cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3041
Views
8
Helpful
10
Replies

Export entire FTD configuration by cli

MaErre21325
Level 1
Level 1

Hello,

i need to export the entire configuration of 2 ftd 2130 managed by FMC, how can i do that?
Is there any possibility to achieve it via CLI?
I would like to have a .txt. file, i didn't find anything on official documentation.

Thank you

Regards

10 Replies 10

Yes you can, just SSH into the FTD, and from the clish mode (>) type "support system diagnostric-cli", then type "enable" and hit enter with no password, and finally "sh run". You can also run "show system:runn" if you want to reveal the passwords of the VPN tunnels in case you have any. Essentially it will be the same syntax as you would do on a normal ASA. One you have the output on the screen, copy and paste it into a text file.

That will show you the LINA configuration, however all the IPS/Snort stuff won't be there - i.e. if you have rules that reference URLs or categories of URLs they won't show in the ACLs and you'll just have some 'any4' and 'rule-id xxxxxxx'

I've had to provide FTD configs as part of a security audit recently and was told there are lots of very relaxed rules - however these are the rules with 'any4' but have IPS/Snort stuff defined elsewhere in the FTD configuration that don't appear with a 'show running-config'.  The command 'show access-control-config' from the main FTD console shows more but its formatted differently and I'm not sure of anything that can parse this output?

 

Maybe the opening of a TAc could be useful?

https://www.youtube.com/watch?v=5Dhkc2aobWo

from FMC is easy I think, from CLI as @andrew.butterworth  mention there are two parts of config one for LINA and other for Snort. 
go with FMC option it better

In this video, we'll be exploring FTD device copy, backup and restore. Device copy is used to easily copy configurations and policies from a pre-configured device to a completely different device while device copy copies the configurations, logs, events, etc and restore them to the same device.

it's useful from the same fmc, but i need to export the config fro a migration so i need the txt file.

i'll try as advised from @Aref Alsouqi  and the i'll check and manually add the missing things as @andrew.butterworth said.

i hope to have at least all routing/object and some acl...

Very good point, I forgot to mention it.

Vicente Miño
Level 1
Level 1

I have a question related to this conversation. It is posible to create a kron(like in Catalyst) or Scheduler(like in Nexus) on an FTD by CLI?
For example, I would like to be able to create an automatic task that copies a show route via sftp to an external server, is this possible?

I was able to do this without problems with Kron, EEM and Schduler in Switches, but in the case of the backups in FMC, the files generated do not come in a format that can be read through a notepad.

I have not tried this, but you could try to create an EEM script using Flexconfig that exports show route on a set schedule.  The alternative would be to create a python script that uses API to fetch the information you are after and call that script in a kron job an a Linux machine.

--
Please remember to select a correct answer and rate helpful posts

Hey @Marius Gunnerud, perfect!

I'm going to check this configuration and tell you how it goes, but I think it could work with a FlexConfig.

Greetings,

Review Cisco Networking for a $25 gift card