Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2042
Views
1
Helpful
5
Replies

Enable_1 user on FTD

systems100
Level 1
Level 1

‎11-02-2022 07:10 AM

Dears,

I found the following log amongst the email received from our FTD:

<173>:Nov 02 2022 12:44:28: %FTD-config-5-111010: User 'enable_1', running 'N/A' from IP 0.0.0.0, executed 'copy /noconfirm system:running-config disk0:/running-config-backup.txt'

And as at this time on the timestamp i didn't make any change on the firewall or run a backup on the firewall.

Please what does this command mean and also the enable_1 is it the default admin user on the FTD device or another user

0 Helpful
5 Replies 5

balaji.bandi
Hall of Fame
Hall of Fame

‎11-02-2022 07:25 AM

%FTD-config-5-111010   - check more logs, the command trying to copy config backup.

111010

Error Message %FTD-5-111010: User username , running application-name from IP ip addr , executed cmd

Explanation A user made a configuration change.

  • username —The user making the configuration change
  • application-name —The application that the user is running
  • ip addr —The IP address of the management station
  • cmd —The command that the user has executed

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

systems100
Level 1
Level 1
In response to balaji.bandi

‎11-02-2022 08:13 AM

There is no such user as enable_1 on the device.

So where could this be coming from.

Or could it be e that the device is running an ASA image alongside the FTD image and the is a unknown user running some configuration on the asa.

From my experience with FTD, it is not possible to issue such command as this 'copy /noconfirm system:running-config disk0:/running-config-backup.txt' on the FTD cli interface expect via expert mode.

what do you think?.

 

0 Helpful

buffkata
Level 1
Level 1

‎11-02-2022 08:10 AM

Enable_1 ...Enable_15 are the default admin users on the FTD. Not sure why it behaves like that but that has always been the case even when I logged in with local username( not the default admin).

https://quickview.cloudapps.cisco.com/quickview/bug/CSCvi23216

 

systems100
Level 1
Level 1
In response to buffkata

‎11-02-2022 08:43 AM

Do you mean when you login to the ftd as another user the log displays the user as Enable_1............Enable_15?

Also have come across such situation before where you find an activity carried out by a user you didn't create or does not exist on your firewall?.

Also am surprised that such command is showing on the ftd, since i know fully well the commands that demands global config privilege can not be carried out on the ftd clish or lian cli mode but all configs has to come via deployment from the FMC.

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to systems100

‎11-03-2022 08:57 AM

Is there possibly a scheduled device backup task in your FMC? That would result in the log message you cited.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card