Secure Firewall Management Center command line reference

This reference explains the command line interface (CLI) for the Secure Firewall Management Center.


Note


For Secure Firewall Threat Defense, see the Cisco Secure Firewall Threat Defense Command Reference.

About the Secure Firewall Management Center CLI

The Secure Firewall Management Center CLI provides access to view and troubleshoot your Secure Firewall Management Center.

When you use SSH to log into the Firewall Management Center, you access the CLI. You can then access the Linux shell using the expert command, but this is strongly discouraged.


Caution


We strongly recommend that you do not access the Linux shell unless directed by Cisco TAC or explicit instructions in the Secure Firewall user documentation.



Caution


Users with Linux shell access can obtain root privileges, which can present a security risk. For system security reasons, we strongly recommend:

  • If you establish external authentication, make sure that you restrict the list of users with Linux shell access appropriately.

  • Do not establish Linux shell users in addition to the pre-defined admin user.


You can use the commands described in this appendix to view and troubleshoot your Secure Firewall Management Center. You can also perform limited configuration operations.

Firewall Management Center CLI modes

The CLI encompasses four modes. The default mode, CLI Management, includes commands for navigating within the CLI itself. The remaining modes contain commands addressing three different areas of Firewall Management Center functionality; the commands within these modes begin with the mode name: system, show, or configure.

When you enter a mode, the CLI prompt changes to reflect the current mode. For example, to display version information about system components, you can enter the full command at the standard CLI prompt:

> show version

If you have previously entered show mode, you can enter the command without the show keyword at the show mode CLI prompt:

show> version

Secure Firewall Management Center CLI management commands

The CLI management commands provide the ability to interact with the CLI. These commands do not affect the operation of the device.

exit command

This command moves the CLI context up to the next highest CLI context level. Issuing this command from the default mode logs the user out of the current CLI session.

Syntax: exit

Example:
system> exit
>

expert command

This command invokes the Linux shell.

Syntax: expert

Example:

> expert

? (question mark) command

This command displays context-sensitive help for CLI commands and parameters. Use the question mark (?) command in these ways:

  • To display help for the commands that are available within the current CLI context, enter a question mark (?) at the command prompt.

  • To display a list of the available commands that start with a particular character set, enter the abbreviated command immediately followed by a question mark (?).

  • To display help for a command’s legal arguments, enter a question mark (?) in place of an argument at the command prompt.


Note


The question mark (?) is not echoed back to the console.


Syntax:
?
abbreviated_command ?
command [arguments] ?

Example: > ?

Secure Firewall Management Center CLI show commands

Show commands provide information about the state of the appliance. These commands do not change the operational mode of the appliance and running them has minimal impact on system operation.

version command

Displays the product version and build, the UUID, and other information.

Syntax:

show version

Example:


> show version
-------------------[ fmc-austin ]-------------------
Model                     : Cisco Secure Firewall Management Center for VMware (66) Version 7.6.0 (Build 1385)
UUID                      : a904b8b2-ca9a-11ee-a583-5e804c16b2fd
Rules update version      : 2024-05-13-001-vrt
LSP version               : lsp-rel-20240513-1955
VDB version               : 380
----------------------------------------------------
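The "show version" output above has a fixed shape (a dashed banner carrying the hostname, then "Key : value" lines) that is convenient to collect over SSH during inventory or upgrade-readiness checks. The following parser is an added example and not Cisco's code; it assumes only the output format shown on this page and uses the page's own sample output as its constructed input. It extracts each field, splits the Model line into the software version and build number, and compares the version against a minimum such as the ones listed in the CLI history table.

```python
import re
from typing import Dict, Tuple

# Constructed input: the "show version" sample output from this page,
# not output captured from a live appliance.
SAMPLE_SHOW_VERSION = """\
> show version
-------------------[ fmc-austin ]-------------------
Model                     : Cisco Secure Firewall Management Center for VMware (66) Version 7.6.0 (Build 1385)
UUID                      : a904b8b2-ca9a-11ee-a583-5e804c16b2fd
Rules update version      : 2024-05-13-001-vrt
LSP version               : lsp-rel-20240513-1955
VDB version               : 380
----------------------------------------------------
"""

# Banner line: dashes, "[ hostname ]", dashes.
HOSTNAME_RE = re.compile(r"^-+\[\s*(?P<host>[^\]]+?)\s*\]-+$")
# "Key : value" lines; the key is padded with spaces before the colon.
FIELD_RE = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<value>.*)$")
# "Version 7.6.0 (Build 1385)" inside the Model value.
VERSION_RE = re.compile(
    r"Version\s+(?P<version>\d+(?:\.\d+)*)\s*\(Build\s+(?P<build>\d+)\)"
)


def parse_show_version(text: str) -> Dict[str, str]:
    """Parse FMC 'show version' output into a flat dict.

    The banner yields 'hostname', every 'Key : value' line yields its key,
    and the Model line is additionally split into 'version' and 'build'.
    The echoed command prompt and the closing dashed rule are skipped.
    """
    result: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(">"):
            continue  # blank line or the echoed "> show version" prompt
        banner = HOSTNAME_RE.match(line)
        if banner:
            result["hostname"] = banner.group("host")
            continue
        if set(line) == {"-"}:
            continue  # closing rule of dashes
        field = FIELD_RE.match(line)
        if field:
            result[field.group("key").strip()] = field.group("value").strip()
    ver = VERSION_RE.search(result.get("Model", ""))
    if ver:
        result["version"] = ver.group("version")
        result["build"] = ver.group("build")
    return result


def version_tuple(version: str) -> Tuple[int, ...]:
    """'7.6.0' -> (7, 6, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def meets_minimum(parsed: Dict[str, str], minimum: str) -> bool:
    """True if the parsed software version is at or above `minimum` (e.g. '6.5').

    Shorter tuples are zero-padded so that '7.6' and '7.6.0' compare equal.
    Returns False when no version could be parsed at all.
    """
    if "version" not in parsed:
        return False
    have, want = version_tuple(parsed["version"]), version_tuple(minimum)
    width = max(len(have), len(want))
    have += (0,) * (width - len(have))
    want += (0,) * (width - len(want))
    return have >= want


if __name__ == "__main__":
    info = parse_show_version(SAMPLE_SHOW_VERSION)
    for key in ("hostname", "version", "build", "VDB version"):
        print(f"{key}: {info[key]}")
    print("meets 6.5 minimum:", meets_minimum(info, "6.5"))
```

Because the parser skips the echoed prompt and ignores lines it does not recognise, the same function works whether the text was pasted from a terminal session or captured programmatically over SSH.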

Secure Firewall Management Center CLI configuration commands

The configuration commands enable the user to configure and manage the system. These commands affect system operation.

password command

Allows the current CLI user to change their password.


Caution


For system security reasons, we strongly recommend that you do not establish Linux shell users in addition to the pre-defined admin on any appliance.


After issuing the command, the CLI prompts the user for their current (or old) password, then prompts the user to enter the new password twice.

Syntax:

configure password

Example:

> configure password
Changing password for admin.
(current) UNIX password: 
New UNIX password:
Retype new UNIX password:
passwd: password updated successfully

Secure Firewall Management Center CLI system commands

The system commands enable the user to manage system-wide files and access control settings.

The following sections describe the Secure Firewall Management Center CLI system commands:

generate-troubleshoot command

Generates troubleshooting data for analysis by Cisco.

Syntax:

system generate-troubleshoot option1 optionN

Where options are one or more of the following, space-separated:

  • SYS: System Configuration, Policy, and Logs

  • PER: Hardware Performance and Logs

  • NET: Interface and Network Related Data

  • UPG: Upgrade Data and Logs

  • SNT: Snort Performance and Configuration

  • DES: Detection Configuration, Policy, and Logs

  • VDB: Discover, Awareness, VDB Data, and Logs

  • DBO: All Database Data

  • LOG: All Log Data

  • NMP: Network Map Information

  • ALL: Run all of the above options.

Example:

> system generate-troubleshoot VDB NMP
starting /usr/local/sf/bin/sf_troubleshoot.pl…
Please, be patient. This may take several minutes.
The troubleshoot options codes specified are VDB,NMP.
Getting filenames from [usr/local/sf/etc/db_updates/index]
Getting filenames from [usr/local/sf/etc/db_updates/base-6.2.3]
Troubleshooting information successfully created at /var/common/results-06-14-2018—222027.tar.gz

lockdown command

Removes the expert command and access to the Linux shell on the device.


Caution


This command is irreversible without a hotfix from Support. Use with care.


Syntax: system lockdown

Example:

> system lockdown

reboot command

Reboots the appliance.

Syntax: system reboot

Example:

> system reboot

restart command

Restarts the appliance application.

Syntax: system restart

Example:

> system restart

show max-logins command

Displays the maximum number of parallel logins for one user.

Syntax: show max-logins

Command default: The default value for the number of parallel/concurrent sessions for a single user is zero.

Example:

> show max-logins

configure max-logins command

Configures the maximum number of parallel logins for one user.

Syntax: configure max-logins

Example:

> configure max-logins [0-1024]

shutdown command

Shuts down the appliance.

Syntax: system shutdown

Example:

> system shutdown

secure-erase command

Permanently erases the hard drive data.

Before you use this command, you must connect to the management center using the serial port. When you execute this command, the device reboots and all data is permanently removed. The process may take a few hours to complete; larger drives take longer. Ensure that the appliance has an uninterrupted power supply so that the secure erase is not disrupted. After the erase completes, you can install a fresh software image.


Caution


Erasing your hard drive results in the loss of all data on the appliance, including the ISO image.


Supported devices

  • Firepower Management Center 1600, 2600, 4600

  • Firewall Management Center 1700, 2700, 4700

Syntax

secure-erase

Example

> secure-erase
****************************** Caution ********************************

 If you run this command:
     - The management center hard drive data, including configurations
       and bootable images, will be permanently erased.
     - The device will reboot and reinitialize.

Note: Do not power off your device during this procedure.

***********************************************************************

Do you want to proceed? (Yes/No)

History for the Secure Firewall Management Center CLI

This reference provides the chronological history of CLI features for the Secure Firewall Management Center, including version information, supported platforms, and implementation details.

Feature: Automatic CLI access for the Firewall Management Center
Minimum Firewall Management Center: 6.5
Minimum Firewall Threat Defense: Any
Details: When you use SSH to log into the Firewall Management Center, you automatically access the CLI. Although strongly discouraged, you can then use the CLI expert command to access the Linux shell.

Note

This feature deprecates the Version 6.3 ability to enable and disable CLI access for the Firewall Management Center. As a consequence of deprecating this option, the virtual Firewall Management Center no longer displays the System > Configuration > Console Configuration page, which still appears on physical Firewall Management Centers.

Feature: Ability to enable and disable CLI access for the Firewall Management Center
Minimum Firewall Management Center: 6.3
Minimum Firewall Threat Defense: Any
Details: New/Modified screens: a new check box available to administrators in the Firewall Management Center web interface, Enable CLI Access, on the System > Configuration > Console Configuration page.

  • Checked: Logging into the Firewall Management Center using SSH accesses the CLI.

  • Unchecked: Logging into the Firewall Management Center using SSH provides access to the Linux shell. This is the default state for fresh Version 6.3 installations as well as upgrades to Version 6.3 from a previous release.

Supported platforms: Firewall Management Center

Feature: Firewall Management Center CLI
Minimum Firewall Management Center: 6.3
Minimum Firewall Threat Defense: Any
Details: Feature introduced. Initially supports the following commands:

  • exit

  • expert

  • ?

  • show version

  • configure password

  • system generate-troubleshoot

  • system lockdown

  • system reboot

  • system restart

  • system shutdown

Supported platforms: Firewall Management Center