Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3034
Views
8
Helpful
10
Replies

Export entire FTD configuration by cli

MaErre21325
Level 1
Level 1

‎06-30-2023 03:53 AM

Hello,

i need to export the entire configuration of 2 ftd 2130 managed by FMC, how can i do that?
Is there any possibility to achieve it via CLI?
I would like to have a .txt. file, i didn't find anything on official documentation.

Thank you

Regards

10 Replies 10

Aref Alsouqi
VIP
VIP

‎06-30-2023 04:02 AM - edited ‎06-30-2023 04:05 AM

Yes you can, just SSH into the FTD, and from the clish mode (>) type "support system diagnostric-cli", then type "enable" and hit enter with no password, and finally "sh run". You can also run "show system:runn" if you want to reveal the passwords of the VPN tunnels in case you have any. Essentially it will be the same syntax as you would do on a normal ASA. One you have the output on the screen, copy and paste it into a text file.

andrew.butterworth
Level 7
Level 7
In response to Aref Alsouqi

‎06-30-2023 06:54 AM

That will show you the LINA configuration, however all the IPS/Snort stuff won't be there - i.e. if you have rules that reference URLs or categories of URLs they won't show in the ACLs and you'll just have some 'any4' and 'rule-id xxxxxxx'

I've had to provide FTD configs as part of a security audit recently and was told there are lots of very relaxed rules - however these are the rules with 'any4' but have IPS/Snort stuff defined elsewhere in the FTD configuration that don't appear with a 'show running-config'.  The command 'show access-control-config' from the main FTD console shows more but its formatted differently and I'm not sure of anything that can parse this output?

 

MaErre21325
Level 1
Level 1
In response to andrew.butterworth

‎06-30-2023 07:42 AM

Maybe the opening of a TAc could be useful?

MHM Cisco World
VIP
VIP
In response to MaErre21325

‎06-30-2023 07:56 AM

https://www.youtube.com/watch?v=5Dhkc2aobWo

from FMC is easy I think, from CLI as @andrew.butterworth  mention there are two parts of config one for LINA and other for Snort. 
go with FMC option it better

Copying, Backing Up, and Restoring FTD Device Configuration
Copying, Backing Up, and Restoring FTD Device Configuration
youtube.com/watch?v=5Dhkc2aobWo
In this video, we'll be exploring FTD device copy, backup and restore. Device copy is used to easily copy configurations and policies from a pre-configured device to a completely different device while device copy copies the configurations, logs, events, etc and restore them to the same device.
0 Helpful

MaErre21325
Level 1
Level 1
In response to MHM Cisco World

‎06-30-2023 08:22 AM

it's useful from the same fmc, but i need to export the config fro a migration so i need the txt file.

i'll try as advised from @Aref Alsouqi  and the i'll check and manually add the missing things as @andrew.butterworth said.

i hope to have at least all routing/object and some acl...

0 Helpful

Aref Alsouqi
VIP
VIP
In response to andrew.butterworth

‎06-30-2023 08:05 AM

Very good point, I forgot to mention it.

0 Helpful

Vicente Miño
Level 1
Level 1

‎08-28-2024 12:29 PM

I have a question related to this conversation. It is posible to create a kron(like in Catalyst) or Scheduler(like in Nexus) on an FTD by CLI?
For example, I would like to be able to create an automatic task that copies a show route via sftp to an external server, is this possible?

I was able to do this without problems with Kron, EEM and Schduler in Switches, but in the case of the backups in FMC, the files generated do not come in a format that can be read through a notepad.

0 Helpful

Marius Gunnerud
VIP
VIP
In response to Vicente Miño

‎08-28-2024 11:44 PM

I have not tried this, but you could try to create an EEM script using Flexconfig that exports show route on a set schedule.  The alternative would be to create a python script that uses API to fetch the information you are after and call that script in a kron job an a Linux machine.

--
Please remember to select a correct answer and rate helpful posts

Vicente Miño
Level 1
Level 1
In response to Marius Gunnerud

‎08-29-2024 08:07 AM

Hey @Marius Gunnerud, perfect!

I'm going to check this configuration and tell you how it goes, but I think it could work with a FlexConfig.

Greetings,

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card