This document describes the Cisco RADKit Integration in FMC feature added in 7.7 release.
Problem Firewall Administrators Face
Use Case
Some of the key capabilities from which the users could benefit after integrating RADKit in the FMC include:
What’s New - Solution
RADKit Service Integration in FMC Diagram
This diagram shows how RADKit enables communication from the user's (TAC engineer's) RADKit client to production FTD devices:
Basics: Supported Platforms, Licensing
Applications and Managers
Other Aspects of Support
Dependencies for Feature to Operate
Feature Overview
Configuration Steps: Overview
1. Device administrator (FMC admin user): Enable and enroll the RADKit service and configure authorizations on FMC GUI.
2. Cisco TAC/Cisco Support: Install RADKit Client on their computer, access, and troubleshoot the devices from RADKit Client.
FMC Admin User: Firewall Management Center Walkthrough
Remote Diagnostics Menu
Initial Remote Diagnostics Page
This is the initial Remote Diagnostics page. The RADKit service can be enabled by toggling the "Enable the RADKit service" switch:
RADKit Service Starting
After enabling the RADKit service, a progress bar appears until the RADKit service is started:
RADKit Service Enabled
The next step is enrollment in the RADKit cloud, by clicking the “Enroll with SSO” button.
Enroll with SSO – Enter Email Address
Step 1 of the enrollment process consists of entering the user email address for the RADKit cloud enrollment:
Enroll with SSO – Accept Authorization Request
A new browser tab (or window, depending on browser settings) opens. Click the Accept button.
Enroll with SSO – Authentication Successful
After successful authentication, the user can close the browser tab and return to the FMC Remote Diagnostics page.
RADKit Service Enrolled
The RADKit service is enrolled with the specified service ID (in this example, the ID is 8kji-znxg-3gkt). The ID can be copied to clipboard. Give it to the Cisco TAC engineer so they can connect to the RADKit service from the RADKit client.
The next step is to create an authorization by clicking the “Create New Authorization” button:
Create New Authorization: Step 1
Create New Authorization: Step 2
Notes About Picking Devices
Create New Authorization: Step 3
Create New Authorization Summary
The final step is the authorization summary. Here, a user can review and edit the configuration.
Create New Authorization Completed
A confirmation screen is displayed after authorization creation is completed:
Current Authorizations List, Including Revoke
Device Sudo Access List
Confirm Enabling Device(s) Sudo Access
1. Sudo access can be enabled for all devices or only for specific ones by selecting the devices and then clicking the "Enable" button.
2. When enabling, a confirmation dialog appears and clicking Confirm is required.
Devices Sudo Access Enabled
Other Notes
RADKit Service REST APIs
To support create and read operations on RADKit Service, these new URLs have been introduced:
RADKit Service Model
The RADKit service model consists of:
Cisco Support: RADKit Client Usage
Support Side: Install the RADKit Client
Obtain and Install RADKit Client
The RADKit client can be installed locally from https://radkit.cisco.com/downloads/release/ and then launched from a terminal with the command: radkit-client
Installers are available for Windows, MacOS, and Linux.
RADKit client screenshot with login commands (details in the next section).
RADKit Client Login Commands
>>> client = sso_login("user@cisco.com")
A browser window was opened to continue the authentication process. Please follow the instructions there.
Authentication result received.
>>> service = client.service("8abc-znxg-3abc")
15:09:03.639Z INFO | internal | Connection to forwarder successful [forwarder_base_url='wss://prod.radkit-cloud.cisco.com/forwarder-4/' uri='wss://prod.radkit-cloud.cisco.com/forwarder-4/websocket/']
15:09:03.727Z INFO | internal | Forwarder client created. [forwarder_base_url='wss://prod.radkit-cloud.cisco.com/forwarder-4/']
15:09:04.244Z INFO | internal | Connection to forwarder successful [forwarder_base_url='wss://prod.radkit-cloud.cisco.com/forwarder-1/' uri='wss://prod.radkit-cloud.cisco.com/forwarder-1/websocket/']
15:09:04.332Z INFO | internal | Forwarder client created. [forwarder_base_url='wss://prod.radkit-cloud.cisco.com/forwarder-1/']
RADKit Client Service Inventory Command
Command for listing the inventory that the remote user (Cisco TAC engineer) is authorised to access:
>>> service.inventory
<radkit_client.sync.device.DeviceDict object at 0x1154969a0>
name host device_type Terminal Netconf SNMP Swagger HTTP description failed
----------------------- --------- ------------- ---------- --------- ------ --------- ------ ------------- --------
172-16-0-100-1724078669 127.0.0.3 FTD True False False False False 172.16.0.100 False
172-16-0-102-1724078669 127.0.0.2 FTD True False False False False 172.16.0.102 False
firepower-1724078669 127.0.0.1 FMC True False False False False firepower False
Untouched inventory from service 8kji-znxg-3gkt.
There is a filter command for the devices in the inventory (next section). Use the name in the left column to start an interactive session with the device (command in the upcoming section).
Tip: If the inventory is outdated, you can update it using the command:
>>> service.update_inventory()
RADKit Client: Filter Devices
Command for filtering devices in the inventory:
>>> ftds = service.inventory.filter(attr='name', pattern='172-16-0')
>>> ftds
<radkit_client.sync.device.DeviceDict object at 0x111a93130>
name host device_type Terminal Netconf SNMP Swagger HTTP description failed
----------------------- --------- ------------- ---------- --------- ------ --------- ------ ------------- --------
172-16-0-100-1724078669 127.0.0.3 FTD True False False False False 172.16.0.100 False
172-16-0-102-1724078669 127.0.0.2 FTD True False False False False 172.16.0.102 False
2 device(s) from service 8kji-znxg-3gkt.
RADKit Client Device Interactive Session Command
Launching an interactive session for a device (in this case an FMC) with the name "firepower-1724078669" taken from the previous "service.inventory" command:
>>> service.inventory["firepower-1724078669"].interactive()
08:56:10.829Z INFO | internal | Starting interactive session (will be closed when detached)
08:56:11.253Z INFO | internal | Session log initialized [filepath='/Users/use/.radkit/session_logs/client/20240820-115610830612-firepower-1724078669.log']
Attaching to firepower-1724078669 ...
Type: ~. to terminate.
~? for other shortcuts.
When using nested SSH sessions, add an extra ~ per level of nesting.
Warning: all sessions are logged. Never type passwords or other secrets, except at an echo-less password prompt.
Copyright 2004-2024, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.
Cisco Firepower Extensible Operating System (FX-OS) v82.17.0 (build 170)
Cisco Secure Firewall Management Center for VMware v7.7.0 (build 1376)
RADKit Client Execute Commands on Devices
Execute the commands on devices!
>>> result = ftds.exec(['show version', 'show interface'])
>>>
>>> result.status
<RequestStatus.SUCCESS: 'SUCCESS'>
>>>
>>> result.result['172-16-0-100-1724078669']['show version'].data | print
> show version
-------------------[ firepower ]--------------------
Model : Cisco Secure Firewall Threat Defense for VMware (75) Version 7.7.0 (Build 1376)
UUID : 989b0f82-5e2c-11ef-838b-b695bab41ffa
LSP version : lsp-rel-20240815-1151
VDB version : 392
----------------------------------------------------
Considering this inventory:
>>> service.inventory
[READY] <radkit_client.sync.device.DeviceDict object at 0x192cdb77110>
name host device_type Terminal Netconf SNMP Swagger HTTP description failed
----------------------------- --------- ------------- ---------- --------- ------ --------- ------ ------------------ --------
10-62-184-69-1743156301 127.0.0.4 FTD True False None False False 10.62.184.69 False
fmc1700-1-1742391113 127.0.0.1 FMC True False None False False FMC1700-1 False
ftd3120-3-1743154081 127.0.0.2 FTD True False None False False FTD3120-3 False
ftd3120-4-1743152281 127.0.0.3 FTD True False None False False FTD3120-4 False
To get 'show version' details from the FTD devices:
>>> command = "show version"
>>> ftds = service.inventory.filter("device_type","FTD").exec(command).wait()
>>>
>>> # Print the results
>>> for key in ftds.result.keys():
...     print(key)
...     ftds.result.get(key).data | print
...                                        <- Press Enter twice
ftd3120-3-1743154081
> show version
-------------------[ FTD3100-3 ]--------------------
Model : Cisco Secure Firewall 3120 Threat Defense (80) Version 7.7.0 (Build 89)
UUID : 123a456a-cccc-bbbb-aaaa-a123456abcde
LSP version : lsp-rel-20250327-1959
VDB version : 404
----------------------------------------------------
>
10-62-184-69-1743156301
> show version
----------------[ KSEC-FPR1010-10 ]-----------------
Model : Cisco Firepower 1010 Threat Defense (78) Version 7.7.0 (Build 89)
UUID : 123a456a-cccc-bbbb-aaaa-a123456abcde
LSP version : lsp-rel-20250327-1959
VDB version : 404
----------------------------------------------------
>
ftd3120-4-1743152281
> show version
-------------------[ FTD3100-4 ]--------------------
Model : Cisco Secure Firewall 3120 Threat Defense (80) Version 7.7.0 (Build 89)
UUID : 123a456a-cccc-bbbb-aaaa-a123456abcde
LSP version : lsp-rel-20250327-1959
VDB version : 404
----------------------------------------------------
>
Alternative approach:
>>> # Get the FTDs. This returns a DeviceDict object:
... ftds = service.inventory.filter("device_type", "FTD")
>>> # Access the dictionary of devices from the _async_object attribute
... devices_obj = ftds.__dict__['_async_object']
>>> # Extract the 'name' from each AsyncDevice object
... names = [device.name() for device in devices_obj.values()]
>>> # Get the 'show version' output from all FTD devices:
... command = "show version"
... show_ver_ftds = []
... for name in names:
...     ftd = service.inventory[name]
...     req = ftd.exec(command)
...     req.wait(30)  # depending on the number of devices you might need to increase the timeout value
...     show_ver_ftds.append(req.result.data)
>>> # Print the inventory device name + 'show version' output from each device:
... for name, show_version in zip(names, show_ver_ftds):
...     print(f"Inventory name: {name}")
...     print(show_version[2:-2])  # Remove the leading '> ' and trailing '\n>'
...     print("\n")
Inventory name: ftd3120-3-1743154081
show version
-------------------[ FTD3100-3 ]--------------------
Model : Cisco Secure Firewall 3120 Threat Defense (80) Version 7.7.0 (Build 89)
UUID : 123a456a-cccc-bbbb-aaaa-a123456abcde
LSP version : lsp-rel-20250327-1959
VDB version : 404
----------------------------------------------------
Inventory name: ftd3120-4-1743152281
show version
-------------------[ FTD3100-4 ]--------------------
Model : Cisco Secure Firewall 3120 Threat Defense (80) Version 7.7.0 (Build 89)
UUID : 123a456a-cccc-bbbb-aaaa-a123456abcde
LSP version : lsp-rel-20250327-1959
VDB version : 404
----------------------------------------------------
Inventory name: 10-62-184-69-1743156301
show version
----------------[ KSEC-FPR1010-10 ]-----------------
Model : Cisco Firepower 1010 Threat Defense (78) Version 7.7.0 (Build 89)
UUID : 123a456a-cccc-bbbb-aaaa-a123456abcde
LSP version : lsp-rel-20250327-1959
VDB version : 404
----------------------------------------------------
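Once the 'show version' text has been collected per device (either of the two loops above), the next thing a TAC engineer usually wants is the version, build, LSP and VDB of every FTD side by side, with any mismatch flagged. This is an added example, not code from the page or from the RADKit client: the sample strings are constructed to match the output shown above (with one VDB deliberately different), and parse_show_version, collect_versions and find_drift are hypothetical helper names; the input dict stands in for {inventory name: req.result.data}.

```python
import re

# Constructed sample shaped like the 'show version' results above, keyed by inventory
# name as exec() returns them; the 1010's VDB is deliberately different to show drift.
SAMPLE_RESULTS = {
    "ftd3120-3-1743154081": (
        "> show version\n"
        "-------------------[ FTD3100-3 ]--------------------\n"
        "Model : Cisco Secure Firewall 3120 Threat Defense (80) Version 7.7.0 (Build 89)\n"
        "UUID : 123a456a-cccc-bbbb-aaaa-a123456abcde\n"
        "LSP version : lsp-rel-20250327-1959\n"
        "VDB version : 404\n"
        "----------------------------------------------------\n>"),
    "10-62-184-69-1743156301": (
        "> show version\n"
        "----------------[ KSEC-FPR1010-10 ]-----------------\n"
        "Model : Cisco Firepower 1010 Threat Defense (78) Version 7.7.0 (Build 89)\n"
        "UUID : 123a456a-cccc-bbbb-aaaa-a123456abcde\n"
        "LSP version : lsp-rel-20250327-1959\n"
        "VDB version : 410\n"
        "----------------------------------------------------\n>"),
}

HOST_RE = re.compile(r"^-+\[\s*(?P<host>\S+)\s*\]-+$", re.M)            # banner line
MODEL_RE = re.compile(r"^Model\s*:\s*(?P<model>.+?)\s+Version\s+(?P<version>\S+)"
                      r"\s+\(Build\s+(?P<build>\d+)\)", re.M)
FIELD_RE = re.compile(r"^(?P<key>UUID|LSP version|VDB version)\s*:\s*(?P<val>\S+)", re.M)

def parse_show_version(text):
    """Turn one device's raw 'show version' text into a flat dict of fields."""
    info = {}
    if (m := HOST_RE.search(text)):
        info["hostname"] = m.group("host")
    if (m := MODEL_RE.search(text)):
        info.update(model=m.group("model"), version=m.group("version"), build=m.group("build"))
    for m in FIELD_RE.finditer(text):          # UUID / LSP version / VDB version
        info[m.group("key").lower().replace(" ", "_")] = m.group("val")
    return info

def collect_versions(results):
    return {name: parse_show_version(text) for name, text in results.items()}

def find_drift(parsed, fields=("version", "build", "lsp_version", "vdb_version")):
    """Return {field: {device: value}} for every field whose value differs between devices."""
    drift = {}
    for field in fields:
        values = {name: dev.get(field) for name, dev in parsed.items()}
        if len(set(values.values())) > 1:
            drift[field] = values
    return drift
```

Running collect_versions on the sample and then find_drift reports only vdb_version (404 versus 410), which is exactly the kind of inconsistency worth checking before a TAC case moves on to deeper troubleshooting.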
Getting Files from Devices
Using RADKit Network Console
Upgrading to 7.7 and from 7.7 upwards
Experience with Unsupported FTDs
Troubleshooting Points
1. Use Browser Development tools and FMC logs to see what’s happening in FMC.
2. For communication issues between the RADKit Service on FMC, the RADKit Cloud, and the RADKit client, look at the RADKit client logging.
3. RADKit Client.
How to Troubleshoot: Browser’s Developer Tools
RADKit Service Go Middleware APIs
Go Middleware for the RADKit integration uses API calls which are not publicly available via the FMC API explorer. The Go Middleware API log is available at /var/log/auth-daemon.log. The functionality Go Middleware performs includes:
Logs for Troubleshooting the RADKit Service
/var/log/process_stdout.log
/var/log/process_stderr.log
All these logs are included in FMC/FTD Troubleshoots.
Logs to Submit to Cisco TAC
Monitoring Access
Logging of who has been granted access for how long and who granted the access is in the FMC Audit logs.
RADKit session logs for the operations performed from the RADKit Client on devices (FMCs and FTDs) are present on FMC at /var/lib/radkit/session_logs/service:
RADKit Previous Sessions Logs
The RADKit session logs for the device operations performed from the RADKit client are available for download as an archive containing all the logs, in the Previous Sessions tab, by clicking the “Download All Logs” button.
Troubleshooting Example
In case of an error like “Connect to localhost:2080 [localhost/127.0.0.1] failed: Connection refused (Connection refused)”, try restarting auth-daemon from an FMC SSH session:
root@firepower:~$ sudo pmtool restartbyid auth-daemon
This telemetry output was added for this feature:
"remoteDiagnostics" : {
"isRemoteDiagnosticsEnabled": 0 // 0 = false , 1 = true
}
FAQs: Login and Enrollment
Q. Does the enrollment work with proxy if FMC doesn’t have direct internet access?
A. Yes, if the proxy has access to prod.radkit-cloud.cisco.com which is used for the enrollment process.
Q. Can a user use their own IdP for this service?
A. Only Cisco SSO is accepted on RADKit cloud. There is an option to associate your company account with a Cisco account, so that the RADKit service enrollment is possible with a non-Cisco email.
FAQs: RADKit Versions
Q. What version of RADKit is included in FMC in the 7.7 release? How can we know which version of RADKit is included in FMC? Is this something that can be updated without an FMC upgrade?
A.
FAQs: Other
Q. Could external devices - not managed by the FMC – be included?
A. Only devices managed by the FMC can be added to the RADKit inventory and then can be accessed through an authorization.
Q. Is RADKit config backed up as part of FMC backup?
A.
Useful Links:
Revision | Publish Date | Comments
---|---|---
1.0 | 19-Mar-2025 | Initial Release