06-16-2020 05:21 PM
Hello,
I'm using a third-party utility called OpManager to manage backups and monitoring of my network. I've been working with their support and I found out that my firewall's enable password in "system support diagnostic-cli" is blank. They don't support it being blank. That said, I'm very new to Firepower and I don't understand the implications of changing the enable password. A few questions.
1. Can I change the enable password in the diagnostic CLI while the firewall is connected to FMC?
2. Does FMC rely on the enable password for any remote management?
3. Are there any other concerns with changing the enable password on the FTD device?
Thanks!
Andy
06-17-2020 09:00 AM
Hi Andy,
The concept of an enable password does not exist on the FTD platform as it does on other Cisco platforms. Here is an excerpt from the FTD Command Reference Guide, which explains why this is so:
Privileged EXEC Mode. Enter the enable command to enter this mode (press enter without entering a password when prompted for a password). Note that you cannot set a password for this mode. Access is protected by the account login to the FTD CLI only. However, users cannot enter configuration mode within Privileged EXEC mode, so the extra password protection is not necessary.
06-17-2020 10:59 AM
Hey John!
Thank you for that! I went back to their support and showed it to them. They're insisting that they support other Firepower devices, but that they don't support a blank password. Do you know if there is any way for it to go directly into privileged exec mode without having to type enable? So I would type system support diagnostic-cli, and it would go directly to the privileged exec prompt.
Thanks,
Andy
06-17-2020 11:59 AM
Glad to help. The user guide does not mention a way to configure an enable password, but the 'system support diagnostic-cli' command actually opens a console session to the lina CLI. The first time this is entered, it will start you off in user exec mode. But after you enter into privileged exec mode (with the blank password), it will keep you in privileged exec mode. So if you were to exit the diagnostic cli with Ctrl+a, then d, and then enter back into it, you would be in privileged exec mode still. As long as you don't enter the exit command or reboot, you will remain in privileged exec mode. Hope that helps.
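As an added illustration (not code from this thread or from Cisco), here is how a monitoring script could drive the diagnostic CLI so that it copes with both behaviours described above: landing in user EXEC with a blank enable password on first entry, and resuming directly in privileged EXEC after a Ctrl+a, d detach. The send/expect adapters, the "firepower" hostname and the FakeFtdSession stand-in are assumptions; no real device is contacted.

```python
import re
from typing import Callable, List, Tuple

# Prompts of the LINA diagnostic CLI: hostname followed by '>' (user EXEC)
# or '#' (privileged EXEC). The hostname "firepower" below is an assumption.
USER_EXEC = re.compile(r"[\w.-]+>\s*$")
PRIV_EXEC = re.compile(r"[\w.-]+#\s*$")
PASSWORD = re.compile(r"Password:\s*$")

def enter_privileged_exec(send: Callable[[str], None],
                          expect: Callable[[List[re.Pattern]], Tuple[int, str]]) -> str:
    """Open the diagnostic CLI and end in privileged EXEC.
    send/expect are hypothetical adapters around an interactive session
    (a pexpect spawn, for instance). Returns "already" when the session
    resumed in privileged EXEC, "enabled" when `enable` had to be run."""
    send("system support diagnostic-cli\n")
    idx, _ = expect([PRIV_EXEC, USER_EXEC])
    if idx == 0:
        return "already"  # detached earlier with Ctrl+a, d; mode persisted
    send("enable\n")
    idx, _ = expect([PASSWORD, PRIV_EXEC])
    if idx == 0:
        send("\n")  # FTD has no enable password: press Enter at the prompt
        expect([PRIV_EXEC])
    return "enabled"

class FakeFtdSession:
    """Constructed stand-in for an SSH session to an FTD device, mimicking
    the behaviour described in the thread (no real device is contacted)."""
    def __init__(self) -> None:
        self.priv = False         # privileged EXEC persists until exit/reboot
        self.awaiting_pw = False
        self.out = ""

    def send(self, text: str) -> None:
        if text == "system support diagnostic-cli\n":
            self.out = "firepower# " if self.priv else "firepower> "
        elif text == "enable\n":
            self.awaiting_pw = True
            self.out = "Password: "
        elif self.awaiting_pw and text == "\n":
            self.awaiting_pw = False
            self.priv = True
            self.out = "firepower# "

    def expect(self, patterns: List[re.Pattern]) -> Tuple[int, str]:
        for i, pat in enumerate(patterns):
            if pat.search(self.out):
                return i, self.out
        raise TimeoutError(f"no expected prompt in {self.out!r}")
```

Calling enter_privileged_exec twice on the same FakeFtdSession returns "enabled" and then "already", which is the persistence John describes; against a real device the same function would be wired to the SSH session's send and expect.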
06-17-2020 06:48 PM
Their support may be referring to other ASAs with Firepower service modules or Firepower appliances running ASA software. Those all behave differently than ASAs or Firepower appliances running Firepower Threat Defense software.
06-17-2020 09:56 AM
In addition to what @JohnLong3 correctly mentioned, the answers to your questions are:
1. No
2. No
3. It's not supported.