Command Line Reference
This reference explains the command line interface (CLI) for FirePOWER appliances, virtual devices, and the ASA FirePOWER modules of ASA FirePOWER devices. You can use the CLI to view, configure, and troubleshoot your FireSIGHT System.
Note The command line interface is not supported on Defense Centers, Series 2 appliances, Cisco NGIPS for Blue Coat X-Series, or the ASA module of ASA FirePOWER devices.
There are numerous CLI modes, such as show and configure, that contain sets of commands beginning with the mode name. You may enter a mode and then enter valid commands within that mode, or you may enter an entire full command from any mode. For example, to display information about a user account called Analyst1, you can enter the following at the CLI prompt:
show user Analyst1
If you have previously entered show mode, enter the following at the CLI prompt:
user Analyst1
Within each mode, the commands available to a user depend on the user’s CLI access. When you create a user account, you can assign it one of the following CLI access levels:
- Basic: the user has read-only access and cannot run commands that impact system performance.
- Configuration: the user has read-write access and can run commands that impact system performance.
- None: the user is unable to log in to the shell.
On Series 3 devices, you can assign command line permissions on the User Management page in the web interface; see Managing Users for more information. On virtual devices and ASA FirePOWER devices, you assign command line permissions through the CLI itself.
Note If you reboot a Series 3 device and then log in to the CLI as soon as you are able, any commands you execute are not recorded in the audit log until the web interface is available.
Note that CLI commands are case-insensitive with the exception of parameters whose text is not part of the CLI framework, such as user names and search filters.
For information about logging into the command line, see Logging into the Appliance.
Basic CLI Commands
The basic CLI commands provide the ability to interact with the CLI. These commands do not affect the operation of the device. Basic commands are available to all CLI users.
The following sections describe the basic commands:
configure password
Allows the current user to change their password. After issuing the command, the CLI prompts the user for their current (or old) password, then prompts the user to enter the new password twice.
end
Returns the user to the default mode. (Moves the user up to the default mode from any lower-level CLI context.)
exit
Moves the CLI context up to the next highest CLI context level. Issuing this command from the default mode logs the user out of the current CLI session, and is equivalent to issuing the logout CLI command.
help
Displays an overview of the CLI syntax.
history
Displays the command line history for the current session. The optional limit parameter sets the size of the history list. To set the size to unlimited, enter zero.
logout
Logs the current user out of the current CLI console session.
? (question mark)
Displays context-sensitive help for CLI commands and parameters. Use the question mark (?) command as follows:
- To display help for the commands that are available within the current CLI context, enter a question mark (?) at the command prompt.
- To display a list of the available commands that start with a particular character set, enter the abbreviated command immediately followed by a question mark (?).
- To display help for a command’s legal arguments, enter a question mark (?) in place of an argument at the command prompt.
Note that the question mark (?) is not echoed back to the console.
?? (double question marks)
Displays detailed context-sensitive help for CLI commands and parameters.
Show Commands
Show commands provide information about the state of the device. These commands do not change the operational mode of the device and running them has minimal impact on system operation. Most show commands are available to all CLI users; however, only users with configuration CLI access can issue the show user command.
The following sections describe the show commands:
- access-control-config
- alarms
- arp-tables
- audit-log
- bypass
- clustering
- cpu
- database
- device-settings
- disk
- disk-manager
- dns
- expert
- fan-status
- fastpath-rules
- gui
- hostname
- hosts
- hyperthreading
- iab
- ifconfig
- inline-sets
- interfaces
- lcd
- link-state
- log-ips-connection
- managers
- memory
- model
- mpls-depth
- NAT
- netstat
- network
- network-modules
- network-static-routes
- ntp
- perfstats
- portstats
- power-supply-status
- process-tree
- processes
- route
- routing-table
- serial-number
- ssl-policy-config
- stacking
- summary
- time
- traffic-statistics
- user
- users
- version
- virtual-routers
- virtual-switches
- vmware-tools
access-control-config
Displays the currently applied access control configurations, including: Security Intelligence settings; the name of referenced SSL, network analysis, intrusion, and file policies; intrusion variable set data; logging settings; and other advanced settings, including policy-level performance, preprocessing, and general settings.
Also displays policy-related connection information, such as source and destination port data (including type and code for ICMP entries) and the number of connections that matched each access control rule (hit counts).
alarms
Displays currently active (failed/down) hardware alarms on the device. This command is not available on virtual devices and ASA FirePOWER devices.
arp-tables
Displays the Address Resolution Protocol tables applicable to your network. This command is not available on virtual devices and ASA FirePOWER devices.
audit-log
Displays the audit log in reverse chronological order; the most recent audit log events are listed first.
bypass
On Series 3 devices, lists the inline sets in use and shows the bypass mode status of those sets as one of the following:
- armed — the interface pair is configured to go into hardware bypass if it fails, or has been forced into fail-close with the configure bypass close command
- engaged — the interface pair has failed open or has been forced into hardware bypass with the configure bypass open command
- off — the interface pair is set to fail-close (Bypass Mode: Non-Bypass); packets are blocked if the interface pair fails
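As an added example, not part of the Cisco guide, the following Python parses a constructed show bypass listing that uses the three states documented above and returns the pairs an operator should act on: an engaged pair is passing traffic without inspection, and an off pair will drop traffic if it fails. The line layout of the sample is an assumption for the example; adapt the regular expression to the actual output of your device.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample; the real 'show bypass' layout on a Series 3 device is not
# reproduced here, only the three states the reference documents.
SAMPLE_SHOW_BYPASS = """\
Inline set: Inline-DMZ  pair: s1p1-s1p2  status: armed
Inline set: Inline-Core pair: s1p3-s1p4  status: engaged
Inline set: Inline-Lab  pair: s2p1-s2p2  status: off
"""

LINE_RE = re.compile(
    r"Inline set:\s*(\S+)\s+pair:\s*(\S+)\s+status:\s*(armed|engaged|off)\b")


@dataclass
class InlinePair:
    inline_set: str
    pair: str
    status: str  # one of armed / engaged / off

    @property
    def inspecting(self) -> bool:
        # 'engaged' means hardware bypass is active: packets cross the pair
        # without reaching the inspection engine.
        return self.status != "engaged"

    @property
    def fails_closed(self) -> bool:
        # 'off' corresponds to Bypass Mode: Non-Bypass; a failed pair blocks traffic.
        return self.status == "off"


def parse_show_bypass(text: str) -> List[InlinePair]:
    """Extract one InlinePair per recognisable line; unknown lines are skipped."""
    pairs = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            pairs.append(InlinePair(*m.groups()))
    return pairs


def bypass_findings(pairs: List[InlinePair]) -> List[Tuple[str, str]]:
    """One (inline set, message) finding per pair whose state needs attention."""
    findings = []
    for p in pairs:
        if p.status == "engaged":
            findings.append((p.inline_set,
                             "hardware bypass engaged: traffic is not being inspected"))
        elif p.status == "off":
            findings.append((p.inline_set,
                             "fail-close: traffic is blocked if this pair fails"))
    return findings


if __name__ == "__main__":
    for inline_set, msg in bypass_findings(parse_show_bypass(SAMPLE_SHOW_BYPASS)):
        print(f"{inline_set}: {msg}")
```

Run this against the saved output of show bypass from a scheduled CLI session; an armed pair is the normal state and produces no finding, so a non-empty result is the signal to page the on-call engineer.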
clustering
Displays information about device clustering configuration, status, and member stacks. This command is not available on virtual devices and ASA FirePOWER devices.
config
Displays the clustering configuration on the device.
clustering ha-statistics
Displays state sharing statistics for a device in a cluster.
cpu
Displays the current CPU usage statistics appropriate for the platform for all CPUs on the device. For managed devices, the following value is displayed:
- The CPU utilization, represented as a number from 0 to 100. 0 is not loaded and 100 is completely loaded.
For virtual devices and ASA FirePOWER devices, the following values are displayed:
- Percentage of CPU utilization that occurred while executing at the user level (application).
- Percentage of CPU utilization that occurred while executing at the user level with nice priority.
- Percentage of CPU utilization that occurred while executing at the system level (kernel). This does not include time spent servicing interrupts or softirqs. A softirq (software interrupt) is one of up to 32 enumerated software interrupts that can run on multiple CPUs at once.
- Percentage of time that the CPUs were idle when the system had an outstanding disk I/O request.
- Percentage of time spent by the CPUs to service interrupts.
- Percentage of time spent by the CPUs to service softirqs.
- Percentage of time spent in involuntary wait by the virtual CPUs while the hypervisor was servicing another virtual processor.
- Percentage of time spent by the CPUs to run a virtual processor.
- Percentage of time that the CPUs were idle and the system did not have an outstanding disk I/O request.
The optional procnum parameter is the number of the processor for which you want the utilization information displayed. Valid values are 0 to one less than the total number of processors on the system. If procnum is used for a managed device, it is ignored because for that platform, utilization information can only be displayed for all processors.
database
The show database commands display information about the database queries running on the device.
processes
Displays a list of running database queries.
slow-query-log
Displays the slow query log of the database.
device-settings
Displays information about application bypass settings specific to the current device.
disk
Displays the current disk usage.
disk-manager
Displays detailed disk usage information for each part of the system, including silos, low watermarks, and high watermarks.
dns
Displays the current DNS server addresses and search domains.
expert
Invokes the Linux shell.
fan-status
Displays the current status of hardware fans. This command is not available on virtual devices and ASA FirePOWER devices.
fastpath-rules
Displays the currently configured fastpath rules. This command is not available on virtual devices and ASA FirePOWER devices.
gui
Displays the current state of the web interface. This command is not available on virtual devices and ASA FirePOWER devices.
hostname
Displays the device’s host name and appliance UUID. If you edit the host name of a device using the CLI, confirm that the changes are reflected on the managing Defense Center. In some cases, you may need to edit the device management settings manually. For more information, see Editing Device Management Settings.
hosts
Displays the contents of an ASA FirePOWER module’s /etc/hosts file.
hyperthreading
Displays whether hyperthreading is enabled or disabled. This command is not available on ASA FirePOWER devices.
iab
Displays the current Intelligent Application Bypass (IAB) configuration. This command requires Version 5.4.0.10 or later on the managed device. The Defense Center requires Version 5.4.1.9 or later to implement IAB functionality, and Version 5.4.1.10 or later to provide IAB events.
inline-sets
Displays configuration data for all inline security zones and associated interfaces. This command is not available on ASA FirePOWER devices.
interfaces
If no parameters are specified, displays a list of all configured interfaces. If a parameter is specified, displays detailed information about the specified interface. The optional interface parameter is the specific interface for which you want the detailed information.
ifconfig
Displays the interface configuration for an ASA FirePOWER module.
lcd
Displays whether the LCD hardware display is enabled or disabled. This command is not available on virtual devices and ASA FirePOWER devices.
link-aggregation
The show link-aggregation commands display configuration and statistics information for link aggregation groups (LAGs). This command is not available on virtual devices and ASA FirePOWER devices.
configuration
Displays configuration details for each configured LAG, including LAG ID, number of interfaces, configuration mode, load-balancing mode, LACP information, and physical interface type.
statistics
Displays statistics, per interface, for each configured LAG, including status, link state and speed, configuration mode, counters for received and transmitted packets, and counters for received and transmitted bytes.
link-state
Displays type, link, speed, duplex state, and bypass mode of the ports on the device. This command is not available on ASA FirePOWER devices.
log-ips-connection
Displays whether the logging of connection events that are associated with logged intrusion events is enabled or disabled.
managers
Displays the configuration and communication status of the Defense Center. Registration key and NAT ID are only displayed if registration is pending. If a device is registered to a high availability pair, information about both managing Defense Centers is displayed. If a device is configured as a secondary device in a stacked configuration, information about both the managing Defense Center and the primary device is displayed.
memory
Displays the total memory, the memory in use, and the available memory for the device.
model
Displays model information for the device.
mpls-depth
Displays the number of MPLS layers configured on the management interface, from 0 to 6. This command is not available on virtual devices and ASA FirePOWER devices.
NAT
The show nat commands display NAT data and configuration information for the management interface. This command is not available on virtual devices and ASA FirePOWER devices.
active-dynamic
Displays NAT flows translated according to dynamic rules. These entries are displayed when a flow matches a rule, and persist until the rule has timed out. Therefore, the list can be inaccurate. Timeouts are protocol dependent: ICMP is 5 seconds, UDP is 120 seconds, TCP is 3600 seconds, and all other protocols are 60 seconds.
Syntax and example: show nat active-dynamic
active-static
Displays NAT flows translated according to static rules. These entries are displayed as soon as you apply the rule to the device, and the list does not indicate active flows that match a static NAT rule.
Syntax and example: show nat active-static
allocators
Displays information for all NAT allocators, the pool of translated addresses used by dynamic rules.
Syntax and example: show nat allocators
config
Displays the current NAT policy configuration for the management interface.
Syntax and example: show nat config
dynamic-rules
Displays dynamic NAT rules that use the specified allocator ID.
Syntax: show nat dynamic-rules allocator_id
Example: show nat dynamic-rules 9
flows
Displays the number of flows for rules that use the specified allocator ID.
Syntax: show nat flows allocator_id
Example: show nat flows 81
static-rules
Displays all static NAT rules.
Syntax and example: show nat static-rules
netstat
Displays the active network connections for an ASA FirePOWER module.
network
Displays the IPv4 and IPv6 configuration of the management interface, its MAC address, and HTTP proxy address, port, and username if configured.
network-modules
Displays all installed modules and information about them, including serial numbers. This command is not available on virtual devices and ASA FirePOWER devices.
network-static-routes
Displays all configured network static routes and information about them, including interface, destination address, network mask, and gateway address.
ntp
Displays the ntp configuration.
perfstats
Displays performance statistics for the device.
portstats
Displays port statistics for all installed ports on the device. This command is not available on virtual devices and ASA FirePOWER devices.
The parameter selects the ports to report on: copper specifies all copper ports, fiber specifies all fiber ports, internal specifies all internal ports, external specifies all external (copper and fiber) ports, and all specifies all ports (external and internal).
power-supply-status
Displays the current state of hardware power supplies. This command is not available on virtual devices and ASA FirePOWER devices.
process-tree
Displays processes currently running on the device, sorted in tree format by type.
processes
Displays processes currently running on the device, sorted by descending CPU usage.
The sort-flag parameter can be -m to sort by memory (descending order), -u to sort by username rather than the process name, or verbose to display the full name and path of the command. The filter parameter specifies the search term in the command or username by which results are filtered. The header row is still displayed.
route
Displays the routing information for an ASA FirePOWER module.
routing-table
If no parameters are specified, displays routing information for all virtual routers. If parameters are specified, displays routing information for the specified router and, as applicable, its specified routing protocol type. All parameters are optional. This command is not available on virtual devices and ASA FirePOWER devices.
The name parameter is the name of the specific router for which you want information, and ospf, rip, and static specify the routing protocol type.
serial-number
Displays the chassis serial number. This command is not available on virtual devices.
ssl-policy-config
Displays the currently applied SSL policy configuration, including policy description, default logging settings, all enabled SSL rules and rule configurations, trusted CA certificates, and undecryptable traffic actions.
stacking
Shows the stacking configuration and position on managed devices; on devices configured as primary, also lists data for all secondary devices. For clustered stacks, this command also indicates that the stack is a member of a cluster. The user must use the web interface to enable or (in most cases) disable stacking; if stacking is not enabled, the command will return Stacking not currently configured. This command is not available on virtual devices and ASA FirePOWER devices.
summary
Displays a summary of the most commonly used information (version, type, UUID, and so on) about the device. For more detailed information, see the following show commands: version, interfaces, device-settings, and access-control-config.
time
Displays the current date and time in UTC and in the local time zone configured for the current user.
traffic-statistics
If no parameters are specified, displays details about bytes transmitted and received from all ports. If a port is specified, displays that information only for the specified port. You cannot specify a port for ASA FirePOWER devices, and the system displays only the data plane interfaces.
Syntax: show traffic-statistics [port]
where port is the specific port for which you want information.
user
Applicable to virtual devices only. Displays detailed configuration information for the specified user(s). The following values are displayed:
- Login — the login name
- UID — the numeric user ID
- Auth (Local or Remote) — how the user is authenticated
- Access (Basic or Config) — the user's privilege level
- Enabled (Enabled or Disabled) — whether the user is active
- Reset (Yes or No) — whether the user must change password at next login
- Exp (Never or a number) — the number of days until the user's password must be changed
- Warn (N/A or a number) — the number of days a user is given to change their password before it expires
- Str (Yes or No) — whether the user's password must meet strength checking criteria
- Lock (Yes or No) — whether the user's account has been locked due to too many login failures
- Max (N/A or a number) — the maximum number of failed logins before the user's account is locked
The username parameter specifies the name of the user to display; to display several users, separate the usernames with spaces.
users
Applicable to virtual devices only. Displays detailed configuration information for all local users. The following values are displayed:
- Login — the login name
- UID — the numeric user ID
- Auth (Local or Remote) — how the user is authenticated
- Access (Basic or Config) — the user's privilege level
- Enabled (Enabled or Disabled) — whether the user is active
- Reset (Yes or No) — whether the user must change password at next login
- Exp (Never or a number) — the number of days until the user's password must be changed
- Warn (N/A or a number) — the number of days a user is given to change their password before it expires
- Str (Yes or No) — whether the user's password must meet strength checking criteria
- Lock (Yes or No) — whether the user's account is locked due to too many login failures
- Max (N/A or a number) — the maximum number of failed logins before the user's account is locked
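The field lists for show user and show users above are what an account review on a virtual device has to work with. The following Python is an added example, not code from the Cisco guide: it parses a constructed show users table whose column names follow that field list (the real command's spacing is an assumption) and flags enabled Config-level accounts that lack password strength checking, expiry or a failed-login lockout, plus any account that is currently locked.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of 'show users' output. Column names follow the field list
# documented for the command; the exact spacing of the real output is assumed.
SAMPLE_SHOW_USERS = """\
Login     UID   Auth    Access  Enabled   Reset  Exp    Warn  Str  Lock  Max
admin     1000  Local   Config  Enabled   No     Never  N/A   No   No    N/A
analyst1  1001  Local   Basic   Enabled   No     90     7     Yes  No    5
svc_ops   1002  Local   Config  Disabled  No     60     7     Yes  No    5
netadmin  1003  Remote  Config  Enabled   Yes    60     7     Yes  Yes   5
"""

EXPECTED_COLUMNS = ["Login", "UID", "Auth", "Access", "Enabled", "Reset",
                    "Exp", "Warn", "Str", "Lock", "Max"]


@dataclass
class CliUser:
    login: str
    uid: int
    auth: str            # Local or Remote
    access: str          # Basic or Config
    enabled: bool
    reset: bool          # must change password at next login
    exp_days: Optional[int]      # None means Never
    warn_days: Optional[int]     # None means N/A
    strength: bool               # password strength checking enforced
    locked: bool
    max_failures: Optional[int]  # None means N/A (no lockout limit)


def _num(field: str) -> Optional[int]:
    return None if field in ("Never", "N/A") else int(field)


def parse_show_users(text: str) -> List[CliUser]:
    """Parse the table into CliUser records; refuse an unexpected layout."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0].split() != EXPECTED_COLUMNS:
        raise ValueError("unexpected column layout: %r" % (lines[:1],))
    users = []
    for line in lines[1:]:
        f = line.split()
        if len(f) != len(EXPECTED_COLUMNS):
            raise ValueError("malformed row: %r" % line)
        users.append(CliUser(
            login=f[0], uid=int(f[1]), auth=f[2], access=f[3],
            enabled=(f[4] == "Enabled"), reset=(f[5] == "Yes"),
            exp_days=_num(f[6]), warn_days=_num(f[7]),
            strength=(f[8] == "Yes"), locked=(f[9] == "Yes"),
            max_failures=_num(f[10])))
    return users


def audit_users(users: List[CliUser]) -> List[str]:
    """Flag enabled accounts whose settings weaken the CLI's own protections."""
    findings = []
    for u in users:
        if not u.enabled:
            continue  # a disabled account cannot be used; nothing to report
        if u.locked:
            findings.append("%s: locked after too many failed logins" % u.login)
        if u.access == "Config":
            # Read-write accounts can change system configuration, so expect
            # strength checking, an expiry period and a lockout limit to be set.
            if not u.strength:
                findings.append("%s: Config access without password strength checking" % u.login)
            if u.exp_days is None:
                findings.append("%s: Config access with a password that never expires" % u.login)
            if u.max_failures is None:
                findings.append("%s: Config access with no failed-login lockout" % u.login)
    return findings


if __name__ == "__main__":
    for finding in audit_users(parse_show_users(SAMPLE_SHOW_USERS)):
        print(finding)
```

The parser deliberately raises on a header it does not recognise rather than guessing column positions, so a firmware update that reorders the table fails loudly instead of silently auditing the wrong field.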
version
Displays the product version and build. If the detail parameter is specified, displays the versions of additional components.
virtual-routers
If no parameters are specified, displays a list of all currently configured virtual routers with DHCP relay, OSPF, and RIP information. If parameters are specified, displays information for the specified router, limited by the specified route type. All parameters are optional. This command is not available on virtual devices and ASA FirePOWER devices.
The dhcprelay, ospf, and rip parameters specify the route type, and name is the name of the specific router for which you want information. If you specify ospf, you can then further specify neighbors, topology, or lsadb between the route type and (if present) the router name.
virtual-switches
If no parameters are specified, displays a list of all currently configured virtual switches. If parameters are specified, displays information for the specified switch. This command is not available on virtual devices and ASA FirePOWER devices.
vmware-tools
Indicates whether VMware Tools are currently enabled on a virtual device. This command is available only on virtual devices.
VMware Tools is a suite of utilities intended to enhance the performance of the virtual machine. These utilities allow you to make full use of the convenient features of VMware products. The system supports the following plugins on all virtual appliances:
For more information about VMware Tools and the supported plugins, see the VMware website ( http://www.vmware.com).
VPN
The show vpn commands display VPN status and configuration information for VPN connections. This command is not available on virtual devices and ASA FirePOWER devices.
config
Displays the configuration of all VPN connections.
Syntax and example: show vpn config
config by virtual router
Displays the configuration of all VPN connections for a virtual router.
Syntax: show vpn config [virtual router]
Example: show vpn config VRouter1
status
Displays the status of all VPN connections.
Syntax and example: show vpn status
status by virtual router
Displays the status of all VPN connections for a virtual router.
Syntax: show vpn status [virtual router]
Example: show vpn status VRouter1
counters
Displays the counters for all VPN connections.
Syntax and example: show vpn counters
counters by virtual router
Displays the counters of all VPN connections for a virtual router.
Syntax: show vpn counters [virtual router]
Example: show vpn counters VRouter1
Configuration Commands
The configuration commands enable the user to configure and manage the system. These commands affect system operation; therefore, with the exception of Basic-level configure password, only users with configuration CLI access can issue these commands.
The following sections describe the configuration commands:
- clustering
- bypass
- gui
- iab
- lcd
- log-ips-connections
- manager
- mpls-depth
- network
- password
- stacking disable
- user
- vmware-tools
clustering
Disables or configures bypass for clustering on the device. This command is not available on virtual devices, ASA FirePOWER devices, or on devices configured as secondary stack members.
bypass
On Series 3 devices, places an inline pair in fail-open (hardware bypass) or fail-close mode. You can use this command only when the Bypass Mode inline set option is set to Bypass.
Note that rebooting a device takes an interface pair out of fail-open mode.
Syntax: configure bypass {open | close} interface
where interface is the name of either hardware port in the inline pair.
gui
Enables or disables the device web interface, including the streamlined upgrade web interface that appears during major updates to the system. This command is not available on virtual devices and ASA FirePOWER devices.
iab
Configure Intelligent Application Bypass (IAB). This command requires Version 5.4.0.10 or later on the managed device. The Defense Center requires Version 5.4.1.9 or later to implement IAB functionality, and Version 5.4.1.10 or later to provide IAB events.
IAB trusts traffic to traverse your network without further inspection if performance and flow thresholds are exceeded. The system implements IAB on traffic allowed by access control rules or the access control policy's default action, before the traffic is subject to deep inspection. A test mode allows you to determine whether thresholds are exceeded and, if so, to identify the flows that would have been trusted if you had actually enabled IAB. You must deploy your access control policy to the managed device after configuring IAB.
Performance and Flow Thresholds
You must set a performance scan interval and configure at least one of four inspection performance thresholds and one of four flow bypass thresholds. When a performance threshold is exceeded, the system examines flow thresholds and, if a flow threshold is exceeded, trusts traffic. If you configure more than one of either type of threshold, only one of each must be exceeded. All thresholds are disabled (set to 0) by default.
Inspection performance thresholds—provide intrusion inspection performance limits that, if exceeded, trigger the inspection of flow thresholds. IAB does not use inspection performance thresholds set to 0.
Flow bypass thresholds—provide flow limits that, if exceeded, trigger IAB to trust traffic in active mode or allow traffic subject to further inspection in test mode. IAB does not use flow bypass thresholds set to 0.
You configure all parameters at the same time and in order. The system prompts you for the next parameter if you enter fewer than the maximum number of parameters.
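The threshold logic above has two edge cases worth seeing in code: a threshold left at 0 is disabled and must never count as exceeded, and when several thresholds of one type are set, any single one being exceeded is enough. The following Python is an added example, not code from the Cisco guide; it models that decision for one performance scan and one flow, with test mode reporting what would have been trusted, and also validates that a configuration can ever bypass anything at all. The threshold names (drop_pct, latency_us, flow_bytes, flow_packets) are assumptions for the example; the guide only states that there are four thresholds of each type.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class IabConfig:
    test_mode: bool = True          # test mode: identify, but do not trust
    scan_interval_s: int = 5        # performance scan interval
    # Threshold names are assumptions for this example. 0 means disabled.
    performance_thresholds: Dict[str, float] = field(default_factory=dict)
    flow_thresholds: Dict[str, float] = field(default_factory=dict)


def validate_iab_config(cfg: IabConfig) -> List[str]:
    """Return the reasons this configuration can never bypass a flow."""
    problems = []
    if cfg.scan_interval_s <= 0:
        problems.append("performance scan interval must be set")
    if not any(v > 0 for v in cfg.performance_thresholds.values()):
        problems.append("no inspection performance threshold enabled (all 0)")
    if not any(v > 0 for v in cfg.flow_thresholds.values()):
        problems.append("no flow bypass threshold enabled (all 0)")
    return problems


def _exceeded(thresholds: Dict[str, float], observed: Dict[str, float]) -> List[str]:
    # Thresholds set to 0 are ignored; any one enabled threshold being
    # exceeded is enough ("only one of each must be exceeded").
    return sorted(name for name, limit in thresholds.items()
                  if limit > 0 and observed.get(name, 0) > limit)


def iab_decision(cfg: IabConfig, perf_sample: Dict[str, float],
                 flow_sample: Dict[str, float]) -> Tuple[str, str]:
    """
    Decide what IAB does with one flow given the latest performance scan.
    Returns (action, reason) where action is:
      'inspect'     - the flow continues to deep inspection
      'trust'       - active mode: the flow is trusted, no further inspection
      'would-trust' - test mode: still inspected, but it would have been trusted
    """
    perf_hits = _exceeded(cfg.performance_thresholds, perf_sample)
    if not perf_hits:
        # Flow thresholds are only examined after a performance threshold trips.
        return "inspect", "no inspection performance threshold exceeded"
    flow_hits = _exceeded(cfg.flow_thresholds, flow_sample)
    if not flow_hits:
        return "inspect", ("performance threshold(s) %s exceeded but no flow "
                           "threshold exceeded" % ",".join(perf_hits))
    reason = "performance %s and flow %s exceeded" % (
        ",".join(perf_hits), ",".join(flow_hits))
    return ("would-trust" if cfg.test_mode else "trust"), reason


if __name__ == "__main__":
    cfg = IabConfig(test_mode=True,
                    performance_thresholds={"drop_pct": 5, "latency_us": 0},
                    flow_thresholds={"flow_bytes": 1_000_000, "flow_packets": 0})
    print(validate_iab_config(cfg))
    print(iab_decision(cfg, {"drop_pct": 9}, {"flow_bytes": 5_000_000}))
```

Running with test_mode=True first, as the guide recommends, lets you count the would-trust decisions over a scan interval and see which flows would escape deep inspection before any traffic is actually trusted.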
lcd
Enables or disables the LCD display on the front of the device. This command is not available on virtual devices and ASA FirePOWER devices.
log-ips-connections
Enables or disables logging of connection events that are associated with logged intrusion events.
manager
The configure manager commands configure the device’s connection to its managing Defense Center.
add
Configures the device to accept a connection from a managing Defense Center. This command works only if the device is not actively managed.
A unique alphanumeric registration key is always required to register a device to a Defense Center. In most cases, you must provide the hostname or the IP address along with the registration key. However, if the device and the Defense Center are separated by a NAT device, you must enter a unique NAT ID, along with the registration key, and specify DONTRESOLVE instead of the hostname.
Syntax: configure manager add {hostname | IPv4_address | IPv6_address | DONTRESOLVE} regkey [nat_id]
where {hostname | IPv4_address | IPv6_address | DONTRESOLVE} specifies the DNS host name or IP address (IPv4 or IPv6) of the Defense Center that manages this device. If the Defense Center is not directly addressable, use DONTRESOLVE. If you use DONTRESOLVE, nat_id is required. regkey is the unique alphanumeric registration key required to register a device to the Defense Center. nat_id is an optional alphanumeric string used during the registration process between the Defense Center and the device. It is required if the hostname is set to DONTRESOLVE.
Example: configure manager add DONTRESOLVE abc123 efg456
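When device registration is scripted, the rules above are easy to get wrong: DONTRESOLVE without a NAT ID, or a key with characters the CLI will not accept. The following Python is an added example, not code from the Cisco guide or the product; it classifies the first argument as a hostname, IPv4 address, IPv6 address or DONTRESOLVE, enforces the NAT ID requirement and the alphanumeric constraint on the key and NAT ID, and assembles the command line. The registration key and NAT ID values used in the usage are the guide's own example values; the hostname and addresses are constructed.

```python
import ipaddress
import re

ALNUM = re.compile(r"[A-Za-z0-9]+")
# One RFC 1123 style label: letters, digits and hyphens, no leading/trailing hyphen.
HOST_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
HOSTNAME = re.compile(r"%s(\.%s)*" % (HOST_LABEL, HOST_LABEL))


def classify_manager_target(target: str) -> str:
    """Return 'DONTRESOLVE', 'IPv4_address', 'IPv6_address' or 'hostname'."""
    if target == "DONTRESOLVE":
        return "DONTRESOLVE"
    try:
        return "IPv%d_address" % ipaddress.ip_address(target).version
    except ValueError:
        pass
    if HOSTNAME.fullmatch(target):
        return "hostname"
    raise ValueError("not a hostname, IPv4 or IPv6 address, or DONTRESOLVE: %r" % target)


def build_manager_add(target: str, regkey: str, nat_id: str = None) -> str:
    """Assemble a valid 'configure manager add' line or raise ValueError."""
    kind = classify_manager_target(target)
    if not ALNUM.fullmatch(regkey):
        raise ValueError("registration key must be alphanumeric")
    if nat_id is not None and not ALNUM.fullmatch(nat_id):
        raise ValueError("NAT ID must be alphanumeric")
    if kind == "DONTRESOLVE" and nat_id is None:
        # Behind NAT the Defense Center cannot be resolved from the device,
        # so the NAT ID is what ties the two registration attempts together.
        raise ValueError("DONTRESOLVE requires a NAT ID")
    parts = ["configure", "manager", "add", target, regkey]
    if nat_id is not None:
        parts.append(nat_id)
    return " ".join(parts)


if __name__ == "__main__":
    # Example values from the guide (abc123, efg456) and a constructed hostname.
    print(build_manager_add("DONTRESOLVE", "abc123", "efg456"))
    print(build_manager_add("dc01.example.com", "abc123"))
```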
delete
Removes the Defense Center’s connection information from the device. This command only works if the device is not actively managed.
Syntax and example: configure manager delete
mpls-depth
Configures the number of MPLS layers on the management interface. This command is not available on virtual devices and ASA FirePOWER devices.
where depth is a number between 0 and 6.
network
The configure network commands configure the device’s management interface.
dns searchdomains
Replaces the current list of DNS search domains with the list specified in the command.
configure network dns searchdomains searchlist
where searchlist is a comma-separated list of domains.
dns servers
Replaces the current list of DNS servers with the list specified in the command.
configure network dns servers dnslist
where dnslist is a comma-separated list of DNS servers.
hostname
Sets the hostname for the device.
configure network hostname name
where name is the new hostname.
http-proxy
On Series 3 and virtual devices, configures an HTTP proxy. After issuing the command, the CLI prompts the user for the HTTP proxy address and port, whether proxy authentication is required, and, if it is required, the proxy username, proxy password, and confirmation of the proxy password.
configure network http-proxy
Use this command on a virtual device to configure an HTTP proxy server so the virtual device can submit files to the Collective Security Intelligence Cloud for dynamic analysis.
http-proxy-disable
On Series 3 and virtual devices, deletes any HTTP proxy configuration.
configure network http-proxy-disable
ipv4 delete
Disables the IPv4 configuration of the device’s management interface.
configure network ipv4 delete
ipv4 dhcp
Sets the IPv4 configuration of the device’s management interface to DHCP. The management interface communicates with the DHCP server to obtain its configuration information.
configure network ipv4 dhcp
ipv4 manual
Manually configures the IPv4 configuration of the device’s management interface.
configure network ipv4 manual ipaddr netmask gw
where ipaddr is the IP address, netmask is the subnet mask, and gw is the IPv4 address of the default gateway.
ipv6 delete
Disables the IPv6 configuration of the device’s management interface.
configure network ipv6 delete
ipv6 dhcp
Sets the IPv6 configuration of the device’s management interface to DHCP. The management interface communicates with the DHCP server to obtain its configuration information.
configure network ipv6 dhcp
ipv6 router
Sets the IPv6 configuration of the device’s management interface to Router. The management interface communicates with the IPv6 router to obtain its configuration information.
configure network ipv6 router
ipv6 manual
Manually configures the IPv6 configuration of the device’s management interface.
configure network ipv6 manual ip6addr/ip6prefix [ip6gw]
where ip6addr/ip6prefix is the IP address and prefix length and ip6gw is the IPv6 address of the default gateway.
management-interface disable
Disables the specified management interface.
configure network management-interface disable n
where n is the number of the management interface you want to disable.
management-interface disable-event-channel
Disables event transmission over the specified management interface.
configure network management-interface disable-event-channel n
where n is the number of the management interface on which you want to disable event transmission.
management-interface disable-management-channel
Disables management transmission over the specified management interface.
configure network management-interface disable-management-channel n
where n is the number of the management interface on which you want to disable management transmission.
management-interface enable
Enables the specified management interface.
configure network management-interface enable n
where n is the number of the management interface you want to enable.
management-interface enable-event-channel
Enables event transmission over the specified management interface.
configure network management-interface enable-event-channel n
where n is the number of the management interface on which you want to enable event transmission.
management-interface enable-management-channel
Enables management transmission over the specified management interface.
configure network management-interface enable-management-channel n
where n is the number of the management interface on which you want to enable management transmission.
management-interface tcpport
Changes the value of the TCP port for management.
configure network management-interface tcpport port
where port is the management port value you want to configure.
management-port
Sets the value of the device’s TCP management port.
configure network management-port number
where number is the management port value you want to configure.
static-routes ipv4 add
Adds an IPv4 static route for the specified management interface.
configure network static-routes ipv4 add interface destination netmask gateway
where interface is the management interface, destination is the destination IP address, netmask is the network mask, and gateway is the gateway address you want to add.
static-routes ipv4 delete
Deletes an IPv4 static route for the specified management interface.
configure network static-routes ipv4 delete interface destination netmask gateway
where interface is the management interface, destination is the destination IP address, netmask is the network mask, and gateway is the gateway address you want to delete.
static-routes ipv6 add
Adds an IPv6 static route for the specified management interface.
configure network static-routes ipv6 add interface destination prefix gateway
where interface is the management interface, destination is the destination IP address, prefix is the IPv6 prefix length, and gateway is the gateway address you want to add.
static-routes ipv6 delete
Deletes an IPv6 static route for the specified management interface.
configure network static-routes ipv6 delete interface destination prefix gateway
where interface is the management interface, destination is the destination IP address, prefix is the IPv6 prefix length, and gateway is the gateway address you want to delete.
password
Allows the current user to change their password. After issuing the command, the CLI prompts the user for their current (or old) password, then prompts the user to enter the new password twice.
configure password
stacking disable
On managed devices, removes any stacking configuration present on that device: on devices configured as primary, the stack is removed entirely; on devices configured as secondary, that device is removed from the stack. This command is not available on virtual devices or ASA FirePOWER devices, and you cannot use it to break a clustered stack.
configure stacking disable
Use this command when you cannot establish communication with appliances higher in the stacking hierarchy. If the Defense Center is available for communication, a message appears instructing you to use the Defense Center web interface instead; likewise, if you enter stacking disable on a device configured as secondary when the primary device is available, a message appears instructing you to enter the command from the primary device.
user
Applicable only to virtual devices, the configure user commands manage the device’s local user database.
access
Modifies the access level of the specified user. This command takes effect the next time the specified user logs in.
configure user access username {basic | config}
where username specifies the name of the user for which you want to modify access, basic indicates basic access, and config indicates configuration access.
configure user access jdoe basic
add
Creates a new user with the specified name and access level. This command prompts for the user’s password.
configure user add username {basic | config}
where username specifies the name of the new user, basic indicates basic access, and config indicates configuration access.
configure user add jdoe basic
aging
Sets the lifetime of the specified user’s password and the warning period before it expires.
configure user aging username max_days warn_days
where username specifies the name of the user, max_days indicates the maximum number of days that the password is valid, and warn_days indicates the number of days before expiration during which the user is warned to change the password.
configure user aging jdoe 100 3
delete
Deletes the user and the user’s home directory.
configure user delete username
where username specifies the name of the user.
configure user delete jdoe
disable
Disables the user. Disabled users cannot log in.
configure user disable username
where username specifies the name of the user.
configure user disable jdoe
enable
Enables a previously disabled user.
configure user enable username
where username specifies the name of the user.
configure user enable jdoe
forcereset
Forces the user to change their password the next time they log in. When the user logs in and changes the password, strength checking is automatically enabled.
configure user forcereset username
where username specifies the name of the user.
configure user forcereset jdoe
maxfailedlogins
Sets the maximum number of failed logins for the specified user.
configure user maxfailedlogins username number
where username specifies the name of the user and number specifies the maximum number of failed logins.
configure user maxfailedlogins jdoe 3
password
Sets the user’s password. This command prompts for the user’s password.
configure user password username
where username specifies the name of the user.
configure user password jdoe
strengthcheck
Enables or disables the strength requirement for a user’s password. When a user’s password expires or the configure user forcereset command is used, this requirement is automatically enabled the next time the user logs in.
configure user strengthcheck username {enable | disable}
where username specifies the name of the user, enable sets the requirement for the specified user’s password, and disable removes the requirement for the specified user’s password.
configure user strengthcheck jdoe enable
unlock
Unlocks a user that has exceeded the maximum number of failed logins.
configure user unlock username
where username specifies the name of the user.
configure user unlock jdoe
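The following Python script is an added example and is not part of the Cisco documentation. It turns a provisioning spec into the configure manager add and configure user command sequence documented above, and it refuses to emit a command that violates a constraint this page states: DONTRESOLVE requires a NAT ID, registration keys and NAT IDs are alphanumeric, access levels are basic or config, and the aging warning window must be shorter than the password lifetime. The class names, the regular expressions and the sample device and user values are assumptions of this example; the configure user commands it renders apply only to virtual devices, as noted above.

```python
"""Render FireSIGHT managed-device CLI commands from a provisioning spec.

Added example, not from the Cisco documentation. It assumes only the command
syntax documented on this page and checks the page's stated constraints
before emitting anything. All names, keys and settings below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Registration keys and NAT IDs are documented as alphanumeric strings.
ALNUM = re.compile(r"^[A-Za-z0-9]+$")
# A DNS name, an IPv4 address or an IPv6 address for the Defense Center.
MANAGER_ADDRESS = re.compile(r"^[A-Za-z0-9.:-]+$")
ACCESS_LEVELS = ("basic", "config")


@dataclass
class ManagerSpec:
    """How this device reaches its Defense Center."""
    regkey: str
    address: Optional[str] = None  # hostname/IP; None means the DC is behind NAT
    nat_id: Optional[str] = None   # must match the NAT ID entered on the Defense Center

    def command(self) -> str:
        if not ALNUM.match(self.regkey):
            raise ValueError("regkey must be alphanumeric")
        if self.nat_id is not None and not ALNUM.match(self.nat_id):
            raise ValueError("nat_id must be alphanumeric")
        if self.address is None or self.address.upper() == "DONTRESOLVE":
            # Documented rule: DONTRESOLVE requires a NAT ID.
            if not self.nat_id:
                raise ValueError("DONTRESOLVE requires a nat_id")
            return f"configure manager add DONTRESOLVE {self.regkey} {self.nat_id}"
        if not MANAGER_ADDRESS.match(self.address):
            raise ValueError(f"invalid Defense Center address: {self.address!r}")
        parts = ["configure manager add", self.address, self.regkey]
        if self.nat_id:
            parts.append(self.nat_id)  # optional when the DC is directly addressable
        return " ".join(parts)


@dataclass
class UserSpec:
    """A local CLI account on a virtual device, with its password policy."""
    name: str
    access: str = "basic"
    max_days: int = 90          # configure user aging: password lifetime
    warn_days: int = 7          # configure user aging: warning window
    max_failed_logins: int = 5  # configure user maxfailedlogins
    strength_check: bool = True

    def commands(self) -> List[str]:
        if not re.match(r"^[a-z_][a-z0-9_-]*$", self.name):
            raise ValueError(f"invalid username: {self.name!r}")
        if self.access not in ACCESS_LEVELS:
            raise ValueError(f"access must be one of {ACCESS_LEVELS}")
        if not 0 < self.warn_days < self.max_days:
            raise ValueError("warn_days must be positive and shorter than max_days")
        if self.max_failed_logins < 1:
            raise ValueError("max_failed_logins must be at least 1")
        # configure user add prompts for the password interactively, so the
        # operator pasting this sequence answers that prompt before the rest runs.
        return [
            f"configure user add {self.name} {self.access}",
            f"configure user aging {self.name} {self.max_days} {self.warn_days}",
            f"configure user maxfailedlogins {self.name} {self.max_failed_logins}",
            f"configure user strengthcheck {self.name} "
            f"{'enable' if self.strength_check else 'disable'}",
            # Force a fresh password at first login so the provisioning
            # password does not stay in use.
            f"configure user forcereset {self.name}",
        ]


def render_device_config(manager: ManagerSpec, users: List[UserSpec]) -> List[str]:
    """Full command sequence: registration first, then local accounts."""
    commands = [manager.command()]
    for user in users:
        commands.extend(user.commands())
    return commands


if __name__ == "__main__":
    # Constructed sample: a virtual device whose Defense Center sits behind NAT.
    sample_manager = ManagerSpec(regkey="abc123", nat_id="efg456")
    sample_users = [UserSpec("jdoe", "basic", max_days=100, warn_days=3, max_failed_logins=3)]
    print("\n".join(render_device_config(sample_manager, sample_users)))
```

The validation happens before any command is produced, so a spec that would leave a device unregistered (DONTRESOLVE without a NAT ID) or a user with an impossible aging window fails in the provisioning tool rather than at the device prompt, where a partially applied sequence is harder to unwind.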
vmware-tools
Enables or disables VMware Tools functionality on a virtual device. This command is available only on virtual devices.
configure vmware-tools {enable | disable}
VMware Tools is a suite of utilities intended to enhance the performance of the virtual machine. These utilities allow you to make full use of the convenient features of VMware products. The system supports a set of VMware Tools plugins on all virtual appliances.
For more information about VMware Tools and the supported plugins, see the VMware website (http://www.vmware.com).
System Commands
The system commands enable the user to manage system-wide files and access control settings. Only users with configuration CLI access can issue commands in system mode.
The following sections describe the system commands:
- access-control
- disable-http-user-cert
- file
- generate-troubleshoot
- ldapsearch
- lockdown-sensor
- nat rollback
- reboot
- restart
- shutdown
access-control
The system access-control commands enable the user to manage the access control configuration on the device.
archive
Saves the currently applied access control policy as a text file in /var/common.
system access-control archive
clear-rule-counts
Resets the access control rule hit counts to 0.
system access-control clear-rule-counts
rollback
Reverts the system to the previously applied access control configuration. You cannot use this command with clustered or stacked devices.
system access-control rollback
disable-http-user-cert
Removes all HTTP user certificates present on the system.
system disable-http-user-cert
file
The system file commands enable the user to manage the files in the common directory (/var/common) on the device.
copy
Uses FTP to transfer files to a remote location on the host using the login username. The local files must be located in the common directory. FTP sends the login credentials and the file contents in cleartext, so prefer secure-copy unless the transfer stays on a trusted management network.
system file copy hostname username path filenames filenames...
where hostname specifies the name or IP address of the target remote host, username specifies the name of the user on the remote host, path specifies the destination path on the remote host, and filenames specifies the local files to transfer; the file names are space-separated.
system file copy sfrocks jdoe /pub *
delete
Removes the specified files from the common directory.
system file delete filenames filenames...
where filenames specifies the files to delete; the file names are space-separated.
system file delete *
list
If no file names are specified, displays the modification time, size, and file name for all the files in the common directory. If file names are specified, displays the modification time, size, and file name for files that match the specified file names.
system file list [filenames filenames...]
where filenames specifies the files to display; the file names are space-separated.
system file list
secure-copy
Uses SCP to transfer files to a remote location on the host using the login username. The local files must be located in the /var/common directory.
system file secure-copy hostname username path filenames filenames...
where hostname specifies the name or IP address of the target remote host, username specifies the name of the user on the remote host, path specifies the destination path on the remote host, and filenames specifies the local files to transfer; the file names are space-separated.
system file secure-copy 10.123.31.1 jdoe /tmp *
generate-troubleshoot
Generates troubleshooting data for analysis by Cisco. Optional parameters select which troubleshooting data is collected.
system generate-troubleshoot
ldapsearch
Enables the user to perform a query of the specified LDAP server. Note that all parameters are required.
system ldapsearch host port baseDN userDN basefilter
where host specifies the LDAP server domain, port specifies the LDAP server port, baseDN specifies the DN (distinguished name) that you want to search under, userDN specifies the DN of the user who binds to the LDAP directory, and basefilter specifies the record or records you want to search for. For example, with baseDN dc=example,dc=com, userDN cn=user1,cn=users,dc=example,dc=com and basefilter cn=user2, the command binds as user1 and searches the example.com directory for the entry whose cn is user2.
lockdown-sensor
Removes the expert command and access to the bash shell on the device.
system lockdown-sensor
nat rollback
Reverts the system to the previously applied NAT configuration. This command is not available on virtual devices and ASA FirePOWER devices. You cannot use this command with clustered or stacked devices.
system nat rollback
reboot
Reboots the device.
system reboot
restart
Restarts the device application.
system restart
shutdown
Shuts down the device. This command is not available on ASA FirePOWER modules.
system shutdown