3078 Views, 25 Helpful, 12 Replies

Firepower CLI password recovery via FMC

AyoubC
Level 1

Hello Folks, 

I have 2 FP-2210s in HA managed by FMC, and I noticed recently that one of the firewalls has no valid SSH credentials, based on the KeePass.

I want to recover that specific firewall's CLI password without a reboot, so I won't bother production with tickets.

Is there a backdoor to create a new admin account or reset the account of that firewall from FMC?

Thanks, 

12 Replies

Dinesh Moudgil
Cisco Employee

For FTD devices running on Firepower 1000/2100, you must reimage the device for a password reset, though you could console into FTD and create a new user for CLI login:


firepower1#
firepower1# connect ftd
> configure user add <username> <basic/config>

Thank you,

Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
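To make the steps in the reply above concrete, here is a constructed console session (an added example, not taken from this thread or from Cisco documentation) showing the sequence on a Firepower 2100: drop from the FXOS chassis prompt into the FTD CLI, create a local user, verify it, and return. The hostname "firepower1", the username "recovery-admin" and the exact prompt text are assumptions.

```console
# Constructed example session; hostname and username are assumed.
# From the FXOS chassis CLI, enter the FTD application CLI:
firepower1# connect ftd

# Add a local CLI user. The second argument sets the access level:
#   basic  - cannot run "configure" commands (read/troubleshoot only)
#   config - full administrator rights
# Pick "basic" unless the account really needs to change configuration.
> configure user add recovery-admin config
# (the device prompts for the new password twice)

# Confirm the account now exists alongside the built-in "admin" user:
> show user

# Leave the FTD CLI and return to the FXOS prompt (assumed to be "exit" here):
> exit
firepower1#
```

This only creates an additional local account; it does not recover or change the existing admin password, which, as the reply states, still requires a reimage on this platform.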

AyoubC
Level 1

@Dinesh Moudgil thank you for the details.

I'm pretty new with FTDs and FMC.

This is the output from FTD:

Model : Cisco ASA5508-X Threat Defense (75) Version 6.6.1 (Build 91)

It's managed by an FMC, and I don't have credentials to access it.

I tried the command above, connect ftd, and it didn't work.

@AyoubC What hardware platform do you have? Initially, you mentioned it is 2210 and from the last output it appears to be 5508.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

AyoubC
Level 1

@Dinesh Moudgil 

I took the output from the wrong hardware, sorry about the confusion.

The firewall is an FP-2210.

You mean 2110? The command I shared earlier should work on this platform.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

AyoubC
Level 1

@Dinesh Moudgil - sorry for the delay.

I want to step back to my initial question: is there any backdoor to access the FTD from the FMC and add something like a new priv 15 account? Or is the only way to console in and reimage the FTD to reset the password?

Resetting the admin password requires reimaging. Reimaging can only be done from a console or SSH session.

Adding a new user can be done without reimaging; but it does require console access.

Neither can be done from FMC per se. We can allow ssh user access to FTD for externally authenticated users via FMC settings, but that does not cover the admin user.

AyoubC
Level 1

@Marvin Rhoads sorry for my late reply. The problem of not having admin creds isn't a show-stopper at the moment, as long as we can fully manage via FMC.

SSH access is a must for me, so I need to keep working on that.

The FPR-2100 for which I am missing the SSH account (primary FW) is running in HA mode with another FPR-2100 (secondary FW) that is fully accessible, and both are managed via FMC.

So, since reimaging will lose my firewall config, do you think FMC will keep the configuration of my primary firewall? I'm thinking about promoting the secondary FW to Active status and reimaging the affected one, but I want to make sure that once I provide the IP address and connect the firewall back to FMC it will sync all config and get back to normal (and of course force it to be active again).

What do you think here? 

There is a procedure to replace a firewall in an HA pair - reference the configuration guide for details. If you follow it, you can break HA, leave the secondary as active and reimage (essentially replace) the primary. You then rebuild HA as if from scratch after bootstrapping the reimaged unit. It will sync the config from the secondary-active unit (which will be the new primary-active actually since it has the valid config).

@Marvin Rhoads when we say "Break HA" / "Rebuild HA", these two actions must be done from the FMC, right?

Meaning FMC will keep playing the main role of maintaining the configuration of my firewalls.

Yes @AyoubC that's correct.

AyoubC
Level 1

Thank you! @Marvin Rhoads
