@darrenj if the FTDs are managed by an FMC, I am not sure you could use API if the FMC is down.

You could also consider to migrate to the cloud delivered FMC (cdFMC), so long the FTD's have internet access they are manageable. You rely on the resilency of the cloud managed service.

Ooohhh thanks for this! Noted that this is done at own risk, etc but I will definitely try this in the lab (trying to add a firewall rule/policy). I'll report back how I go on.....

In terms of an update, for testing I created a rule to block SSH between two hosts. I then "pretended" I lost FMC and needed to allow SSH between the two hosts. I did the below on FTD, basically allowing TCP between anyone.

admin@fmc:~$ sudo su -
Password:
root@fmc:~# cd /ngfw/var/sf/bin
root@fmc:bin# LinaConfigTool "access-list CSM_FW_ACL_ line 1 advanced permit tcp any any";
root@fmc:bin#

This entry was shown in my access-list output, so I thought it would work;

> show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list CSM_FW_ACL_; 10 elements; name hash: 0x4a69e3f3
access-list CSM_FW_ACL_ line 1 advanced permit tcp any any (hitcnt=3) 0xb2cceaf1

Although the traffic is allowed (a connection is created), the initial SYN never reaches the SSH server

One of the flags indicates that Snort is inspecting the flow, so it may be Snort dropping the traffic because the rule is not properly configured/deployed by FMC? 

> show conn detail
1 in use, 80 most used
Inspect Snort:
preserve-connection: 2 enabled, 0 in effect, 80 most enabled, 0 most in effect
Flags: A - awaiting responder ACK to SYN, a - awaiting initiator ACK to SYN,
B - TCP probe for server certificate,
b - TCP state-bypass or nailed,
C - CTIQBE media, c - cluster centralized,
D - DNS, d - dump, E - outside back connection, e - semi-distributed,
F - initiator FIN, f - responder FIN,
G - group, g - MGCP, H - H.323, h - H.225.0, I - initiator data,
i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
k - Skinny media, L - decap tunnel, M - SMTP data, m - SIP media
N - inspected by Snort (1 - preserve-connection enabled, 2 - preserve-connection in effect,
3 - elephant-flow, 4 - elephant-flow bypassed, 5 - elephant-flow throttled, 6 - elephant-flow exempted )
n - GUP, O - responder data, o - offloaded,
P - inside back connection, p - passenger flow,
Q - QUIC, q - SQL*Net data, R - initiator acknowledged FIN,
R - UDP SUNRPC, r - responder acknowledged FIN,
T - SIP, t - SIP transient, U - up,
V - VPN orphan, v - M3UA W - WAAS,
w - secondary domain backup,
X - inspected by service module,
x - per session, Y - director stub flow, y - backup stub flow,
Z - Scansafe redirection, Z1 - zero-trust flow, z - forwarding stub flow

TCP outside: 192.168.6.10/22 inside: 192.168.5.10/40394,
flags aA N, idle 5s, uptime 5s, timeout 30s, bytes 0, Rx-RingNum invalid, Internal-Data invalid
Initiator: 192.168.5.10, Responder: 192.168.6.10
Connection lookup keyid: 108772834

Not sure if anyone has any other ideas...?

Well, first off are you able to ping both test devices from the firewall?  One thing I would suggest doing is setting up a packet capture on the interface that connects towards the device you are SSHing to to see if the packet is actually leaving the interface.  If you see the packet leaving the interface then there is an issue on the device that you are SSHing to.  If you do not see the packet leaving the device, then it is being dropped and I would suggest running "system support trace" and also enable firewall-engine-debug to try to see where it is being dropped.

So did you run a 'system support trace' and run a test with the config from CLI implemented? I would also suggest having a packet capture on both interfaces on the firewall where the traffic will be flowing.  if you did not have these running when you last tested, then I suggest you do it.  this will indicate if it is SNORT that is blocking.

Also, I was wondering if you were able to ping the two devices from the firewall when the configuration was implemented.

Is this a clean installed FTD with no previous access list implemented?  If yes, issue the command show run | in access-group is there an entry there that looks something like "access-group CSM_FW_ACL_ global" ? if not, then you will need to add this line to the configuration.

I have read your initial post and based off of your test results there is obviously something missing from the configuration.  I was in the exact same situation you which you are trying to reproduce, where there was a routing issue which caused connection between the FMC and FTD to be dropped.  That LinaConfigTool command I provided earlier is what saved me by placing a static route in the routing table.  but aside from the static route all other configuration was already in place.  So to figure out why your configuration is not working I need more context to how you have setup your lab.

Then please define your initial setup that you are testing with.  have you deployed an FMC and FDT in a lab provided initial configuration and then break that configuration or remove FMC from the picture?  Or have you just spun up an FTD and configure it from scratch from the CLI?  If you have not added an access policy before testing this you are probably missing the "access-group CSM_FW_ACL_ global" command, which is why I asked about that.

If that command is present then we need to figure out what is happening, which is where system support trace and packet-capture comes into play. 

You could also do a packet-tracer to see the path the packet takes inside the firewall.