cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
10938
Views
15
Helpful
7
Replies

FTD interaction with FMC and CLI access

Hello,

 

I'm using a 3rd party utility called OpManager to manage backups and monitoring of my network. I've been working with their support and I found out that my firewall's enable password in "system support diagnostic-cli" is blank. They don't support it being blank. That said, I'm very new to firepower and I don't understand the implications of changing the enable password. A few questions.

1. Can I change the enable password in the diagnostic CLI while the firewall is connected to FMC?

2. Does FMC rely on the enable password for any remote management?

3. Are there any other concerns with changing the enable password on the FTD device?

 

Thanks!

Andy

2 Accepted Solutions

Accepted Solutions

JohnLong3
Level 1
Level 1

Hi Andy,

 

The concept of an enable password does not exist on the FTD platform as it does on other Cisco platforms. Here is an excerpt from the FTD Command Reference Guide, which explains why this is so:

 

Privileged EXEC Mode. Enter the enable command to enter this mode (press enter without entering a password when prompted for a password). Note that you cannot set a password for this mode. Access is protected by the account login to the FTD CLI only. However, users cannot enter configuration mode within Privileged EXEC mode, so the extra password protection is not necessary

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/command_ref/b_Command_Reference_for_Firepower_Threat_Defense/using_the_FTD_CLI.html

View solution in original post

Glad to help. The user guide does not mention a way to configure an enable password, but the 'system support diagnostic-cli' command actually opens a console session to the lina CLI. The first time this is entered, it will start you off in user exec mode. But after you enter into privileged exec mode (with the blank password), it will keep you in privileged exec mode. So if you were to exit the diagnostic cli with Ctrl+a, then d, and then enter back into it, you would be in privileged exec mode still. As long as you don't enter the exit command or reboot, you will remain in privileged exec mode. Hope that helps.

View solution in original post

7 Replies 7

JohnLong3
Level 1
Level 1

Hi Andy,

 

The concept of an enable password does not exist on the FTD platform as it does on other Cisco platforms. Here is an excerpt from the FTD Command Reference Guide, which explains why this is so:

 

Privileged EXEC Mode. Enter the enable command to enter this mode (press enter without entering a password when prompted for a password). Note that you cannot set a password for this mode. Access is protected by the account login to the FTD CLI only. However, users cannot enter configuration mode within Privileged EXEC mode, so the extra password protection is not necessary

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/command_ref/b_Command_Reference_for_Firepower_Threat_Defense/using_the_FTD_CLI.html

Hey John!

 

Thank you for that! I went back to their support and showed it to them. They're insisting that they support other firepower devices, but that they don't support a blank password. Do you know if there is any way for it to go directly into privileged exec mode without having to type enable? So I would type system support diagnostic-cli, and it would go directly to the priviledged exec prompt.

 

Thanks,

Andy

Glad to help. The user guide does not mention a way to configure an enable password, but the 'system support diagnostic-cli' command actually opens a console session to the lina CLI. The first time this is entered, it will start you off in user exec mode. But after you enter into privileged exec mode (with the blank password), it will keep you in privileged exec mode. So if you were to exit the diagnostic cli with Ctrl+a, then d, and then enter back into it, you would be in privileged exec mode still. As long as you don't enter the exit command or reboot, you will remain in privileged exec mode. Hope that helps.

Thank you! That clarifies things. I'll work with their support to figure it out one way or another.

Their support may be referring to other ASAs with Firepower service modules or Firepower appliances running ASA software. Those all behave differently than ASAs or Firepower appliances running Firepower Threat Defense software.

Marvin Rhoads
Hall of Fame
Hall of Fame

In addition to what @JohnLong3 correctly mentioned, the answers to your questions are:

1. No

2. No

3. It's not supported.

Thanks for both your replies! You may be right about the ASAs with firepower services. And the clear bullet pointed answers. :)
Review Cisco Networking for a $25 gift card