topic Re: Banner in Network Security

Banner

gunnydaman — Thu, 16 Feb 2023 13:26:29 GMT

Ok, I am in a pickle here. The security requirments for my Cisco firepower 2140 require a pre-login banner to be posted. As far as I can tell there is not place within the FDM to configure a banner, and when I do it via cli I get the error telling me that configurations can only be made via FDM. So...I am sort stuck here.

Anyone know how to create a banner via smartcli or flex? That is the only way I can think of to get this task done.

Thanks,

Matt

Re: Banner

Karsten Iwen — Thu, 16 Feb 2023 13:33:16 GMT

I am not aware of a way to do that on FDM. But if compliance requests this, you could use the Firewall Management Center FMC. There you can add a banner and also get much better visibility and reporting.

Re: Banner

Marius Gunnerud — Thu, 16 Feb 2023 15:15:36 GMT

You should be able to set this in fxos

connect fxos
scope security
scope banner

I don't have an FTD I can test on unfortunately but creating a pre-login-banner here should work.

Re: Banner

Sheraz.Salim — Thu, 16 Feb 2023 15:56:05 GMT

@Marius Gunnerud I check with 2140 fxos. luckily it give you the options and even let you configure the pre-login and post-login. but when you try to initiate a new ssh the banner never showed up even though the pre and post banner was customize the one I put the banner but sadly nothing show up.

it could be fxos is more robust for 4100 and 9000 series firewalls.

FTD# connect ftd > > > > show b banner bfd bgp blocks bootvar bridge-group > show banner Cisco FPR Series Security Appliance > connect fxos You came from FXOS Service Manager. Please enter 'exit' to go back. > exit FTD# scope se security server FTD# scope security FTD /security # scope banner FTD /security/banner # create Create managed objects delete Delete managed objects enter Enters a managed object scope Changes the current mode show Show system information FTD /security/banner # delete post-login-banner Post login banner pre-login-banner Pre login banner FTD /security/banner # delete pre-login-banner FTD /security/banner* # delete post-login-banner Error: Managed object doesn't exist FTD /security/banner* # create Create managed objects delete Delete managed objects enter Enters a managed object scope Changes the current mode show Show system information FTD /security/banner* # create post-login-banner Post login banner pre-login-banner Pre login banner FTD /security/banner* # create pre-login-banner <CR> FTD /security/banner* # create pre-login-banner Warning: discarding previous delete operation for managed object FTD /security/banner/pre-login-banner # clear Clear managed objects set Set property values show Show system information FTD /security/banner/pre-login-banner # clear message Message FTD /security/banner/pre-login-banner # clear message <CR> FTD /security/banner/pre-login-banner # clear message FTD /security/banner/pre-login-banner* # clear Clear managed objects set Set property values show Show system information FTD /security/banner/pre-login-banner* # show <CR> > Redirect it to a file >> Redirect it to a file in append mode detail Detail | Pipe command output to filter FTD /security/banner/pre-login-banner* # show detail Pre login banner: Message: Cisco FPR Series Security Appliance FTD /security/banner/pre-login-banner* # clear Clear managed objects set Set property values show Show system information FTD /security/banner/pre-login-banner* # set message Message FTD /security/banner/pre-login-banner* # set message <CR> FTD /security/banner/pre-login-banner* # set message Enter lines one at a time. Enter ENDOFBUF to finish. Press ^C to abort. Enter prelogin banner: >THIS IS SECURE-FIREWALL >ENDOFBUF commit-buffer connect FTD /security/banner/pre-login-banner* # commit-buffer Error: Changes not allowed. use: 'connect ftd' to make changes.

Re: Banner

gunnydaman — Fri, 17 Feb 2023 15:28:50 GMT

These commands work, however you cannot save the config because the CLI informs you that only configuration done in the FDM can be saved. That is why I was wondering if it could be done via smart CLI or flex config in the FDM. Appreciate the help though.

Re: Banner

gunnydaman — Fri, 17 Feb 2023 15:29:55 GMT

I am thinking this as well. I know you can do it using FMC but that feels like a waste for a single firepower 2140.

Re: Banner

gunnydaman — Fri, 17 Feb 2023 15:30:38 GMT

Appreciate the solution but I am only using a single firepower, so the FMC seems kinda like overkill to me. But if it comes down to it I may get the VM to make the config lol

Re: Banner

Karsten Iwen — Fri, 17 Feb 2023 15:51:23 GMT

The virtual FMC for two firewalls is quite cheap, it just needs some resources on the VM-host.

Re: Banner

bgezkovk — Thu, 12 Sep 2024 22:00:00 GMT

@gunnydaman I don't know if you managed to do set this up, but here is what i do to set prelogin banners for ssh sessions.

SSH into the firewalll.
Then do the following:

> expert # sudo su # vim /etc/ssh/sshd_config /--------------------/ Find the line with the "Banner" option. you will see that its pointing to /etc/issue Edit /etc/issue whit the banner message you want. /-------------------/ # vim /etc/issue

Keep in mind that I'm not sure what /etc/issue is, but it was an empty file so i presume that in some circumstance that files get overwritten by an error message.

Re: Banner

Pete P — Mon, 07 Jul 2025 16:49:25 GMT

Update to issue file is lost after reboot. Please let us know if there is a way to make it stay?

Re: Banner

Marvin Rhoads — Tue, 08 Jul 2025 16:19:37 GMT

FDM can have a pre-login banner since Version 7.7. (Unfortunately it does not help the original poster since the 2100 series is now end of sales and supports nothing higher than version 7.4.x)

It also applies to ssh logins:

See the text "custom login page" found in the release notes here" https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/release-notes/threat-defense/770/threat-defense-release-notes-77.html#new-features-fdm-770