FTD 1120 CLI configuration
04-16-2023 05:01 PM
When I use the system support diagnostic-cli command I don't see the configure terminal command. Can these FTDs only be configured using the FTD GUI?
04-16-2023 05:40 PM
Hi,
The CLI on a Firepower threat defence device has different modes.
- Regular CLI is used for threat defence management system configuration and troubleshooting.
- Diagnostic CLI is used for advanced troubleshooting as it has additional show and other commands. To log in to this CLI use the session wlan console command. To enter Privileged EXEC mode use the system support diagnostic-cli command.
- Expert mode is used only if a documented procedure tells you to do so or if the Cisco technical assistance center asks you to use it. Use the ‘expert’ command to enter this mode.
- FXOS is also used for configuration and troubleshooting, so from FXOS you can enter the ‘connect’ command to enter the threat defence console.
04-16-2023 06:50 PM
Thank you very much for the answer. I have seen these different modes, but my question would be whether in any of these modes you can find the configure terminal command to perform the configuration from the CLI as if it were an ASA.
04-16-2023 10:56 PM
@gusarodar85 no, you cannot use the CLI to configure the FTD; you must use the GUI to configure the device, either locally using the FDM GUI or centrally using the FMC GUI.
The CLI is used for configuring the mgmt interface and troubleshooting.
04-16-2023 11:03 PM
Hi
The closest you can get to ASA is using FlexConfig.
But when managed by FMC, the idea is to use the GUI only.
Take a look here.
04-17-2023 06:30 AM
There is no "configure terminal" in any interface of an FTD device. Other than a very few seldom-used system-level commands (and setup of the management interface), all configuration is via the local manager (FDM) or remote manager (FMC) GUI.
If you use cloud-based management (CDO natively or cdFMC) those manage the device using REST API. You can technically do that directly but it's not something customers often do.
04-17-2023 02:34 AM
This kind of depends on what your expectations are when you say configure the FTD from the CLI. The method you should be using, as mentioned by others in this post, is via the GUI. But now let's say you messed up routing on the FTD and have lost connectivity between the FMC and the FMC because management traffic is routed from the management interface via a data interface on the FTD. In this case you can configure routing directly in the CLI (expert mode), but keep in mind that once the connection to FMC is re-established you need to correct or add the configuration to the FMC before you deploy again. When you deploy after configuring on the CLI directly, the configuration on the FTD will be overwritten and you will lose the configuration you added on the CLI unless you update the FMC configuration with the relevant configuration.
Enter expert mode:
>expert
# sudo su -
root# cd /ngfw/var/sf/bin
root# LinaConfigTool "route Localport-base 192.168.0 255.255.255.0 172.16.0.254";
Please remember to select a correct answer and rate helpful posts
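As an added example (not part of the post above and not Cisco tooling), the following sketch flags static routes that exist only on the device and would therefore be overwritten by the next deploy. It assumes the device routes were captured from `show running-config route` and that the manager's static routes have been written out in the same `route <interface> <network> <mask> <gateway> [distance]` form; all addresses and interface names are constructed samples.

```python
import ipaddress

# Constructed sample: static routes from the device's running configuration
# (ASA-style syntax: route <interface> <network> <mask> <gateway> [distance]).
DEVICE_ROUTES = """\
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.20.0.0 255.255.0.0 10.1.1.254 1
route inside 192.168.50.0 255.255.255.0 10.1.1.254 1
route inside 192.168.0 255.255.255.0 10.1.1.254
"""

# Constructed sample: static routes defined in the manager, in the same syntax.
MANAGER_ROUTES = """\
route outside 0.0.0.0 0.0.0.0 203.0.113.1
route inside 10.20.0.0 255.255.0.0 10.1.1.254 1
route inside 10.30.0.0 255.255.0.0 10.1.1.254 1
"""

def parse_routes(text):
    """Return (routes, malformed): a set of normalized tuples and rejected lines."""
    routes, malformed = set(), []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] != "route":
            continue  # ignore everything that is not a static route line
        try:
            _, ifname, net, mask, gw = fields[:5]
            network = ipaddress.ip_network(f"{net}/{mask}", strict=True)
            gateway = ipaddress.ip_address(gw)
        except ValueError:
            malformed.append(line)  # wrong field count, bad address or mask
            continue
        distance = fields[5] if len(fields) > 5 else "1"  # distance defaults to 1
        routes.add((ifname, str(network), str(gateway), distance))
    return routes, malformed

def route_drift(device_text, manager_text):
    """Compare device routes with manager routes and report the differences."""
    device, bad_dev = parse_routes(device_text)
    manager, bad_mgr = parse_routes(manager_text)
    return {
        "device_only": sorted(device - manager),    # would be lost on next deploy
        "manager_only": sorted(manager - device),   # defined but not on the device
        "malformed": bad_dev + bad_mgr,
    }

if __name__ == "__main__":
    for kind, items in route_drift(DEVICE_ROUTES, MANAGER_ROUTES).items():
        print(kind, items)
```

Anything listed under `device_only` has to be added to the manager's configuration before the next deploy, or it disappears from the device.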
04-17-2023 03:10 AM
The initial CLI you access on the Console port differs by device type.
- ASA hardware platforms—The CLI on the Console port is the regular threat defense CLI.
- Other hardware platforms—The CLI on the Console port is Secure Firewall eXtensible Operating System (FXOS). You can get to the threat defense CLI using the connect command. Use the FXOS CLI for chassis-level configuration and troubleshooting only. For the Firepower 2100, you cannot perform any configuration at the FXOS CLI. Use the threat defense CLI for basic configuration, monitoring, and normal system troubleshooting. See the FXOS documentation for information on FXOS commands for the Firepower 4100 and 9300. See the FXOS troubleshooting guide for information on FXOS commands for other models.
On the other hardware platforms the CLI is used for FXOS, so there is a difference between the HW platform and the CLI you can access,
but you can still use FlexConfig.
