02-16-2023 05:26 AM
Ok, I am in a pickle here. The security requirements for my Cisco Firepower 2140 require a pre-login banner to be posted. As far as I can tell there is no place within the FDM to configure a banner, and when I do it via CLI I get the error telling me that configurations can only be made via FDM. So... I am sort of stuck here.
Anyone know how to create a banner via Smart CLI or FlexConfig? That is the only way I can think of to get this task done.
Thanks,
Matt
02-16-2023 05:33 AM
I am not aware of a way to do that on FDM. But if compliance requests this, you could use the Firewall Management Center (FMC). There you can add a banner and also get much better visibility and reporting.
02-17-2023 07:30 AM
Appreciate the solution, but I am only using a single Firepower, so the FMC seems kinda like overkill to me. But if it comes down to it, I may get the VM to make the config, lol.
02-16-2023 07:15 AM
You should be able to set this in FXOS:
connect fxos
scope security
scope banner
I don't have an FTD I can test on, unfortunately, but creating a pre-login-banner here should work.
02-16-2023 07:47 AM - edited 02-16-2023 07:56 AM
@Marius Gunnerud I checked with the 2140 FXOS. Luckily it gives you the options and even lets you configure the pre-login and post-login banners. But when you try to initiate a new SSH session the banner never showed up, even though the pre and post banners were customized; I put in the banner, but sadly nothing shows up.
It could be that FXOS is more robust on the 4100 and 9000 series firewalls.
FTD# connect ftd
>
>
>
> show b
banner bfd bgp blocks bootvar bridge-group
> show banner
Cisco FPR Series Security Appliance
> connect fxos
You came from FXOS Service Manager. Please enter 'exit' to go back.
> exit
FTD# scope se
security server
FTD# scope security
FTD /security # scope banner
FTD /security/banner #
create Create managed objects
delete Delete managed objects
enter Enters a managed object
scope Changes the current mode
show Show system information
FTD /security/banner # delete
post-login-banner Post login banner
pre-login-banner Pre login banner
FTD /security/banner # delete pre-login-banner
FTD /security/banner* # delete post-login-banner
Error: Managed object doesn't exist
FTD /security/banner* #
create Create managed objects
delete Delete managed objects
enter Enters a managed object
scope Changes the current mode
show Show system information
FTD /security/banner* # create
post-login-banner Post login banner
pre-login-banner Pre login banner
FTD /security/banner* # create pre-login-banner
<CR>
FTD /security/banner* # create pre-login-banner
Warning: discarding previous delete operation for managed object
FTD /security/banner/pre-login-banner #
clear Clear managed objects
set Set property values
show Show system information
FTD /security/banner/pre-login-banner # clear
message Message
FTD /security/banner/pre-login-banner # clear message
<CR>
FTD /security/banner/pre-login-banner # clear message
FTD /security/banner/pre-login-banner* #
clear Clear managed objects
set Set property values
show Show system information
FTD /security/banner/pre-login-banner* # show
<CR>
> Redirect it to a file
>> Redirect it to a file in append mode
detail Detail
| Pipe command output to filter
FTD /security/banner/pre-login-banner* # show detail
Pre login banner:
Message: Cisco FPR Series Security Appliance
FTD /security/banner/pre-login-banner* #
clear Clear managed objects
set Set property values
show Show system information
FTD /security/banner/pre-login-banner* # set
message Message
FTD /security/banner/pre-login-banner* # set message
<CR>
FTD /security/banner/pre-login-banner* # set message
Enter lines one at a time. Enter ENDOFBUF to finish. Press ^C to abort.
Enter prelogin banner:
>THIS IS SECURE-FIREWALL
>ENDOFBUF
commit-buffer connect
FTD /security/banner/pre-login-banner* # commit-buffer
Error: Changes not allowed. use: 'connect ftd' to make changes.
02-17-2023 07:29 AM
I am thinking this as well. I know you can do it using FMC, but that feels like a waste for a single Firepower 2140.
02-17-2023 07:51 AM
The virtual FMC for two firewalls is quite cheap; it just needs some resources on the VM host.
02-17-2023 07:28 AM
These commands work; however, you cannot save the config, because the CLI informs you that only configuration done in the FDM can be saved. That is why I was wondering if it could be done via Smart CLI or FlexConfig in the FDM. Appreciate the help though.
09-12-2024 02:59 PM - edited 09-12-2024 03:00 PM
@gunnydaman I don't know if you managed to set this up, but here is what I do to set pre-login banners for SSH sessions.
SSH into the firewall.
Then do the following:
> expert
# sudo su
# vim /etc/ssh/sshd_config
/--------------------/
Find the line with the "Banner" option.
You will see that it's pointing to /etc/issue.
Edit /etc/issue with the banner message you want.
/-------------------/
# vim /etc/issue
Keep in mind that I'm not sure what /etc/issue is, but it was an empty file, so I presume that in some circumstances that file gets overwritten by an error message.
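Since the post above is unsure whether /etc/issue stays populated, here is an added audit script (not from any poster, and not Cisco's code) that reads an sshd_config, follows its Banner directive and reports whether a non-empty banner file is actually in place; rerun it after a reboot or upgrade to confirm the banner survived. It assumes the sshd_config path is passed in and that sshd's first-match rule for Banner applies; the fixtures in the demo are constructed.

```shell
#!/bin/sh
# Added example: check that sshd will really present a pre-login banner.
# sshd honours the FIRST uncommented "Banner" line; "Banner none" disables it;
# a directive pointing at a missing or empty file displays nothing at all.

# ssh_banner_check CONFIG_PATH -> prints a status token; exit 0 only when a
# non-empty banner file is configured.
ssh_banner_check() {
    cfg="$1"
    [ -r "$cfg" ] || { echo "MISSING_CONFIG:$cfg"; return 2; }
    # First non-comment Banner keyword wins; the keyword is case-insensitive.
    # (Banner lines inside Match blocks are not distinguished here.)
    target=$(awk 'tolower($1) == "banner" { print $2; exit }' "$cfg")
    if [ -z "$target" ];       then echo "NO_BANNER_DIRECTIVE";          return 1; fi
    if [ "$target" = "none" ]; then echo "BANNER_DISABLED";              return 1; fi
    if [ ! -f "$target" ];     then echo "BANNER_FILE_MISSING:$target";  return 1; fi
    if [ ! -s "$target" ];     then echo "BANNER_FILE_EMPTY:$target";    return 1; fi
    echo "OK:$target"
}

# ssh_banner_demo: constructed fixtures in a temp dir mirroring the thread's
# case (Banner -> issue file that is empty) and the fixed state.
ssh_banner_demo() {
    d=$(mktemp -d)
    # Constructed sshd_config: commented default, then a live Banner line.
    printf '#Banner none\nPort 22\nBanner %s/issue\n' "$d" > "$d/sshd_config"
    : > "$d/issue"                                    # empty, like the post found
    ssh_banner_check "$d/sshd_config" || :            # BANNER_FILE_EMPTY:...
    printf 'THIS IS SECURE-FIREWALL\n' > "$d/issue"   # banner text from the thread
    ssh_banner_check "$d/sshd_config" || :            # OK:.../issue
    rm -rf "$d"
}

ssh_banner_demo
```

On a live box, point it at the real sshd_config (on the FTD the poster found it under /etc/ssh/sshd_config) and schedule it so a silently emptied /etc/issue is caught rather than discovered at the next audit.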