topic Re: FTD 1120 CLI configuration in Network Security

FTD 1120 CLI configuration

gusarodar85 — Mon, 17 Apr 2023 00:01:23 GMT

When I use the system support diagnostic-cli command I don't see the configure terminal command, can these FTDs only be configured using the FTD GUI?

Re: FTD 1120 CLI configuration

Flavio Miranda — Mon, 17 Apr 2023 00:40:09 GMT

Hi,

The CLI in FirePower threat defence device has different modes.

Regular CLI is used for threat defence management system configuration and troubleshooting.
Diagnostic CLI is used for advanced troubleshooting as it has additional show and other commands. To login to this CLI use session wlan console command. To enter Privileged EXEC mode use system support diagnostic -cli command

Expert mode is used only if a documented procedure tells you to do so or if the Cisco technical assistance center asks you to use it. Use ‘expert’ command to enter this mode.

FXOS is also used for configuration and troubleshooting so from FXOS you can enter ‘connect’ command to enter into threat defence console

Re: FTD 1120 CLI configuration

gusarodar85 — Mon, 17 Apr 2023 01:50:55 GMT

Thank you very much for the answer, I have seen these different modes, but my question would be if in any of these modes you can find the configure terminal command to perform the configuration from the CLI as if it were an ASA

Re: FTD 1120 CLI configuration

Rob Ingram — Mon, 17 Apr 2023 05:56:40 GMT

@gusarodar85 no you cannot use the CLI to configure the FTD, you must use the GUI to configure the device. If managed locally using the FDM GUI or centrally using FMC GUI.

The CLI is used for configuring the mgmt interface and troubleshooting.

Re: FTD 1120 CLI configuration

Flavio Miranda — Mon, 17 Apr 2023 06:03:59 GMT

The closer you can get with ASA is usgin flexconfig

But when managed by fmc, the idea is use gui only.

Take a look here.

https://www.lookingpoint.com/blog/ftd-flexconfig

Re: FTD 1120 CLI configuration

Marius Gunnerud — Mon, 17 Apr 2023 09:34:41 GMT

This kind of depends as to what your expectations are when you say configure the FTD from the CLI. The method you should be using, as mentioned by others in this post, is via the GUI. But now lets say you messed up routing on the FTD and have lost connectivity between the FMC and the FMC because management traffic is routed from the management interface via a data interface on the FTD. In this case you can configure routing directly in the CLI (expert mode) but keep in mind that once connection to FMC is re-established you need to correct or add the configuration to the FMC before you deploy again. When you deploy after configuring on the CLI directly, the configuration on the FTD will be overwritten and you will lose the configuration you added on the CLI unless you update the FMC configuration with the relevant configuration.

Enter expert mode:

>expert

# sudo su -

root# cd /ngfw/var/sf/bin

root# LinaConfigTool "route Localport-base 192.168.0 255.255.255.0 172.16.0.254";

Re: FTD 1120 CLI configuration

MHM Cisco World — Mon, 17 Apr 2023 10:10:01 GMT

The initial CLI you access on the Console port differs by device type.

ASA hardware platforms—The CLI on the Console port is the regular threat defense CLI.
Other hardware platforms—The CLI on the Console port is Secure Firewall eXtensible Operating System (FXOS). You can get to the threat defense CLI using the connect command. Use the FXOS CLI for chassis-level configuration and troubleshooting only. For the Firepower 2100, you cannot perform any configuration at the FXOS CLI. Use the threat defense CLI for basic configuration, monitoring, and normal system troubleshooting. See the FXOS documentation for information on FXOS commands for the Firepower 4100 and 9300. See the FXOS troubleshooting guide for information on FXOS commands for other models.

the other hardware platform it CLI is use for FXOS, so there is different between HW platfrom and CLI you can access
but still you can use FlexConfig

Re: FTD 1120 CLI configuration

Marvin Rhoads — Mon, 17 Apr 2023 13:30:26 GMT

There is no "configure terminal" in any interface of and FTD device. Other than a very few seldom used system level commands (and setup of the management interface), all configuration is via the local manager (FDM) or remote manager (FMC) GUI.

If you use cloud-based management (CDO natively or cdFMC) those manage the device using REST API. You can technically do that directly but it's not something customers often do.