About the FXOS CLI

For the Firepower 1000, 2100, and Secure Firewall 1200/3100/4200 in Appliance mode, only show commands and advanced troubleshooting commands are available from the Secure Firewall eXtensible Operating System (FXOS) CLI.

For the Firepower 2100 in Platform mode, you must use FXOS to configure basic operating parameters and hardware interface settings. For more information about configuring the Secure Firewall ASA with FXOS, see the Firepower 2100 ASA Platform Mode FXOS Configuration Guide.

FXOS CLI Managed Object Model

FXOS uses a managed object model, where managed objects are abstract representations of physical or logical entities that can be managed. For example, chassis, network modules, ports, and processors are physical entities represented as managed objects, and licenses, user roles, and platform policies are logical entities represented as managed objects.

Four general commands are available for object management:

  • create object

  • delete object

  • enter object

  • scope object


Note


For Appliance mode, create and delete commands are not available.


You can use the scope command with any managed object, whether a permanent object or a user-instantiated object. The other commands allow you to create and manage user-instantiated objects. For every create object command, a corresponding delete object and enter object command exists. You can use the enter object command to create new objects and edit existing objects, so you can use it instead of the create object command, which will give an error if an object already exists.

At any time, you can enter the ? character to display the options available at the current state of the command syntax.

Access the ASA and FXOS CLI for Appliance Mode

You can use the ASA CLI to troubleshoot or configure the ASA instead of using ASDM. You can access the CLI by connecting to the console port. You can later configure SSH access to the ASA on any interface; SSH access is disabled by default. See the ASA general operations configuration guide for more information.

You can also access the FXOS CLI from the ASA CLI for troubleshooting purposes.

Procedure


Step 1

Connect your management computer to the console port. Be sure to install any necessary serial drivers for your operating system. Use the following serial settings:

  • 9600 baud

  • 8 data bits

  • No parity

  • 1 stop bit

You connect to the ASA CLI. There are no user credentials required for console access by default.

Step 2

Access privileged EXEC mode.

enable

You are prompted to change the password the first time you enter the enable command.

Example:


ciscoasa> enable
Password:
The enable password is not set. Please set it now.
Enter Password: ******
Repeat Password: ******
ciscoasa#

If the ASA fails to boot up and you enter FXOS failsafe mode, the enable password that you set on the ASA is also the FXOS admin user password.

All non-configuration commands are available in privileged EXEC mode. You can also enter configuration mode from privileged EXEC mode.

To exit privileged EXEC mode, enter the disable, exit, or quit command.

Step 3

Access global configuration mode.

configure terminal

Example:


ciscoasa# configure terminal
ciscoasa(config)#

You can begin to configure the ASA from global configuration mode. To exit global configuration mode, enter the exit, quit, or end command.

Step 4

(Optional) Connect to the FXOS CLI.

connect fxos [admin]

  • admin —Provides admin-level access. Without this option, users have read-only access. Note that no configuration commands are available even in admin mode.

You are not prompted for user credentials. The current ASA username is passed through to FXOS, and no additional login is required. To return to the ASA CLI, enter exit or type Ctrl-Shift-6, x.

Within FXOS, you can view user activity using the scope security/show audit-logs command.

Example:


ciscoasa# connect fxos admin
Connecting to fxos.
Connected to fxos. Escape character sequence is 'CTRL-^X'.
firepower# 
firepower# exit
Connection with FXOS terminated.
Type help or '?' for a list of available commands.
ciscoasa#


Access the ASA and FXOS CLI in Platform Mode

This section describes how to connect to the FXOS and ASA console and how to connect to FXOS using SSH.

Connect to FXOS with SSH

You can connect to FXOS on Management 1/1 with the default IP address, 192.168.45.45. If you configure remote management, you can also connect to the data interface IP address on a non-standard port (3022 by default).

To connect using SSH to the ASA, you must first configure SSH access according to the ASA general operations configuration guide.

You can connect to the ASA CLI from FXOS, and vice versa.

FXOS allows up to 8 SSH connections.

Procedure


Step 1

On the management computer connected to Management 1/1, SSH to the management IP address (by default 192.168.45.45, with the username: admin and password: Admin123).

You can log in with any username if you added users in FXOS. If you configure remote management, SSH to the ASA data interface IP address on port 3022 (the default port).

Step 2

Connect to the ASA CLI.

connect asa

To return to the FXOS CLI, enter Ctrl+a, d.

Example:


firepower-2110# connect asa
Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.
ciscoasa>

Step 3

If you SSH to the ASA (after you configure SSH access in the ASA), connect to the FXOS CLI.

connect fxos

You are prompted to authenticate for FXOS; use the default username: admin and password: Admin123. To return to the ASA CLI, enter exit or type Ctrl-Shift-6, x.

Example:


ciscoasa# connect fxos
Connecting to fxos.
Connected to fxos. Escape character sequence is 'CTRL-^X'.

FXOS 2.2(2.32) kp2110

firepower-2110 login: admin
Password: Admin123
Last login: Sat Jan 23 16:20:16 UTC 2017 on pts/1
Successful login attempts for user 'admin' : 4
Cisco Firepower Extensible Operating System (FX-OS) Software

[…]

firepower-2110# 
firepower-2110# exit
Remote card closed command session. Press any key to continue.
Connection with fxos terminated.
Type help or '?' for a list of available commands.
ciscoasa#


Connect to the Console Port to Access FXOS and ASA CLI

The Firepower 2100 console port connects you to the FXOS CLI. From the FXOS CLI, you can then connect to the ASA console, and back again.

You can have only one console connection at a time. When you connect to the ASA console from the FXOS console, the connection is a persistent console connection, unlike a Telnet or SSH connection.

Procedure


Step 1

Connect your management computer to the console port. The Firepower 2100 ships with a DB-9 to RJ-45 serial cable, so you will need a third-party serial-to-USB cable to make the connection. Be sure to install any necessary USB serial drivers for your operating system. Use the following serial settings:

  • 9600 baud

  • 8 data bits

  • No parity

  • 1 stop bit

You connect to the FXOS CLI. Enter the user credentials; by default, you can log in with the admin user and the default password, Admin123. You are prompted to change the admin password when you first log in.

Step 2

Connect to the ASA:

connect asa

Example:


firepower-2110# connect asa
Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.
ciscoasa>

Step 3

To return to the FXOS console, enter Ctrl+a, d.


Save and Filter Show Command Output

You can save the output of show commands by redirecting the output to a text file. You can filter the output of show commands by piping the output to filtering commands.

Saving and filtering output are available with all show commands but are most useful when dealing with commands that produce a lot of text. For example, you can show all or parts of the configuration by using the show configuration command. Copying the configuration output provides a way to back up and restore a configuration.


Note


Show commands do not show the secrets (password fields), so if you want to paste a configuration into a new device, you will have to modify the show output to include the actual passwords.


Filter Show Command Output

To filter the output of a show command, use the following subcommands. Note that in the following syntax description, the initial vertical bar | after the show command is the pipe character and is part of the command, not part of the syntax description. The filtering options are entered after the command’s initial | character.

show command | { begin expression| count| cut expression| egrep expression| end expression| exclude expression| grep expression| head| include expression| last| less| no-more| sort expression| tr expression| uniq expression| wc}

Filtering Options

These are the filtering subcommands:

  • begin —Finds the first line that includes the specified pattern, and displays that line and all subsequent lines.

  • count —Counts the number of lines.

  • cut —Removes (“cuts”) portions of each line.

  • egrep —Displays only those lines that match the extended-type pattern.

  • end —Ends with the line that matches the pattern.

  • exclude —Excludes all lines that match the pattern and shows all other lines.

  • grep —Displays only those lines that match the pattern.

  • head —Displays the first lines.

  • include —Displays only those lines that match the pattern.

  • last —Displays the last lines.

  • less —Filters for paging.

  • no-more —Turns off pagination for command output.

  • sort —Sorts the lines (stream sorter).

  • tr —Translates, squeezes, and/or deletes characters.

  • uniq —Discards all but one of successive identical lines.

  • wc —Displays a count of lines, words, and characters.

expression

An expression, or pattern, is typically a simple text string. Do not enclose the expression in single or double-quotes—these will be seen as part of the expression. Also, trailing spaces will be included in the expression.


Note


Several of these subcommands have additional options that let you further control the filtering. For example, with show configuration | head and show configuration | last, you can use the lines keyword to change the number of lines displayed; the default is 10. As another example, with show configuration | sort, you can add the option -u to remove duplicate lines from the output. (Complete descriptions of these options are beyond the scope of this document; refer to the FXOS help output for the various commands, and to the appropriate Linux help, for more information.)


Examples

The following example shows how to determine the number of lines currently in the system event log:


FP9300-A# show sel 1/1 | count
3008
FP9300-A# 

The following example shows how to display lines from the system event log that include the string “error”:


FP9300-A# show sel 1/1 | include error
968 | 05/15/2016 16:46:25 | CIMC | System Event DDR4_P2_H2_EC
C #0x99 | Upper critical - going high | Asserted | Reading 20
000 >= Threshold 20000 error 
FP9300-A# 

Save Show Command Output

You can save the output of show commands by redirecting the output to a text file.

show command [ > { ftp:| scp:| sftp:| tftp:| volatile: | workspace:} ] | [ >> { volatile: | workspace:} ]

Syntax Description

> { ftp:| scp:| sftp:| tftp:| volatile: | workspace:}

Redirects the show command output to a specified text file using the selected transport protocol.

After you enter the command, you are queried for remote server name or IP address, user name, file path, and so on.

If you press Enter at this point, the output is saved locally.

>> { volatile: | workspace:}

Appends the show command output to the appropriate text file, which must already exist.

Example

The following example attempts to save the current configuration to the system workspace; a configuration file already exists, which you can choose to overwrite or not.

FP9300-A# show configuration > workspace
File already exists, overwrite (y/n)?[n]n
Reissue command with >> if you want to append to existing file

FP9300-A#
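
Once show output has been saved or copied off the device, it can be reviewed offline. The following Python sketch is an added example, not Cisco code: it rejoins system event log lines that the terminal wrapped (as in the show sel example earlier on this page) and splits each record into fields. The column names, the matching helper, and records 969 and 970 are assumptions constructed for illustration.

```python
import re

# A record starts "<id> | MM/DD/YYYY HH:MM:SS |"; any other line continues the previous one.
RECORD_START = re.compile(r"^\s*\d+ \| \d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} \|")
PROMPT = re.compile(r"^[\w.-]+#(\s|$)")  # echoed prompt/command lines
# Assumed column names: the page shows the columns but does not name them.
FIELDS = ("record_id", "timestamp", "source", "sensor", "event", "state")

# Constructed sample: record 968 is wrapped as on the page; 969 and 970 are invented.
SAMPLE = """\
FP9300-A# show sel 1/1
968 | 05/15/2016 16:46:25 | CIMC | System Event DDR4_P2_H2_EC
C #0x99 | Upper critical - going high | Asserted | Reading 20
000 >= Threshold 20000 error
969 | 05/15/2016 16:47:02 | CIMC | System Event DDR4_P2_H2_ECC #0x99 | Upper critical - going high | Deasserted | Reading 18000 >= Threshold 20000 error
970 | 05/15/2016 16:50:11 | BIOS | System Event #0x10 | OEM System boot event | Asserted
FP9300-A#
"""


def parse_sel(text):
    """Undo terminal line wrapping, then split each record into named fields."""
    joined = []
    for line in text.splitlines():
        if not line.strip() or PROMPT.match(line):
            continue  # skip blank lines and echoed prompts
        if RECORD_START.match(line):
            joined.append(line)
        elif joined:
            joined[-1] += line  # wrap can split mid-token: join with no separator
    records = []
    for raw in joined:
        parts = [p.strip() for p in raw.split(" | ")]
        if len(parts) < len(FIELDS):
            continue  # truncated or non-SEL line
        rec = dict(zip(FIELDS, parts))
        rec["detail"] = " | ".join(parts[len(FIELDS):])  # optional trailing column(s)
        records.append(rec)
    return records


def matching(records, expression):
    """Offline analogue of '| include': literal, case-sensitive substring match."""
    return [r for r in records if any(expression in v for v in r.values())]


if __name__ == "__main__":
    for rec in matching(parse_sel(SAMPLE), "error"):
        print(rec["record_id"], rec["timestamp"], rec["sensor"], rec["state"])
```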
