
Enable_1 user on FTD

systems100
Level 1

Dears,

I found the following log amongst the email received from our FTD:

<173>:Nov 02 2022 12:44:28: %FTD-config-5-111010: User 'enable_1', running 'N/A' from IP 0.0.0.0, executed 'copy /noconfirm system:running-config disk0:/running-config-backup.txt'

At the time of that timestamp, I didn't make any change on the firewall or run a backup on the firewall.

Please, what does this command mean? Also, is enable_1 the default admin user on the FTD device, or another user?

5 Replies

balaji.bandi
Hall of Fame

%FTD-config-5-111010 - check more logs; the command is trying to copy a config backup.

111010

Error Message: %FTD-5-111010: User username, running application-name from IP ip addr, executed cmd

Explanation: A user made a configuration change.

  • username —The user making the configuration change
  • application-name —The application that the user is running
  • ip addr —The IP address of the management station
  • cmd —The command that the user has executed

BB


There is no such user as enable_1 on the device.

So where could this be coming from?

Or could it be that the device is running an ASA image alongside the FTD image and there is an unknown user running some configuration on the ASA?

From my experience with FTD, it is not possible to issue a command such as 'copy /noconfirm system:running-config disk0:/running-config-backup.txt' on the FTD CLI interface except via expert mode.

What do you think?

 

buffkata
Level 1

Enable_1 ... Enable_15 are the default admin users on the FTD. Not sure why it behaves like that, but that has always been the case even when I logged in with a local username (not the default admin).

https://quickview.cloudapps.cisco.com/quickview/bug/CSCvi23216

 

Do you mean that when you log in to the FTD as another user, the log displays the user as Enable_1 ... Enable_15?

Also, have you come across such a situation before, where you find an activity carried out by a user you didn't create or that does not exist on your firewall?

Also, I am surprised that such a command is showing on the FTD, since I know full well that commands that demand global config privilege cannot be carried out in the FTD clish or lina CLI mode; all configs have to come via deployment from the FMC.

Is there possibly a scheduled device backup task in your FMC? That would result in the log message you cited.
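An added example, not part of any reply in this thread: a Python sketch that parses 111010 messages in the format quoted earlier and lists the events that carry only an enable_N user name and the 0.0.0.0 address, which are the ones to cross-check against scheduled jobs such as the FMC backup task suggested above. The function names and the second and third sample lines are constructed for illustration.

```python
import re
from datetime import datetime

# Matches both the documented form (%FTD-5-111010) and the form seen in the
# posted log (%FTD-config-5-111010).
MSG_111010 = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%FTD-(?:\w+-)?5-111010: User '(?P<user>[^']*)', "
    r"running '(?P<app>[^']*)' from IP (?P<ip>\S+), "
    r"executed '(?P<cmd>.*)'\s*$"
)
GENERIC_USER = re.compile(r"enable_\d+$", re.IGNORECASE)


def parse_111010(line):
    """Return the fields of one 111010 message, or None for any other line."""
    m = MSG_111010.search(line)
    if m is None:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%b %d %Y %H:%M:%S")
    return event


def unattributed(events):
    """Events with an enable_N user and no management station address.

    The message alone cannot tie these to a named account, so they are the
    ones to correlate with scheduled tasks or manager deployments.
    """
    return [e for e in events
            if GENERIC_USER.match(e["user"]) and e["ip"] == "0.0.0.0"]


# Line 1 is the message from the original post; lines 2-3 are constructed.
SAMPLE = """\
<173>:Nov 02 2022 12:44:28: %FTD-config-5-111010: User 'enable_1', running 'N/A' from IP 0.0.0.0, executed 'copy /noconfirm system:running-config disk0:/running-config-backup.txt'
<173>:Nov 02 2022 13:01:09: %FTD-5-111010: User 'jdoe', running 'CLI' from IP 192.0.2.10, executed 'logging enable'
<174>:Nov 02 2022 13:02:00: %FTD-6-000000: constructed line that is not a 111010 message
"""

if __name__ == "__main__":
    events = [e for e in map(parse_111010, SAMPLE.splitlines()) if e]
    for e in unattributed(events):
        print(e["ts"].isoformat(), e["user"], e["cmd"])
```

The parsed timestamps can then be compared against the manager's scheduled task times and deployment history to account for each flagged event.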
