topic Re: Export entire FTD configuration by cli in Network Security

Export entire FTD configuration by cli

MaErre21325 — Fri, 30 Jun 2023 10:53:31 GMT

Hello,

i need to export the entire configuration of 2 ftd 2130 managed by FMC, how can i do that?
Is there any possibility to achieve it via CLI?
I would like to have a .txt. file, i didn't find anything on official documentation.

Thank you

Regards

Re: Export entire FTD configuration by cli

Aref Alsouqi — Fri, 30 Jun 2023 11:05:18 GMT

Yes you can, just SSH into the FTD, and from the clish mode (>) type "support system diagnostric-cli", then type "enable" and hit enter with no password, and finally "sh run". You can also run "show system:runn" if you want to reveal the passwords of the VPN tunnels in case you have any. Essentially it will be the same syntax as you would do on a normal ASA. One you have the output on the screen, copy and paste it into a text file.

Re: Export entire FTD configuration by cli

andrew.butterworth — Fri, 30 Jun 2023 13:54:28 GMT

That will show you the LINA configuration, however all the IPS/Snort stuff won't be there - i.e. if you have rules that reference URLs or categories of URLs they won't show in the ACLs and you'll just have some 'any4' and 'rule-id xxxxxxx'

I've had to provide FTD configs as part of a security audit recently and was told there are lots of very relaxed rules - however these are the rules with 'any4' but have IPS/Snort stuff defined elsewhere in the FTD configuration that don't appear with a 'show running-config'. The command 'show access-control-config' from the main FTD console shows more but its formatted differently and I'm not sure of anything that can parse this output?

Re: Export entire FTD configuration by cli

MaErre21325 — Fri, 30 Jun 2023 14:42:23 GMT

Maybe the opening of a TAc could be useful?

Re: Export entire FTD configuration by cli

MHM Cisco World — Fri, 30 Jun 2023 14:56:06 GMT

https://www.youtube.com/watch?v=5Dhkc2aobWo

from FMC is easy I think, from CLI as @andrew.butterworth mention there are two parts of config one for LINA and other for Snort.
go with FMC option it better

Re: Export entire FTD configuration by cli

Aref Alsouqi — Fri, 30 Jun 2023 15:05:34 GMT

Very good point, I forgot to mention it.

Re: Export entire FTD configuration by cli

MaErre21325 — Fri, 30 Jun 2023 15:22:29 GMT

it's useful from the same fmc, but i need to export the config fro a migration so i need the txt file.

i'll try as advised from @Aref Alsouqi and the i'll check and manually add the missing things as @andrew.butterworth said.

i hope to have at least all routing/object and some acl...

Re: Export entire FTD configuration by cli

MHM Cisco World — Fri, 30 Jun 2023 15:32:51 GMT

https://www.cisco.com/c/en/us/td/docs/security/firepower/ftd-api/guide/ftd-rest-api/ftd-api-import-export.html

check this, BUT I really dont use before

Re: Export entire FTD configuration by cli

Vix-O-Ren — Wed, 28 Aug 2024 19:29:58 GMT

I have a question related to this conversation. It is posible to create a kron(like in Catalyst) or Scheduler(like in Nexus) on an FTD by CLI?
For example, I would like to be able to create an automatic task that copies a show route via sftp to an external server, is this possible?

I was able to do this without problems with Kron, EEM and Schduler in Switches, but in the case of the backups in FMC, the files generated do not come in a format that can be read through a notepad.

Re: Export entire FTD configuration by cli

Marius Gunnerud — Thu, 29 Aug 2024 06:44:06 GMT

I have not tried this, but you could try to create an EEM script using Flexconfig that exports show route on a set schedule. The alternative would be to create a python script that uses API to fetch the information you are after and call that script in a kron job an a Linux machine.

Re: Export entire FTD configuration by cli

Vix-O-Ren — Thu, 29 Aug 2024 15:07:23 GMT

Hey @Marius Gunnerud, perfect!

I'm going to check this configuration and tell you how it goes, but I think it could work with a FlexConfig.

Greetings,