I have 2 FP-2210 in HA managed by FMC, and I noticed recently that one of the firewalls has no valid SSH credentials, based on the KeePass.
I want to recover that specific firewall's CLI password without a reboot so I won't bother production with tickets.
Is there a backdoor to create a new admin account or reset the account of that firewall from FMC?
For FTD devices running on Firepower 1000/2100, you must reimage the device for a password reset, though you could console into FTD and create a new user for CLI login:
firepower1# connect ftd
> configure user add <username> <basic/config>
P.S. Please rate helpful posts.
@Dinesh Moudgil thank you for the details.
I'm pretty new with FTDs and FMC.
This is the output from FTD:
Model : Cisco ASA5508-X Threat Defense (75) Version 6.6.1 (Build 91)
It's managed by an FMC, and I don't have credentials to access it.
I tried the cmd above for connect ftd and it didn't work.
Resetting the admin password requires reimaging. Reimaging can only be done from a console or SSH session.
Adding a new user can be done without reimaging; but it does require console access.
Neither can be done from FMC per se. We can allow ssh user access to FTD for externally authenticated users via FMC settings, but that does not cover the admin user.
@Marvin Rhoads sorry for my late reply. The problem of not having admin creds isn't a show-stopper at the moment as long as we can fully manage by FMC.
SSH access is a must for me, so I need to keep working on that.
The FPR-2100 whose SSH account I'm missing (the primary FW) is running in HA mode with another FPR-2100 (the secondary FW) that is fully accessible, and both are managed via FMC.
So, since reimaging will lose my firewall config, do you think FMC will keep the configuration of my primary firewall? I'm thinking about promoting the secondary FW to Active status and reimaging the affected one, but I want to make sure that once I provide the IP address and connect the firewall back to FMC, it will sync all config and get back to normal (and of course force it to be active again).
What do you think here?
There is a procedure to replace a firewall in an HA pair - reference the configuration guide for details. If you follow it, you can break HA, leave the secondary as active and reimage (essentially replace) the primary. You then rebuild HA as if from scratch after bootstrapping the reimaged unit. It will sync the config from the secondary-active unit (which will be the new primary-active actually since it has the valid config).