Classic Device Command Line Reference

The Classic device CLI reference applies to:

  • ASA FirePOWER

  • NGIPSv

For other Firepower appliances:

About the Classic Device CLI

After you log into a Classic device (ASA FirePOWER, NGIPSv) via the CLI (see Logging Into the CLI on ASA FirePOWER and NGIPSv Devices), you can use the commands described in this appendix to view, configure, and troubleshoot your device.

Note that CLI commands are case-insensitive with the exception of parameters whose text is not part of the CLI framework, such as user names and search filters.

Classic Device CLI Modes

The CLI encompasses four modes. The default mode, CLI Management, includes commands for navigating within the CLI itself. The remaining modes contain commands addressing three different areas of classic device functionality; the commands within these modes begin with the mode name: system, show, or configure.

When you enter a mode, the CLI prompt changes to reflect the current mode. For example, to display version information about system components, you can enter the full command at the standard CLI prompt:

> show version

If you have previously entered show mode, you can enter the command without the show keyword at the show mode CLI prompt:

show> version

Classic Device CLI Access Levels

Within each mode, the commands available to a user depend on the user’s CLI access. When you create a user account, you can assign it one of the following CLI access levels:

  • Basic — The user has read-only access and cannot run commands that impact system performance.

  • Configuration — The user has read-write access and can run commands that impact system performance.

  • None — The user is unable to log into the CLI.

On NGIPSv and ASA FirePOWER, you assign command line permissions using the CLI.

Classic Device CLI Management Commands

The CLI management commands provide the ability to interact with the CLI. These commands do not affect the operation of the device.

configure password

Allows the current user to change their password. After issuing the command, the CLI prompts the user for their current (or old) password, then prompts the user to enter the new password twice.

Access

Basic

Syntax

configure password 

Example

> configure password
Enter current password:
Enter new password:
Confirm new password:

exit

Moves the CLI context up to the next highest CLI context level. Issuing this command from the default mode logs the user out of the current CLI session, and is equivalent to issuing the logout CLI command.

Access

Basic

Syntax


exit

Example


configure network ipv4> exit
configure network>

expert

Invokes the Linux shell.


Caution


We strongly recommend that you do not use the Linux shell unless directed by Cisco TAC or explicit instructions in the user documentation. For more information, see Firepower System User Accounts.


Access

Configuration

Syntax


expert

Example


> expert

history

Displays the command line history for the current session.

Access

Basic

Syntax


history limit

where limit sets the size of the history list. To set the size to unlimited, enter zero.

Example


history 25

logout

Logs the current user out of the current CLI console session.

Access

Basic

Syntax


logout

Example


> logout

? (question mark)

Displays context-sensitive help for CLI commands and parameters. Use the question mark (?) command as follows:

  • To display help for the commands that are available within the current CLI context, enter a question mark (?) at the command prompt.

  • To display a list of the available commands that start with a particular character set, enter the abbreviated command immediately followed by a question mark (?).

  • To display help for a command’s legal arguments, enter a question mark (?) in place of an argument at the command prompt.

Note that the question mark (?) is not echoed back to the console.

Access

Basic

Syntax


?
abbreviated_command ?
command [arguments] ?

Example


> ?
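The three forms of the question-mark request above (bare `?`, an abbreviation immediately followed by `?`, and `?` in place of an argument) can be modelled as prefix matching over a command tree. The following is an added example and not Cisco's code: the command tree is a constructed subset of what a device exposes, and `mode` stands in for the prompt's current mode, so that `ver?` at the `show>` prompt and `show ver?` at the default prompt resolve the same way. Commands are matched case-insensitively, as the introduction notes, and an abbreviation that matches more than one command is rejected instead of silently picking one.

```python
# Added example (not Cisco's code): a toy model of how the Classic device CLI
# resolves the three forms of the '?' help request over a command tree.
# The tree below is a constructed subset; a real device exposes more commands.
COMMAND_TREE = {
    "configure": {
        "password": {},
        "network": {"hostname": {}, "ipv4": {}, "ipv6": {}},
    },
    "show": {"version": {}, "users": {}, "user": {}, "network": {}, "syslog": {}},
    "system": {"access-control": {"archive": {}, "clear-rule-counts": {}}},
    "exit": {},
    "logout": {},
    "history": {},
    "expert": {},
}


def resolve_word(node, word):
    """Case-insensitively resolve a possibly abbreviated word to exactly one child command.

    Commands are case-insensitive (see the note in the introduction); an abbreviation
    that matches several commands is rejected rather than silently picking one.
    """
    prefix = word.lower()
    matches = sorted(c for c in node if c.startswith(prefix))
    if len(matches) != 1:
        raise ValueError(f"unknown or ambiguous command {word!r}: matches {matches}")
    return matches[0]


def help_query(line, mode=None):
    """Return the command names a '?' request would list.

    line -- what was typed, ending in '?' (e.g. '?', 'sh?', 'show ?', 'config net ?')
    mode -- current CLI mode ('show', 'configure' or 'system'), or None for the
            default mode, where the mode keyword is typed as part of the command.
    """
    tokens = line.strip().split()
    if not tokens or not tokens[-1].endswith("?"):
        raise ValueError("a help request must end with '?'")
    node = COMMAND_TREE if mode is None else COMMAND_TREE[mode]
    last = tokens[-1]
    # 'abbrev?' (no space): list the commands starting with the abbreviation.
    # Bare '?' or 'command ?': list the legal next words after the resolved command.
    prefix = "" if last == "?" else last[:-1].lower()
    for word in tokens[:-1]:
        node = node[resolve_word(node, word)]
    return sorted(c for c in node if c.startswith(prefix))


if __name__ == "__main__":
    for query, mode in [("?", None), ("sh?", None), ("show ?", None),
                        ("ver?", "show"), ("config net ?", None)]:
        print(f"{mode or 'default'}> {query} -> {help_query(query, mode)}")
```

Running the block prints the listing each request would produce; `help_query("s ?")` raises because `s` is ambiguous between `show` and `system`.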

Classic Device CLI Show Commands

Show commands provide information about the state of the device. These commands do not change the operational mode of the device and running them has minimal impact on system operation. Most show commands are available to all CLI users; however, only users with configuration CLI access can issue the show user command.

access-control-config

Displays the currently deployed access control configurations, including:

  • Security Intelligence settings

  • Names of any subpolicies the access control policy invokes

  • Intrusion variable set data

  • Logging settings

  • Other advanced settings, including policy-level performance, preprocessing, and general settings

Also displays policy-related connection information, such as source and destination port data (including type and code for ICMP entries) and the number of connections that matched each access control rule (hit counts).

Access

Basic

Syntax


show access-control-config

Example


> show access-control-config

audit-log

Displays the audit log in reverse chronological order; the most recent audit log events are listed first.

Access

Basic

Syntax


show audit-log

Example


> show audit-log

audit_cert

Displays the current audit log client certificate.

Access

Basic

Syntax


show audit_cert

Example


> show audit_cert

cpu

Displays the current CPU usage statistics appropriate for the platform for all CPUs on the device.

  • CPU — Processor number.

  • %user — Percentage of CPU utilization that occurred while executing at the user level (application).

  • %nice — Percentage of CPU utilization that occurred while executing at the user level with nice priority.

  • %sys — Percentage of CPU utilization that occurred while executing at the system level (kernel). This does not include time spent servicing interrupts or softirqs. A softirq (software interrupt) is one of up to 32 enumerated software interrupts that can run on multiple CPUs at once.

  • %iowait — Percentage of time that the CPUs were idle when the system had an outstanding disk I/O request.

  • %irq — Percentage of time spent by the CPUs to service interrupts.

  • %soft — Percentage of time spent by the CPUs to service softirqs.

  • %steal — Percentage of time spent in involuntary wait by the virtual CPUs while the hypervisor was servicing another virtual processor.

  • %guest — Percentage of time spent by the CPUs to run a virtual processor.

  • %idle — Percentage of time that the CPUs were idle and the system did not have an outstanding disk I/O request.

Access

Basic

Syntax


show cpu [procnum]

where procnum is the number of the processor for which you want the utilization information displayed. Valid values are 0 to one less than the total number of processors on the system.

Example

> show cpu

database Commands

The show database commands display information about the device’s database.

Access

Basic

processes

Displays a list of running database queries.

Access

Basic

Syntax

show database processes

Example

> show database processes

slow-query-log

Displays the slow query log of the database.

Access

Basic

Syntax

show database slow-query-log

Example

> show database slow-query-log

device-settings

Displays information about application bypass settings specific to the current device.

Access

Basic

Syntax


show device-settings

Example


> show device-settings

disk

Displays the current disk usage.

Access

Basic

Syntax


show disk

Example


> show disk

disk-manager

Displays detailed disk usage information for each part of the system, including silos, low watermarks, and high watermarks.

Access

Basic

Syntax


show disk-manager

Example


> show disk-manager

dns

Displays the current DNS server addresses and search domains.

Access

Basic

Syntax


show dns

Example


> show dns

hostname

Displays the device’s host name and appliance UUID. If you edit the host name of a device using the CLI, confirm that the changes are reflected on the managing Firepower Management Center. In some cases, you may need to edit the device management settings manually.

Access

Basic

Syntax


show hostname

Example


> show hostname

hosts

Displays the contents of an ASA FirePOWER module’s /etc/hosts file.

Access

Basic

Syntax


show hosts

Example


> show hosts

hyperthreading

Displays whether hyperthreading is enabled or disabled. This command is not available on ASA FirePOWER.

Access

Basic

Syntax


show hyperthreading

Example


> show hyperthreading

inline-sets

Displays configuration data for all inline security zones and associated interfaces. This command is not available on ASA FirePOWER.

Access

Basic

Syntax


show inline-sets

Example


> show inline-sets

interfaces

If no parameters are specified, displays a list of all configured interfaces. If a parameter is specified, displays detailed information about the specified interface.

Access

Basic

Syntax


show interfaces interface

where interface is the specific interface for which you want the detailed information.

Example


> show interfaces

ifconfig

Displays the interface configuration for an ASA FirePOWER module.

Access

Basic

Syntax


show ifconfig

Example


> show ifconfig

link-state

Displays type, link, speed of the ports on the device. This command is not available on ASA FirePOWER devices.

Access

Basic

Syntax


show link-state

Example


> show link-state

log-ips-connection

Displays whether the logging of connection events that are associated with logged intrusion events is enabled or disabled.

Access

Basic

Syntax


show log-ips-connection

Example


> show log-ips-connection

managers

Displays the configuration and communication status of the Firepower Management Center. Registration key and NAT ID are only displayed if registration is pending.

Access

Basic

Syntax


show managers

Example


> show managers

memory

Displays the total memory, the memory in use, and the available memory for the device.

Access

Basic

Syntax


show memory

Example


> show memory

model

Displays model information for the device.

Access

Basic

Syntax


show model

Example


> show model

netstat

Displays the active network connections for an ASA FirePOWER module.

Access

Basic

Syntax


show netstat

Example


> show netstat

network

Displays the IPv4 and IPv6 configuration of the management interface, its MAC address, and HTTP proxy address, port, and username if configured.

Access

Basic

Syntax


show network

Example


> show network

network-static-routes

Displays all configured network static routes and information about them, including interface, destination address, network mask, and gateway address.

Access

Basic

Syntax


show network-static-routes

Example


> show network-static-routes

ntp

Displays the ntp configuration.

Access

Basic

Syntax


show ntp

Example


> show ntp

perfstats

Displays performance statistics for the device.

Access

Basic

Syntax


show perfstats

Example


> show perfstats

process-tree

Displays processes currently running on the device, sorted in tree format by type.

Access

Basic

Syntax


show process-tree

Example


> show process-tree

processes

Displays processes currently running on the device, sorted by descending CPU usage.

Access

Basic

Syntax


show processes sort-flag filter

where sort-flag can be -m to sort by memory (descending order), -u to sort by username rather than the process name, or verbose to display the full name and path of the command. The filter parameter specifies the search term in the command or username by which results are filtered. The header row is still displayed.

Example


> show processes -u user1

route

Displays the routing information for an ASA FirePOWER module.

Access

Basic

Syntax


show route

Example


> show route

serial-number

Displays the chassis serial number. This command is not available on NGIPSv.

Access

Basic

Syntax


show serial-number

Example


> show serial-number

ssl-policy-config

Displays the currently deployed SSL policy configuration, including policy description, default logging settings, all enabled SSL rules and rule configurations, trusted CA certificates, and undecryptable traffic actions.

Access

Basic

Syntax


show ssl-policy-config

Example


> show ssl-policy-config

summary

Displays a summary of the most commonly used information (version, type, UUID, and so on) about the device. For more detailed information, see the following show commands: version, interfaces, device-settings, and access-control-config.

Access

Basic

Syntax


show summary

Example


> show summary

syslog

Displays the system log in reverse chronological order. You can optionally specify a filter to display specific records based on content and the number of records to display per page view (the default is 25).

Access

Basic

Syntax


show syslog ["filter" records_per_page]

where filter specifies a Grep-compatible search filter and records_per_page specifies the number of records to display with each page view. See Syntax for System Log Filters for more information on search filters.

Example


> show syslog "ssh" 20

The system displays the 20 most recent syslog records containing the string "ssh". To display the next 20 records, press Enter; to stop the display enter q.
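The filter is grep-compatible, so it is a regular expression rather than a fixed string, and the output is paged newest-first. The following added example (not Cisco's code) models that behaviour in Python over a constructed sample log, and adds the follow-up a defender typically wants after `show syslog "ssh"`: a count of failed SSH logins per source address. The log lines, host name and addresses are all constructed; the line format is an assumption about what the device's system log looks like.

```python
import re
from collections import Counter

# Constructed sample system log (not real device output), oldest line first.
SAMPLE_SYSLOG = [
    "Mar 10 09:00:01 ngipsv sshd[1201]: Accepted publickey for admin from 10.0.0.5 port 51422 ssh2",
    "Mar 10 09:00:07 ngipsv sshd[1201]: pam_unix(sshd:session): session opened for user admin",
    "Mar 10 09:02:13 ngipsv ntpd[612]: kernel time sync status change 2001",
    "Mar 10 09:05:40 ngipsv sshd[1290]: Failed password for invalid user root from 10.0.0.9 port 40022 ssh2",
    "Mar 10 09:05:44 ngipsv sshd[1290]: Failed password for invalid user root from 10.0.0.9 port 40022 ssh2",
    "Mar 10 09:06:00 ngipsv cron[700]: (root) CMD (run-parts /etc/cron.hourly)",
    "Mar 10 09:07:31 ngipsv sshd[1333]: Accepted password for analyst from 10.0.0.12 port 50100 ssh2",
]

DEFAULT_RECORDS_PER_PAGE = 25  # page size 'show syslog' uses when none is given


def show_syslog(lines, filter_pattern=None, records_per_page=DEFAULT_RECORDS_PER_PAGE):
    """Model 'show syslog ["filter" records_per_page]': newest records first,
    optionally filtered by a grep-style (regular expression) pattern, split into pages."""
    if records_per_page < 1:
        raise ValueError("records_per_page must be at least 1")
    regex = re.compile(filter_pattern) if filter_pattern else None
    newest_first = list(reversed(lines))
    matched = [line for line in newest_first if regex is None or regex.search(line)]
    return [matched[i:i + records_per_page] for i in range(0, len(matched), records_per_page)]


FAILED_LOGIN = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")


def failed_logins_by_source(lines):
    """Count SSH authentication failures per source address."""
    counts = Counter()
    for line in lines:
        m = FAILED_LOGIN.search(line)
        if m:
            counts[m.group(2)] += 1
    return dict(counts)


if __name__ == "__main__":
    # Equivalent of: > show syslog "ssh" 20
    pages = show_syslog(SAMPLE_SYSLOG, "ssh", 20)
    for line in pages[0]:
        print(line)
    print(failed_logins_by_source(pages[0]))
```

Because the filter is a regular expression, a pattern such as `"ntpd|cron"` selects several daemons at once, and a literal that contains regex metacharacters must be escaped.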

time

Displays the current date and time in UTC and in the local time zone configured for the current user.

Access

Basic

Syntax


show time

Example


> show time

traffic-statistics

If no parameters are specified, displays details about bytes transmitted and received from all ports. If a port is specified, displays that information only for the specified port. You cannot specify a port for ASA FirePOWER modules; the system displays only the data plane interfaces.


Note


In some situations the output of this command may show packet drops when, in point of fact, the device is not dropping traffic. Drop counters increase when malformed packets are received. A malformed packet may be missing certain information in the header or it may have failed a cyclic redundancy check (CRC). Typically, common root causes of malformed packets are data link layer issues such as bad cables or a bad interface. The dropped packets are not logged. However, if the source is a reliable transport protocol such as TCP, the packets will be retransmitted.


Access

Basic

Syntax


show traffic-statistics port

where port is the specific port for which you want information.

Example


> show traffic-statistics s1p1

user

Applicable to NGIPSv only. Displays detailed configuration information for the specified user(s). The following values are displayed:

  • Login — the login name

  • UID — the numeric user ID

  • Auth (Local or Remote) — how the user is authenticated

  • Access (Basic or Config) — the user's privilege level

  • Enabled (Enabled or Disabled) — whether the user is active

  • Reset (Yes or No) — whether the user must change password at next login

  • Exp (Never or a number) — the number of days until the user's password must be changed

  • Warn (N/A or a number) — the number of days a user is given to change their password before it expires

  • Str (Yes or No) — whether the user's password must meet strength checking criteria

  • Lock (Yes or No) — whether the user's account has been locked due to too many login failures

  • Max (N/A or a number) — the maximum number of failed logins before the user's account is locked

Access

Configuration

Syntax


show user username username username ...

where username specifies the name of the user and the usernames are space-separated.

Example


> show user jdoe

users

Displays detailed configuration information for all local users. The following values are displayed:

  • Login — the login name

  • UID — the numeric user ID

  • Auth (Local or Remote) — how the user is authenticated

  • Access (Basic or Config) — the user's privilege level

  • Enabled (Enabled or Disabled) — whether the user is active

  • Reset (Yes or No) — whether the user must change password at next login

  • Exp (Never or a number) — the number of days until the user's password must be changed

  • Warn (N/A or a number) — the number of days a user is given to change their password before it expires

  • Str (Yes or No) — whether the user's password must meet strength checking criteria

  • Lock (Yes or No) — whether the user's account is locked due to too many login failures

  • Max (N/A or a number) — the maximum number of failed logins before the user's account is locked

Access

Configuration

Syntax


show users

Example


> show users
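The columns listed above are exactly the account-policy settings an auditor checks on a device's local user database: strength checking off, no lockout threshold, passwords that never expire, and accounts currently locked out. The following added example (not Cisco's code) parses a `show users` table and flags those conditions, then maps each finding to the `configure user` command documented in this reference that corrects it. The table is constructed to match the documented column names; the exact spacing of real output is an assumption, so the parser keys on the header words rather than on column positions. The 5 / 90 / 7 values in the suggested commands are an assumed policy, not device defaults.

```python
# Added example (not Cisco's code): parse 'show users' output into records and
# audit the account-policy columns this reference describes.
# Constructed sample table; real output may be spaced differently (assumption).
SAMPLE_SHOW_USERS = """\
Login       UID   Auth    Access  Enabled   Reset  Exp    Warn  Str  Lock  Max
admin       1000  Local   Config  Enabled   No     Never  N/A   Yes  No    5
jdoe        1001  Local   Basic   Enabled   No     90     7     Yes  No    3
svc_backup  1002  Local   Basic   Enabled   No     Never  N/A   No   No    N/A
tsmith      1003  Remote  Config  Disabled  No     Never  N/A   Yes  Yes   3
"""

EXPECTED_COLUMNS = ["Login", "UID", "Auth", "Access", "Enabled", "Reset",
                    "Exp", "Warn", "Str", "Lock", "Max"]


def parse_show_users(text):
    """Return one dict per user, keyed by the documented column names."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0].split()
    if header != EXPECTED_COLUMNS:
        raise ValueError(f"unexpected header: {header}")
    rows = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(header):
            raise ValueError(f"unexpected field count in: {line!r}")
        rows.append(dict(zip(header, fields)))
    return rows


def audit_users(rows):
    """Return (login, finding) pairs for weak or noteworthy account settings."""
    findings = []
    for r in rows:
        login = r["Login"]
        if r["Str"] == "No":
            findings.append((login, "password strength checking disabled"))
        if r["Max"] == "N/A":
            findings.append((login, "no failed-login lockout threshold"))
        if r["Exp"] == "Never":
            findings.append((login, "password never expires"))
        if r["Lock"] == "Yes":
            findings.append((login, "account is locked after repeated login failures"))
        if r["Access"] == "Config" and r["Enabled"] == "Enabled":
            findings.append((login, "active account with configuration access"))
    return findings


# Fixes expressed with the 'configure user' commands documented on this page.
# 5 / 90 / 7 are an assumed policy, not device defaults. Locked accounts and
# configuration-level accounts are left as review items rather than auto-fixed.
REMEDIATION = {
    "password strength checking disabled": "configure user strengthcheck {login} enable",
    "no failed-login lockout threshold": "configure user maxfailedlogins {login} 5",
    "password never expires": "configure user aging {login} 90 7",
}


def remediation_commands(findings):
    """Translate findings into the CLI commands that address them."""
    return [REMEDIATION[f].format(login=login) for login, f in findings if f in REMEDIATION]


if __name__ == "__main__":
    users = parse_show_users(SAMPLE_SHOW_USERS)
    found = audit_users(users)
    for login, finding in found:
        print(f"{login:12} {finding}")
    print("\n".join(remediation_commands(found)))
```

A locked account is reported but not unlocked automatically: `configure user unlock` should follow a look at the audit log and syslog for the failures that caused the lock, not precede it.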

version

Displays the product version and build. If the detail parameter is specified, displays the versions of additional components.


Note


The detail parameter is not available on ASA with FirePOWER Services.


Access

Basic

Syntax


show version [detail]

Example


> show version

vmware-tools

Indicates whether VMware Tools are currently enabled on a virtual device. This command is available only on NGIPSv.

VMware Tools is a suite of utilities intended to enhance the performance of the virtual machine. These utilities allow you to make full use of the convenient features of VMware products. The system supports the following plugins on all virtual appliances:

  • guestInfo

  • powerOps

  • timeSync

  • vmbackup

For more information about VMware Tools and the supported plugins, see the VMware website (http://www.vmware.com).

Access

Basic

Syntax


show vmware-tools

Example


> show vmware-tools

Classic Device CLI Configuration Commands

The configuration commands enable the user to configure and manage the system. These commands affect system operation; therefore, with the exception of Basic-level configure password, only users with configuration CLI access can issue these commands.

audit_cert Commands

The configure audit_cert commands configure the device’s audit log client certificate for secure audit log streaming.

Access

Configuration

delete

Deletes the current client certificate for secure audit log streaming.

Syntax

configure audit_cert delete

Example

> configure audit_cert delete

import

Imports a client certificate for secure audit log streaming. After the user enters the command, the CLI prompts the user to provide either a client certificate and private key, or a certificate chain.

Syntax

configure audit_cert import

Example

> configure audit_cert import
***************Import Audit Client Certificate**************

1 Import Client Certificate and Private Key
2 Import Certificate Chain
0 Exit

**************************************************************
Enter choice: 1
Enter your audit client certificate (PEM format) here:
-----BEGIN CERTIFICATE-----
MIIEoTCCA4mgAwIBAgICAR4wDQYJK0ZIhvcNaQALBWAugYICzAJBqNVBATYAiVT
   ...certificate details ...
Tx*FAhnXeUZ78hFepg1yHQMYWTkD7hCqmSN3UkAb1l0IoBcxTA==
-----END CERTIFICATE-----

Enter your private key (PEM format) here:
-----BEGIN RSA PRIVATE KEY-----
miiieOWobabkc3qwaOgVx0Tt61eY83Mrqa+bek_qPetcHRAw6ea4p0TlMVVsE7qr
   ...private key details ...
nRI6QNkoumLUT9EvjF6bFoT3M6eDI7+NdDIhjVeOP*E4+hxEX50jM
-----END RSA PRIVATE KEY-----

Client certificate import succeed, exiting...

log-ips-connections

Enables or disables logging of connection events that are associated with logged intrusion events.

Access

Configuration

Syntax


configure log-ips-connections {enable | disable}

Example


> configure log-ips-connections disable

manager Commands

The configure manager commands configure the device’s connection to its managing Firepower Management Center.

Access

Configuration

add

Configures the device to accept a connection from a managing Firepower Management Center. This command works only if the device is not actively managed.

A unique alphanumeric registration key is always required to register a device to a Firepower Management Center. In most cases, you must provide the hostname or the IP address along with the registration key. However, if the device and the Firepower Management Center are separated by a NAT device, you must enter a unique NAT ID, along with the registration key, and specify DONTRESOLVE instead of the hostname.

Syntax

configure manager add {hostname | IPv4_address | IPv6_address | DONTRESOLVE} regkey [nat_id]

where {hostname | IPv4_address | IPv6_address | DONTRESOLVE} specifies the DNS host name or IP address (IPv4 or IPv6) of the Firepower Management Center that manages this device. If the Firepower Management Center is not directly addressable, use DONTRESOLVE. If you use DONTRESOLVE, nat_id is required. regkey is the unique alphanumeric registration key required to register a device to the Firepower Management Center. nat_id is an optional alphanumeric string used during the registration process between the Firepower Management Center and the device. It is required if the hostname is set to DONTRESOLVE.

Example

> configure manager add DONTRESOLVE abc123 efg456

delete

Removes the Firepower Management Center’s connection information from the device. This command only works if the device is not actively managed.

Syntax

configure manager delete

Example

> configure manager delete

network Commands

The configure network commands configure the device’s management interface.

Access

Configuration

dns searchdomains

Replaces the current list of DNS search domains with the list specified in the command.

Syntax

configure network dns searchdomains {searchlist}

where searchlist is a comma-separated list of domains.

Example

> configure network dns searchdomains foo.bar.com,bar.com

dns servers

Replaces the current list of DNS servers with the list specified in the command.

Syntax

configure network dns servers {dnslist}

where dnslist is a comma-separated list of DNS servers.

Example

> configure network dns servers 10.123.1.10,10.124.1.10

hostname

Sets the hostname for the device.

Syntax

configure network hostname {name}

where name is the new hostname.

Example

> configure network hostname sfrocks

http-proxy

On NGIPSv devices, configures an HTTP proxy. After issuing the command, the CLI prompts the user for the HTTP proxy address and port, whether proxy authentication is required, and if it is required, the proxy username, proxy password, and confirmation of the proxy password.

Use this command on NGIPSv to configure an HTTP proxy server so the virtual device can submit files to the AMP cloud for dynamic analysis.

Syntax

configure network http-proxy

The proxy password can use only alphanumeric characters.

Example

> configure network http-proxy
Manual proxy configuration
Enter HTTP Proxy address:
Enter HTTP Proxy Port:
Use Proxy Authentication? (y/n) [n]:
Enter Proxy Username:
Enter Proxy Password:
Confirm Proxy Password:

http-proxy-disable

On NGIPSv devices, deletes any HTTP proxy configuration.

Syntax

configure network http-proxy-disable

Example

> configure network http-proxy-disable
Are you sure that you wish to delete the current http-proxy configuration? (y/n):

ipv4 delete

Disables the IPv4 configuration of the device’s management interface.

Syntax

configure network ipv4 delete

Example

> configure network ipv4 delete eth1

ipv4 dhcp

Sets the IPv4 configuration of the device’s management interface to DHCP. The management interface communicates with the DHCP server to obtain its configuration information.

Syntax

configure network ipv4 dhcp [management_interface]

where management_interface is the management interface ID. DHCP is supported only on the default management interface, so you do not need to use this argument.

Example

> configure network ipv4 dhcp

ipv4 manual

Manually configures the IPv4 configuration of the device’s management interface.

Syntax

configure network ipv4 manual ipaddr netmask [gw]

where ipaddr is the IP address, netmask is the subnet mask, and gw is the IPv4 address of the default gateway.

Example

> configure network ipv4 manual 10.123.1.10 255.255.0.0 10.123.1.1

ipv6 delete

Disables the IPv6 configuration of the device’s management interface.

Syntax

configure network ipv6 delete

Example

> configure network ipv6 delete

ipv6 dhcp

Sets the IPv6 configuration of the device’s management interface to DHCP. The management interface communicates with the DHCP server to obtain its configuration information.

Syntax

configure network ipv6 dhcp [management_interface]

where management_interface is the management interface ID. DHCP is supported only on the default management interface, so you do not need to use this argument.

Example

> configure network ipv6 dhcp

ipv6 manual

Manually configures the IPv6 configuration of the device’s management interface.

Syntax

configure network ipv6 manual ip6addr/ip6prefix [ip6gw]

where ip6addr/ip6prefix is the IP address and prefix length and ip6gw is the IPv6 address of the default gateway.

Example

> configure network ipv6 manual 2001:DB8:3ffe:1900:4545:3:200:f8ff:fe21:67cf 64

ipv6 router

Sets the IPv6 configuration of the device’s management interface to Router. The management interface communicates with the IPv6 router to obtain its configuration information.

Syntax

configure network ipv6 router

Example

> configure network ipv6 router

management-interface tcpport

Changes the value of the TCP port for management.

Syntax

configure network management-interface tcpport port

where port is the management port value you want to configure.

Example

> configure network management-interface tcpport 8500

management-port

Sets the value of the device’s TCP management port.

Syntax

configure network management-port number

where number is the management port value you want to configure.

Example

> configure network management-port 8500

static-routes ipv4 add

Adds an IPv4 static route for the specified management interface.

Syntax

configure network static-routes ipv4 add interface destination netmask gateway

where interface is the management interface, destination is the destination IP address, netmask is the network mask address, and gateway is the gateway address you want to add.

Example

> configure network static-routes ipv4 add eth1 10.115.24.0 255.255.255.0 10.115.9.2

static-routes ipv4 delete

Deletes an IPv4 static route for the specified management interface.

Syntax

configure network static-routes ipv4 delete interface destination netmask gateway

where interface is the management interface, destination is the destination IP address, netmask is the network mask address, and gateway is the gateway address you want to delete.

Example

> configure network static-routes ipv4 delete eth1 10.115.24.0 255.255.255.0 10.115.9.2

static-routes ipv6 add

Adds an IPv6 static route for the specified management interface.

Syntax

configure network static-routes ipv6 add interface destination prefix gateway

where interface is the management interface, destination is the destination IP address, prefix is the IPv6 prefix length, and gateway is the gateway address you want to add.

Example

> configure network static-routes ipv6 add eth1 2001:DB8:3ffe:1900:4545:3:200:f8ff:fe21:67cf 64

static-routes ipv6 delete

Deletes an IPv6 static route for the specified management interface.

Syntax

configure network static-routes ipv6 delete interface destination prefix gateway

where interface is the management interface, destination is the destination IP address, prefix is the IPv6 prefix length, and gateway is the gateway address you want to delete.

Example

> configure network static-routes ipv6 delete eth1 2001:DB8:3ffe:1900:4545:3:200:f8ff:fe21:67cf 64

password

Allows the current user to change their password. After issuing the command, the CLI prompts the user for their current (or old) password, then prompts the user to enter the new password twice.

Access

Basic

Syntax


configure password

Example


> configure password
Enter current password:
Enter new password:
Confirm new password:

user Commands

Applicable only to NGIPSv, the configure user commands manage the device’s local user database.

Access

Configuration

access

Modifies the access level of the specified user. This command takes effect the next time the specified user logs in.

Syntax

configure user access username [basic | config]

where username specifies the name of the user for which you want to modify access, basic indicates basic access, and config indicates configuration access.

Example

> configure user access jdoe basic

add

Creates a new user with the specified name and access level. This command prompts for the user’s password.

Syntax

configure user add username [basic | config]

where username specifies the name of the new user, basic indicates basic access, and config indicates configuration access.

Example

> configure user add jdoe basic
Enter new password for user jdoe:
Confirm new password for user jdoe:

aging

Forces the expiration of the user’s password.

Syntax

configure user aging username max_days warn_days

where username specifies the name of the user, max_days indicates the maximum number of days that the password is valid, and warn_days indicates the number of days that the user is given to change the password before it expires.

Example

> configure user aging jdoe 100 3

delete

Deletes the user and the user’s home directory.

Syntax

configure user delete username

where username specifies the name of the user.

Example

> configure user delete jdoe

disable

Disables the user. Disabled users cannot log in.

Syntax

configure user disable username

where username specifies the name of the user.

Example

> configure user disable jdoe

enable

Enables the user.

Syntax

configure user enable username

where username specifies the name of the user.

Example

> configure user enable jdoe 

forcereset

Forces the user to change their password the next time they log in. When the user logs in and changes the password, strength checking is automatically enabled.

Syntax

configure user forcereset username

where username specifies the name of the user.

Example

> configure user forcereset jdoe

maxfailedlogins

Sets the maximum number of failed logins for the specified user.

Syntax

configure user maxfailedlogins username number

where username specifies the name of the user, and number specifies the maximum number of failed logins.

Example

> configure user maxfailedlogins jdoe 3

minpasswdlen

Sets the minimum number of characters a user password must contain.

Syntax

configure user minpasswdlen username number

where username specifies the name of the user account, and number specifies the minimum number of characters the password for that account must contain (ranging from 1 to 127).

Example

> configure user minpasswdlen jdoe 13

password

Sets the user’s password. This command prompts for the user’s password.

Syntax

configure user password username

where username specifies the name of the user.

Example

> configure user password jdoe
Enter new password for user jdoe:
Confirm new password for user jdoe:

strengthcheck

Enables or disables the strength requirement for a user’s password. When a user’s password expires or if the configure user forcereset command is used, this requirement is automatically enabled the next time the user logs in.

Syntax

configure user strengthcheck username {enable | disable}

where username specifies the name of the user, enable sets the requirement for the specified user’s password, and disable removes the requirement for the specified user’s password.

Example

> configure user strengthcheck jdoe enable

unlock

Unlocks a user that has exceeded the maximum number of failed logins.

Syntax

configure user unlock username

where username specifies the name of the user.

Example

> configure user unlock jdoe

user-agent

Allows you to change the password used to authenticate the Cisco Firepower User Agent Version 2.5 or later with ASA with FirePOWER Services.

Password rules:

  • 8 character minimum length

  • 127 character maximum length

  • Must contain at least 1 digit

  • Must contain at least 1 letter

  • Must contain at least one special character not including ?$= (question mark, dollar sign, equal sign)

  • Cannot contain \, ', " (backslash, single quote, double quote)

  • Cannot be a dictionary word

  • Cannot include non-printable ASCII characters or extended ASCII characters

  • Must have no more than 2 repeating characters

Syntax

configure user-agent

Example


> configure user-agent
Enter new password for user-agent:
Confirm new password for user-agent:
The user-agent password has been changed.
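The password rules above can be checked before you sit at the CLI prompt. The following Python script is an added example, not Cisco code: it encodes each rule as a check and returns the list of violations. Three points are assumptions: the device's dictionary is stood in for by a small constructed word list (DICTIONARY), "no more than 2 repeating characters" is read as no run of three or more identical consecutive characters, and ? $ = are treated as permitted characters that simply do not count toward the special-character requirement.

```python
"""Check a candidate Firepower User Agent password against the rules listed above.

Added example, not Cisco code. DICTIONARY is a constructed stand-in for the
device's word list; the repeating-character rule is read as 'no run of 3 or
more identical consecutive characters' (assumption).
"""
import string

DICTIONARY = {"password", "welcome", "firepower", "cisco", "summer"}  # constructed stand-in
DISALLOWED_SPECIALS = set("?$=")      # do not satisfy the special-character rule (assumption)
FORBIDDEN = set("\\'\"")              # backslash, single quote, double quote
LETTERS = set(string.ascii_letters)
DIGITS = set(string.digits)
# Printable ASCII punctuation, minus the characters that do not count or are forbidden.
SPECIALS = set(string.punctuation) - DISALLOWED_SPECIALS - FORBIDDEN


def longest_run(s: str) -> int:
    """Length of the longest run of identical consecutive characters."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        prev = ch
        best = max(best, run)
    return best


def password_violations(pw: str) -> list:
    """Return the list of rule violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if len(pw) > 127:
        problems.append("longer than 127 characters")
    if not any(c in DIGITS for c in pw):
        problems.append("no digit")
    if not any(c in LETTERS for c in pw):
        problems.append("no letter")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special character other than ? $ =")
    if any(c in FORBIDDEN for c in pw):
        problems.append("contains backslash, single quote or double quote")
    # Printable ASCII is 0x20..0x7E; anything else is a control or extended character.
    if any(ord(c) < 32 or ord(c) > 126 for c in pw):
        problems.append("contains non-printable or extended ASCII characters")
    if pw.lower() in DICTIONARY:
        problems.append("is a dictionary word")
    if longest_run(pw) > 2:
        problems.append("repeats a character more than twice in a row")
    return problems


def is_acceptable(pw: str) -> bool:
    return not password_violations(pw)


if __name__ == "__main__":
    for candidate in ["Tr0ub4dor&3", "Pa$$w0rd=", "Abbb1!cd", "Password"]:
        print(candidate, "->", password_violations(candidate) or "ok")
```

The checks are independent, so a rejected password reports every rule it breaks rather than only the first one; that is what you want when the CLI prompt itself gives no detail beyond accepting or refusing the value.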

vmware-tools

Enables or disables VMware Tools functionality on NGIPSv. This command is available only on NGIPSv.

VMware Tools is a suite of utilities intended to enhance the performance of the virtual machine. These utilities allow you to make full use of the convenient features of VMware products. The system supports the following plugins on all virtual appliances:

  • guestInfo

  • powerOps

  • timeSync

  • vmbackup

For more information about VMware Tools and the supported plugins, see the VMware website (http://www.vmware.com).

Access

Basic

Syntax


configure vmware-tools {enable | disable}

Example


> configure vmware-tools enable

Classic Device CLI System Commands

The system commands enable the user to manage system-wide files and access control settings. Only users with configuration CLI access can issue commands in system mode.

access-control Commands

The system access-control commands enable the user to manage the access control configuration on the device.

Access

Configuration

archive

Saves the currently deployed access control policy as a text file on /var/common.

Syntax

system access-control archive

Example

> system access-control archive

clear-rule-counts

Resets the access control rule hit count to 0.

Syntax

system access-control clear-rule-counts

Example

> system access-control clear-rule-counts

rollback

Reverts the system to the previously deployed access control configuration.

Syntax

system access-control rollback

Example

> system access-control rollback

compliance Commands

The compliance commands display and configure the device’s security certifications compliance mode.

Caution


After you enable this setting, you cannot disable it. If you need to do so, contact Support for assistance.


Access

Configuration

enable cc

Configures the device’s security certifications compliance to Common Criteria (CC) mode.


Caution


After you enable this setting, you cannot disable it. If you need to do so, contact Support for assistance.


Syntax

system compliance enable cc

Example

> system compliance enable cc

enable ucapl

Configures the device’s security certifications compliance to Unified Capabilities Approved Products List (UCAPL) mode.


Caution


After you enable this setting, you cannot disable it. If you need to do so, contact Support for assistance.


Syntax

system compliance enable ucapl

Example

> system compliance enable ucapl

show

Displays the device's current security certifications compliance mode.

Syntax

system compliance show

Example

> system compliance show

disable-http-user-cert

Disables the requirement that the browser present a valid client certificate when connecting to the device's web interface. Because this removes the certificate check from web-interface authentication, treat it as a recovery step rather than a standing configuration.

Access

Configuration

Syntax


system disable-http-user-cert

Example


> system disable-http-user-cert

file Commands

The system file commands enable the user to manage the files in the common directory on the device.

Access

Configuration

copy

Uses FTP to transfer files to a remote location on the host using the login username. The local files must be located in the common directory. FTP sends the login credentials and the file contents in cleartext; prefer system file secure-copy where the remote host supports SCP.

Syntax

system file copy hostname username path filenames filenames ...

where hostname specifies the name or ip address of the target remote host, username specifies the name of the user on the remote host, path specifies the destination path on the remote host, and filenames specifies the local files to transfer; the file names are space-separated.

Example

> system file copy sfrocks jdoe /pub *

delete

Removes the specified files from the common directory.

Syntax

system file delete filenames filenames ...

where filenames specifies the files to delete; the file names are space-separated.

Example

> system file delete *

list

If no file names are specified, displays the modification time, size, and file name for all the files in the common directory. If file names are specified, displays the modification time, size, and file name for files that match the specified file names.

Syntax

system file list filenames

where filenames specifies the files to display; the file names are space-separated.

Example

> system file list

secure-copy

Uses SCP to transfer files to a remote location on the host using the login username. The local files must be located in the /var/common directory.

Syntax

system file secure-copy hostname username path filenames filenames ...

where hostname specifies the name or ip address of the target remote host, username specifies the name of the user on the remote host, path specifies the destination path on the remote host, and filenames specifies the local files to transfer; the file names are space-separated.

Example

> system file secure-copy 10.123.31.1 jdoe /tmp *

generate-troubleshoot

Generates troubleshooting data for analysis by Cisco.


Caution


Generating troubleshooting files for lower-memory devices can trigger Automatic Application Bypass (AAB) when AAB is enabled. At a minimum, triggering AAB restarts the Snort process, temporarily interrupting traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on how the target device handles traffic. See Snort® Restart Traffic Behavior for more information. In some such cases, triggering AAB can render the device temporarily inoperable. If inoperability persists, contact Cisco Technical Assistance Center (TAC), who can propose a solution appropriate to your deployment. Susceptible devices include the ASA 5508-X, 5516-X, and 5525-X, and NGIPSv.

Access

Configuration

Syntax


system generate-troubleshoot option1 optionN

Where options are one or more of the following, space-separated:

  • ALL: Run all of the following options.

  • SNT: Snort Performance and Configuration

  • PER: Hardware Performance and Logs

  • SYS: System Configuration, Policy, and Logs

  • DES: Detection Configuration, Policy, and Logs

  • NET: Interface and Network Related Data

  • VDB: Discovery, Awareness, VDB Data, and Logs

  • UPG: Upgrade Data and Logs

  • DBO: All Database Data

  • LOG: All Log Data

  • NMP: Network Map Information

Example


> system generate-troubleshoot VDB NMP
starting /usr/local/sf/bin/sf_troubleshoot.pl…
Please, be patient. This may take several minutes.
The troubleshoot options codes specified are VDB,NMP.
Getting filenames from [usr/local/sf/etc/db_updates/index]
Getting filenames from [usr/local/sf/etc/db_updates/base-6.2.3]
Troubleshooting information successfully created at /var/common/results-06-14-2018--222027.tar.gz

ldapsearch

Enables the user to perform a query of the specified LDAP server. Note that all parameters are required.

Access

Configuration

Syntax


system ldapsearch host port baseDN userDN basefilter

where host specifies the LDAP server domain, port specifies the LDAP server port, baseDN specifies the DN (distinguished name) that you want to search under, userDN specifies the DN of the user who binds to the LDAP directory, and basefilter specifies the record or records you want to search for.

Example


> system ldapsearch ldap.example.com 389 cn=users,dc=example,dc=com cn=user1,cn=users,dc=example,dc=com cn=user2

lockdown

Removes the expert command and access to the Linux shell on the device.


Caution


This command is irreversible without a hotfix from Support. Use with care.


Access

Configuration

Syntax


system lockdown

Example


> system lockdown

reboot

Reboots the device.

Access

Configuration

Syntax


system reboot

Example


> system reboot

restart

Restarts the device application.

Access

Configuration

Syntax


system restart

Example


> system restart

support Commands

The system support commands enable the user to manage special SSL ClientHello processing on the device.

Access

Configuration

ssl-client-hello-display

Displays the current settings for processing the ClientHello message during an SSL handshake. For a description of these settings, see the ssl-client-hello-enabled and ssl-client-hello-tuning commands.

Access

Basic

Syntax

system support ssl-client-hello-display

Example

> system support ssl-client-hello-display

ssl-client-hello-enabled

Controls special processing of the ClientHello message during the SSL handshake.


Caution


Use these commands only if advised to do so by Cisco TAC.


Access

Configuration

Syntax

system support ssl-client-hello-enabled setting {true | false}

Possible setting values are:

feature
Controls all special handling of ClientHello messages.
curves
Controls stripping of elliptic curves that the Firepower System does not support:
  • true (enabled)—The system strips any unsupported elliptic curves from the ClientHello message, increasing the likelihood of traffic decryption. You must also enable the extensions setting.

  • false (disabled)—The system retains unsupported elliptic curves in the ClientHello message, decreasing the likelihood of traffic decryption.

ciphers
Controls stripping of cipher suites that the Firepower System does not support:
  • true (enabled)—The system strips unsupported cipher suites from ClientHello messages, increasing the likelihood of traffic decryption.

  • false (disabled)—The system retains unsupported cipher suites in ClientHello messages. This decreases the likelihood of traffic decryption and can result in a number of Unsupported or Unknown Cipher errors in the SSL Flow Error field of associated connection events.

extensions
Controls stripping of TLS extensions that prevent decryption:
  • true (enabled)—The system identifies TLS extensions that prevent decryption and strips them from the ClientHello message. This value is required if you want to enable curves, session_ticket, and alpn.

  • false (disabled)—The system retains all TLS extensions in the ClientHello message. This decreases the likelihood of traffic decryptions and can result in Unknown Session errors in the SSL Flow Error field of associated connection events.

session_ticket
Controls processing of the SessionTicket extension in ClientHello messages. If the system can match a SessionTicket value in an incoming ClientHello message to cached session data, it can resume the session without the client and server performing the full SSL handshake.
  • true (enabled)—The system strips unrecognized SessionTicket values from the ClientHello message. This increases the likelihood of traffic decryption for the resumed session. You must also enable the extensions setting.

  • false (disabled)—The system retains all SessionTicket values in the ClientHello message. This decreases the likelihood of traffic decryption and can result in Uncached Session errors in the SSL Flow Error field of associated connection events.

session_id
Controls processing of the Session Identifier element in ClientHello messages. If the system can match the Session Identifier in an incoming ClientHello message to cached session data, it can resume the session without the client and server performing the full SSL handshake.
  • true (enabled)—The system strips unrecognized Session Identifier values from the ClientHello message. This increases the likelihood of traffic decryption for the resumed session.

  • false (disabled)—The system retains all Session Identifier values in the ClientHello message. This decreases the likelihood of traffic decryption and can result in Uncached Session errors in the SSL Flow Error field of associated connection events.

alpn
Controls stripping of ALPN protocol values that cannot be decrypted, specifically, the SPDY and HTTP2 protocols:
  • true (enabled)—The system prevents the client from establishing SPDY or HTTP2 sessions, increasing the likelihood of traffic decryption and inspection. You must also enable the extensions setting.

  • false (disabled)—The system allows the client to establish SPDY or HTTP2 sessions with the server, decreasing the likelihood of traffic decryption and inspection.

compression
Controls stripping of TLS compression requests from ClientHello messages:
  • true (enabled)—The system prevents the client from establishing a TLS compressed session with the server.

  • false (disabled)—The system allows the client to establish a TLS compressed session with the server. This prevents traffic decryption for the session and can result in Compression Used errors in the SSL Flow Error field of associated connection events.

tls13_downgrade
Determines whether the system attempts to downgrade a request for a TLS 1.3 connection to TLS 1.2. The system does not currently support TLS 1.3.
  • true (enabled)—The system attempts to downgrade a TLS 1.3 connection to TLS 1.2.

  • false (disabled)—The system does not attempt to downgrade, resulting in a failed connection.

aggressive_tls13_downgrade
Use this command only if advised to do so by Cisco TAC.
Example

> system support ssl-client-hello-enabled feature false

ssl-client-hello-force-reset

Resets the configurable settings for ClientHello message processing to default values. The system does not require user confirmation before proceeding.


Caution


Do not use this command unless you are directed to do so by Support.


Access

Configuration

Syntax
system support ssl-client-hello-force-reset

Example

> system support ssl-client-hello-force-reset

ssl-client-hello-reset

Resets the configurable settings for ClientHello message processing to default values. The system requires user confirmation before proceeding.


Caution


Do not use this command unless you are directed to do so by Support.


Access

Configuration

Syntax
system support ssl-client-hello-reset

Example

> system support ssl-client-hello-reset

ssl-client-hello-tuning

Allows you to refine how the managed device modifies ClientHello messages during SSL handshakes. This command tunes the default lists of cipher suites, elliptic curves, and extensions that the system allows in ClientHello messages. This command only adds entries to or removes entries from the default lists of allowed values. It does not overwrite the default lists.


Caution


Do not use this command unless you are directed to do so by Support.


Access

Configuration

Syntax

system support ssl-client-hello-tuning setting value

The value element supports a comma-delimited list of values. The possible setting values, the action the system takes for each, and where to obtain the numbers for the value element, are:

ciphers_allow

Allows the specified cipher suites in ClientHello messages. If you use this command, the system retains the specified cipher suites in any ClientHello messages it modifies.

Obtain individual cipher suite numbers from the IANA website: https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4

IANA provides values in hexadecimal. Convert them to decimal for use in this command.

ciphers_remove

Disallows the specified cipher suites in ClientHello messages. If you use this command, the system strips the specified cipher suites from any ClientHello message it modifies.

curves_allow

Allows the specified elliptic curves in ClientHello messages. If you use this command, the system retains the specified elliptic curves in any ClientHello message it modifies.

Obtain curve numbers from the IANA website: https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8

curves_remove

Disallows the specified elliptic curves in ClientHello messages. If you use this command, the system strips the specified elliptic curves from any ClientHello message it modifies.

extensions_allow

Allows the specified extensions in ClientHello messages. If you use this command, the system retains the specified extensions in any ClientHello message it modifies.

Obtain extension numbers from the IANA website: https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml

extensions_remove

Disallows the specified extensions in ClientHello messages. The system strips the specified extensions from any ClientHello message it modifies. By default, the system disallows extensions 22, 23, and 30032.

Example

> system support ssl-client-hello-tuning ciphers_allow 4,7,16,22
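To see what the strip settings of ssl-client-hello-enabled and the allow/remove lists of ssl-client-hello-tuning actually do to a handshake, here is an added Python example; it is not Cisco code and not the device's implementation. It parses a TLS 1.2 ClientHello handshake message, drops cipher suites and elliptic curves that are not on an allow-list, removes the default extensions_remove types 22, 23 and 30032, and re-serialises the message with the client's random and session ID intact. It also converts IANA hexadecimal registry values into the decimal form the tuning command takes. The allow-lists SUPPORTED_CIPHERS and SUPPORTED_CURVES and the sample ClientHello are constructed for the example; record-layer framing and the session-resumption settings are out of scope.

```python
"""Rewrite a TLS 1.2 ClientHello the way the ssl-client-hello strip settings describe.

Added example, not Cisco code. SUPPORTED_CIPHERS and SUPPORTED_CURVES are
constructed stand-ins for the device's real lists; the default
extensions_remove list (22, 23, 30032) is taken from the reference text.
"""
import struct

SUPPORTED_CIPHERS = {4, 7, 16, 22, 47, 53}      # constructed stand-in; 47 is IANA 0x00,0x2F
SUPPORTED_CURVES = {23, 24}                      # secp256r1, secp384r1 (constructed stand-in)
DEFAULT_EXTENSIONS_REMOVE = {22, 23, 30032}      # encrypt_then_mac, extended_master_secret, 0x7550
EXT_SUPPORTED_GROUPS = 10                        # IANA extension type carrying the curve list


def u16list(values):
    return b"".join(struct.pack("!H", v) for v in values)


def build_client_hello(f):
    """Serialise a ClientHello handshake message (HandshakeType 1 + 24-bit length + body)."""
    body = f["version"] + f["random"]
    body += bytes([len(f["session_id"])]) + f["session_id"]
    body += struct.pack("!H", 2 * len(f["ciphers"])) + u16list(f["ciphers"])
    body += bytes([len(f["compression"])]) + f["compression"]
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in f["extensions"])
    body += struct.pack("!H", len(ext)) + ext
    return b"\x01" + len(body).to_bytes(3, "big") + body


def parse_client_hello(msg):
    """Parse a ClientHello handshake message into a dict of its fields."""
    if msg[0] != 1:
        raise ValueError("not a ClientHello")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    f = {"version": body[0:2], "random": body[2:34]}
    pos = 34
    n = body[pos]; f["session_id"] = body[pos + 1:pos + 1 + n]; pos += 1 + n
    (n,) = struct.unpack_from("!H", body, pos); pos += 2
    f["ciphers"] = list(struct.unpack("!%dH" % (n // 2), body[pos:pos + n])); pos += n
    n = body[pos]; f["compression"] = body[pos + 1:pos + 1 + n]; pos += 1 + n
    (n,) = struct.unpack_from("!H", body, pos); pos += 2
    f["extensions"], end = [], pos + n
    while pos < end:
        t, l = struct.unpack_from("!HH", body, pos); pos += 4
        f["extensions"].append((t, body[pos:pos + l])); pos += l
    return f


def strip_client_hello(msg, ciphers_allow=SUPPORTED_CIPHERS, curves_allow=SUPPORTED_CURVES,
                       extensions_remove=DEFAULT_EXTENSIONS_REMOVE):
    """Drop unsupported cipher suites, unsupported curves in supported_groups, and listed extensions."""
    f = parse_client_hello(msg)
    f["ciphers"] = [c for c in f["ciphers"] if c in ciphers_allow]
    kept = []
    for t, d in f["extensions"]:
        if t in extensions_remove:
            continue                                   # extensions_remove: strip the whole extension
        if t == EXT_SUPPORTED_GROUPS:                  # curves: filter the list inside the extension
            (n,) = struct.unpack_from("!H", d, 0)
            curves = [c for c in struct.unpack("!%dH" % (n // 2), d[2:2 + n]) if c in curves_allow]
            d = struct.pack("!H", 2 * len(curves)) + u16list(curves)
        kept.append((t, d))
    f["extensions"] = kept
    return build_client_hello(f)


def iana_hex_to_decimal(iana_value):
    """Turn an IANA registry value such as '0xC0,0x2F' or '0x0017' into the decimal the tuning command takes."""
    return int(iana_value.replace("0x", "").replace(",", ""), 16)


def sample_client_hello():
    """Constructed ClientHello: two unsupported suites, one unsupported curve, extension 23 present."""
    groups = struct.pack("!H", 6) + u16list([29, 23, 24])          # x25519 (not allowed here), P-256, P-384
    return build_client_hello({
        "version": b"\x03\x03", "random": bytes(range(32)), "session_id": b"",
        "ciphers": [0xC02F, 47, 4, 0x1301, 53], "compression": b"\x00",
        "extensions": [(EXT_SUPPORTED_GROUPS, groups), (23, b""), (0, b"\x00\x0c\x00\x00\x09localhost")],
    })


if __name__ == "__main__":
    before = parse_client_hello(sample_client_hello())
    after = parse_client_hello(strip_client_hello(sample_client_hello()))
    print("ciphers:", before["ciphers"], "->", after["ciphers"])
    print("extensions:", [t for t, _ in before["extensions"]], "->", [t for t, _ in after["extensions"]])
    print("tuning value for TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:", iana_hex_to_decimal("0xC0,0x2F"))
```

Running it shows the rewritten ClientHello offering only suites 47, 4 and 53 in their original order, a supported_groups extension reduced to P-256 and P-384, and extension 23 gone; the IANA entry 0xC0,0x2F becomes 49199, which is the form you would pass to ciphers_allow or ciphers_remove.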

shutdown

Shuts down the device. This command is not available on ASA FirePOWER modules.

Access

Configuration

Syntax


system shutdown

Example


> system shutdown

History for Classic Device CLI

Feature

Version

Details

Deprecated CLI commands

6.5

The following CLI commands are useful only on devices that are not supported with Version 6.5:

  • show alarms

  • show arp-tables

  • show bypass and config bypass

  • show high-availability and configure high-availability (all commands)

  • show fan-status

  • show fastpath-rules

  • show gui and configure gui

  • show http-cert-expire-date

  • show lcd and configure lcd

  • show link-aggregation (all commands)

  • show mpls-depth and configure mpls-depth

  • show nat and system nat (all commands)

  • show network-modules

  • show portstats

  • show power-supply-status

  • show routing-table

  • show stacking and configure stacking

  • show virtual-routers

  • show virtual-switches

  • show vpn (all commands)

  • configure network management-interface (all commands to enable and disable management and event channels)

  • system renew-http-cert

Although the CLI will display help for these deprecated commands if you use the ? (question mark) command, they are not described in this guide or the online help. For detailed information on these commands, see the CLI appendix in the Firepower Management Center Configuration Guide that corresponds to your device version.

Configure the Firepower User Agent password.

6.5

You can change the password for the user agent version 2.5 and later using the configure user-agent command.

HTTPS Certificates

6.3

The default HTTPS server certificate provided with the system now expires in three years. If your appliance uses a default certificate that was generated before you upgraded to Version 6.3, the certificate will expire 20 years from when it was first generated. If you are using the default HTTPS server certificate the system now provides the ability to renew it.

New classic CLI commands: show http-cert-expire-date, system renew-http-cert

Supported platforms: Physical FMCs

Classic CLI command system lockdown-sensor syntax.

6.3

The system lockdown-sensor command in the Classic CLI is now system lockdown.