Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
22511
Views
71
Helpful
20
Replies

WinSCP and FMC

donald.heslop1
Level 1
Level 1

‎03-30-2020 09:01 AM

Can anyone tell me how to get the rsa key file and the csr out of the FMC using WinSCP. I've seen so many video that show people using WinSCP to log into the FMC and get the .key and .csr file but they don't go into how WinSCP should be setup to get that to work.

 

Has anyone experience this problem with WinSCP?

 

2 people had this problem
Preview file
275 KB
0 Helpful
20 Replies 20

jgustafzon
Level 1
Level 1
In response to Marvin Rhoads

‎04-03-2022 10:02 AM - edited ‎04-03-2022 10:14 AM

Hi, How can I transfer files to the FMC with WinSCP, I desperatly need to upgrade an old FMC and sensor but the GUI upload won't work. I can connect to the FMC with WinSCP and I located the updates folder in /Volume/6.1.0/sf/updates on the FMC but when I try to upload it just gives me scp: /Volume/6.1.0/sf/updates/Sourcefire_3D_Defense_Center_S3_Upgrade-6.2.3-113.sh: Permission denied. I can elivate to expert and sudo su in CLI. I can also download files from the FMC with WinSCP but in this case I want to upload the sensor and FMC 6.2.3 patch. This is an old 6.1.2.57 if that matters. Maybe trying to upload to /Volume/6.1.0/sf/updates is the wrong way to go about this? 

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to jgustafzon

‎04-04-2022 05:27 AM

When you connect to FMC with scp, use the root user (or temporarily chmod the target directory to allow write by all users).

alfred.thyri
Level 1
Level 1
In response to Marvin Rhoads

‎08-08-2022 08:02 AM

You can also set the Shell inside the WinSCP session options to expert. With this option you can directly connect via WinSCP to FMC.

 

 

 

Preview file
8 KB
0 Helpful

Gabriel Copil
Level 1
Level 1

‎04-24-2020 06:49 PM - edited ‎04-24-2020 07:26 PM

LE, the below "solution" works only for FMC v.6.3.x and v.6.4.x

Unfortunately in v.6.5, the ability to disable the FMC CLI was deprecated, so the only possibility is to execute the scp command only directly in the FMC and use a remote SSH server to transfer files (Linux box or Open SSH for Windows).

 

For v.6.3 and 6.4, here is the solution for WinSCP's failure to connect with the error message:

Error skipping startup message. Your shell is probably incompatible with the application (BASH is recommended).

You need to go in the GUI of the FMC, in System > Configuration > Console Configuration and disable the option "Enable CLI Access". Then press <Save> and try to logon with a ssh client (e.g. Putty) to the FMC management IP. If after you enter the password, you get directly the Linux shell prompt (e.g. admin@test-fmc-01:~$ ), then WinSCP should work correctly also.

If you still get the FMC CLI ( just the symbol ">" ), then make sure you've pressed the <Save> button (ask me how I know ;-))

After I've disabled this option, I could logon to the FMC v.6.4.0.8 with WinSCP, like expected.

You can read here about the option "Enable CLI Access":  About the Firepower Management Center CLI 

Fatjon.Celaj
Level 1
Level 1

‎09-15-2020 01:24 PM

Hi,

 

first connect in ssh then reach the expert mode:

 

Cisco Firepower Management Center for VMWare v6.6.0.1 (build 7)

> expert

 

as you can see from the follwing output the default cli has changed:

admin@fmc:~$ more /etc/passwd
root:x:0:0:Operator:/root:/bin/sh
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
mysql:x:27:27:MySQL:/var/lib/mysql:/sbin/nologin
nobody:x:99:99:nobody:/:/sbin/nologin
sshd:x:33:33:sshd:/:/sbin/nologin
www:x:67:67:HTTP server:/var/www:/sbin/nologin
sfrna:x:88:88:SF RNA User:/Volume/home/sfrna:/sbin/nologin
snorty:x:90:90:Snorty User:/Volume/home/snorty:/sbin/nologin
sfsnort:x:95:95:SF Snort User:/Volume/home/sfsnort:/sbin/nologin
sfremediation:x:103:103::/Volume/home/remediations:/sbin/nologin
admin:x:100:100::/Volume/home/admin:/usr/bin/clish
casuser:x:101:104:CiscoUser:/var/opt/CSCOpx:/sbin/nologin
lamplighter:x:110:110::/var/opt/lamplighter:/bin/sh
monetdb:x:111:111::/Volume/lib/monetdb:/sbin/nologin
fatjon:x:1000:201::/Volume/home/fatjon:/usr/bin/clish

 

you can modify the default cli of a user by using the following command:

admin@fmc:~$ sudo su

root@fmc:/Volume/home/admin$ usermod --shell /bin/bash admin

 

now you will be able to use winscp or an sftp client.

 

after you've finished remeber to rollback:

 

root@fmc:/Volume/home/admin# usermod --shell /usr/bin/clish admin

 

KR

f

 

Peter Koltl
Level 7
Level 7

‎06-29-2023 05:47 AM

Files in /var/common can be downloaded from GUI. System-->Monitor and select Active FMC and click on View System & Troubleshoot Details 

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card