Enter Cisco Firepower CLI (Read-Only)

Share on:

You have the FMC installed and connect to FTD device with configuration deployed but for what ever reason there is a problem and you need to enter the CLI on the Firepower device to troubleshoot the equipment and although you can't configure anything you can do show and debug commands to troubleshoot via the CLI. We have to enter the Diagnostic CLI and we can do this in two ways:

  • Once logged into the Firepower default prompt type system support diagnostic-cli command.
1> system support diagnostic-cli
2Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach.
3Type help or '?' for a list of available commands.
  • The other way is to go into expert mode followed by using the sudo lina_cli command.
 1host-172-16-1-187 login: admin
 3Last login: Sun Jul 23 17:30:34 UTC 2017 on ttyS0
 4> expert
 5admin@host-172-16-1-187:~$ sudo lina_cli
 7We trust you have received the usual lecture from the local System
 8Administrator. It usually boils down to these three things:
10    #1) Respect the privacy of others.
11    #2) Think before you type.
12    #3) With great power comes great responsibility.
15Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach.
16Type help or '?' for a list of available commands.
18firepower> en
19Password: ********
20Invalid password

If we look at the show version we can see in this example we are running ASA code with FXOS running with it.

 1firepower# show version
 2---------------[ host-172-16-1-187 ]----------------
 3Model                     : Cisco Firepower Threat Defense for KVM (75) Version (Build 51)
 4UUID                      : 3b5ca718-6fc3-11e7-a879-c553f010958b
 5Rules update version      : 2017-06-07-001-vrt
 6VDB version               : 281
 9Cisco Adaptive Security Appliance Software Version 9.7(1)10
10Firepower Extensible Operating System Version 2.1(1.66)
12Compiled on Wed 10-May-17 09:41 PDT by builders
13System image file is "(hd0,0)/asa971-4-smp-k8.bin"
14Config file at boot was "startup-config"
16firepower up 37 mins 39 secs
18Hardware:   ASAv, 8192 MB RAM, CPU Pentium II 3600 MHz, 1 CPU (4 cores)
19Model Id:   ASAv30
20BIOS Flash Firmware Hub @ 0x0, 0KB
22 0: Int: Internal-Data0/0    : address is fa16.3ee6.43df, irq 11
23 1: Ext: GigabitEthernet0/0  : address is fa16.3ebf.f299, irq 10
24 2: Ext: GigabitEthernet0/1  : address is fa16.3e8b.53bc, irq 10
25 3: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
26 4: Int: Internal-Data0/0    : address is 0000.0000.0000, irq 0
27 5: Ext: Management0/0       : address is fa16.3ee6.43df, irq 0
28 6: Int: Internal-Data0/1    : address is 0000.0000.0000, irq 0
30Serial Number: 9AXESJTCR3F
32Image type          : Release
33Key version         : A
35Configuration last modified by enable_1 at 18:24:33.151 UTC Sun Jul 23 2017

If you worked in the Cisco ASA world before you might find the CLI a refreshing memory because all of your debugs, show outputs and the packet tracer troubleshooting tool are all there. You might be asking well its good to see the configuration but how do I configure something that may not be in the FMC? Well we can use something called FlexConfig and is available from FMC 6.2.0 and onward.