Do you think FTD image will eventually allow us to make changes from CLI?

sherazy941
Level 1

Hi,

I just learnt that the new FTD image, which is the future of the Cisco firewalls, does not allow you to make changes from the CLI; all changes must be made from the web-based GUI. I don't like the idea of this at all. I'm really hoping that at some point Cisco will include the ability to do everything from the CLI without using the GUI. Do you see them doing this in the future, or keeping it as it is now and making everyone work from the GUI? I personally love the CLI and would hate to use a GUI.

7 Replies

Marvin Rhoads
Hall of Fame

You can do a few things from the CLI, but most are and will continue to be from the GUI only. Policies are not easily expressed as human-readable CLI configurations.

You will have an increasing number of things you can do from the REST API. One could argue that's a way of accessing the device with some scripted CLI.

Hi Marvin,

Will the foundation of FTD not be ACLs like with the ASA? I hope they don't do the same with the switches ; (

Feel as if all those ASA commands I committed to memory were a waste of time.

Oliver Kaiser
Level 7

It will probably take very, very long for any CLI configuration to emerge (except for some minor tricks to break HA locally from the CLI). The reason is quite simple... software architecture.

Cisco argues that it is because it would be complicated to configure using the CLI, but tbh it's just a technical limitation. Sourcefire configuration has always been through Defense Center (aka FMC), and to add the ASA part in FTD to the mix they just re-used their existing Cisco Security Manager (CSM) code for configuration push and created the frontend for configuration using FMC.

IMO they should have waited one more year, developed the ASA REST interface for feature parity and used that to interface with the ASA code, but they took the easy road and just generate clear-text configuration that is dumped into the ASA part of FTD... Since we only use FMC to configure FTD we shouldn't see what is behind the UI, but it tends to break from time to time :)

If they had had the option of an API-first approach, a unified CLI and UI using the same API calls wouldn't have been much of a problem (see UCS Manager, Juniper's Junos or Palo Alto's firewall), but integrating legacy ASA and CSM code into another solution (Sourcefire) can get tricky, especially if you are under time pressure... I think they will probably re-write much of the existing codebase at some point to get this fixed, but who knows. :)

Nicely put, Oliver.

You should consider blogging this type of analysis / viewpoint.

FTD is more than LINA + the Snort side, like the Elektra SFR module is for ASA software. It's some sort of symbiosis. Actually, there are tons of references from the generated ACL, which is the ACP from the UI, to Snort's objects and back, as there are portions which have to run in Snort, then come back to LINA and back to Snort again, maybe.

For simple up-to-layer-4 ACP rules, which are pushed into LINA, it is not a big deal. But think about the fact that layer 7 rules should be handled by LINA with help of identification from Snort components, like URL and AppID rules.

I don't really see how you would configure these manually in the CLI... Take a look at some medium-complexity ACP that includes users, URLs, URL categories, application IDs, some of them sending the traffic to IPS policies or file policies afterward... and see what you get. Do you think you could handle this manually?

To be honest I see no issue with configuring an ACP via the CLI. Personally I wouldn't do it, because I am lazy and don't want to remember additional syntax, but apart from my personal preference I still stand with my initial argument, which is that the engineering approach taken to unify the two products is not well thought out.

I like Firepower. Good ideas are baked into the product, from both ASA and Sourcefire, but Cisco should have given more thought to the integration.

If an API-first approach had been taken, implementing a usable CLI would be a piece of cake. Both UI + CLI would use the same API calls and users would be free to choose how to manage the solution. Another benefit would be that stuff would fail consistently across the user-exposed API, CLI and UI if it's a backend issue. Fix it once and be done on every front.

Boris Uskov
Level 4

With version 6.2 of FMC you can make some CLI templates with FCM. It is called FlexConfig. Please see the release notes:

http://www.cisco.com/c/en/us/td/docs/security/firepower/620/relnotes/Firepower_System_Release_Notes_Version_620/new_features_and_functionality.html

It seems that Cisco tends towards the GUI rather than the CLI (at least within firewalls).
