Cisco Firepower 4100, Firepower 9300 Command Reference Manual
Cisco Firepower 4100/9300 FXOS Command Reference
First Published: 2017-08-28
Last Modified: 2019-01-15
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS,
INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH
THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY,
CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of
the UNIX operating system. All rights reserved. Copyright©1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS" WITH ALL FAULTS.
CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT
LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network
topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional
and coincidental.
All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version.
Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com
go trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any
other company. (1721R)
©
2017–2019 Cisco Systems, Inc. All rights reserved.
About the FXOS CLI Command Reference Guide
This guide represents an on-going effort to document the many CLI commands in FXOS, and as such, should
be viewed as a work-in-progress. The guide will be republished periodically as new command descriptions
are added and existing descriptions updated or corrected.
Cisco Firepower 4100/9300 FXOS Command Reference
1
About the FXOS CLI Command Reference Guide
Cisco Firepower 4100/9300 FXOS Command Reference
2
CLI Overview
• Managed Objects, on page 4
• Command Modes, on page 5
• Object Commands, on page 7
• Complete a Command, on page 8
• Command History, on page 9
• Commit, Discard, and View Pending Commands, on page 10
• Inline Help for the CLI, on page 11
• CLI Session Limits, on page 12
Cisco Firepower 4100/9300 FXOS Command Reference
3
Managed Objects
Managed Objects
The Firepower eXtensible Operating System (FXOS) uses a managed object model, where managed objects
are abstract representations of physical or logical entities that can be managed. For example, chassis, security
modules, network modules, ports, and processors are physical entities represented as managed objects, and
licenses, user roles, and platform policies are logical entities represented as managed objects.
Managed objects may have one or more associated properties that can be configured.
CLI Overview
Cisco Firepower 4100/9300 FXOS Command Reference
4
CLI Overview
Command Modes
The CLI is organized into a hierarchy of command modes, with EXEC mode being the highest-level mode
of the hierarchy. Higher-level modes branch into lower-level modes. You use create, enter, and scope
commands to move from higher-level modes to modes in the next lower level, and you use the up command
to move up one level in the mode hierarchy. You can also use the top command to move to the top level in
the mode hierarchy.
Note
Most command modes are associated with managed objects, so you must create an object before you can
access the mode associated with that object. You use create and enter commands to create managed objects
for the modes being accessed. The scope commands do not create managed objects and can only access modes
for which managed objects already exist.
Each mode contains a set of commands that can be entered in that mode. Most of the commands available in
each mode pertain to the associated managed object.
Command Modes
The CLI prompt for each mode shows the full path down the mode hierarchy to the current mode. This helps
you to determine where you are in the command mode hierarchy, and it can be an invaluable tool when you
need to navigate through the hierarchy.
The following table lists the main command modes, the commands used to access each mode, and the CLI
prompt associated with each mode.
Table 1: Main Command Modes and Prompts
Mode PromptCommands Used to AccessMode Name
#top command from any modeEXEC
/adapter #scope adapter command from EXEC modeAdapter
/cabling #scope cabling command from EXEC modeCabling
/chassis #scope chassis command from EXEC modeChassis
Ethernet server domain
/eth-server #scope eth-server command from EXEC
mode; this command and all subcommands
are currently not supported
Ethernet uplink
/eth-uplink #scope eth-uplink command from EXEC
mode
Fabric interconnect
/fabric-interconnect #scope fabric-interconnect command from
EXEC mode
Firmware
/firmware #scope firmware command from EXEC
mode
Cisco Firepower 4100/9300 FXOS Command Reference
5
Command Modes
CLI Overview
Mode PromptCommands Used to AccessMode Name
Host Ethernet interface
Monitoring
Packet capture
Service profile
mode
Note
This command and all
subcommands are not supported
at this level; the Host Ethernet
interface commands are available
in /adapter # mode.
mode
EXEC mode
mode
Note
Do not alter or configure service
profiles; that is, do not use the
create, set, or delete
subcommand sets.
/host-eth-if #scope host-eth-if command from EXEC
/license #scope license command from EXEC modeLicense
/monitoring #scope monitoring command from EXEC
/org #scope org command from EXEC modeOrganization
/packet-capture #scope packet-capture command from
/security #scope security command from EXEC modeSecurity
/server #scope server command from EXEC modeServer
/service-profile #scope service-profile command from EXEC
/ssa #scope ssa command from EXEC modeSSA
/system #scope system command from EXEC modeSystem
Virtual HBA
Note
This command and all
/vhba #scope vhba command from EXEC mode
subcommands are currently not
supported.
/vnic #scope vnic command from EXEC modeVirtual NIC
Cisco Firepower 4100/9300 FXOS Command Reference
6
CLI Overview
Object Commands
Four general commands are available for object management:
• create object
• delete object
• enter object
• scope object
You can use the scope command with any managed object, whether a permanent object or a user-instantiated
object. The other commands allow you to create and manage user-instantiated objects. For every create object
command, a corresponding delete object and enter object command exists.
In the management of user-instantiated objects, the behavior of these commands depends on whether the
object exists, as described in the following tables:
Table 2: Command Behavior If The Object Does Not Exist
Object Commands
create object
delete object
enter object
scope object
Table 3: Command Behavior If The Object Exists
create object
delete object
enter object
scope object
BehaviorCommand
The object is created and its configuration mode, if applicable, is entered.
An error message is generated.
The object is created and its configuration mode, if applicable, is entered.
An error message is generated.
BehaviorCommand
An error message is generated.
The object is deleted.
The configuration mode, if applicable, of the object is entered.
The configuration mode of the object is entered.
Cisco Firepower 4100/9300 FXOS Command Reference
7
Complete a Command
Complete a Command
You can use the Tab key in any mode to complete a command. Partially typing a command name and pressing
Tab causes the command to be displayed in full or to the point where you must enter another keyword or an
argument value.
CLI Overview
Cisco Firepower 4100/9300 FXOS Command Reference
8
CLI Overview
Command History
The CLI stores all commands used in the current session. You can step through the previously used commands
by using the up-arrow or down-arrow keys. The up-arrow key moves to the previous command in the history,
and the down-arrow key moves to the next command in the history. When you get to the end of the history,
pressing the down-arrow key does nothing.
You can enter any command in the history again by stepping through the history to recall that command and
then pressing Enter. The command is entered as if you had manually typed it. You can also recall a command
and change it before you press Enter.
Command History
Cisco Firepower 4100/9300 FXOS Command Reference
9
Commit, Discard, and View Pending Commands
Commit, Discard, and View Pending Commands
When you enter a configuration command in the CLI, the command is not applied until you enter the
commit-buffer command. Until committed, a configuration command is pending and can be discarded by
entering a discard-buffer command.
You can accumulate pending changes in multiple command modes and apply them together with a single
commit-buffer command. You can view the pending commands by entering the show configuration pending
command in any command mode.
Note
All pending commands are checked for validity. However, if any queued command fails during commit, the
remaining commands are applied; failed commands are reported in an error message.
While any commands are pending, an asterisk (*) appears before the command prompt. The asterisk disappears
when you enter the commit-buffer command.
The following example shows how the prompts change during the command entry process:
Firepower# scope system
Firepower /system # scope services
Firepower /system/services # create ntp-server 192.168.200.101
Firepower /system/services* # show configuration pending
scope services
+ create ntp-server 192.168.200.101
exit
Firepower /system/services* # commit-buffer
Firepower /system/services #
CLI Overview
Cisco Firepower 4100/9300 FXOS Command Reference
10
CLI Overview
Inline Help for the CLI
At any time, you can enter the ? character to display the options available at the current state of the command
syntax.
If you have not entered anything at the prompt, entering ? lists all available commands for the mode you are
in. With a partially entered command, entering ? lists all keywords and arguments available at your current
position in the command syntax.
Inline Help for the CLI
Cisco Firepower 4100/9300 FXOS Command Reference
11
CLI Session Limits
CLI Session Limits
FXOS limits the number of CLI sessions that can be active at one time to 32 total sessions. This value is not
configurable.
CLI Overview
Cisco Firepower 4100/9300 FXOS Command Reference
12
Filter and Save Show Output
• Save and Filter Show Command Output, on page 14
Cisco Firepower 4100/9300 FXOS Command Reference
13
Save and Filter Show Command Output
Save and Filter Show Command Output
You can save the output of show commands by redirecting the output to a text file. You can filter the output
of show commands by piping the output to filtering commands.
Saving and filtering output are available with all show commands but are most useful when dealing with
commands that produce a lot of text.
Filter Show Command Output
To filter the output of a show command, use the following subcommands. Note that in the following syntax
description, the initial vertical bar | after the show command is the pipe character and is part of the command,
not part of the syntax description. The filtering options are entered after the command’s initial | character.
show command | {begin expression|count|cut expression|egrep expression|end expression|exclude
expression|grep expression|head|include expression|last|less|no-more|sort expression|tr
expression|uniq expression|wc}
Filter and Save Show Output
Filtering Options
These are the filtering subcommands:
• begin—Finds the first line that includes the specified pattern, and display that line and all subsequent
lines.
• count—Counts the number of lines.
• cut—Removes (“cut”) portions of each line.
• egrep—Displays only those lines that match the extended-type pattern.
• end—Ends with the line that matches the pattern.
• exclude—Excludes all lines that match the pattern and show all other lines.
• grep—Displays only those lines that match the pattern.
• head—Displays the first lines.
• include—Displays only those lines that match the pattern.
• last—Displays the last lines.
• less—Filters for paging.
• no-more—Turns off pagination for command output.
• sort—Sorts the lines (stream sorter).
• tr—Translates, squeezes, and/or deletes characters.
• uniq—Discards all but one of successive identical lines.
• wc—Displays a count of lines, words, and characters.
expression
Cisco Firepower 4100/9300 FXOS Command Reference
14
Filter and Save Show Output
Note
Several of these subcommands have additional options that let you further control the filtering. For example,
with show configuration | head and show configuration | last, you can use the lines keyword to change the
number of lines displayed; the default is 10. As another example, with show configuration | sort, you can
add the option -u to remove duplicate lines from the output. (Complete descriptions of these options is beyond
the scope of this document; refer to the FXOS help output for the various commands, and to the appropriate
Linux help, for more information.)
Examples
The following example shows how to determine the number of lines currently in the system event log:
FP9300-A# show sel 1/1 | count
3008
FP9300-A#
Save Show Command Output
An expression, or pattern, is typically a simple text string. Do not enclose the expression in single or
double-quotes—these will be seen as part of the expression. Also, trailing spaces will be included in the
expression.
The following example shows how to display lines from the system event log that include the string “error”:
FP9300-A# show sel 1/1 | include error
968 | 05/15/2016 16:46:25 | CIMC | System Event DDR4_P2_H2_EC
C #0x99 | Upper critical - going high | Asserted | Reading 20
000 >= Threshold 20000 error
FP9300-A#
Related Topics
Save Show Command Output, on page 15
Save Show Command Output
You can save the output of show commands by redirecting the output to a text file.
show command [ > {ftp:|scp:|sftp:|tftp:|volatile: |workspace:}]|[ >> {volatile: |workspace:}]
Syntax Description
> {ftp:|scp:|sftp:|tftp:|volatile:
|workspace:}
Redirects the show command output to a specified text file
using the selected transport protocol.
After you enter the command, you are queried for remote
server name or IP address, user name, file path, and so on.
If you press Enter at this point, the output is saved locally.
>> {volatile: | workspace:}
Appends the show command output to the appropriate text
file, which must already exist.
Example
The following example attempts to save the current configuration to the system workspace; a configuration
file already exists, which you can choose to overwrite or not.
Cisco Firepower 4100/9300 FXOS Command Reference
15
Save Show Command Output
FP9300-A# show configuration > workspace
File already exists, overwrite (y/n)?[n]n
Reissue command with >> if you want to append to existing file
FP9300-A#
Related Topics
Filter Show Command Output, on page 14
Filter and Save Show Output
Cisco Firepower 4100/9300 FXOS Command Reference
16
Unsupported and Restricted Commands
• Unsupported Commands, on page 18
• Restricted Commands, on page 22
Cisco Firepower 4100/9300 FXOS Command Reference
17
Unsupported Commands
Unsupported Commands
The following commands, while visible in the CLI, are not supported. Entering any of these commands has
no effect.
EXEC (Top-level) Commands
# restore-check
# scope eth-server (and all subcommands)
# scope host-eth-if (the host-eth-if subcommands are available in /adapter mode)
# scope nh-test (and all subcommands)
# set nh-test
# show nh-test
# show registry-repository
Unsupported and Restricted Commands
# show ucspe-tech-support
# ucspe-copy
# vhba (and all subcommands)
Chassis Mode Commands
/chassis # scope iom
/chassis # show iom
/chassis # show post
Fabric Interconnect Mode Commands
/fabric-interconnect # scope fan
/fabric-interconnect # scope fan-module
/fabric-interconnect # scope psu
/fabric-interconnect # scope sw-uplink
/fabric-interconnect # show fan
/fabric-interconnect # show fan-module
/fabric-interconnect # show lan-neighbors
/fabric-interconnect # show psu
/fabric-interconnect # show san-neighbors
/fabric-interconnect # show sw-uplink
Organization Mode Commands
/org # scope auth-profile
Cisco Firepower 4100/9300 FXOS Command Reference
18
Unsupported and Restricted Commands
/org # scope fc-policy
/org # scope iqn-pool
/org # scope iscsi-policy
/org # scope kvm-mgmt-policy
/org # scope rackserver-disc-policy
/org # scope rackserver-mgmt-policy
/org # scope san-connectivity-policy
/org # scope storage-connection-policy
/org # scope udld-link-policy
/org # scope udld-system-settings
/org # scope uuid-suffix-pool
/org # scope vhba-beh-policy
/org # scope vhba-templ
Unsupported Commands
/org # scope vmq-conn-policy
/org # scope wwn-pool
/org # show fc-policy
/org # show fc-zone
/org # show iqn-pool
/org # show rackserver-disc-policy
/org # show rackserver-mgmt-policy
/org # show san-connectivity-policy
/org # show udld-link-policy
/org # show udld-system-settings
/org # show uuid-suffix-pool
/org # show vhba-beh-policy
/org # show vhba-templ
/org # show vmq-conn-policy
/org # show wwn-pool
Packet Capture Mode Commands
/packet-capture # show nh-test
Security Mode Commands
/security # create role
/security # delete role
Cisco Firepower 4100/9300 FXOS Command Reference
19
Unsupported Commands
Unsupported and Restricted Commands
Server Mode Commands
/server # show flexflash-controller
Service Profile Mode Commands
/service-profile # disassociate
/service-profile # rename-to
/service-profile # scope dynamic-vnic-conn
/service-profile # scope ext-pooled-ip
/service-profile # scope ext-static-ip
/service-profile # scope fc-zone
/service-profile # scope iscsi-boot
/service-profile # scope vhba
/service-profile # set dynamic-vnic-conn-policy
/service-profile # set ext-mgmt-ip-pool-name
/service-profile # set ext-mgmt-ip-state
/service-profile # set iscsi-identity
/service-profile # set kvm-mgmt-policy
/service-profile # set san-connectivity-policy-name
/service-profile # set src-templ-name
/service-profile # show dynamic-vnic-conn
/service-profile # show dynamic-vnic-conn-policy
/service-profile # show ext-pooled-ip
/service-profile # show ext-static-ip
/service-profile # show fc-zone
/service-profile # show initiator-group
/service-profile # show iscsi-boot
/service-profile # show iscsi-identity
/service-profile # show mgmt-iface
/service-profile # show vhba
/service-profile # show vnic-iscsi
System Mode Commands
/system # scope control-ep
/system # scope environment-features
/system # scope storage-features
Cisco Firepower 4100/9300 FXOS Command Reference
20
Unsupported and Restricted Commands
/system # scope vm-mgmt
/system # set virtual-ip
/system # show control-ep
Unsupported Commands
Cisco Firepower 4100/9300 FXOS Command Reference
21
Restricted Commands
Restricted Commands
Use of the following commands is restricted. Do not use any of these commands unless instructed to do so
by a member of the Cisco Technical Assistance Center (TAC).
Service Profile Mode Commands
Do not change any service profile configurations; specifically do not use any of the /service-profile #
create, /service-profile # delete or /service-profile # set subcommands.
Unsupported and Restricted Commands
Cisco Firepower 4100/9300 FXOS Command Reference
22
PART I
A – R Commands
• A – C Commands, on page 25
• D – R Commands, on page 81
A – C Commands
• acknowledge fault, on page 27
• acknowledge server, on page 28
• acknowledge slot, on page 29
• activate firmware, on page 30
• backup sel, on page 31
• cancel, on page 32
• clear lock-status, on page 33
• clear password-history, on page 34
• clear sel, on page 35
• commit-buffer, on page 36
• connect adapter, on page 37
• connect asa, on page 38
• connect cimc, on page 40
• connect ftd, on page 42
• connect fxos, on page 44
• connect local-mgmt, on page 46
• connect module, on page 48
• connect vdp, on page 50
• create app-instance, on page 52
• create bootstrap-key FIREWALL_MODE, on page 53
• create bootstrap-key PERMIT_EXPERT_MODE, on page 54
• create certreq, on page 55
• create connection, on page 57
• create destination, on page 58
• create ip-block, on page 60
• create ipv6-block, on page 62
• create keyring, on page 64
• create local-user, on page 65
• create policy (callhome), on page 67
• create policy (flow control), on page 70
• create profile, on page 71
• create resource-profile, on page 73
• create ssh-server, on page 75
Cisco Firepower 4100/9300 FXOS Command Reference
25
• create subinterface, on page 76
• create trustpoint, on page 79
• cycle, on page 80
A – R Commands
Cisco Firepower 4100/9300 FXOS Command Reference
26
A – R Commands
acknowledge fault
To acknowledge a system fault, use the acknowledge fault command.
acknowledge fault id
acknowledge fault
Syntax Description
Command Modes
Command History
Usage Guidelines
Related Commands
fault id
The fault identification number. The range of valid values is 0 to
18446744073709551615.
Multiple modes
ModificationRelease
Command added.1.1(1)
Use the acknowledge fault command to acknowledge the existence of a fault.
Example
The following example shows how to acknowledge a fault:
firepower # acknowledge fault 11347599
firepower* # commit-buffer
firepower #
DescriptionCommand
Acknowledges a server on the device.acknowledge server
Acknowledges the existence of a slot in the device.acknowledge slot
Shows fault policy information.show fault
Cisco Firepower 4100/9300 FXOS Command Reference
27
acknowledge server
acknowledge server
To acknowledge a server, use the acknowledge server command.
acknowledge server {id|chassis/blade_id}
A – R Commands
Syntax Description
Command Modes
Command History
Usage Guidelines
server
{id|chassis/blade_id}
To use the server identification number to identify the server to acknowledge,
provide the id.
To use the chassis and blade identification numbers to identify the server to
acknowledge, enter chassis/blade_id in n/n format.
Note
The chassis ID number is always 1.
EXEC
scope chassis/
ModificationRelease
Command added.1.1(1)
Use the acknowledge server command to verify the existence of a server in your network. For example, you
can acknowledge a server that was recently commissioned to ensure that it exists.
In chassis mode, you can use only the id variable to identify the server to be acknowledged.
Example
The following example shows how to acknowledge a server in module 2 while in chassis mode:
firepower# scope chassis 1
firepower /chassis # acknowledge server 2
firepower /chassis* # commit-buffer
firepower /chassis #
Related Commands
28
DescriptionCommand
Acknowledges a system fault.acknowledge fault
Verifies the existence of a slot that was recently commissioned.acknowledge slot
show server
The show server commands display a variety of server-related configuration
information.
Cisco Firepower 4100/9300 FXOS Command Reference
Loading...