I’ve recently loaded Firepower Threat Defense on an ASA5525 for my home Internet firewall. For those unfamiliar with FTD, it is basically a combination of critical ASA features and all of the Cisco Firepower features in a single image and execution space. So unlike Firepower Services, which runs separately inside the same ASA sheet metal, FTD takes over the hardware. Once the image installed onto the hardware, the firewall is attached to and managed by a Firepower Management Console.
For those that still want to (or need to) get under the covers to understand the underpinnings or do some troubleshooting of the ASA features, it is still possible to access the familiar CLI. The process first requires an ssh connection to the management IP of the FTD instance, then access expert mode and enter the lina_cli command.
MacBook:~ paulste$ ssh [email protected] Password: Last login: Thu Jun 23 18:16:43 2016 from 192.168.1.48 Copyright 2004-2016, Cisco and/or its affiliates. All rights reserved. Cisco is a registered trademark of Cisco Systems, Inc. All other trademarks are property of their respective owners. Cisco Fire Linux OS v6.0.1 (build 37) Cisco ASA5525-X Threat Defense v6.0.1 (build 1213) //go into expert mode > expert //enter sudo lina_cli -- my su password was the admin pw I set during installation [email protected]:~$ sudo lina_cli Password: Attaching to ASA console ... Press 'Ctrl+a then d' to detach. Type help or '?' for a list of available commands. //enable password was blank for me firepower> en Password: firepower#
Now the typical ASA show commands are avaialble. For example–
show run dhcpd (yes, you can actually make your FTD device a DHCP server)
firepower# show run dhcpd dhcpd dns 188.8.131.52 dhcpd domain paul.local ! dhcpd address 192.168.1.20-192.168.1.100 inside dhcpd enable inside ! firepower#
show run nat
firepower# show run nat ! object network Internal nat (inside,outside) dynamic interface firepower#
firepower# show conn 49 in use, 448 most used TCP inside 10.101.101.4(192.168.1.54):65152 outside 184.108.40.206:443, idle 0:04:33, bytes 12222, flags UxIO N UDP inside 192.168.1.232:123 outside 220.127.116.11:123, idle 0:00:23, bytes 96, flags - N --snip--
show run access-group|access-list
firepower# show run access-group access-group CSM_FW_ACL_ global firepower# show run access-list CSM_FW_ACL_ access-list CSM_FW_ACL_ remark rule-id 268434434: ACCESS POLICY: FTD5525-1 - Default/1 access-list CSM_FW_ACL_ remark rule-id 268434434: L7 RULE: Monitor URL access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268434434 event-log flow-end access-list CSM_FW_ACL_ remark rule-id 268434433: ACCESS POLICY: FTD5525-1 - Default/2 access-list CSM_FW_ACL_ remark rule-id 268434433: L7 RULE: Permit All access-list CSM_FW_ACL_ advanced permit ip object Internal any rule-id 268434433 event-log both access-list CSM_FW_ACL_ remark rule-id 268435456: ACCESS POLICY: FTD5525-1 - Default/3 access-list CSM_FW_ACL_ remark rule-id 268435456: L7 RULE: Permit ICMP access-list CSM_FW_ACL_ advanced permit icmp ifc outside any ifc inside any echo-reply rule-id 268435456 event-log both access-list CSM_FW_ACL_ remark rule-id 268434432: ACCESS POLICY: FTD5525-1 - Default/1 access-list CSM_FW_ACL_ remark rule-id 268434432: L4 RULE: DEFAULT ACTION RULE access-list CSM_FW_ACL_ advanced deny ip any any rule-id 268434432 event-log flow-start
As you can see, there is still a lot of familiar territory in Firepower Threat Defense. I hope this article serves as a reminder about this feature so troubleshooting can happen quicker for those familiar with ASA CLI.
Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This
may or may does not reflect the position of past, present or future employers.