | i local

Is there any easy way to use something like above on FTD? Or any suggestion how to handle this issue?

Kind regards,

Pavel

Re: FTD connection troubleshooting command

MHM Cisco World — Thu, 19 Jan 2023 13:13:37 GMT

Cisco Secure Firewall Threat Defense Command Reference - show j - show o [Cisco Secure Firewall Threat Defense] - Cisco

according to this command ref you can use same command in FTD also

Re: FTD connection troubleshooting command

Marvin Rhoads — Thu, 19 Jan 2023 13:37:36 GMT

How about using "show conn"? Save the output and sort it with Excel to get a count.

Re: FTD connection troubleshooting command

Pavel Pokorny — Thu, 19 Jan 2023 13:49:06 GMT

Hi,

Yes you can, but there is no option for limit - ie 500 in my example.

Thnx

Re: FTD connection troubleshooting command

Pavel Pokorny — Thu, 19 Jan 2023 13:51:36 GMT

Hi,

That's very time consuming. Instead of 2 commands (one for UDP, second for TCP) I will have use Excel and copy data to this, sort and then filter. Imagine you have hundreds thousands of connections....

Anyway, thank you

Re: FTD connection troubleshooting command

buffkata — Thu, 19 Jan 2023 15:27:44 GMT

This is interesting - I have done this in FTD (v6.4) but I have not used those commands recently and now it is not available in v7.0.4/9.16.3.18

show local-host connection tcp 500 | in host|count/limit

it is not an option :

sh local-host ?

Hostname or A.B.C.D Show local host information corresponding to this ip
address
Hostname or X:X:X:X::X Show local host information corresponding to an IPV6
address
brief Enter this keyword for brief information
detail Enter this keyword for detailed information
zone Show local host information based on zone
| Output modifiers
<cr>

Re: FTD connection troubleshooting command

MHM Cisco World — Thu, 19 Jan 2023 16:06:36 GMT

show local-host [ hostname | ip_address] [ detail] [ all] [ brief] [ connection { sctp | tcp | udp | embryonic} start[- end]] [ zone]

But there count in command ref.

Also guide five example excat what you need

Show local-host udp 4 tcp 10.

Can you check the guide again.

Re: FTD connection troubleshooting command

Pavel Pokorny — Thu, 19 Jan 2023 16:43:00 GMT

Cisco in their wisdom made a change:

7.0	The following keywords were deprecated: all , connection .

Re: FTD connection troubleshooting command

Pavel Pokorny — Thu, 19 Jan 2023 16:44:47 GMT

> show local-host
Hostname or A.B.C.D Show local host information corresponding to this ip address
brief Enter this keyword for brief information
detail Enter this keyword for detailed information
zone Show local host information based on zone
| Output modifiers
<cr>

As you can see, there is no option for UDP or TCP selection (version 7.0.4)