Finding ACLS in FMC

JJEOROME
Level 1

Ok, I have to admit I am an old CLI guy and a mediocre FW guy at best anyway. So, saying that, I can see specific ACLs when I issue the "show access-list" command on the CLI on my FWs. However, since this is Firepower/FMC we have to use FMC to modify them. For the life of me I can't find THEM!!! I have no problem identifying objects, ports and policies, but specific ACLs might as well be on the Dead Sea Scrolls. I checked all the docs and I just can't find it. Help!!

7 Replies

Hi,
In the FMC you configure what you refer to as the ACLs in an Access Control Policy (ACP). In the FMC you navigate to Policies > Access Control > Access Control.

HTH

Hello JJEOROME,


As RJI says, the main access lists are found under Policies > Access Control.

If you are looking for other standard or extended ACLs (e.g. for identifying split tunnels or VPN filters) you need to look under the main OBJECTS tab. On the left you will find a section for standard and extended access lists.

Hope this helps,

Matt.

Abheesh Kumar
VIP Alumni

Hi,
In FTD you can create ACLs in two ways: Access Control Policy and Pre-Filter Policy.
You can check the ACLs from FMC:

Policy > Access Control Policy

Policy > Pre-Filter Policy

FTD is not as easy to manage as ASA, as most folks are used to managing via the CLI for configuration and troubleshooting. In the FTD case everything has changed: we need to do all the configuration/verification via the management console, and we can troubleshoot via the FTD CLI.


HTH

Abheesh

You can still run the "show access-list" or "show running-config access-list" command from the LINA CLI of the FTD device. However, you can only view the ACL and not edit it from there. (Unless you know the super-secret TAC method :))

Also note that the ACL in FTD is global, so you don’t need to use a different ACL per interface.
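Since the LINA CLI is read-only for the ACL, the practical question is how to map what "show access-list" prints back to the rules you edit in the FMC Access Control Policy. FTD does this for you through the "remark rule-id N: ACCESS POLICY: ..." and "remark rule-id N: L4 RULE: ..." lines that precede each group of ACEs. The following parser is an added example written for this thread, not code from the thread or from Cisco; the sample output, rule IDs, names and hit counts are constructed, and the regular expressions assume the remark layout just described.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of "show access-list" output from an FTD LINA CLI.
# Rule IDs, names and hit counts are made up for this example.
SAMPLE_OUTPUT = """\
access-list CSM_FW_ACL_; 5 elements; name hash: 0x4a69e3f3
access-list CSM_FW_ACL_ line 1 remark rule-id 268434432: ACCESS POLICY: Example_ACP - Mandatory
access-list CSM_FW_ACL_ line 2 remark rule-id 268434432: L4 RULE: Allow_Web
access-list CSM_FW_ACL_ line 3 advanced permit tcp any any eq www rule-id 268434432 (hitcnt=125) 0x1a2b3c4d
access-list CSM_FW_ACL_ line 4 advanced permit tcp any any eq https rule-id 268434432 (hitcnt=980) 0x2b3c4d5e
access-list CSM_FW_ACL_ line 5 remark rule-id 268434433: ACCESS POLICY: Example_ACP - Mandatory
access-list CSM_FW_ACL_ line 6 remark rule-id 268434433: L4 RULE: Block_Telnet
access-list CSM_FW_ACL_ line 7 advanced deny tcp any any eq telnet rule-id 268434433 event-log both (hitcnt=0) 0x3c4d5e6f
access-list CSM_FW_ACL_ line 8 remark rule-id 268434434: ACCESS POLICY: Example_ACP - Default
access-list CSM_FW_ACL_ line 9 remark rule-id 268434434: L4 RULE: DEFAULT ACTION RULE
access-list CSM_FW_ACL_ line 10 advanced deny ip any any rule-id 268434434 (hitcnt=42) 0x4d5e6f70
"""


@dataclass
class Ace:
    line: int       # "line N" as printed by the CLI
    action: str     # permit / deny / trust
    match: str      # protocol, source, destination text as printed
    hitcnt: int


@dataclass
class FmcRule:
    rule_id: int
    policy: str = ""     # ACP name from the "ACCESS POLICY:" remark
    section: str = ""    # Mandatory / Default
    name: str = ""       # rule name from the "L4 RULE:" / "L7 RULE:" remark
    aces: list = field(default_factory=list)

    def total_hits(self) -> int:
        return sum(a.hitcnt for a in self.aces)


# Remark lines carry the FMC metadata; ACE lines carry the actual match and hit count.
REMARK_RE = re.compile(
    r"^access-list \S+ line (\d+) remark rule-id (\d+): ([A-Z0-9 ]+?): (.*)$")
ACE_RE = re.compile(
    r"^access-list \S+ line (\d+) advanced (\w+) (.+?) rule-id (\d+).*?\(hitcnt=(\d+)\)")


def parse_show_access_list(text: str) -> dict:
    """Group the CLI output by FMC rule-id, keyed by the integer rule id."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = REMARK_RE.match(line)
        if m:
            _, rid, kind, rest = m.groups()
            rule = rules.setdefault(int(rid), FmcRule(int(rid)))
            if kind == "ACCESS POLICY":
                # Format: "<policy name> - <Mandatory|Default>"
                policy, sep, section = rest.rpartition(" - ")
                if not sep:
                    policy, section = rest, ""
                rule.policy, rule.section = policy, section
            elif kind.endswith("RULE"):
                rule.name = rest
            continue
        m = ACE_RE.match(line)
        if m:
            lno, action, match, rid, hits = m.groups()
            rule = rules.setdefault(int(rid), FmcRule(int(rid)))
            rule.aces.append(Ace(int(lno), action, match, int(hits)))
    return rules


def rule_for_line(rules: dict, line_no: int):
    """Map a 'show access-list' line number back to its FMC rule, or None."""
    for rule in rules.values():
        if any(a.line == line_no for a in rule.aces):
            return rule
    return None


def unused_rules(rules: dict) -> list:
    """Rules whose ACEs have never matched traffic: candidates to review in the ACP."""
    return [r for r in rules.values() if r.aces and r.total_hits() == 0]


if __name__ == "__main__":
    parsed = parse_show_access_list(SAMPLE_OUTPUT)
    for r in parsed.values():
        print(f"rule-id {r.rule_id}  {r.policy}/{r.section}  {r.name!r}  hits={r.total_hits()}")
    print("never hit:", [r.name for r in unused_rules(parsed)])
```

Paste real output in place of SAMPLE_OUTPUT (or feed it from a file) and the rule names printed are the ones you search for in Policies > Access Control > Access Control in the FMC; the hit counts make it easy to spot rules that have never matched and may be worth cleaning up.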

@Chess Norris (Unless you know the super-secret TAC method :))


Is there a way like this...?????

@Chess Norris kindly please share this super command with us too.

please do not forget to rate.

TAC helped us with this before when one FTD 4100 appliance went berserk after an FXOS upgrade and shut down all sub-interfaces (including the management interface) of the device.

This resulted in us losing all communication between the FMC and the FTD, and there was no way we could bring the interfaces up again from the FMC.

To resolve this, TAC had to get config access from the CLI and manually do a “no shut” on all sub interfaces.

I am not sure exactly how they did it, but it was a quite complicated process and you had to modify the /mnt/disk0/enable_configure file from expert mode.

You will then get a warning message when you type the "config terminal" command saying something like "This command is not supported and should not be used".

I therefore don't recommend that anyone mess with this. The chance that you will end up with a broken configuration is probably huge, and you will most likely not be getting any help from TAC.
