Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5609
Views
9
Helpful
10
Replies

Export entire FTD configuration by cli

MaErre21325
Level 1
Level 1

‎06-30-2023 03:53 AM

Hello,

i need to export the entire configuration of 2 ftd 2130 managed by FMC, how can i do that?
Is there any possibility to achieve it via CLI?
I would like to have a .txt. file, i didn't find anything on official documentation.

Thank you

Regards

10 Replies 10

Aref Alsouqi
VIP
VIP

‎06-30-2023 04:02 AM - edited ‎06-30-2023 04:05 AM

Yes you can, just SSH into the FTD, and from the clish mode (>) type "support system diagnostric-cli", then type "enable" and hit enter with no password, and finally "sh run". You can also run "show system:runn" if you want to reveal the passwords of the VPN tunnels in case you have any. Essentially it will be the same syntax as you would do on a normal ASA. One you have the output on the screen, copy and paste it into a text file.

andrew.butterworth
Level 7
Level 7
In response to Aref Alsouqi

‎06-30-2023 06:54 AM

That will show you the LINA configuration, however all the IPS/Snort stuff won't be there - i.e. if you have rules that reference URLs or categories of URLs they won't show in the ACLs and you'll just have some 'any4' and 'rule-id xxxxxxx'

I've had to provide FTD configs as part of a security audit recently and was told there are lots of very relaxed rules - however these are the rules with 'any4' but have IPS/Snort stuff defined elsewhere in the FTD configuration that don't appear with a 'show running-config'.  The command 'show access-control-config' from the main FTD console shows more but its formatted differently and I'm not sure of anything that can parse this output?

 

MaErre21325
Level 1
Level 1
In response to andrew.butterworth

‎06-30-2023 07:42 AM

Maybe the opening of a TAc could be useful?

MHM Cisco World
VIP
VIP
In response to MaErre21325

‎06-30-2023 07:56 AM

https://www.youtube.com/watch?v=5Dhkc2aobWo

from FMC is easy I think, from CLI as @andrew.butterworth  mention there are two parts of config one for LINA and other for Snort. 
go with FMC option it better

0 Helpful

MaErre21325
Level 1
Level 1
In response to MHM Cisco World

‎06-30-2023 08:22 AM

it's useful from the same fmc, but i need to export the config fro a migration so i need the txt file.

i'll try as advised from @Aref Alsouqi  and the i'll check and manually add the missing things as @andrew.butterworth said.

i hope to have at least all routing/object and some acl...

0 Helpful

Aref Alsouqi
VIP
VIP
In response to andrew.butterworth

‎06-30-2023 08:05 AM

Very good point, I forgot to mention it.

0 Helpful

Vix-O-Ren
Level 1
Level 1

‎08-28-2024 12:29 PM

I have a question related to this conversation. It is posible to create a kron(like in Catalyst) or Scheduler(like in Nexus) on an FTD by CLI?
For example, I would like to be able to create an automatic task that copies a show route via sftp to an external server, is this possible?

I was able to do this without problems with Kron, EEM and Schduler in Switches, but in the case of the backups in FMC, the files generated do not come in a format that can be read through a notepad.

0 Helpful

Marius Gunnerud
VIP
VIP
In response to Vix-O-Ren

‎08-28-2024 11:44 PM

I have not tried this, but you could try to create an EEM script using Flexconfig that exports show route on a set schedule.  The alternative would be to create a python script that uses API to fetch the information you are after and call that script in a kron job an a Linux machine.

--
Please remember to select a correct answer and rate helpful posts

Vix-O-Ren
Level 1
Level 1
In response to Marius Gunnerud

‎08-29-2024 08:07 AM

Hey @Marius Gunnerud, perfect!

I'm going to check this configuration and tell you how it goes, but I think it could work with a FlexConfig.

Greetings,

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card