topic Re: Static Routes on FTD 2130 using CLI in Network Security

Static Routes on FTD 2130 using CLI

Knassi — Fri, 19 Apr 2024 19:18:20 GMT

Has anyone Created statoc route on the FTD sensor via the CLI?

Mine looks like it goes throught bu when i FDM into it, i do not see them.

Any Advice will be appreciated.

Thanks.

Re: Static Routes on FTD 2130 using CLI

Rob Ingram — Fri, 19 Apr 2024 19:24:56 GMT

@Knassi you cannot configure static routes for FTD via the CLI, all management is via the GUI.

Is the next hop valid and the egress interface up?

Re: Static Routes on FTD 2130 using CLI

Knassi — Fri, 19 Apr 2024 19:44:54 GMT

@Rob Ingram

This is what i used:

Step 1: Login to the Command Line Interface (CLI) of the appliance.

Step 2: Access the network-device directory as root user.

--> sudo su – (become root)

--> cd /etc/sysconfig/network-devices

Step 3: Execute the following command to create the necessary configuration file:

touch ifcfg-static-routes ( in case ifcfg-static-routes is missing inside network-devices directory)

Step 4: Execute the following command to add a static route:

echo '<device> <type> <network> <subnet_prefix> <gateway>'

>> /etc/sysconfig/network-devices/ifcfg-static-routes

Step 5: Execute the following command to load the new static routes:

/etc/rc.d/init.d/routes restart

Re: Static Routes on FTD 2130 using CLI

MHM Cisco World — Sat, 20 Apr 2024 11:27:06 GMT

https://community.cisco.com/t5/security-knowledge-base/add-static-route-on-firepower-module/ta-p/3156256

check alternative way to add static route

configure network static-routes ipv4 add eth0 x.x.x.x x.x.x.x x.x.x.x

MHM

Re: Static Routes on FTD 2130 using CLI

Marvin Rhoads — Sat, 20 Apr 2024 06:26:15 GMT

The method you are trying is not supported and should not be used.

The ONLY supported ways are to use the manager (FDM, CDO or FMC) or push via API.

Re: Static Routes on FTD 2130 using CLI

Aref Alsouqi — Sat, 20 Apr 2024 11:44:21 GMT

I think this command would be to add static routes for the management interface, not for the data interfaces.

Re: Static Routes on FTD 2130 using CLI

Marius Gunnerud — Sun, 21 Apr 2024 21:10:56 GMT

Adding configuration such as a static route from the CLI should only be done if access to the management interface is not possible due to a misconfiguration. Then you can add the required configuration to restore connectivity. But, the problem with this is that it is only local to the FTD and will not propagate to the FDM or FMC. This means that any configuration you add in CLI will be overwritten upon the next deployment from FDM or FMC. So to prevent this from happening you would need to add the configuration you added in CLI to the FDM or FMC so it persists through the next deployment.

To add configuration via the CLI do the following:

>expert

# sudo su -

root# cd /ngfw/var/sf/bin

root# LinaConfigTool "route mgmt-interface 10.10.14.0 255.255.255.0 10.10.5.2";

As others have stated, this is not for configuring the FTD, but rather to correct configurations that have caused loss of connectivity to the regular management interface.

Re: Static Routes on FTD 2130 using CLI

Soren Pedersen Nilsson — Sat, 06 Jul 2024 18:54:55 GMT

Thank you for this very useful "backdoor". Never knew it existed, and it saved me today when 2x FP-4112 lost access to a cloud FMC (Azure).