You can directly SSH to the Cisco FirePOWER Module IP address or issue the session sfr console from the ASA privileged EXEC mode. Below are some useful Cisco FirePOWER Module troubleshooting commands via the command line interface (CLI). These commands are also the same on the Firepower Threat Defense (FTD) device.
$ ssh -l admin 172.27.5.18
The authenticity of host '172.27.5.18 (172.27.5.18)' can't be established.
RSA key fingerprint is b7:d4:2e:76:c3:2a:1d:46:a5:a2:f0:7e:73:d1:12:34.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.27.5.18' (RSA) to the list of known hosts.
Password:
Last login: Thu Dec 21 04:15:09 2017
Copyright 2004-2017, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.
Cisco Fire Linux OS v6.2.0 (build 42)
Cisco ASA5506H v6.2.0 (build 362)
>
ciscoasa# session ?
Available module ID(s):
sfr Module ID
ongc-11high-FW02# session sfr ?
console Login to console port on another module.
do Execute a command on another module.
ip Configure Module logging port ip addresses
<cr>
ciscoasa# session sfr console
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
>
Displaying the Access Control Policy Details
You can use the show access-control-config command to view the access control policy configuration.
> show
access-control-config Show Current Access-Control Configuration
audit-cert Display audit_log cert if any
audit-log Show audit log
cpu Show CPU utilization
database Change to Show Database Mode
device-settings Show device settings
disk Show disk usage
disk-manager Display current status of local disk(s)
dns Show DNS configuration
hostname Show hostname
hosts Show hosts
ifconfig Show currently configured interfaces
interfaces Show interface configuration
kdump Display status of kernel crash dump feature
log-events-to-ramdisk Display Logging of Events to hard disk
log-ips-connection Display Logging of Connection Events setting
managers Show managing Defense Centers
memory Show available memory
model Show model
netstat Show network connections
network Show configuration of management interface
network-static-routes Show static routes for management interfaces
ntp Show NTP configuration
perfstats Show perfstats
process-tree Show processes in tree format
processes Show processes
route Show configured routes
serial-number Show serial number
ssl-policy-config Show Current SSL Policy Configuration
summary Show summary
syslog Show syslog <filter> <max lines per page>
time Show time
traffic-statistics Show traffic statistics
user Show specified users
users Show all users
version Show versions
Show> access-control-config
===========[ Default Allow All Traffic ]============
Description :
=================[ Default Action ]=================
Default Action : Fast-path
Logging Configuration
DC : Disabled
Beginning : Disabled
End : Disabled
Rule Hits : 0
Variable Set : Default-Set
===[ Security Intelligence - Network Whitelist ]====
Name : Global-Whitelist (List)
IP Count : 0
Zone : any
===[ Security Intelligence - Network Blacklist ]====
Logging Configuration : Enabled
DC : Enabled
---------------------[ Block ]----------------------
Name : Global-Blacklist (List)
IP Count : 0
Zone : any
=====[ Security Intelligence - URL Whitelist ]======
Name : Global-Whitelist-for-URL (List)
URL Count : 0
Zone : any
=====[ Security Intelligence - URL Blacklist ]======
Logging Configuration : Enabled
DC : Enabled
---------------------[ Block ]----------------------
Name : Global-Blacklist-for-URL (List)
URL Count : 0
Zone : any
=======[ Security Intelligence - DNS Policy ]=======
Name : Default DNS Policy
Logging Configuration : Enabled
DC : Enabled
======[ Rule Set: admin_category (Built-in) ]=======
=====[ Rule Set: standard_category (Built-in) ]=====
=======[ Rule Set: root_category (Built-in) ]=======
===============[ Advanced Settings ]================
General Settings
Maximum URL Length : 1024
Interactive Block Bypass Timeout : 600
Do not retry URL cache miss lookup : No
Inspect Traffic During Apply : Yes
Network Analysis and Intrusion Policies
Initial Intrusion Policy : No Rules Active
Initial Variable Set : Default-Set
Default Network Analysis Policy : Balanced Security and Connectivity
Files and Malware Settings
File Type Inspect Limit : 1460
Cloud Lookup Timeout : 2
Minimum File Capture Size : 6144
Maximum File Capture Size : 1048576
Min Dynamic Analysis Size : 15360
Max Dynamic Analysis Size : 2097152
Malware Detection Limit : 10485760
Transport/Network Layer Preprocessor Settings
Detection Settings
Ignore VLAN Tracking Connections : No
Maximum Active Responses : No Maximum
Minimum Response Seconds : No Minimum
Session Termination Log Threshold : 1048576
Detection Enhancement Settings
Adaptive Profile : Disabled
Performance Settings
Event Queue
Maximum Queued Events : 5
Disable Reassembled Content Checks: False
Performance Statistics
Sample time (seconds) : 300
Minimum number of packets : 10000
Summary : False
Log Session/Protocol Distribution : False
Regular Expression Limits
Match Recursion Limit : Default
Match Limit : Default
Rule Processing Configuration
Logged Events : 5
Maximum Queued Events : 8
Events Ordered By : Content Length
Intelligent Application Bypass Settings
State : Off
Bypassable Applications and Filters : 0 Applications/Filters
Latency-Based Performance Settings
Packet Handling : Disabled
=============[ Interactive Block HTML ]=============
HTTP/1.1 200 OK
Connection: close
Content-Length: 869
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
<title>Access Denied</title>
<style type="text/css">body {margin:0;font-family:verdana,sans-serif;} h1 {margin:0;padding:12px 25px;background-
color:#343434;color
:#ddd} p {margin:12px 25px;} strong {color:#E0042D;}</style>
</head>
<body>
<h1>Access Denied</h1>
<p>
<strong>You are attempting to access a forbidden site.</strong><br/><br/>
You may continue to the site by clicking on the button below.<br/>
<em>Note:</em> You must have cookies enabled in your browser to continue.</br><br/>
Consult your system administrator for details.<br/><br/>
<noscript><em>This page uses Javascript. Your browser either doesn't support Javascript or you have it turned off.<br/>
To continue to the site, please use a Javascript enabled browser.</em></noscript>
</p>
</body>
</html>
Displaying the Network Configuration
There are several ways to view the network configuration on a Cisco FirePOWER Module.
> show network
===============[ System Information ]===============
Hostname : firepower
Domains : example.net
Management port : 8305
IPv4 Default route
Gateway : 172.27.5.19
======================[ eth0 ]======================
State : Enabled
Channels : Management & Events
Mode : Non-Autonegotiation
MDI/MDIX : Auto/MDIX
MTU : 1500
MAC Address : 50:0F:80:80:AB:CD
----------------------[ IPv4 ]----------------------
Configuration : Manual
Address : 172.27.5.18
Netmask : 255.255.255.224
Broadcast : 172.27.5.19
----------------------[ IPv6 ]----------------------
Configuration : Disabled
===============[ Proxy Information ]================
State : Disabled
Authentication : Disabled
> show ifconfig // SIMILAR TO LINUX ifconfig COMMAND
cplane Link encap:Ethernet HWaddr 00:00:00:02:00:01
inet addr:127.0.2.1 Bcast:127.0.255.255 Mask:255.255.0.0
inet6 addr: fe80::200:ff:fe02:1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:7593492 errors:0 dropped:3777883 overruns:0 frame:0
TX packets:1908174 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:478730921 (456.5 Mb) TX bytes:175547469 (167.4 Mb)
eth0 Link encap:Ethernet HWaddr 50:0F:80:80:AD:DC
inet addr:172.27.5.18 Bcast:172.27.5.19 Mask:255.255.255.0
inet6 addr: fe80::520f:80ff:fe80:addc/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:41729 errors:0 dropped:0 overruns:0 frame:0
TX packets:63173 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5891158 (5.6 Mb) TX bytes:58229136 (55.5 Mb)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.255.255.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:355317 errors:0 dropped:0 overruns:0 frame:0
TX packets:355317 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:45879853 (43.7 Mb) TX bytes:45879853 (43.7 Mb)
tun1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:169.254.0.1 P-t-P:169.254.0.1 Mask:255.255.0.0
inet6 addr: fdcc::bd:0:ffff:a9fe:1/64 Scope:Global
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
> show interfaces
--------------------[ outside ]---------------------
Physical Interface : GigabitEthernet1/1
Type : ASA
Security Zone : None
Status : Enabled
Load Balancing Mode : N/A
---------------------[ inside ]---------------------
Physical Interface : GigabitEthernet1/2
Type : ASA
Security Zone : None
Status : Enabled
Load Balancing Mode : N/A
---------------------[ cplane ]---------------------
IPv4 Address : 127.0.2.1
----------------------[ eth0 ]----------------------
Physical Interface : eth0
Type : Management
Status : Enabled
MDI/MDIX : Auto
MTU : 1500
MAC Address : 50:0F:80:80:12:34
IPv4 Address : 172.27.5.18
----------------------[ tun1 ]----------------------
IPv6 Address : fdcc::bd:0:ffff:a9fe:1/64
---------------------[ tunl0 ]----------------------
----------------------------------------------------
Analyzing Running Processes
> show disk // TO CHECK DISK USAGE; SIMILAR TO LINUX df COMMAND
Filesystem Size Used Avail Use% Mounted on
/dev/root 3.7G 777M 2.8G 22% /
devtmpfs 1.1G 80K 1.1G 1% /dev
/dev/sda1 99M 6.1M 88M 7% /boot
/dev/vda7 38G 6.9G 29G 20% /var
none 1.1G 340K 1.1G 1% /dev/shm
tmpfs 1.1G 0 1.1G 0% /dev/cgroups
> show processes // SIMILAR TO LINUX ps COMMAND
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
23195 sfsnort 1 -19 815m 12m 3704 S 6 0.6 274:40.56 snort
3464 root 20 0 30124 788 736 S 2 0.0 1664:41 UEChanneld
3465 root 20 0 2055m 409m 1808 S 2 18.5 702:23.82 java
21094 root 20 0 2157m 56m 1432 S 2 2.6 24:02.67 SFDataCorrelato
31825 admin 20 0 17428 1332 976 R 2 0.1 0:00.02 top
1 root 20 0 4220 672 624 S 0 0.0 0:51.49 init
2 root 20 0 0 0 0 S 0 0.0 0:00.00 kthreadd
3 root 20 0 0 0 0 S 0 0.0 0:05.25 ksoftirqd/0
5 root 0 -20 0 0 0 S 0 0.0 0:00.00 kworker/0:0H
7 root RT 0 0 0 0 S 0 0.0 0:36.82 migration/0
8 root 20 0 0 0 0 S 0 0.0 15:14.21 rcu_preempt
9 root 20 0 0 0 0 S 0 0.0 0:00.00 rcu_bh
10 root 20 0 0 0 0 S 0 0.0 0:00.00 rcu_sched
<OUTPUT TRUNCATED>
> show process-tree // SIMILAR TO LINUX pstree COMMAND
init(1)-+-acpid(2369)
|-agetty(3418)
|-agetty(3419)
|-agetty(3420)
|-crond(1729)
|-login(22993)---clish(23050)---{clish}(23053)
|-nscd(20395)-+-{nscd}(20396)
| |-{nscd}(20397)
| |-{nscd}(20398)
| |-{nscd}(20399)
| |-{nscd}(20400)
| `-{nscd}(20401)
|-pm(3433)-+-ASAConfig.pl(3452)
| |-ActionQueueScra(3615)
| |-CloudAgent(3463)-+-{CloudAgent}(3529)
| | |-{CloudAgent}(3530)
| | |-{CloudAgent}(3531)
| | |-{CloudAgent}(3532)
| | `-{CloudAgent}(3533)
| |-Pruner.pl(3614)
| |-SFDataCorrelato(21094)-+-{SFDataCorrelato}(21103)
| | |-{SFDataCorrelato}(21104)
| | |-{SFDataCorrelato}(21105)
| | |-{SFDataCorrelato}(21107)
| | |-{SFDataCorrelato}(21108)
| | |-{SFDataCorrelato}(21109)
| | |-{SFDataCorrelato}(21110)
| | |-{SFDataCorrelato}(21111)
| | |-{SFDataCorrelato}(21112)
| | |-{SFDataCorrelato}(21113)
| | |-{SFDataCorrelato}(21134)
| | |-{SFDataCorrelato}(21137)
| | |-{SFDataCorrelato}(21138)
| | |-{SFDataCorrelato}(21140)
| | |-{SFDataCorrelato}(21141)
| | |-{SFDataCorrelato}(21142)
| | |-{SFDataCorrelato}(21143)
| | |-{SFDataCorrelato}(21144)
| | |-{SFDataCorrelato}(21145)
| | |-{SFDataCorrelato}(21146)
| | |-{SFDataCorrelato}(21147)
| | |-{SFDataCorrelato}(21148)
| | |-{SFDataCorrelato}(21149)
| | |-{SFDataCorrelato}(21150)
| | |-{SFDataCorrelato}(21152)
| | |-{SFDataCorrelato}(21156)
| | |-{SFDataCorrelato}(21157)
| | |-{SFDataCorrelato}(21158)
| | |-{SFDataCorrelato}(21160)
| | `-{SFDataCorrelato}(23205)
<OUTPUT TRUNCATED>
Using the System Log (Syslog)
> expert // GO TO EXPERT MODE
admin@firepower:~$ cd / // CHANGE TO ROOT DIRECTORY
admin@firepower:/$ ls
DBCheck.log Volume bin boot cisco dev etc home lib lib64 lost+found mnt proc root sbin sys tmp usr var
admin@firepower:/$ cd /var/log
admin@firepower:/var/log$ ls
action_queue.log firstboot.S50install-remediation-modules process_stdout.log
action_queue.log.1.gz firstboot.S51install_health_policy.pl process_stdout.log.1.gz
action_queue.log.2.gz firstboot.S52install_system_policy.pl process_stdout.log.2.gz
action_queue.log.3.gz firstboot.S53change_reconciliation_baseline.pl process_stdout.log.3.gz
action_queue.log.4.gz firstboot.S53createcsds.pl process_stdout.log.4.gz
asacx_init.log firstboot.S70remove_casuser.pl pruner.log
audit firstboot.S70update_sensor_objects.sh pruner.log.1.gz
btmp firstboot.S85patch_history-init pruner.log.2.gz
cc-integrity.log firstboot.S90banner-init pruner.log.3.gz
cisco firstboot.S95copy-crontab pruner.log.4.gz
configure-model.log firstboot.S96grow_var.sh query_engine.log
configure.log firstboot.S96install_sf_whitelist query_engine.log.1.gz
configure.log.old firstboot.S96install_vmware_tools.pl query_engine.log.2.gz
cron firstboot.S96localize-templates query_engine.log.3.gz
cron.1.gz firstboot.S96ovf-data.pl query_engine.log.4.gz
cron.2.gz firstboot.S97compress-client-resources reconfigure.45update-sensor.pl
cron.3.gz firstboot.S97create_platinum_forms.pl reconfigure.55recalculate_arc.pl
cron.4.gz firstboot.S97install_cas remove_old_var.log
diskmanager.log firstboot.S97install_cloud_support.pl removed_packages
dmesg firstboot.S97install_geolocation.pl removed_scripts
eth0.down.log firstboot.S97install_ssl_inspection.pl sa
eth0.down.log.old firstboot.S97update_modprobe.pl sam.log
eth0.up.log firstboot.S98check-db-integrity.sh sam.log.1.gz
eth0.up.log.old firstboot.S98htaccess-init sam.log.2.gz
eth1.down.log firstboot.S98is-sru-finished.sh sam.log.3.gz
eth1.down.log.old firstboot.S99_z_cc-integrity.sh sam.log.4.gz
eth1.up.log firstboot.S99correct_ipmi.pl scripts
eth1.up.log.old firstboot.S99start-system seshat
faillog firstboot.S99z_db_restore setup
firesight-query.log firstboot.control sf
firesight-query.log.1.gz httpd snapshot_manager.log
firesight-query.log.2.gz ifup-static-route.log syncd.log
firesight-query.log.3.gz init_cgroups.log syncd.log.1.gz
firesight-query.log.4.gz initialize.log syncd.log.2.gz
firstboot.S01reset_failopen_if lastlog syncd.log.3.gz
firstboot.S01virtual-machine-reconfigure lo.down.log syncd.log.4.gz
firstboot.S02aws-pull-cfg lo.down.log.old time_series.log
firstboot.S04fix-httpd.sh lo.up.log time_series.log.1.gz
firstboot.S05set-default-ipv4.pl lo.up.log.old time_series.log.2.gz
firstboot.S05set-mgmnt-port messages time_series.log.3.gz
firstboot.S06addusers messages.1.gz time_series.log.4.gz
firstboot.S07uuid-init messages.2.gz top.log
firstboot.S08configure_mysql messages.3.gz top.log.1.gz
firstboot.S09database-init messages.4.gz top.log.10.gz
firstboot.S10database.15vulndb-init.log model_info_log top.log.11.gz
firstboot.S11database-populate mojo top.log.12.gz
firstboot.S12install_infodb myisamchk.log top.log.13.gz
firstboot.S15set-locale.sh nscd.log top.log.14.gz
firstboot.S16update-sensor.pl nscd.log.1.gz top.log.2.gz
firstboot.S19cert-tun-init nscd.log.2.gz top.log.3.gz
firstboot.S20cert-init nscd.log.3.gz top.log.4.gz
firstboot.S21disable_estreamer nscd.log.4.gz top.log.5.gz
firstboot.S25create_default_des.pl ntp.log top.log.6.gz
firstboot.S30init_lights_out_mgmt.pl openssl-selftest.log top.log.7.gz
firstboot.S40install_default_filters.pl packages top.log.8.gz
firstboot.S42install_default_dashboards.pl process_stderr.log top.log.9.gz
firstboot.S43install_default_report_templates.pl process_stderr.log.1.gz umpd_stderr.log
firstboot.S44install_default_app_filters.pl process_stderr.log.2.gz urldb_log
firstboot.S45install_default_realms.pl process_stderr.log.3.gz wtmp
firstboot.S47install_default_sandbox_EO.pl process_stderr.log.4.gz wtmp.1
admin@firepower:/var/log$ cat eth0.down.log // USE cat TO VIEW DETAILED LOGS
Clearing static routes
Unconfiguring default route
Ignoring -device
Ignoring eth0
(5) No device specified
Command [clear_default_route -device eth0 -4] succeeded!
Unconfiguring address on eth0
Unconfiguring IPv4 on eth0
Command [/sbin/ip -4 addr flush dev eth0] succeeded!
Successfully unconfigure eth0 for IPv4
Command [unconfigure_ip -4 -device eth0] succeeded!
Unconfiguring IPv6
Command [/usr/sbin/dhclient -6 -x eth0 -sf /etc/sysconfig/network-scripts/dhclient-script] succeeded!
Ignoring -device
Ignoring eth0
Command [/sbin/ip -6 route delete default dev eth0] succeeded!
Unconfiguring IPv6 on eth0
Stoping ipv6
Command [/sbin/ip -6 addr flush dev eth0 scope global] succeeded!
Command [/sbin/ip -6 addr flush dev eth0 scope global] succeeded!
Successfully unconfigure eth0 for IPv6
Command [/sbin/ip -6 addr flush dev eth0 scope global] succeeded!
Command [total_unconfigure -device eth0 -6] succeeded!
Downing interface
Command [/sbin/ip link set dev eth0 down] succeeded!
Command [down_interface -device eth0] succeeded!
Generating Advanced Troubleshooting Logs
> system generate-troubleshoot
system generate-troubleshoot options ...
Run troubleshoot
options ... Selectable Troubleshoot Options
> system generate-troubleshoot
One or more subset options required. Displaying list of options:
ALL - Run ALL Of The Following Options
SNT - Snort Performance and Configuration
PER - Hardware Performance and Logs
SYS - System Configuration, Policy, and Logs
DES - Detection Configuration, Policy, and Logs
NET - Interface and Network Related Data
VDB - Discovery, Awareness, VDB Data, and Logs
UPG - Upgrade Data and Logs
DBO - All Database Data
LOG - All Log Data
NMP - Network Map Information
> system generate-troubleshoot all // TAKE SEVERAL MINUTES TO FINISH; CISCO TAC WILL USUALLY ASK YOU TO RUN AND SEND THE OUTPUT TO THEM FOR FURTHER ANALYSIS
> system support
application-identification-debug Generate application identification debug messages
bootloader Display bootloader information
capture-traffic Display traffic or save to specified file
debug-DAQ Debug for DAQ functionality
debug-DAQ-reset Reset DAQ debug configuration file
dump-table Dump specified database tables to common file repository
eotool Change to Enterprise Object Tool Mode
file-malware-debug Generate file malware debug messages
firewall-engine-debug Generate firewall debug messages
firewall-engine-dump-user-identity-data Generate a file containing the current state of user identity within the firewall
firewall-httpmod-debug Generate http_mod preprocessor debug messages
fstab Display the file systems table
iptables Display IP packet filter rules
network-options Display network options
nslookup Look up an IP address or host name with the DNS servers
ntp Show NTP configuration
partitions Display partition information
pigtail Tail log files for debugging (pigtail)
ping Ping a host to check reachability
platform Display platform information
pmtool Change to PMTool Mode
repair-table Repair specified database tables
rpms Display RPM information
run-rule-profiling Run Rule Profiling
scsi Show SCSI device information
set-arc-mode Set the Automatic Resource Configuration optimization mode
sftunnel-status Show sftunnel status
show-arc-mode Show the Automatic Resource Configuration optimization mode value
silo-drain Assists with Disk Management
ssl-client-hello-display Display SSL Client Hello configuration settings
ssl-client-hello-enabled SSL Client Hello Enabled Settings
ssl-client-hello-force-reset Reset SSL Client Hello configuration file without user confirmation
ssl-client-hello-reset Reset SSL Client Hello configuration file
ssl-client-hello-tuning SSL Client Hello Detailed Tuning
ssl-debug Debugging for SSL functionality
ssl-debug-reset Reset SSL Debug configuration file
ssl-tuning Tune aspects of SSL functionality
ssl-tuning-reset Reset SSL Tuning configuration file
swap Display swap information
tail-logs Tails the logs selected by the user
trace Generate debug trace messages for packets
traceroute Find route to remote network
utilization Display current system utilization
view-files View files in the system
> system support firewall-engine-debug // DEBUG ACCESS CONTROL RULE IN REAL TIME
$ ssh -l admin 172.27.5.18
The authenticity of host '172.27.5.18 (172.27.5.18)' can't be established.
RSA key fingerprint is b7:d4:2e:76:c3:2a:1d:46:a5:a2:f0:7e:73:d1:12:34.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.27.5.18' (RSA) to the list of known hosts.
Password:
Last login: Thu Dec 21 04:15:09 2017
Copyright 2004-2017, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.
Cisco Fire Linux OS v6.2.0 (build 42)
Cisco ASA5506H v6.2.0 (build 362)
>
ciscoasa# session ?
Available module ID(s):
sfr Module ID
ongc-11high-FW02# session sfr ?
console Login to console port on another module.
do Execute a command on another module.
ip Configure Module logging port ip addresses
<cr>
ciscoasa# session sfr console
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
>
Displaying the Access Control Policy Details
You can use the show access-control-config command to view the access control policy configuration.
> show
access-control-config Show Current Access-Control Configuration
audit-cert Display audit_log cert if any
audit-log Show audit log
cpu Show CPU utilization
database Change to Show Database Mode
device-settings Show device settings
disk Show disk usage
disk-manager Display current status of local disk(s)
dns Show DNS configuration
hostname Show hostname
hosts Show hosts
ifconfig Show currently configured interfaces
interfaces Show interface configuration
kdump Display status of kernel crash dump feature
log-events-to-ramdisk Display Logging of Events to hard disk
log-ips-connection Display Logging of Connection Events setting
managers Show managing Defense Centers
memory Show available memory
model Show model
netstat Show network connections
network Show configuration of management interface
network-static-routes Show static routes for management interfaces
ntp Show NTP configuration
perfstats Show perfstats
process-tree Show processes in tree format
processes Show processes
route Show configured routes
serial-number Show serial number
ssl-policy-config Show Current SSL Policy Configuration
summary Show summary
syslog Show syslog <filter> <max lines per page>
time Show time
traffic-statistics Show traffic statistics
user Show specified users
users Show all users
version Show versions
Show> access-control-config
===========[ Default Allow All Traffic ]============
Description :
=================[ Default Action ]=================
Default Action : Fast-path
Logging Configuration
DC : Disabled
Beginning : Disabled
End : Disabled
Rule Hits : 0
Variable Set : Default-Set
===[ Security Intelligence - Network Whitelist ]====
Name : Global-Whitelist (List)
IP Count : 0
Zone : any
===[ Security Intelligence - Network Blacklist ]====
Logging Configuration : Enabled
DC : Enabled
---------------------[ Block ]----------------------
Name : Global-Blacklist (List)
IP Count : 0
Zone : any
=====[ Security Intelligence - URL Whitelist ]======
Name : Global-Whitelist-for-URL (List)
URL Count : 0
Zone : any
=====[ Security Intelligence - URL Blacklist ]======
Logging Configuration : Enabled
DC : Enabled
---------------------[ Block ]----------------------
Name : Global-Blacklist-for-URL (List)
URL Count : 0
Zone : any
=======[ Security Intelligence - DNS Policy ]=======
Name : Default DNS Policy
Logging Configuration : Enabled
DC : Enabled
======[ Rule Set: admin_category (Built-in) ]=======
=====[ Rule Set: standard_category (Built-in) ]=====
=======[ Rule Set: root_category (Built-in) ]=======
===============[ Advanced Settings ]================
General Settings
Maximum URL Length : 1024
Interactive Block Bypass Timeout : 600
Do not retry URL cache miss lookup : No
Inspect Traffic During Apply : Yes
Network Analysis and Intrusion Policies
Initial Intrusion Policy : No Rules Active
Initial Variable Set : Default-Set
Default Network Analysis Policy : Balanced Security and Connectivity
Files and Malware Settings
File Type Inspect Limit : 1460
Cloud Lookup Timeout : 2
Minimum File Capture Size : 6144
Maximum File Capture Size : 1048576
Min Dynamic Analysis Size : 15360
Max Dynamic Analysis Size : 2097152
Malware Detection Limit : 10485760
Transport/Network Layer Preprocessor Settings
Detection Settings
Ignore VLAN Tracking Connections : No
Maximum Active Responses : No Maximum
Minimum Response Seconds : No Minimum
Session Termination Log Threshold : 1048576
Detection Enhancement Settings
Adaptive Profile : Disabled
Performance Settings
Event Queue
Maximum Queued Events : 5
Disable Reassembled Content Checks: False
Performance Statistics
Sample time (seconds) : 300
Minimum number of packets : 10000
Summary : False
Log Session/Protocol Distribution : False
Regular Expression Limits
Match Recursion Limit : Default
Match Limit : Default
Rule Processing Configuration
Logged Events : 5
Maximum Queued Events : 8
Events Ordered By : Content Length
Intelligent Application Bypass Settings
State : Off
Bypassable Applications and Filters : 0 Applications/Filters
Latency-Based Performance Settings
Packet Handling : Disabled
=============[ Interactive Block HTML ]=============
HTTP/1.1 200 OK
Connection: close
Content-Length: 869
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
<title>Access Denied</title>
<style type="text/css">body {margin:0;font-family:verdana,sans-serif;} h1 {margin:0;padding:12px 25px;background-
color:#343434;color
:#ddd} p {margin:12px 25px;} strong {color:#E0042D;}</style>
</head>
<body>
<h1>Access Denied</h1>
<p>
<strong>You are attempting to access a forbidden site.</strong><br/><br/>
You may continue to the site by clicking on the button below.<br/>
<em>Note:</em> You must have cookies enabled in your browser to continue.</br><br/>
Consult your system administrator for details.<br/><br/>
<noscript><em>This page uses Javascript. Your browser either doesn't support Javascript or you have it turned off.<br/>
To continue to the site, please use a Javascript enabled browser.</em></noscript>
</p>
</body>
</html>
Displaying the Network Configuration
There are several ways to view the network configuration on a Cisco FirePOWER Module.
> show network
===============[ System Information ]===============
Hostname : firepower
Domains : example.net
Management port : 8305
IPv4 Default route
Gateway : 172.27.5.19
======================[ eth0 ]======================
State : Enabled
Channels : Management & Events
Mode : Non-Autonegotiation
MDI/MDIX : Auto/MDIX
MTU : 1500
MAC Address : 50:0F:80:80:AB:CD
----------------------[ IPv4 ]----------------------
Configuration : Manual
Address : 172.27.5.18
Netmask : 255.255.255.224
Broadcast : 172.27.5.19
----------------------[ IPv6 ]----------------------
Configuration : Disabled
===============[ Proxy Information ]================
State : Disabled
Authentication : Disabled
> show ifconfig // SIMILAR TO LINUX ifconfig COMMAND
cplane Link encap:Ethernet HWaddr 00:00:00:02:00:01
inet addr:127.0.2.1 Bcast:127.0.255.255 Mask:255.255.0.0
inet6 addr: fe80::200:ff:fe02:1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:7593492 errors:0 dropped:3777883 overruns:0 frame:0
TX packets:1908174 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:478730921 (456.5 Mb) TX bytes:175547469 (167.4 Mb)
eth0 Link encap:Ethernet HWaddr 50:0F:80:80:AD:DC
inet addr:172.27.5.18 Bcast:172.27.5.19 Mask:255.255.255.0
inet6 addr: fe80::520f:80ff:fe80:addc/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:41729 errors:0 dropped:0 overruns:0 frame:0
TX packets:63173 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5891158 (5.6 Mb) TX bytes:58229136 (55.5 Mb)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.255.255.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:355317 errors:0 dropped:0 overruns:0 frame:0
TX packets:355317 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:45879853 (43.7 Mb) TX bytes:45879853 (43.7 Mb)
tun1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:169.254.0.1 P-t-P:169.254.0.1 Mask:255.255.0.0
inet6 addr: fdcc::bd:0:ffff:a9fe:1/64 Scope:Global
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
> show interfaces
--------------------[ outside ]---------------------
Physical Interface : GigabitEthernet1/1
Type : ASA
Security Zone : None
Status : Enabled
Load Balancing Mode : N/A
---------------------[ inside ]---------------------
Physical Interface : GigabitEthernet1/2
Type : ASA
Security Zone : None
Status : Enabled
Load Balancing Mode : N/A
---------------------[ cplane ]---------------------
IPv4 Address : 127.0.2.1
----------------------[ eth0 ]----------------------
Physical Interface : eth0
Type : Management
Status : Enabled
MDI/MDIX : Auto
MTU : 1500
MAC Address : 50:0F:80:80:12:34
IPv4 Address : 172.27.5.18
----------------------[ tun1 ]----------------------
IPv6 Address : fdcc::bd:0:ffff:a9fe:1/64
---------------------[ tunl0 ]----------------------
----------------------------------------------------
Analyzing Running Processes
> show disk // TO CHECK DISK USAGE; SIMILAR TO LINUX df COMMAND
Filesystem Size Used Avail Use% Mounted on
/dev/root 3.7G 777M 2.8G 22% /
devtmpfs 1.1G 80K 1.1G 1% /dev
/dev/sda1 99M 6.1M 88M 7% /boot
/dev/vda7 38G 6.9G 29G 20% /var
none 1.1G 340K 1.1G 1% /dev/shm
tmpfs 1.1G 0 1.1G 0% /dev/cgroups
> show processes // SIMILAR TO LINUX ps COMMAND
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
23195 sfsnort 1 -19 815m 12m 3704 S 6 0.6 274:40.56 snort
3464 root 20 0 30124 788 736 S 2 0.0 1664:41 UEChanneld
3465 root 20 0 2055m 409m 1808 S 2 18.5 702:23.82 java
21094 root 20 0 2157m 56m 1432 S 2 2.6 24:02.67 SFDataCorrelato
31825 admin 20 0 17428 1332 976 R 2 0.1 0:00.02 top
1 root 20 0 4220 672 624 S 0 0.0 0:51.49 init
2 root 20 0 0 0 0 S 0 0.0 0:00.00 kthreadd
3 root 20 0 0 0 0 S 0 0.0 0:05.25 ksoftirqd/0
5 root 0 -20 0 0 0 S 0 0.0 0:00.00 kworker/0:0H
7 root RT 0 0 0 0 S 0 0.0 0:36.82 migration/0
8 root 20 0 0 0 0 S 0 0.0 15:14.21 rcu_preempt
9 root 20 0 0 0 0 S 0 0.0 0:00.00 rcu_bh
10 root 20 0 0 0 0 S 0 0.0 0:00.00 rcu_sched
<OUTPUT TRUNCATED>
> show process-tree // SIMILAR TO LINUX pstree COMMAND
init(1)-+-acpid(2369)
|-agetty(3418)
|-agetty(3419)
|-agetty(3420)
|-crond(1729)
|-login(22993)---clish(23050)---{clish}(23053)
|-nscd(20395)-+-{nscd}(20396)
| |-{nscd}(20397)
| |-{nscd}(20398)
| |-{nscd}(20399)
| |-{nscd}(20400)
| `-{nscd}(20401)
|-pm(3433)-+-ASAConfig.pl(3452)
| |-ActionQueueScra(3615)
| |-CloudAgent(3463)-+-{CloudAgent}(3529)
| | |-{CloudAgent}(3530)
| | |-{CloudAgent}(3531)
| | |-{CloudAgent}(3532)
| | `-{CloudAgent}(3533)
| |-Pruner.pl(3614)
| |-SFDataCorrelato(21094)-+-{SFDataCorrelato}(21103)
| | |-{SFDataCorrelato}(21104)
| | |-{SFDataCorrelato}(21105)
| | |-{SFDataCorrelato}(21107)
| | |-{SFDataCorrelato}(21108)
| | |-{SFDataCorrelato}(21109)
| | |-{SFDataCorrelato}(21110)
| | |-{SFDataCorrelato}(21111)
| | |-{SFDataCorrelato}(21112)
| | |-{SFDataCorrelato}(21113)
| | |-{SFDataCorrelato}(21134)
| | |-{SFDataCorrelato}(21137)
| | |-{SFDataCorrelato}(21138)
| | |-{SFDataCorrelato}(21140)
| | |-{SFDataCorrelato}(21141)
| | |-{SFDataCorrelato}(21142)
| | |-{SFDataCorrelato}(21143)
| | |-{SFDataCorrelato}(21144)
| | |-{SFDataCorrelato}(21145)
| | |-{SFDataCorrelato}(21146)
| | |-{SFDataCorrelato}(21147)
| | |-{SFDataCorrelato}(21148)
| | |-{SFDataCorrelato}(21149)
| | |-{SFDataCorrelato}(21150)
| | |-{SFDataCorrelato}(21152)
| | |-{SFDataCorrelato}(21156)
| | |-{SFDataCorrelato}(21157)
| | |-{SFDataCorrelato}(21158)
| | |-{SFDataCorrelato}(21160)
| | `-{SFDataCorrelato}(23205)
<OUTPUT TRUNCATED>
Using the System Log (Syslog)
> expert // GO TO EXPERT MODE
admin@firepower:~$ cd / // CHANGE TO ROOT DIRECTORY
admin@firepower:/$ ls
DBCheck.log Volume bin boot cisco dev etc home lib lib64 lost+found mnt proc root sbin sys tmp usr var
admin@firepower:/$ cd /var/log
admin@firepower:/var/log$ ls
action_queue.log firstboot.S50install-remediation-modules process_stdout.log
action_queue.log.1.gz firstboot.S51install_health_policy.pl process_stdout.log.1.gz
action_queue.log.2.gz firstboot.S52install_system_policy.pl process_stdout.log.2.gz
action_queue.log.3.gz firstboot.S53change_reconciliation_baseline.pl process_stdout.log.3.gz
action_queue.log.4.gz firstboot.S53createcsds.pl process_stdout.log.4.gz
asacx_init.log firstboot.S70remove_casuser.pl pruner.log
audit firstboot.S70update_sensor_objects.sh pruner.log.1.gz
btmp firstboot.S85patch_history-init pruner.log.2.gz
cc-integrity.log firstboot.S90banner-init pruner.log.3.gz
cisco firstboot.S95copy-crontab pruner.log.4.gz
configure-model.log firstboot.S96grow_var.sh query_engine.log
configure.log firstboot.S96install_sf_whitelist query_engine.log.1.gz
configure.log.old firstboot.S96install_vmware_tools.pl query_engine.log.2.gz
cron firstboot.S96localize-templates query_engine.log.3.gz
cron.1.gz firstboot.S96ovf-data.pl query_engine.log.4.gz
cron.2.gz firstboot.S97compress-client-resources reconfigure.45update-sensor.pl
cron.3.gz firstboot.S97create_platinum_forms.pl reconfigure.55recalculate_arc.pl
cron.4.gz firstboot.S97install_cas remove_old_var.log
diskmanager.log firstboot.S97install_cloud_support.pl removed_packages
dmesg firstboot.S97install_geolocation.pl removed_scripts
eth0.down.log firstboot.S97install_ssl_inspection.pl sa
eth0.down.log.old firstboot.S97update_modprobe.pl sam.log
eth0.up.log firstboot.S98check-db-integrity.sh sam.log.1.gz
eth0.up.log.old firstboot.S98htaccess-init sam.log.2.gz
eth1.down.log firstboot.S98is-sru-finished.sh sam.log.3.gz
eth1.down.log.old firstboot.S99_z_cc-integrity.sh sam.log.4.gz
eth1.up.log firstboot.S99correct_ipmi.pl scripts
eth1.up.log.old firstboot.S99start-system seshat
faillog firstboot.S99z_db_restore setup
firesight-query.log firstboot.control sf
firesight-query.log.1.gz httpd snapshot_manager.log
firesight-query.log.2.gz ifup-static-route.log syncd.log
firesight-query.log.3.gz init_cgroups.log syncd.log.1.gz
firesight-query.log.4.gz initialize.log syncd.log.2.gz
firstboot.S01reset_failopen_if lastlog syncd.log.3.gz
firstboot.S01virtual-machine-reconfigure lo.down.log syncd.log.4.gz
firstboot.S02aws-pull-cfg lo.down.log.old time_series.log
firstboot.S04fix-httpd.sh lo.up.log time_series.log.1.gz
firstboot.S05set-default-ipv4.pl lo.up.log.old time_series.log.2.gz
firstboot.S05set-mgmnt-port messages time_series.log.3.gz
firstboot.S06addusers messages.1.gz time_series.log.4.gz
firstboot.S07uuid-init messages.2.gz top.log
firstboot.S08configure_mysql messages.3.gz top.log.1.gz
firstboot.S09database-init messages.4.gz top.log.10.gz
firstboot.S10database.15vulndb-init.log model_info_log top.log.11.gz
firstboot.S11database-populate mojo top.log.12.gz
firstboot.S12install_infodb myisamchk.log top.log.13.gz
firstboot.S15set-locale.sh nscd.log top.log.14.gz
firstboot.S16update-sensor.pl nscd.log.1.gz top.log.2.gz
firstboot.S19cert-tun-init nscd.log.2.gz top.log.3.gz
firstboot.S20cert-init nscd.log.3.gz top.log.4.gz
firstboot.S21disable_estreamer nscd.log.4.gz top.log.5.gz
firstboot.S25create_default_des.pl ntp.log top.log.6.gz
firstboot.S30init_lights_out_mgmt.pl openssl-selftest.log top.log.7.gz
firstboot.S40install_default_filters.pl packages top.log.8.gz
firstboot.S42install_default_dashboards.pl process_stderr.log top.log.9.gz
firstboot.S43install_default_report_templates.pl process_stderr.log.1.gz umpd_stderr.log
firstboot.S44install_default_app_filters.pl process_stderr.log.2.gz urldb_log
firstboot.S45install_default_realms.pl process_stderr.log.3.gz wtmp
firstboot.S47install_default_sandbox_EO.pl process_stderr.log.4.gz wtmp.1
admin@firepower:/var/log$ cat eth0.down.log // USE cat TO VIEW DETAILED LOGS
Clearing static routes
Unconfiguring default route
Ignoring -device
Ignoring eth0
(5) No device specified
Command [clear_default_route -device eth0 -4] succeeded!
Unconfiguring address on eth0
Unconfiguring IPv4 on eth0
Command [/sbin/ip -4 addr flush dev eth0] succeeded!
Successfully unconfigure eth0 for IPv4
Command [unconfigure_ip -4 -device eth0] succeeded!
Unconfiguring IPv6
Command [/usr/sbin/dhclient -6 -x eth0 -sf /etc/sysconfig/network-scripts/dhclient-script] succeeded!
Ignoring -device
Ignoring eth0
Command [/sbin/ip -6 route delete default dev eth0] succeeded!
Unconfiguring IPv6 on eth0
Stoping ipv6
Command [/sbin/ip -6 addr flush dev eth0 scope global] succeeded!
Command [/sbin/ip -6 addr flush dev eth0 scope global] succeeded!
Successfully unconfigure eth0 for IPv6
Command [/sbin/ip -6 addr flush dev eth0 scope global] succeeded!
Command [total_unconfigure -device eth0 -6] succeeded!
Downing interface
Command [/sbin/ip link set dev eth0 down] succeeded!
Command [down_interface -device eth0] succeeded!
Generating Advanced Troubleshooting Logs
> system generate-troubleshoot
system generate-troubleshoot options ...
Run troubleshoot
options ... Selectable Troubleshoot Options
> system generate-troubleshoot
One or more subset options required. Displaying list of options:
ALL - Run ALL Of The Following Options
SNT - Snort Performance and Configuration
PER - Hardware Performance and Logs
SYS - System Configuration, Policy, and Logs
DES - Detection Configuration, Policy, and Logs
NET - Interface and Network Related Data
VDB - Discovery, Awareness, VDB Data, and Logs
UPG - Upgrade Data and Logs
DBO - All Database Data
LOG - All Log Data
NMP - Network Map Information
> system generate-troubleshoot all // TAKE SEVERAL MINUTES TO FINISH; CISCO TAC WILL USUALLY ASK YOU TO RUN AND SEND THE OUTPUT TO THEM FOR FURTHER ANALYSIS
> system support
application-identification-debug Generate application identification debug messages
bootloader Display bootloader information
capture-traffic Display traffic or save to specified file
debug-DAQ Debug for DAQ functionality
debug-DAQ-reset Reset DAQ debug configuration file
dump-table Dump specified database tables to common file repository
eotool Change to Enterprise Object Tool Mode
file-malware-debug Generate file malware debug messages
firewall-engine-debug Generate firewall debug messages
firewall-engine-dump-user-identity-data Generate a file containing the current state of user identity within the firewall
firewall-httpmod-debug Generate http_mod preprocessor debug messages
fstab Display the file systems table
iptables Display IP packet filter rules
network-options Display network options
nslookup Look up an IP address or host name with the DNS servers
ntp Show NTP configuration
partitions Display partition information
pigtail Tail log files for debugging (pigtail)
ping Ping a host to check reachability
platform Display platform information
pmtool Change to PMTool Mode
repair-table Repair specified database tables
rpms Display RPM information
run-rule-profiling Run Rule Profiling
scsi Show SCSI device information
set-arc-mode Set the Automatic Resource Configuration optimization mode
sftunnel-status Show sftunnel status
show-arc-mode Show the Automatic Resource Configuration optimization mode value
silo-drain Assists with Disk Management
ssl-client-hello-display Display SSL Client Hello configuration settings
ssl-client-hello-enabled SSL Client Hello Enabled Settings
ssl-client-hello-force-reset Reset SSL Client Hello configuration file without user confirmation
ssl-client-hello-reset Reset SSL Client Hello configuration file
ssl-client-hello-tuning SSL Client Hello Detailed Tuning
ssl-debug Debugging for SSL functionality
ssl-debug-reset Reset SSL Debug configuration file
ssl-tuning Tune aspects of SSL functionality
ssl-tuning-reset Reset SSL Tuning configuration file
swap Display swap information
tail-logs Tails the logs selected by the user
trace Generate debug trace messages for packets
traceroute Find route to remote network
utilization Display current system utilization
view-files View files in the system
> system support firewall-engine-debug // DEBUG ACCESS CONTROL RULE IN REAL TIME
No comments:
Post a Comment