ASA view configuration changes made from ASDM via CLI?

Alan Inman · ‎01-04-2021

I like the CLI. My counterpart likes ASDM. Sometimes when troubleshooting I need to see if he made any recent changes. What command(s) would I use in the CLI to see recent configuration changes made in the ASDM?

Thank you so much,

Alan

Tyson Joachims · ‎01-04-2021

As far as I'm aware, there is not a way to review those changes. Sometimes when I have the ASDM open for a time and get the message that a change has been made, I'll grab an output of the current running-config and compare it to the last running-config in my backups using a program like CompareIT or the compare utility in Notepad++. I'm sure you could also do this in Linux bash and even script it to occur at regular intervals and notify you if there's any changes. I believe there are already solutions out there that cost money that will do the same thing.

Ideally what you would want is TACACS+ authentication to the ASA with command accounting. That way you could just review the commands that were sent to the ASA from your counterpart's account (I'm hoping you're both using different accounts to login). Cisco's Identity Services Engine (ISE) would do this quite nicely. https://www.ciscopress.com/articles/article.asp?p=1552963&seqNum=6

balaji.bandi · ‎01-05-2021

if can offload the logs - since ASA does not hold big syslog information, if you hve TACACS configured all the commands logged.

you can also do config change backup and compare (like we do always use Tuffin tool that does all automatically).

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help