Enter Cisco Firepower CLI (Read-Only)
You have the FMC installed and connected to an FTD device with the configuration deployed, but for whatever reason there is a problem and you need to enter the CLI on the Firepower device to troubleshoot the equipment. Although you can't configure anything there, you can run show and debug commands to troubleshoot via the CLI. To do this we have to enter the Diagnostic CLI, which we can do in two ways:
- Once logged in at the default Firepower prompt, type the system support diagnostic-cli command.
> system support diagnostic-cli
Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.
firepower#
- The other way is to enter expert mode and then run the sudo lina_cli command.
host-172-16-1-187 login: admin
Password:
Last login: Sun Jul 23 17:30:34 UTC 2017 on ttyS0
> expert
admin@host-172-16-1-187:~$ sudo lina_cli
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
Password:
Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.
firepower> en
Password: ********
Invalid password
Password:
firepower#
If we look at the show version output, we can see that in this example we are running ASA code with FXOS running alongside it.
firepower# show version
---------------[ host-172-16-1-187 ]----------------
Model : Cisco Firepower Threat Defense for KVM (75) Version 6.2.0.2 (Build 51)
UUID : 3b5ca718-6fc3-11e7-a879-c553f010958b
Rules update version : 2017-06-07-001-vrt
VDB version : 281
----------------------------------------------------
Cisco Adaptive Security Appliance Software Version 9.7(1)10
Firepower Extensible Operating System Version 2.1(1.66)
Compiled on Wed 10-May-17 09:41 PDT by builders
System image file is "(hd0,0)/asa971-4-smp-k8.bin"
Config file at boot was "startup-config"
firepower up 37 mins 39 secs
Hardware: ASAv, 8192 MB RAM, CPU Pentium II 3600 MHz, 1 CPU (4 cores)
Model Id: ASAv30
BIOS Flash Firmware Hub @ 0x0, 0KB
0: Int: Internal-Data0/0 : address is fa16.3ee6.43df, irq 11
1: Ext: GigabitEthernet0/0 : address is fa16.3ebf.f299, irq 10
2: Ext: GigabitEthernet0/1 : address is fa16.3e8b.53bc, irq 10
3: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
4: Int: Internal-Data0/0 : address is 0000.0000.0000, irq 0
5: Ext: Management0/0 : address is fa16.3ee6.43df, irq 0
6: Int: Internal-Data0/1 : address is 0000.0000.0000, irq 0
Serial Number: 9AXESJTCR3F
Image type : Release
Key version : A
Configuration last modified by enable_1 at 18:24:33.151 UTC Sun Jul 23 2017
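For inventory or patch-level checks it helps to turn that show version output into structured fields. The following is an added example, not part of the original post or any Cisco tooling: the function names, the trimmed sample and the baseline values are assumptions made for illustration.

```python
import re

# Constructed sample: a trimmed copy of the show version output on this page.
SAMPLE = """\
---------------[ host-172-16-1-187 ]----------------
Model : Cisco Firepower Threat Defense for KVM (75) Version 6.2.0.2 (Build 51)
Rules update version : 2017-06-07-001-vrt
VDB version : 281
----------------------------------------------------
Cisco Adaptive Security Appliance Software Version 9.7(1)10
Firepower Extensible Operating System Version 2.1(1.66)
Model Id: ASAv30
Serial Number: 9AXESJTCR3F
Configuration last modified by enable_1 at 18:24:33.151 UTC Sun Jul 23 2017
"""

# Field name -> regex with one capture group, matched per line.
PATTERNS = {
    "hostname": r"^-+\[\s*(\S+)\s*\]-+$",
    "ftd_version": r"^Model\s*:.*\bVersion\s+(\S+)",
    "ftd_build": r"^Model\s*:.*\(Build\s+(\d+)\)",
    "rules_update": r"^Rules update version\s*:\s*(\S+)",
    "vdb_version": r"^VDB version\s*:\s*(\S+)",
    "asa_version": r"^Cisco Adaptive Security Appliance Software Version\s+(\S+)",
    "fxos_version": r"^Firepower Extensible Operating System Version\s+(\S+)",
    "model_id": r"^Model Id:\s*(\S+)",
    "serial": r"^Serial Number:\s*(\S+)",
    "last_modified_by": r"^Configuration last modified by\s+(\S+)\s+at\b",
}

def parse_show_version(text):
    """Return every field in PATTERNS; a field not found is None."""
    text = text.replace("\r\n", "\n")  # console captures often carry CRLF
    found = {}
    for name, pattern in PATTERNS.items():
        match = re.search(pattern, text, re.MULTILINE)
        found[name] = match.group(1) if match else None
    return found

def drift(parsed, baseline):
    """Return {field: (expected, actual)} for fields that differ from baseline."""
    return {k: (v, parsed.get(k)) for k, v in baseline.items() if parsed.get(k) != v}

if __name__ == "__main__":
    info = parse_show_version(SAMPLE)
    # Hypothetical approved baseline; the FXOS value is a placeholder that will not match.
    approved = {"ftd_version": "6.2.0.2", "asa_version": "9.7(1)10",
                "fxos_version": "X.Y(Z)"}
    print(info)
    print(drift(info, approved))
```

The last_modified_by field is worth recording alongside the versions, since it shows which account last changed the running configuration and when a capture was taken.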
If you worked in the Cisco ASA world before, you might find the CLI a refreshing memory, because all of your debugs, show outputs and the packet tracer troubleshooting tool are there. You might be asking: it's good to see the configuration, but how do I configure something that may not be in the FMC? For that we can use something called FlexConfig, which is available from FMC 6.2.0 onward.