D – R Commands

decommission

To decommission a server, use the decommission server command.

decommission server { id | chassis_id/blade_id }

Syntax Description

id

The server identification number. This is a value between 1 and 255.

chassis_id/blade_id

The chassis and blade identification numbers in n/n format.

Command Modes

Any command mode

Command History

Release

Modification

2.3(1)

Command added.

Usage Guidelines

Depending on the type of device hosting the module to be decommissioned, identify it using its module ID (4100 series), or the chassis number and module number (9300 devices).

When you decommission a security module, the module object is deleted from the configuration and the module becomes unmanaged. Any logical devices or software running on the module become inactive.

Examples

This example shows how to decommission a server:

firepower# decommission server 1/1
firepower* # commit-buffer
firepower # 

decommission-secure

To securely decommission a server, use the decommission-secure server command.

decommission-secure server chassis_id/blade_id

Syntax Description

chassis_id/blade_id

The chassis and blade identification numbers in n/n format.

Command Modes

Any command mode

Command History

Release

Modification

2.7(1)

Command added.

Usage Guidelines

This command securely erases the specified module. That is, data is not just deleted—the physical storage is “wiped” (completely erased). After a security module is erased, it remains down until acknowledged (similar to a module that is decommissioned).

Examples

This example shows how to securely decommission a server:

firepower# decommission-secure server 1/2
Warning: 
1.Secure decommissioning of the service module may take some time. Please use the CLI command 'show slot status [n/n] detail' to check for completion.
2.All of the application data on the service module will be lost.  Please back up the application's configuration files before executing the commit-buffer command.
firepower* # 

delete hw-crypto

To delete a TLS crypto acceleration configuration on a container instance, use the delete hw-crypto command. For more information about TLS crypto acceleration, see the Firepower Management Center Configuration Guide.

delete hw-crypto

Command Modes

connect module

Command History

Release

Modification

2.7.1

This command was introduced.

Usage Guidelines

This command deletes a TLS crypto acceleration configuration for a container instance. If TLS crypto acceleration is enabled on the container instance, the command disables it before deleting the configuration.

Examples

Following is an example of deleting a TLS crypto acceleration configuration:

scope ssa
/ssa # show app-instance

App Name   Identifier Slot ID    Admin State Oper State       Running Version Startup Version Deploy Type Turbo Mode Profile Name Cluster State   Cluster Role
---------- ---------- ---------- ----------- ---------------- --------------- --------------- ----------- ---------- ------------ --------------- ------------
ftd        FTD-FDM    1          Enabled     Online           6.5.0.1159      6.5.0.1159      Native      No                      Not Applicable  None
ftd        ftd2       2          Enabled     Online           6.5.0.1159      6.5.0.1159      Container   No         Default-Small Not Applicable  None

/ssa # sc slot 2
/ssa/slot # scope app-instance ftd ftd2
/ssa/slot/app-instance # delete hw-crypto
/ssa/slot/app-instance* # commit-buffer

delete

To delete an existing managed object, use the relevant delete command in the appropriate command mode.

delete object_type name [parameters]

Syntax Description

object_type

The type of object to be deleted. Examples include local user account and organization.

name

The name of the specific object to be deleted.

parameters

(Optional) Any additional properties or parameters needed to identify the object. Refer to the description of the create command for the specific object type for more information.

Command Modes

Depends on the type of object being deleted; refer to the description of the create command for the specific object type for more information.

Command History

Refer to the description of the create command for the specific object type for history information.

Usage Guidelines

Objects are abstract representations of physical components or logical entities that can be managed. For example, the chassis, security modules, network modules, ports, and processors are physical components represented as managed objects, while licenses, user roles, and platform policies are logical entities represented as managed objects.

FXOS provides four general commands for managing objects: create, delete, enter, and scope. For example, you can create a local user account, you can delete a local user account, and you can enter a local user account to assign or change properties for that account; you also can “scope into” the local user account to assign or change properties.

Generally, the keywords and options available to each of these object-management commands are the same, so we detail only the create version of the various object commands. In other words, for information about the delete command for a particular object, refer to the description of the create command for that object. For example, refer to create local-user for information related to deleting an existing local user account.

Examples

This example shows how to enter security mode and then delete a local user account:

firepower # scope security
firepower /security # delete local-user test_user
firepower /security/local-user* # commit-buffer
firepower /security/local-user # 

This example shows how to enter a local-user account and then delete a user role:

firepower # scope security
firepower /security # enter local-user test_user
firepower /security/local-user # delete role aaa
Warning: Change of privileges will terminate active sessions (CLI and Web) of user 'test_user
firepower /security/local-user* # commit-buffer
firepower /security/local-user # 

delete decommissioned server

To delete a decommissioned server, use the delete decommissioned server command.

delete decommissioned server vendor model serial_number

Syntax Description

vendor

The name of the company that manufactured the server; can be no more than 510 characters.

model

The module’s model name; can be no more than 510 characters.

serial_number

The module’s serial number; can be no more than 510 characters.

Command Modes

Any command mode

Command History

Release

Modification

1.4(1)

Command added.

Examples

This example shows how to delete a decommissioned server.

FP9300-A # delete decommissioned server Cisco Systems, Inc.
Cisco Firepower 9000 Series Security Module
FLM1949C6J1
FP9300-A* # commit-buffer

deregister

To remove this Firepower 4100/9300 device from your Cisco Smart Software License account, use the deregister command.

deregister

Syntax Description

This command has no arguments or keywords.

Command Modes

License mode

Command History

Release

Modification

1.1(1)

Command added.

Usage Guidelines

Deregistration removes the device from your account, and all license entitlements and certificates on the device are removed. You can use this to free up a license for a new Firepower 4100/9300, or you can remove the device from the Smart Software Manager.

Examples

This example shows how to deregister this device.

FP9300-A # scope license
FP9300-A /license # deregister
FP9300-A /license # 

disable (app-instance)

To disable an existing application instance, use the disable command in app-instance mode.

Syntax Description

This command has no arguments or keywords.

Command Modes

scope ssa/scope slot/scope app-instance

Command History

Release

Modification

1.1(1)

Command added.

Usage Guidelines

Use this command to disable an application instance without removing it from the system.

Examples

This example shows how to display current application instances, including their status, then enter application instance mode and disable an application instance:

firepower # scope ssa
firepower /ssa # scope slot 2
firepower /ssa/slot # show app-instance

Application Instance:
    App Name   Identifier Admin State Oper State       Running Version Startup Version Deploy Type Profile Name Cluster State   Cluster Role
    ---------- ---------- ----------- ---------------- --------------- --------------- ----------- ------------ --------------- ------------
    ftd1       IFT-63     Enabled     Online           6.3.0.12        6.3.0.12        Native                   In Cluster      Slave

Application Instance:
    App Name   Identifier Admin State Oper State       Running Version Startup Version Deploy Type Profile Name Cluster State   Cluster Role
    ---------- ---------- ----------- ---------------- --------------- --------------- ----------- ------------ --------------- ------------
    ftd2       FTD-2      Enabled     Online           6.3.0.12        6.3.0.12        Container   bronze       Not Applicable  None
firepower /ssa/slot # scope app-instance ftd2 FTD-2
firepower /ssa/slot/app-instance # disable
firepower /ssa/slot/app-instance* # commit-buffer
firepower /ssa/slot/app-instance # 

disable (export-configuration)

To disable an existing export-configuration object, use the disable command in export-config mode.

Syntax Description

This command has no arguments or keywords.

Command Modes

scope system/scope export-config

Command History

Release

Modification

1.1(1)

Command added.

Usage Guidelines

In export-configuration mode, use this command to disable an existing export-configuration object without removing it from the system.

Examples

This example shows how to scope into an existing exported configuration object and disable it:

firepower # scope system
firepower /system # scope export-config 192.168.1.2
firepower /system/export-config # disable
firepower /system/export-config* # commit-buffer

disable (interface)

To disable the current interface, use the disable command in interface mode.

Syntax Description

This command has no arguments or keywords.

Command Modes

scope eth-uplink/scope fabric/interface

Command History

Release

Modification

1.1(1)

Command added.

Usage Guidelines

Use this command to disable the current interface.

Examples

This example shows how to disable an interface and confirm its status:

firepower # scope eth-uplink
firepower /eth-uplink # scope fabric
firepower /eth-uplink/fabric # scope interface Ethernet1/5
firepower /eth-uplink/fabric/interface # disable
firepower /eth-uplink/fabric/interface* # commit-buffer
firepower /eth-uplink/fabric/interface # show

Interface:
    Port Name       Port Type          Admin State Oper State       Allowed Vlan State Reason
    --------------- ------------------ ----------- ---------------- ------------ ------------
    Ethernet1/5     Data               Disabled     Up               All
firepower /eth-uplink/fabric/interface # 

disable (port-channel)

To disable the current port-channel (EtherChannel), use the disable command in port-channel mode.

Syntax Description

This command has no arguments or keywords.

Command Modes

scope eth-uplink/scope fabric/port-channel

Command History

Release

Modification

1.1(1)

Command added.

Usage Guidelines

Use this command to disable the current port-channel.

Examples

This example shows how to disable a port-channel and confirm its status:

firepower # scope eth-uplink
firepower /eth-uplink # scope fabric
firepower /eth-uplink/fabric # scope port-channel 4
firepower /eth-uplink/fabric/port-channel # disable
firepower /eth-uplink/fabric/port-channel* # commit-buffer
firepower /eth-uplink/fabric/port-channel # show

Port Channel:
    Port Channel Id Name             Port Type          Admin State Oper State       Port Channel Mode Allowed Vlan State Reason
    --------------- ---------------- ------------------ ----------- ---------------- ----------------- ------------ ------------
    4               Port-channel4    Data               Disabled    Failed           Active            All          Admin config change
firepower /eth-uplink/fabric/port-channel # 

disable (security modes)

To disable Common Criteria mode, or FIPS (Federal Information Processing Standard) mode, use the disable command in the security scope.

disable { cc-mode | fips-mode }

Syntax Description

cc-mode

Use this keyword to disable Common Criteria mode.

fips-mode

Use this keyword to disable FIPS mode.

Command Modes

scope security/

Command History

Release

Modification

1.1(1)

Command added.

Usage Guidelines

A reboot of the system will be required after this command is committed.

Examples

This example shows how to enter security mode and disable FIPS mode:

firepower # scope security
firepower /security # disable fips-mode
Warning: A reboot of the system is required in order for the system to be 
operating in a non-FIPS approved mode.
firepower /security* # 

disable reservation

To disable permanent license reservation, use the disable reservation command.

disable reservation

Syntax Description

This command has no arguments or keywords.

Command Modes

License (/license) mode

Command History

Release

Modification

1.1(1)

Command added.

Usage Guidelines

Enable license reservation before attempting to assign a permanent license to your Firepower 4100/9300 chassis.

Examples

This example shows how to enter license mode and disable reservation mode:

FP9300-A # scope license
FP9300-A /license # disable reservation
Warning: If you have already generated the authorization code from CSSM 
and have not installed it on the device, please abort this command by 
issuing discard-buffer and complete the installation.
FP9300-A /license* # 

disable snmp

To disable Simple Network Management Protocol (SNMP) processing on this device, use the disable snmp command.

disable snmp

Syntax Description

This command has no arguments or keywords.

Command Modes

scope monitoring/

Command History

Release

Modification

1.1.1

Command added.

Usage Guidelines

Use this command to disable the SNMP agent on this device. The current SNMP community setting is discarded; the other SNMP configuration settings are not removed.

Examples

The following example shows you how to scope into monitoring mode, disable SNMP processing, and then use the show snmp command to confirm it is disabled:

firepower # scope monitoring
firepower /monitoring # disable snmp
firepower /monitoring* # commit-buffer
firepower /monitoring # show snmp
Name: snmp
    Admin State: Disabled
    Port: 161
    Is Community Set: No
    Sys Contact: R_Admin
    Sys Location:
firepower /monitoring # 

discard-buffer

To cancel pending configuration changes, use the discard-buffer command.

discard-buffer

Syntax Description

This command has no arguments or keywords.

Command Modes

Any command mode

Command History

Release

Modification

1.1(1)

Command added.

Usage Guidelines

Use this command to cancel and discard all uncommitted configuration changes. While any configuration commands are pending, an asterisk (*) appears before the command prompt. When you enter the discard-buffer command, the commands are discarded and the asterisk disappears.

Examples

This example shows how to discard pending configuration changes:

FP9300-1# scope chassis 1
FP9300-1 /chassis # enable locator-led
FP9300-1 /chassis* # show configuration pending
 scope chassis 1
+    enable locator-led
 exit
FP9300-1 /chassis* # discard-buffer
FP9300-1 /chassis #
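
The pending-change asterisk described above can be used to audit a captured CLI session for changes that were staged but never committed or discarded. This is an added example, not part of the Cisco documentation; the transcript is constructed from prompt shapes shown on this page, and the list of read-only verbs is an assumption.

```python
import re

# Prompt shapes seen on this page: "firepower# cmd", "firepower* # cmd",
# "firepower /security* # cmd", "FP9300-A(local-mgmt) # cmd".
PROMPT = re.compile(
    r"^(?P<host>[\w.-]+)"                 # device name
    r"(?:\s*(?P<mode>[/(][^\s*#]*))?"     # optional mode path
    r"\s*(?P<pending>\*)?"                # asterisk = uncommitted changes
    r"\s*#\s*(?P<cmd>.*)$"                # command typed at this prompt
)

# Assumption: commands starting with these verbs never stage a change.
READ_ONLY = ("show", "scope", "exit", "end")


def audit_transcript(text):
    """Return [(mode, command, outcome)] for each staged change.

    outcome is "committed", "discarded" or "pending" (still in the buffer
    when the transcript ends). Output lines containing '#' may be misread
    as prompts; this is a known limit of parsing plain transcripts.
    """
    prompts = [m for m in map(PROMPT.match, text.splitlines()) if m]
    results, staged = [], []
    for i, current in enumerate(prompts):
        cmd = current["cmd"].strip()
        following = prompts[i + 1] if i + 1 < len(prompts) else None
        if not cmd:
            continue
        if cmd in ("commit-buffer", "discard-buffer"):
            # If the asterisk is still there afterwards, the buffer was not
            # cleared (for example, the commit was rejected): keep tracking.
            if following is not None and following["pending"]:
                continue
            outcome = "committed" if cmd == "commit-buffer" else "discarded"
            results += [(mode, c, outcome) for mode, c in staged]
            staged = []
        elif (following is not None and following["pending"]
              and cmd.split()[0] not in READ_ONLY):
            staged.append((current["mode"] or "", cmd))
    results += [(mode, c, "pending") for mode, c in staged]
    return results


# Constructed transcript, assembled from examples on this page.
SAMPLE_TRANSCRIPT = """\
FP9300-1# scope chassis 1
FP9300-1 /chassis # enable locator-led
FP9300-1 /chassis* # show configuration pending
 scope chassis 1
+    enable locator-led
 exit
FP9300-1 /chassis* # discard-buffer
FP9300-1 /chassis # end
FP9300-1# scope security
FP9300-1 /security # delete local-user test_user
FP9300-1 /security* # commit-buffer
FP9300-1 /security # disable fips-mode
Warning: A reboot of the system is required in order for the system to be
operating in a non-FIPS approved mode.
FP9300-1 /security* #
"""

if __name__ == "__main__":
    for mode, command, outcome in audit_transcript(SAMPLE_TRANSCRIPT):
        print(f"{outcome:10} {mode:12} {command}")
```
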

download image

To copy an FXOS firmware image to the Firepower 4100/9300 chassis, use the download image command in firmware mode.

To copy a logical device software image to the Firepower 4100/9300 chassis, use the download image command in application software (/ssa/app-software) mode.

download image { ftp: | scp: | sftp: | tftp: | usbA: | usbB: }

Syntax Description

ftp://server-ip-addr/path

(Optional) Specifies the URI of an image file to be imported via FTP (File Transfer Protocol).

scp://username@server-ip-addr/path

(Optional) Specifies the URI of an image file to be imported via SCP (Secure Copy Protocol).

sftp://username@server-ip-addr/path

(Optional) Specifies the URI of an image file to be imported via SFTP (SSH File Transfer Protocol or Secure File Transfer Protocol).

tftp://username@server-ip-addr:port-num/path

(Optional) Specifies the URI of an image file to be imported via TFTP (Trivial File Transfer Protocol).

Note

TFTP has a file size limitation of 32 MB. Because firmware bundles can be much larger than that, we recommend that you do not use TFTP for firmware downloads.

usbA:/path

(Optional) Specifies the path to an image file to be imported from a connected USB Type A device.

usbB:/path

(Optional) Specifies the path to an image file to be imported from a connected USB Type B device.

Command Modes

scope firmware/

scope ssa/scope app-software/

Command History

Release

Modification

1.1(1)

Command added.

Usage Guidelines

Be sure you have the location address and authentication credentials for image file access, as well as the fully qualified name of the file.

FXOS stores firmware images in bootflash on the fabric interconnect.

In firmware mode, you can use the show package image_name detail command to monitor the image download process. The output display does not refresh automatically, so you may have to enter the command multiple times until the task State is “Downloaded.”

In firmware mode, and in application software mode, you can use the show download-task command to monitor the image download process. The output display does not refresh automatically, so you may have to enter the command multiple times.

Examples

This example shows how to download a firmware image file using the SCP protocol, and monitor the download progress:

FP9300-A# scope firmware
FP9300-A /firmware # download image scp://user@192.168.1.1/images/fxos-k9.1.1.1.119.SPA
FP9300-A /firmware # show package fxos-k9.1.1.1.119.SPA detail
Download task:
File Name: fxos-k9.1.1.1.119.SPA
Protocol: scp
Server: 192.168.1.1
Userid:
Path:
Downloaded Image Size (KB): 5120
State: Downloading
Current Task: downloading image fxos-k9.1.1.1.119.SPA from
192.168.1.1(FSM-STAGE:sam:dme:FirmwareDownloaderDownload:Local)

This example shows how to download a software image file using the SCP protocol, and monitor the download progress:

firepower# scope ssa
firepower /ssa # scope app-software
firepower /ssa/app-software # download image scp://user@192.168.1.1/images/cisco-asa.9.4.1.65.csp
firepower /ssa/app-software # show download-task
Downloads for Application Software:
    File Name                      Protocol   Server               Userid          State
    ------------------------------ ---------- -------------------- --------------- -----
    cisco-asa.9.4.1.65.csp         Scp        192.168.1.1          user            Downloaded

enable (app-instance)

To enable an existing application instance, use the enable command in app-instance mode.

Syntax Description

This command has no arguments or keywords.

Command Modes

scope ssa/scope slot/scope app-instance

Command History

Release

Modification

1.1(1)

Command added.

Usage Guidelines

Use this command to re-enable an application instance that was previously disabled.

Examples

This example shows how to display current application instances, including their status, then enter application instance mode and enable a disabled application:

firepower # scope ssa
firepower /ssa # scope slot 2
firepower /ssa/slot # show app-instance

Application Instance:
    App Name   Identifier Admin State Oper State       Running Version Startup Version Deploy Type Profile Name Cluster State   Cluster Role
    ---------- ---------- ----------- ---------------- --------------- --------------- ----------- ------------ --------------- ------------
    ftd1       IFT-63     Enabled     Online           6.3.0.12        6.3.0.12        Native                   In Cluster      Slave

Application Instance:
    App Name   Identifier Admin State Oper State       Running Version Startup Version Deploy Type Profile Name Cluster State   Cluster Role
    ---------- ---------- ----------- ---------------- --------------- --------------- ----------- ------------ --------------- ------------
    ftd2       FTD-2      Disabled    Online           6.3.0.12        6.3.0.12        Container   bronze       Not Applicable  None
firepower /ssa/slot # scope app-instance ftd2 FTD-2
firepower /ssa/slot/app-instance # enable
firepower /ssa/slot/app-instance* # commit-buffer
firepower /ssa/slot/app-instance # 

enable (CC and FIPS security modes)

To enable Common Criteria mode, or FIPS (Federal Information Processing Standard) mode, use the enable command in the security scope.

enable { cc-mode | fips-mode }

Syntax Description

cc-mode

Use this keyword to enable Common Criteria mode.

fips-mode

Use this keyword to enable FIPS mode.

Command Modes

scope security/

Command History

Release

Modification

1.1(1)

Command added.

Usage Guidelines

Connectivity to one or more services may be denied when this command is committed. Also, a reboot of the system will be required.


Important


Prior to FXOS release 2.0.1, the existing SSH host key created during first-time setup of a device was hard-coded to 1024 bits. To comply with FIPS and Common Criteria certification requirements, you must destroy this old host key and generate a new one (see create ssh-server for information about creating and deleting SSH host keys). If you do not perform these additional steps, you will not be able to connect to the Supervisor using SSH after the device has rebooted with Common Criteria mode enabled. If you performed initial setup using FXOS 2.0.1 or later, you do not have to generate a new host key.
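
One way to confirm, from a management workstation, whether a Supervisor still presents the legacy 1024-bit host key before cc-mode or fips-mode is committed (added example, not Cisco code). It assumes the host key is RSA, that the input is in ssh-keyscan's `host keytype base64` format, and a 2048-bit minimum; the sample keys are constructed and are not real keys.

```python
import base64
import struct

# Assumption: 2048 bits is the minimum acceptable RSA size. The page itself
# only states that the legacy 1024-bit host key must be replaced.
MIN_RSA_BITS = 2048


def _read_string(blob, offset):
    """Read one SSH wire-format string (uint32 length, then that many bytes)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("field runs past end of key blob")
    return blob[offset + 4:end], end


def rsa_modulus_bits(b64_blob):
    """Return the modulus size in bits of a base64 'ssh-rsa' public key blob."""
    blob = base64.b64decode(b64_blob, validate=True)
    key_type, offset = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("blob is not an ssh-rsa key")
    _exponent, offset = _read_string(blob, offset)
    modulus, _ = _read_string(blob, offset)
    return int.from_bytes(modulus, "big").bit_length()


def audit_host_keys(keyscan_text, min_bits=MIN_RSA_BITS):
    """Return [(host, bits, compliant)] for every RSA line of ssh-keyscan output."""
    findings = []
    for line in keyscan_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#") or fields[1] != "ssh-rsa":
            continue  # comments, blank lines and non-RSA key types
        bits = rsa_modulus_bits(fields[2])
        findings.append((fields[0], bits, bits >= min_bits))
    return findings


# --- Constructed sample input: structurally valid blobs, not real keys ---
def _mpint(value):
    # Positive mpint: big-endian with room for a leading zero sign bit.
    return value.to_bytes(value.bit_length() // 8 + 1, "big")


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def _constructed_line(host, bits):
    modulus = (1 << (bits - 1)) | 1  # exactly `bits` bits long
    blob = (_ssh_string(b"ssh-rsa") + _ssh_string(_mpint(65537))
            + _ssh_string(_mpint(modulus)))
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"


SAMPLE_KEYSCAN = "\n".join([
    "# 192.0.2.10:22 (constructed comment line)",
    _constructed_line("192.0.2.10", 1024),   # set up before FXOS 2.0.1
    _constructed_line("192.0.2.11", 2048),   # host key regenerated
    "192.0.2.11 ssh-ed25519 CONSTRUCTED-NOT-DECODED",
])

if __name__ == "__main__":
    for host, bits, ok in audit_host_keys(SAMPLE_KEYSCAN):
        status = "ok" if ok else "REGENERATE HOST KEY BEFORE ENABLING CC/FIPS"
        print(f"{host}: RSA {bits} bits: {status}")
```
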


Examples

This example shows how to enter security mode and enable FIPS mode:

firepower # scope security
firepower /security # enable fips-mode
Warning: Connectivity to one or more services may be denied when committed. 
Please consult the product's FIPS Security Policy documentation.
WARNING: A reboot of the system is required in order for the system to be operating in a FIPS approved mode.

firepower /security* # 

enable (export-configuration)

To re-enable an existing export-configuration object, use the enable command in export-config mode.

Syntax Description

This command has no arguments or keywords.

Command Modes

scope system/scope export-config

Command History

Release

Modification

1.1(1)

Command added.

Usage Guidelines

Use this command to re-enable a previously backed-up export-configuration object, prior to exporting the configuration again. The current system configuration is exported according to the object parameters when you issue the commit-buffer command.

Examples

This example shows how to scope into a previously exported configuration object, enable it, initiate configuration back-up, and then confirm the export is underway:

firepower # scope system
firepower /system # scope export-config 192.168.1.2
firepower /system/export-config # enable
firepower /system/export-config* # commit-buffer
firepower /system/export-config # show

Export Configuration Task:
    Hostname   User       Protocol Admin State Status    Description
    ---------- ---------- -------- ----------- --------- -----------
    192.168.1.2
               user1      Scp      Enabled     Exporting

enable (interface)

To enable the current interface, use the enable command in interface mode.

Syntax Description

This command has no arguments or keywords.

Command Modes

scope eth-uplink/scope fabric/interface

Command History

Release

Modification

1.1(1)

Command added.

Usage Guidelines

Use this command to enable or re-enable an interface.

Examples

This example shows how to enable an interface and confirm its status:

firepower # scope eth-uplink
firepower /eth-uplink # scope fabric
firepower /eth-uplink/fabric # scope interface Ethernet1/5
firepower /eth-uplink/fabric/interface # enable
firepower /eth-uplink/fabric/interface* # commit-buffer
firepower /eth-uplink/fabric/interface # show

Interface:
    Port Name       Port Type          Admin State Oper State       Allowed Vlan State Reason
    --------------- ------------------ ----------- ---------------- ------------ ------------
    Ethernet1/5     Data               Enabled     Up               All
firepower /eth-uplink/fabric/interface # 

enable (port-channel)

To enable the current port-channel (EtherChannel), use the enable command in port-channel mode.

Syntax Description

This command has no arguments or keywords.

Command Modes

scope eth-uplink/scope fabric/port-channel

Command History

Release

Modification

1.1(1)

Command added.

Usage Guidelines

Use this command to enable or re-enable a port-channel.

Examples

The following example shows how to create a new port-channel, enable it and add member ports:

firepower # scope eth-uplink
firepower /eth-uplink # scope fabric a
firepower /eth-uplink/fabric # create port-channel 4
firepower /eth-uplink/fabric/port-channel* # enable
firepower /eth-uplink/fabric/port-channel* # create member-port Ethernet1/1
firepower /eth-uplink/fabric/port-channel/member-port* # exit
firepower /eth-uplink/fabric/port-channel* # create member-port Ethernet1/2
firepower /eth-uplink/fabric/port-channel/member-port* # exit
firepower /eth-uplink/fabric/port-channel* # create member-port Ethernet1/3
firepower /eth-uplink/fabric/port-channel/member-port* # exit
firepower /eth-uplink/fabric/port-channel* # create member-port Ethernet1/4
firepower /eth-uplink/fabric/port-channel/member-port* # exit
firepower /eth-uplink/fabric/port-channel* # commit-buffer
firepower /eth-uplink/fabric/port-channel # 

enable reservation

To enable permanent license reservation, use the enable reservation command.

enable reservation

Syntax Description

This command has no arguments or keywords.

Command Modes

License (/license) mode

Command History

Release

Modification

1.1(1)

Command added.

Usage Guidelines

Enable license reservation before attempting to assign a permanent license to your Firepower 4100/9300 chassis.

Examples

This example shows how to enter license mode and enable reservation mode:

FP9300-A # scope license
FP9300-A /license # enable reservation
FP9300-A /license # 

enable snmp

To enable Simple Network Management Protocol (SNMP) processing on this device, use the enable snmp command.

enable snmp

Syntax Description

This command has no arguments or keywords.

Command Modes

scope monitoring/

Command History

Release

Modification

1.1.1

Command added.

Usage Guidelines

After using this command to enable the SNMP agent on this device, you can create an SNMP community, and create SNMP users and traps.

Examples

The following example shows you how to scope into monitoring mode and enable SNMP processing:

firepower # scope monitoring
firepower /monitoring # enable snmp
firepower /monitoring* # commit-buffer
firepower /monitoring # 

end

To return to the EXEC (top level) mode of the CLI, use the end command.

end

Syntax Description

This command has no arguments or keywords.

Command Modes

Any command mode

Command History

Release

Modification

1.1(1)

Command added.

Examples

This example shows how to return to the highest-level mode of the CLI from service profile mode.

FP9300-A # scope org Test
FP9300-A /org # scope service-profile Sample
FP9300-A /org/service-profile # end
FP9300-A # 

enter

To enter a managed object, use the relevant enter command in the appropriate command mode. Generally, if the specified object does not exist, it is created.

enter object_type name [ parameters]

Syntax Description

object_type

The type of object to be entered. Examples include local user account and organization.

name

The name of the specific object to be entered.

parameters

(Optional) Any additional properties or parameters needed to identify the object. Refer to the description of the create command for the specific object type for more information.

Command Modes

Depends on the type of object being entered; refer to the description of the create command for the specific object type for more information.

Command History

Refer to the description of the create command for the specific object type for history information.

Usage Guidelines

Objects are abstract representations of physical components or logical entities that can be managed. For example, the chassis, security modules, network modules, ports, and processors are physical components represented as managed objects, while licenses, user roles, and platform policies are logical entities represented as managed objects.

FXOS provides four general commands for managing objects: create, delete, enter, and scope. For example, you can create a local user account, you can delete a local user account, and you can enter a local user account to assign or change properties for that account; you also can “scope into” the local user account to assign or change properties.

Generally, the keywords and options available to each of these object-management commands are the same, so we detail only the create version of the various object commands. In other words, for information about the delete command for a particular object, refer to the description of the create command for that object. For example, refer to create local-user for information related to entering an existing local user account.

Examples

This example shows how to enter security mode, enter a local user account and display account details:

firepower # scope security
firepower /security # enter local-user test_user
firepower /security/local-user # show detail
Local User test_user:
    First Name: test
    Last Name: user
    Email: test_user@testuser.com
    Phone:
    Expiration: Never
    Password: ****
    User lock status: Not Locked
    Account status: Active
    User Roles:
        Name: admin
        Name: read-only
    User SSH public key:
firepower /security/local-user # 

erase

To erase all user configuration from the appliance, or to securely erase elements of the appliance, use the erase command.

erase { configuration | secure { chassis | security_module module_id | supervisor } }

Syntax Description

configuration

Use this keyword to erase all user-configuration information on the chassis, restoring it to its original factory-default configuration.

secure

Use this option to securely erase the specified appliance component:

  • chassis – Use this keyword to securely erase the chassis.

  • security_module module_id – Use this option to securely erase the specified module.

  • supervisor – Use this keyword to securely erase the chassis supervisor.

Command Modes

connect local-mgmt/

Command History

Release

Modification

2.0.1

Command added.

2.7(1)

secure option added.

Usage Guidelines

The erase configuration command removes all user-configuration information on the chassis, restoring it to its original factory-default configuration.

The erase secure command securely erases the specified appliance component. That is, data is not just deleted—the physical storage is “wiped” (completely erased). This is important when transferring or returning the appliance, because the hardware storage components then retain no residual data or stubs.


Note


The device reboots during secure erase, which means SSH connections are terminated. Therefore, we recommend performing secure erase over a serial console-port connection.


Examples

This example shows how to erase all user-configuration information on the chassis, restoring it to its original factory-default configuration:

firepower# connect local-mgmt
firepower(local-mgmt)# erase configuration
All configurations will be erased and system will reboot. Are you sure? (yes/no):

This example shows how to securely erase security module 2:

firepower# connect local-mgmt
firepower(local-mgmt)# erase secure security_module 2
The physical storages in security module will be securely erased.
ALL DATA AND IMAGES WILL BE LOST AND CANNOT BE RECOVERED!
After the erase the module will reboot and need to be re-initialized.
DO NOT POWER OFF THE DEVICE IF YOU DECIDE TO PERFORM THIS TASK!
Are you sure? (yes/no):

exit

To exit the current CLI session and disconnect from the device, or to exit from a connected object mode and return to the EXEC level, use the exit command.

exit

Syntax Description

This command has no arguments or keywords.

Command Modes

Any command mode.

Command History

Release

Modification

1.1(1)

Command added.

Examples

This example shows how to exit the current top level CLI session and disconnect from this device.

FP9300-A # exit

This example shows how to enter and exit a local management connection.

FP9300-A # connect local-mgmt
FP9300-A(local-mgmt) # exit
FP9300-A # 

export-config

To export the current system configuration to a remote server as an XML file, use the export-config command.

export-config URL { disabled| enabled}

Syntax Description

URL

Provide the full path to the remote system, including user-account name, transport protocol and file name, for the exported XML image file. The following transport protocols can be used:

  • ftp://username@hostname/path/image_name

  • scp://username@hostname/path/image_name

  • sftp://username@hostname/path/image_name

  • tftp://username@hostname/path/image_name

disabled

Disables the policy administrative state; configuration file is not exported.

enabled

Enables the policy administrative state; configuration file is exported immediately.

Command Modes

scope system/

Command History

Release

Modification

1.1.3

Command added.

Usage Guidelines

You can use the configuration export feature to export an XML file containing logical device and platform configuration settings for your Firepower 4100/9300 chassis to a remote server. You can later import that configuration file to quickly apply the configuration settings to your Firepower 4100/9300 chassis to return to a known good configuration or to recover from a system failure.

Please note the following:

  • Beginning with FXOS 2.6.1, you must specify a key for use when encrypting sensitive information such as passwords and other secret keys during configuration export, and you must have specified it before you attempt to export the configuration.

    Also, the same key used during export must be set on the target system when you import an exported configuration, unless the file was exported from an FXOS release prior to 2.6.1, in which case the target system will not check the encryption key and will allow the import.

  • Do not modify the contents of the configuration file. If a configuration file is modified, configuration import using that file might fail.

  • Application-specific configuration settings are not contained in the configuration file. You must use the configuration backup tools provided by the application to manage application-specific settings and configurations.

  • To avoid overwriting existing back-up files, please be sure to change the file name in the export operation, or copy the existing file to another location.

Depending on the transport protocol, and the remote server configuration, you may have to enter the userʼs password for connection.

When you export a new configuration file, you are automatically entered into export-config mode (system/export-config) with an asterisk indicating the new file has not yet been exported; enter commit-buffer to begin the process.

Examples

This example shows how to export an XML file containing logical device and platform configuration settings to a remote server:

firepower # scope system
firepower /system # export-config scp://user1@192.168.1.2:/export/cfg-backup.xml enabled
Password:
firepower /system/export-config* # commit-buffer
firepower /system/export-config # 

generate password

To generate a fixed-length random password with or without special characters, use the generate password command.

generate password password

Syntax Description

password

The password to be used by the user when logging in.

Command Modes

scope security

Command History

Release

Modification

2.10(1)

Command added.

Usage Guidelines

You can generate a fixed-length random password with or without special characters.

Examples

This example shows how to enter security mode and generate a fixed-length random password with or without special characters:

firepower # scope security
firepower /security # create local-user admin2
firepower /security/local-user #

firepower /security/local-user # generate password 
  8-127  Password length

firepower /security/local-user # generate password 10 with
  with-special-char     With Special Char 
  without-special-char  Without Special Char

firepower /security/local-user # generate password 10 with-special-char 
@!D4%vlwCN

import-config

To import a previously exported XML configuration file, use the import-config command.

import-config URL { disabled| enabled}

Syntax Description

URL

Provide the full path to the remote system, including transport protocol and file name, for the XML image file to be imported. The following transport protocols can be used:

  • ftp://username@hostname/path/image_name

  • scp://username@hostname/path/image_name

  • sftp://username@hostname/path/image_name

  • tftp://username@hostname/path/image_name

disabled

Disables the policy administrative state; configuration file is not imported.

enabled

Enables the policy administrative state; configuration file is imported immediately.

Command Modes

scope system/

Command History

Release

Modification

2.0.1

Command added.

Usage Guidelines

You can use the configuration export feature to export an XML file containing logical device and platform configuration settings for your Firepower 4100/9300 chassis to a remote server. You can later import that configuration file to quickly apply the configuration settings to your Firepower 4100/9300 chassis to return to a known good configuration or to recover from a system failure.

Please note the following:

  • Beginning with FXOS 2.6.1, you must specify a key for use when encrypting sensitive information such as passwords and other secret keys during configuration export, and you must have specified it before you attempt to export the configuration.

    Also, the same key used during export must be set on the target system when you import an exported configuration, unless the file was exported from an FXOS release prior to 2.6.1, in which case the target system will not check the encryption key and will allow the import.

  • Do not modify the contents of the configuration file. If a configuration file is modified, configuration import using that file might fail.

  • Application-specific configuration settings are not contained in the configuration file. You must use the configuration backup tools provided by the application to manage application-specific settings and configurations.

  • When you import a configuration to a Firepower 4100/9300 chassis, all existing configuration on the chassis (including any logical devices) will be deleted and completely replaced by the configuration contained in the import file.

  • We recommend that you only import a configuration file to the same Firepower 4100/9300 chassis from which the configuration was exported.

  • The platform software version of the Firepower 4100/9300 chassis to which you are importing should be the same version as when the export was taken. If not, the import operation is not guaranteed to be successful. We recommend that you export a back-up configuration whenever the Firepower 4100/9300 chassis is upgraded or downgraded.

  • The Firepower 4100/9300 chassis to which you are importing must have the same Network Modules installed in the same slots as when the export was taken.

  • The Firepower 4100/9300 chassis to which you are importing must have the correct software application images installed for any logical devices defined in the export file that you are importing.

  • If the configuration file being imported contains a logical device whose application has an End-User License Agreement (EULA), the EULA for that application must be accepted on the Firepower 4100/9300 chassis before importing the configuration or the operation will fail.
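The export-config and import-config guidelines (do not modify the file, do not overwrite earlier backups, import only to the same chassis at the same platform version) can be checked on the backup server before an import is started. The following is an added example, not Cisco code: the sidecar manifest, its `.manifest.json` name, the function names and the serial placeholders are assumptions, and the operator supplies the chassis serial and FXOS version.

```python
"""Sidecar manifest for FXOS configuration exports (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash the export in chunks so large files are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest_for(cfg_path):
    # Hypothetical naming convention: <export file>.manifest.json
    return Path(str(cfg_path) + ".manifest.json")


def record_export(cfg_path, chassis_serial, fxos_version):
    """Run right after the export lands on the backup server."""
    mpath = manifest_for(cfg_path)
    if mpath.exists():
        # An earlier export already used this name: do not overwrite it.
        raise FileExistsError(f"{mpath} exists; export under a new file name")
    manifest = {
        "file": Path(cfg_path).name,
        "sha256": sha256_file(cfg_path),
        "chassis_serial": chassis_serial,
        "fxos_version": fxos_version,
    }
    mpath.write_text(json.dumps(manifest, indent=2))
    return manifest


def check_before_import(cfg_path, target_serial, target_version):
    """Return a list of problems; an empty list means the checks passed."""
    mpath = manifest_for(cfg_path)
    if not mpath.exists():
        return ["no manifest: provenance of this export is unknown"]
    manifest = json.loads(mpath.read_text())
    problems = []
    if sha256_file(cfg_path) != manifest["sha256"]:
        problems.append("file content changed since export")
    if target_serial != manifest["chassis_serial"]:
        problems.append("target chassis is not the chassis that exported the file")
    if target_version != manifest["fxos_version"]:
        problems.append("target platform version differs from the export version")
    return problems


def demo():
    """Exercise the checks on a constructed file in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "cfg-backup.xml"
        cfg.write_bytes(b"<constructed-sample-export/>\n")  # constructed content
        record_export(cfg, "SERIAL-A-PLACEHOLDER", "2.3(1.51)")
        clean = check_before_import(cfg, "SERIAL-A-PLACEHOLDER", "2.3(1.51)")
        try:
            record_export(cfg, "SERIAL-A-PLACEHOLDER", "2.3(1.51)")
            overwrite_refused = False
        except FileExistsError:
            overwrite_refused = True
        # Simulate an edited file and an import onto a different chassis/version.
        cfg.write_bytes(b"<constructed-sample-export edited='yes'/>\n")
        bad = check_before_import(cfg, "SERIAL-B-PLACEHOLDER", "2.2(2.19)")
    return clean, overwrite_refused, bad


if __name__ == "__main__":
    for item in demo():
        print(item)
```

A manifest stored beside the export only catches accidental changes; keep it on separate, write-protected storage (or sign it) if the backup server itself is not trusted.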

Depending on the transport protocol, and the remote server configuration, you may have to enter the remote user password for connection.

You can check the import status and follow its progress by entering the show fsm status command; see the following example. You may have to enter the command multiple times as the task progresses.

Examples

This example shows how to import an XML file containing logical device and platform configuration settings from a remote server:

firepower # scope system
firepower /system # import-config scp://user1@192.168.1.2:/export/cfg-backup.xml enabled
Password:
Warning: After configuration import any changes on the breakout port configuration will cause the system to reboot
firepower /system* # commit-buffer
firepower /system # show fsm status

Hostname: 192.168.1.2

    FSM 1:
        Remote Result: Not Applicable
        Remote Error Code: None
        Remote Error Description:
        Status: Import Wait For Switch
        Previous Status: Import Config Breakout
        Timestamp: 2016-01-03T15:45:03.963
        Try: 0
        Progress (%): 97
        Current Task: updating breakout port configuration(FSM-STAGE:sam:dme:MgmtImporterImport:configBreakout)
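Because show fsm status may have to be entered several times, it helps to parse each capture and decide whether to keep polling. The following is an added example, not Cisco code: it parses the output shown above, and its function names, the rule that a Remote Error Code other than None means failure, and the rule that Progress 100 means finished are assumptions.

```python
"""Parse captured 'show fsm status' output from an import (added example)."""
import re

# Output copied from the example on this page.
PAGE_SAMPLE = """\
Hostname: 192.168.1.2

    FSM 1:
        Remote Result: Not Applicable
        Remote Error Code: None
        Remote Error Description:
        Status: Import Wait For Switch
        Previous Status: Import Config Breakout
        Timestamp: 2016-01-03T15:45:03.963
        Try: 0
        Progress (%): 97
        Current Task: updating breakout port configuration(FSM-STAGE:sam:dme:MgmtImporterImport:configBreakout)
"""

# Constructed sample (not real device output) to exercise the error path.
CONSTRUCTED_FAILURE = """\
    FSM 1:
        Remote Result: Not Applicable
        Remote Error Code: ERR-CONSTRUCTED
        Remote Error Description: constructed failure text
        Status: Import Wait For Switch
        Progress (%): 40
"""


def parse_fsm_status(text):
    """Return {'hostname': str or None, 'fsms': {number: {field: value}}}."""
    result = {"hostname": None, "fsms": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.fullmatch(r"FSM (\d+):", line)
        if header:
            current = result["fsms"].setdefault(int(header.group(1)), {})
            continue
        # Split on the first colon only: values such as the timestamp and
        # the FSM-STAGE path contain colons of their own.
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if current is None:
            if key == "Hostname":
                result["hostname"] = value
        else:
            current[key] = value
    return result


def assess_import(fsm):
    """Classify one FSM block as 'error', 'done' or 'in-progress'."""
    # Assumption: any error code other than 'None', or any error text, is a failure.
    if fsm.get("Remote Error Code", "None") not in ("None", ""):
        return "error"
    if fsm.get("Remote Error Description", ""):
        return "error"
    try:
        progress = int(fsm.get("Progress (%)", "0"))
    except ValueError:
        progress = 0  # unreadable progress: keep polling
    # Assumption: 100 percent means the import task has finished.
    return "done" if progress >= 100 else "in-progress"


if __name__ == "__main__":
    parsed = parse_fsm_status(PAGE_SAMPLE)
    for number, fsm in parsed["fsms"].items():
        print(number, fsm["Status"], fsm["Progress (%)"], assess_import(fsm))
```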

install

To install a reservation authorization code, use the install command.

install code

Syntax Description

code

The reservation authorization code acquired from the Smart Software Manager.

Command Modes

Reservation (/license/reservation) mode

Command History

Release

Modification

1.1(1)

Command added.

Usage Guidelines

If you have already generated the authorization code, you must install it.

Examples

This example shows how to install a reservation authorization code:

FP9300-A# scope license
FP9300-A /license # scope reservation
FP9300-A /license/reservation # install <code>
FP9300-A /license/reservation* # 

install firmware

To install a previously downloaded firmware upgrade package, use the install firmware command.

install firmware pack-version version_number

Syntax Description

pack-version version_number

Specifies the version of the firmware package to install.

Note

The package version_number is not the image file name (although it is usually part of the file name). You can use the show command to determine the package version_number.

Command Modes

Firmware installation mode

Command History

Release

Modification

1.1(1)

Command added.

Usage Guidelines

You must have administrator privileges to use this command. The upgrade installation process typically takes between 20 and 30 minutes, and the system will reboot during the process.

Before initiating installation, review the current critical/major faults and back up the current configuration.

Upgrade is a two-step process: verification of the package, followed by installation. You are asked at the beginning of each step if you want to proceed. If you enter no at either prompt, the process is terminated.

You can use the show detail command to monitor the installation process.

Examples

This example shows how to install a previously downloaded firmware upgrade package:

FP9300-A# scope firmware
FP9300-A /firmware # scope firmware-install 
FP9300-A /firmware/firmware-install # install firmware pack-version 1.0.16
Verifying FXOS firmware package 1.0.16. Verification could take several minutes.
Do you want to proceed? (yes/no):yes

FXOS SUP ROMMON: Upgrade from 1.0.10 to 1.0.10
FXOS SUP FPGA : Upgrade from 1.04 to 1.05
This operation upgrades SUP firmware on Security Platform.
Here is the checklist of things that are recommended before starting the install operation
(1) Review current critical/major faults
(2) Initiate a configuration backup
Attention:
   The system will be reboot to upgrade the SUP firmware.
   The upgrade operation will take several minutes to complete.
   PLEASE DO NOT POWER RECYCLE DURING THE UPGRADE.
Do you want to proceed? (yes/no):yes
Upgrading FXOS SUP firmware software package version 1.0.10
command executed

install platform

To upgrade firmware and software on the security platform components, use the install platform command.

install platform platform-vers version_number

Syntax Description

platform-vers version_number

Specifies the version of the platform package to install.

Command Modes

Auto install (/firmware/auto-install) mode

Command History

Release

Modification

1.4(1)

Command added.

Usage Guidelines

You must have administrator privileges to use this command. The upgrade process typically takes between 20 and 30 minutes.

Before initiating installation, review the current critical/major faults and back up the current configuration.

You can use the show fsm status expand command in auto-install mode to monitor the installation process.

To complete the upgrade installation process, you must acknowledge the pending reboot of the primary fabric-interconnect.

Examples

This example shows how to install a platform upgrade package:

FP9300-A# scope firmware
FP9300-A /firmware # scope auto-install 
FP9300-A /firmware/auto-install # install platform platform-vers 2.3(1.51)
The currently installed FXOS platform software package is 2.2(2.19)

INFO: There is no service impact to install this FXOS platform software 2.3(1.51)

This operation upgrades firmware and software on Security Platform Components
Here is the checklist of things that are recommended before starting Auto-Install
(1) Review current critical/major faults
(2) Initiate a configuration backup
Do you want to proceed? (yes/no):

mgmt-port (connect local-mgmt)

To display management port information and configure the administrative status of the management port, use the mgmt-port command.

mgmt-port

Syntax Description

mgmt-port

Displays management port information.

Command Modes

connect local-mgmt

Command History

Release

Modification

1.1(1)

Command added.

Usage Guidelines

By default, this command displays management port information.

Examples

This example shows how to view management port information:

firepower# 
firepower# connect local-mgmt...

firepower(local-mgmt)#mgmt-port 
  <CR>       
  no-shut  Management port up  <====== Administratively enable the chassis management interface.
  shut     Management port down <====== Administratively disable/shutdown the chassis management interface.

ping (connect local-mgmt)

To test basic network connectivity by pinging another device on the network with its IPv4 address, use the ping command.

ping { hostname| IPv4_address} [ count number_packets] | [ deadline seconds] | [ interval seconds] | [ packet-size bytes]

Syntax Description

hostname| IPv4_address

The host name or IP address of the network device to be contacted. The maximum number of characters allowed for the host name is 510.

count number_packets

(Optional) The number of ping packets to be sent. The range is 1 to 2147483647 packets.

deadline seconds

(Optional) The maximum time to continue sending packets when no response packets are received; pinging is terminated after this amount of time. The range is 1 to 60 seconds.

interval seconds

(Optional) The interval in seconds between ping packets. The range is 1 to 60 seconds; the default is 1 second.

packet-size bytes

(Optional) The number of data bytes to be added to the ping packet. The range is 1 to 65468 bytes. The default is 56 bytes, which results in a 64-byte packet when added to the 8-byte ICMP header.

Command Modes

connect local-mgmt

Command History

Release

Modification

1.1(1)

Command added.

Usage Guidelines

Use this command to test basic IP connectivity from the chassis management interface to an external network by sending ICMP echo request packets to a specified host.

Examples

This example shows how to connect to the local management shell and then ping another device on the network twelve times:


firepower# connect local-mgmt
firepower(local-mgmt)# ping 198.51.100.10 count 12
PING 198.51.100.10 (198.51.100.10) from 203.0.113.5 eth0: 56(84) bytes of data.
64 bytes from 198.51.100.10: icmp_seq=1 ttl=61 time=0.264 ms
64 bytes from 198.51.100.10: icmp_seq=2 ttl=61 time=0.219 ms
64 bytes from 198.51.100.10: icmp_seq=3 ttl=61 time=0.234 ms
64 bytes from 198.51.100.10: icmp_seq=4 ttl=61 time=0.205 ms
64 bytes from 198.51.100.10: icmp_seq=5 ttl=61 time=0.216 ms
64 bytes from 198.51.100.10: icmp_seq=6 ttl=61 time=0.251 ms
64 bytes from 198.51.100.10: icmp_seq=7 ttl=61 time=0.223 ms
64 bytes from 198.51.100.10: icmp_seq=8 ttl=61 time=0.221 ms
64 bytes from 198.51.100.10: icmp_seq=9 ttl=61 time=0.227 ms
64 bytes from 198.51.100.10: icmp_seq=10 ttl=61 time=0.224 ms
64 bytes from 198.51.100.10: icmp_seq=11 ttl=61 time=0.261 ms
64 bytes from 198.51.100.10: icmp_seq=12 ttl=61 time=0.261 ms

--- 198.51.100.10 ping statistics ---
12 packets transmitted, 12 received, 0% packet loss, time 11104ms
rtt min/avg/max/mdev = 51.005/51.062/51.164/0.064 ms
firepower(local-mgmt)# 

ping6 (connect local-mgmt)

To ping another device on the network using its IPv6 address, use the ping6 command.

ping6 { hostname| IPv6_address} [ count number_packets] | [ deadline seconds] | [ interval seconds] | [ mtu-hint { do| dont| want} ] | [ packet-size bytes]

Syntax Description

hostname| IPv6_address

The host name or IP address of the network device to be contacted. The maximum number of characters allowed for the host name is 510.

count number_packets

(Optional) The number of ping packets to be sent. The range is 1 to 2147483647 packets.

deadline seconds

(Optional) The maximum time to continue sending packets when no response packets are received; pinging is terminated after this amount of time. The range is 1 to 60 seconds.

interval seconds

(Optional) The interval in seconds between ping packets. The range is 1 to 60 seconds; the default is 1 second.

mtu-hint { do| dont| want}

(Optional) Path MTU discovery strategy; hint may be:

  • do—Prohibits fragmentation, even for local packets; sets a do-not-fragment (DF) flag.

  • dont—Prohibits fragmentation; however, does not set DF flag.

  • want—Performs PMTU discovery, fragments locally when packet size is large.

packet-size bytes

(Optional) The number of data bytes to be added to the ping packet. The range is 1 to 65468 bytes. The default is 56 bytes, which results in a 64-byte packet when added to the 8-byte ICMP header.

Command Modes

connect local-mgmt

Command History

Release

Modification

1.1(4)

Command added.

Usage Guidelines

Use this command to test basic IPv6 connectivity from the chassis management interface to an external network by sending ICMP echo request packets to a specified host.

Examples

This example shows how to connect to the local management shell and then ping another device on the network twelve times:


firepower# connect local-mgmt
firepower(local-mgmt)# ping6 2001:DB8:0:ABCD::1 count 12
PING 2001:DB8:0:ABCD::1 (2001:DB8:0:ABCD::1) from 2001:DB8:1::1 eth0: 56(84) bytes of data.
64 bytes from 2001:DB8:0:ABCD::1: icmp_seq=1 ttl=61 time=0.264 ms
64 bytes from 2001:DB8:0:ABCD::1: icmp_seq=2 ttl=61 time=0.219 ms
64 bytes from 2001:DB8:0:ABCD::1: icmp_seq=3 ttl=61 time=0.234 ms
64 bytes from 2001:DB8:0:ABCD::1: icmp_seq=4 ttl=61 time=0.205 ms
64 bytes from 2001:DB8:0:ABCD::1: icmp_seq=5 ttl=61 time=0.216 ms
64 bytes from 2001:DB8:0:ABCD::1: icmp_seq=6 ttl=61 time=0.251 ms
64 bytes from 2001:DB8:0:ABCD::1: icmp_seq=7 ttl=61 time=0.223 ms
64 bytes from 2001:DB8:0:ABCD::1: icmp_seq=8 ttl=61 time=0.221 ms
64 bytes from 2001:DB8:0:ABCD::1: icmp_seq=9 ttl=61 time=0.227 ms
64 bytes from 2001:DB8:0:ABCD::1: icmp_seq=10 ttl=61 time=0.224 ms
64 bytes from 2001:DB8:0:ABCD::1: icmp_seq=11 ttl=61 time=0.261 ms
64 bytes from 2001:DB8:0:ABCD::1: icmp_seq=12 ttl=61 time=0.261 ms

--- 2001:DB8:0:ABCD::1 ping statistics ---
12 packets transmitted, 12 received, 0% packet loss, time 11104ms
rtt min/avg/max/mdev = 51.005/51.062/51.164/0.064 ms
firepower(local-mgmt)# 

power

To power a module off or on, use the power command.

power { down [ soft-followed-by-hard| soft-shut-down] | up}

Syntax Description

soft-followed-by-hard

(Optional) You can use this keyword to “gracefully” power down the module, waiting up to 45 minutes for the SSP operating system to shut down, after which the module is powered down regardless of the OS shut-down state.

soft-shut-down

(Optional) You can use this keyword to gracefully power down the module, with the system waiting indefinitely for the SSP operating system to shut down. The module is powered down only after the SSP OS is successfully shut down.

Command Modes

Service profile mode

Command History

Release

Modification

1.1(1)

Command added.

Usage Guidelines

If you do not include one of the optional keywords with the power down command, the module is powered down immediately, without gracefully shutting down the moduleʼs operating system.

We recommend backing up the module configuration before powering down.

Examples

This example shows how to enter service profile mode and then power down the module with a soft shut-down:

FP9300-A # scope service-profile server 1/1
FP9300-A /org/service-profile # power down soft-shut-down
FP9300-A /org/service-profile* # commit-buffer
FP9300-A /org/service-profile # 

reboot

To restart the chassis or the fabric-interconnect, use the reboot command.

(local-mgmt)# reboot

/chassis # reboot [ no-prompt| reason]

Syntax Description

In local management mode, this command has no arguments or keywords.

no-prompt

(Optional) In chassis mode, you can use this keyword to initiate reboot immediately. Otherwise, a commit-buffer is required to initiate reboot.

reason

(Optional) In chassis mode, you can enter a text string to be appended to the reboot log; can be up to 510 characters.

Command Modes

Chassis mode

Local management mode

Command History

Release

Modification

1.1(1)

Command added.

Usage Guidelines

We recommend backing up the system configuration before rebooting.

In local management mode, this command has no keywords or options.


Note


We recommend using this command in chassis mode, as it performs a “graceful” system shut-down and restart.


Examples

This example shows how to enter a local management shell and reboot the system:

FP9300-A # connect local-mgmt
FP9300-A (local-mgmt)# reboot
Before rebooting, please take a configuration backup.
Do you still want to reboot? (yes/no)::yes
nohup: ignoring input and appending output to `nohup.out'

Broadcast message from root (Fri Apr 13 17:12:49 2018):

All shells being terminated due to system /sbin/reboot

This example shows how to enter chassis mode and reboot the system:

FP9300-A # scope chassis 1
FP9300-A /chassis # reboot
This command will reboot the chassis when committed
FP9300-A /chassis* # commit-buffer
Starting chassis shutdown. Monitor progress with the command "show fsm status"
System is safe to power off after "System halted." message is seen 
FP9300-A /chassis # 
Broadcast message from root@DOC-FP9300-A (Fri Apr 13 16:27:04 2018):

All shells being terminated due to system /sbin/shutdown

reinstall

To modify bootstrap settings for a logical device, reinstall the application instance using the reinstall command.

reinstall

Syntax Description

This command has no arguments or keywords.

Command Modes

scope slot/scope app/

Command History

Release

Modification

1.1(1)

Command added.

Usage Guidelines

You can modify bootstrap settings for a logical device. You can reinstall the application instance using those new settings or save the changes and reinstall the application instance using those new settings at a later time.

Examples

This example shows how to reinstall an application instance:

FP9300-A # scope slot 2
FP9300-A /slot # scope app-instance asa cluster1
FP9300-A /slot/app-instance # reinstall app
FP9300-A /slot/app-instance # Do you want to reinstall the app now [Y/N]? Y
…

register

To register a Smart Software Manager account on this Firepower 4100/9300 device, use the register command.

register idtoken id_token

Syntax Description

id_token

The registration token acquired from the Smart Software Manager Satellite.

Command Modes

License (/license) mode

Command History

Release

Modification

1.1(1)

Command added.

Usage Guidelines

Request and copy the registration token from the Smart Software Manager or the Smart Software Manager Satellite. See the Cisco Smart Software Manager Satellite User Guide for more information.

Examples

This example shows how to register this device.

FP9300-A # scope license
FP9300-A /license # register idtoken ZGFmNWM5NjgtYmNjYS00ZWI3L
WE3NGItMWJkOGExZjIxNGQ0LTE0NjI2NDYx%0AMDIzNT
V8N3R0dXM1Z0NjWkdpR214eFZhMldBOS9CVnNEYnVKM1
FP9300-A /license # 

reinitialize

To completely reformat a module, use the reinitialize command.

reinitialize

Syntax Description

This command has no arguments or keywords.

Command Modes

Slot mode

Command History

Release

Modification

1.1(1)

Command added.

Usage Guidelines

Reinitializing a module completely erases all stored application data. Please back up all running configuration files before issuing the commit-buffer command.

Examples

This example shows how to reinitialize the module in slot 2.

FP9300-A # scope ssa
FP9300-A /ssa # scope slot 2
FP9300-A /ssa/slot # reinitialize
Warning: Reinitializing blade takes a few minutes. All the application data on blade will get lost. Please backup application running config files before commit-buffer.
FP9300-A /ssa/slot* # 

remove server

To remove a previously decommissioned server from the device inventory, use the remove server command.

remove server { id| chassis_id/ blade_id}

Syntax Description

id

The slot number. The range of valid values is 1 to 255.

chassis_id/ blade_id

The server chassis and blade numbers, in n/n format.

Note

The chassis number is always 1.

Command Modes

Any command mode

Command History

Release

Modification

1.1(1)

Command added.

Usage Guidelines

When using this command in chassis mode, you need to specify only the slot ID number.

Examples

This example shows how to remove a decommissioned server:

FP9300-A# remove server 1/1
FP9300-A* # commit-buffer
FP9300-A# 

renew

To manually renew the Smart Software registration certificate and update the entitlements on all security modules, use the renew command.

renew

Syntax Description

This command has no arguments or keywords.

Command Modes

License debug (/license/licdebug) mode

Command History

Release

Modification

1.1(1)

Command added.

Usage Guidelines

By default, the ID certificate is automatically renewed every six months, and the license entitlement is renewed every 30 days. You might manually renew the registration for either of these items if you have a limited window for Internet access, for example, or if you make any licensing changes in the Smart Software Manager.

Examples

This example shows how to enter license/licdebug mode and manually renew the Smart Software ID certificate and license entitlement.

FP9300-A # scope license
FP9300-A /license # scope licdebug
FP9300-A /license/licdebug # renew
FP9300-A /license/licdebug # 

reset-password

To force the user to change the user password, use the reset-password command.

reset-password password

Syntax Description

password

The password to be used by the user when logging in.

Command Modes

scope security

Command History

Release

Modification

2.10(1)

Command added.

Usage Guidelines

You can force the user to change the user password at the next login.

Examples

This example shows how to enter security mode and then reset the password:

firepower# scope security 
firepower /security # create local-user admin2
firepower /security/local-user # set 
  account-status  Account status 
  email           Email 
  expiration      User account expiration 
  firstname       FirstName 
  lastname        LastName 
  password        Password 
  phone           Phone 
  reset-password  Change password at next login  

firepower /security/local-user # set reset-password 
  no   No 
  yes  Yes

request universal

To generate a reservation request code, use the request universal command.

request universal

Syntax Description

This command has no arguments or keywords.

Command Modes

Reservation (/license/reservation) mode

Command History

Release

Modification

1.1(1)

Command added.

Usage Guidelines

Before you begin, you must purchase the permanent licenses so they are available in Smart Software Manager. Not all accounts are approved for permanent license reservation. Make sure you have approval from Cisco for this feature before you attempt to configure it.

Enable license reservation before attempting to assign a permanent license to your Firepower 4100/9300 chassis.

After issuing this command, use show license resvcode to view the generated reservation request, authorization and return codes.

Examples

This example shows how to generate a reservation request code and view the generated codes:

FP9300-A# scope license
FP9300-A /license # scope reservation
FP9300-A /license/reservation # request universal
FP9300-A /license/reservation # show license resvcode
Warning : generating the reservation code takes a few seconds.
Please run the 'show license resvcode' again if the code is not available.
Reservation request code :
<empty>
Reservation authorization code :
<empty>
Reservation return code :
<empty>

restart

To modify bootstrap settings for a logical device, restart the application instance using the restart command.

restart

Syntax Description

This command has no arguments or keywords.

Command Modes

scope slot/scope app/

Command History

Release

Modification

1.1(1)

Command added.

Usage Guidelines

You can modify bootstrap settings for a logical device. You can then immediately restart the application instance using those new settings or save the changes and restart the application instance using those new settings at a later time.

Examples

This example shows how to restart an application:

FP9300-A # scope slot 2
FP9300-A /slot # scope app-instance asa cluster1
FP9300-A /slot/app-instance # restart app
FP9300-A /slot/app-instance # Do you want to restart now [Y/N]? Y

return

To generate a permanent license return code, use the return command.

return [ code]

Syntax Description

code

(Optional) A license code acquired from the Smart Software Manager.

Command Modes

Reservation (/license/reservation) mode

Command History

Release

Modification

1.1(1)

Command added.

Usage Guidelines

If you no longer need a permanent license, you must officially return it to the Smart Software Manager. If you do not, the license stays in an in-use state and cannot be used elsewhere.

When you enter this command, the Firepower 4100/9300 chassis immediately becomes unlicensed and moves to the Evaluation state.

To complete the return, go to https://software.cisco.com/#SmartLicensing-Inventory, locate your Firepower 4100/9300 chassis using its universal device identifier (UDI), and then remove the product instance.

Examples

This example shows how to return a permanent license:

FP9300-A# scope license
FP9300-A /license # scope reservation
FP9300-A /license/reservation # return
FP9300-A /license/reservation #