Banner

gunnydaman · ‎02-16-2023

Ok, I am in a pickle here. The security requirments for my Cisco firepower 2140 require a pre-login banner to be posted. As far as I can tell there is not place within the FDM to configure a banner, and when I do it via cli I get the error telling me that configurations can only be made via FDM. So...I am sort stuck here.

Anyone know how to create a banner via smartcli or flex? That is the only way I can think of to get this task done.

Thanks,

Matt

Karsten Iwen · ‎02-16-2023

I am not aware of a way to do that on FDM. But if compliance requests this, you could use the Firewall Management Center FMC. There you can add a banner and also get much better visibility and reporting.

gunnydaman · ‎02-17-2023

Appreciate the solution but I am only using a single firepower, so the FMC seems kinda like overkill to me. But if it comes down to it I may get the VM to make the config lol

Marius Gunnerud · ‎02-16-2023

You should be able to set this in fxos

connect fxos
scope security
scope banner

I don't have an FTD I can test on unfortunately but creating a pre-login-banner here should work.

--
Please remember to select a correct answer and rate helpful posts

Sheraz.Salim · ‎02-16-2023

@Marius Gunnerud I check with 2140 fxos. luckily it give you the options and even let you configure the pre-login and post-login. but when you try to initiate a new ssh the banner never showed up even though the pre and post banner was customize the one I put the banner but sadly nothing show up.

it could be fxos is more robust for 4100 and 9000 series firewalls.

FTD# connect ftd
>
>
>
> show b
banner       bfd          bgp          blocks       bootvar      bridge-group
> show banner
Cisco FPR Series Security Appliance
> connect fxos
You came from FXOS Service Manager. Please enter 'exit' to go back.
> exit
FTD# scope se
security  server
FTD# scope security
FTD /security # scope banner
FTD /security/banner #
  create  Create managed objects
  delete  Delete managed objects
  enter   Enters a managed object
  scope   Changes the current mode
  show    Show system information

FTD /security/banner # delete
  post-login-banner  Post login banner
  pre-login-banner   Pre login banner

FTD /security/banner # delete pre-login-banner
FTD /security/banner* # delete post-login-banner
Error: Managed object doesn't exist
FTD /security/banner* #
  create  Create managed objects
  delete  Delete managed objects
  enter   Enters a managed object
  scope   Changes the current mode
  show    Show system information

FTD /security/banner* # create
  post-login-banner  Post login banner
  pre-login-banner   Pre login banner

FTD /security/banner* # create pre-login-banner
  <CR>

FTD /security/banner* # create pre-login-banner
Warning: discarding previous delete operation for managed object
FTD /security/banner/pre-login-banner #
  clear  Clear managed objects
  set    Set property values
  show   Show system information

FTD /security/banner/pre-login-banner # clear
  message  Message

FTD /security/banner/pre-login-banner # clear message
  <CR>

FTD /security/banner/pre-login-banner # clear message
FTD /security/banner/pre-login-banner* #
  clear  Clear managed objects
  set    Set property values
  show   Show system information

FTD /security/banner/pre-login-banner* # show
  <CR>
  >       Redirect it to a file
  >>      Redirect it to a file in append mode
  detail  Detail
  |       Pipe command output to filter

FTD /security/banner/pre-login-banner* # show detail

Pre login banner:
    Message: Cisco FPR Series Security Appliance

FTD /security/banner/pre-login-banner* #
  clear  Clear managed objects
  set    Set property values
  show   Show system information

FTD /security/banner/pre-login-banner* # set
  message  Message

FTD /security/banner/pre-login-banner* # set message
  <CR>

FTD /security/banner/pre-login-banner* # set message
Enter lines one at a time. Enter ENDOFBUF to finish. Press ^C to abort.
Enter prelogin banner:
>THIS IS SECURE-FIREWALL
>ENDOFBUF
commit-buffer  connect
FTD /security/banner/pre-login-banner* # commit-buffer
Error: Changes not allowed. use: 'connect ftd' to make changes.

please do not forget to rate.

gunnydaman · ‎02-17-2023

I am thinking this as well. I know you can do it using FMC but that feels like a waste for a single firepower 2140.

Karsten Iwen · ‎02-17-2023

The virtual FMC for two firewalls is quite cheap, it just needs some resources on the VM-host.

gunnydaman · ‎02-17-2023

These commands work, however you cannot save the config because the CLI informs you that only configuration done in the FDM can be saved. That is why I was wondering if it could be done via smart CLI or flex config in the FDM. Appreciate the help though.

bgezkovk · ‎09-12-2024

@gunnydaman I don't know if you managed to do set this up, but here is what i do to set prelogin banners for ssh sessions.

SSH into the firewalll.
Then do the following:

> expert
# sudo su
# vim /etc/ssh/sshd_config

/--------------------/
Find the line with the "Banner" option.
you will see that its pointing to /etc/issue
Edit /etc/issue whit the banner message you want.
/-------------------/

# vim /etc/issue

Keep in mind that I'm not sure what /etc/issue is, but it was an empty file so i presume that in some circumstance that files get overwritten by an error message.

Pete P · ‎07-07-2025

Update to issue file is lost after reboot. Please let us know if there is a way to make it stay?

Marvin Rhoads · ‎07-08-2025

FDM can have a pre-login banner since Version 7.7. (Unfortunately it does not help the original poster since the 2100 series is now end of sales and supports nothing higher than version 7.4.x)

It also applies to ssh logins:

See the text "custom login page" found in the release notes here" https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/release-notes/threat-defense/770/threat-defense-release-notes-77.html#new-features-fdm-770