Level 7

Cisco FTD - Simple script to download configuration

Just trying to write a simple automated script that will download the running-config from a Cisco FTD Firewall. 

The process is :

ssh to device

login with username/password

type command : system support diagnostic

type command : show run

16 Replies
Level 8

Level 8

Of course, if I import that, assign that template to our FTD and do a connection test, it succeeds; however, downloading the configuration just spins on "downloading" in the transfer status.  We need FTD polling and NCM support ASAP!

Anyone able to get Solarwinds to be able to download configuration and monitor interfaces?

Level 11

I downloaded and imported the device template that you posted. I was successful in connecting for NCM management and was able to then download the FTD configuration without a problem. I am also able to monitor the interfaces too through SNMP.

Level 8

That's good news. I'm still unable to do either, so I'm wondering what I'm doing wrong.

Level 7

I have the same issue, and what I observed is that this script is working for FTD version 6.2.3.X. With this version I can back up with it. But for example versions 6.4.X and 6.5.X it's as you say: stuck at Downloading and nothing happening.

I confirmed that I can log in to SSH from the NPM machine, and even when I do the test on the FTD properties in NPM it's working. So there must be something that is preventing NCM from downloading the running config.


I have updated the device template as suggested in the thread and am experiencing the constant spinning wheel and "Downloading...".  FTD v6.5.0

Has anybody worked out a fix for this yet?

Level 8

I worked with support and was able to resolve the issue.  The problem is in the device template script: for the "show" command, show is spelled with a capital S.  FTD firewalls don't like capitalized letters in commands and it fails because of that.  As soon as we fixed the capital S, I was able to download the configs again. 

<Configuration-Management Device="Cisco Firepower Threat Defense FTD" SystemOID="1.3.6.1.4.1.9.1.2320" AutoDetectType="BySystemOid" SystemDescriptionRegex="">
<Commands>
<Command Name="RESET" Value="" />
<Command Name="Reboot" Value="reload noconfirm" />
<Command Name="EnterConfigMode" Value="config terminal" />
<Command Name="ExitConfigMode" Value="quit" />
<Command Name="Startup" Value="startup-config" />
<Command Name="Running" Value="running-config" />
<!-- lowercase "show": FTD rejects capitalised commands, which is the fix described in this post -->
<Command Name="DownloadConfig" Value="show ${ConfigType}" />
<Command Name="UploadConfig" Value="${EnterConfigMode}${CRLF}${ConfigText}${CRLF}${ExitConfigMode}" />
<Command Name="DownloadConfigIndirect" Value="write net ${StorageAddress}:/${StorageFilename}" />
<Command Name="UploadConfigIndirect" Value="" />
<Command Name="EraseConfig" Value="write erase${CRLF}Yes" />
<Command Name="SaveConfig" Value="write memory" />
<Command Name="Version" Value="show version" />
<Command Name="Disconnect" Value="exit"/>
</Commands>
</Configuration-Management>

Level 7

Hi,

I am also facing issue in having config backup of cisco FTD device.

My device version: Cisco Firepower Threat Defense, Version 6.2.3.4 (Build 42), ASA Version 9.9(2)15

OID :- 1.3.6.1.4.1.9.1.2404

We have got port 22 open, the credentials are working fine, and I am able to log in from my server using PuTTY. But my NCM test is failing with the error "Connection Refused by host abc".

Can someone please help me here.

Level 8

This is the process that works to access an ASA5525x running FTD code (6.2.3):

ssh to device (on management port)

login with username/password

type command : system support diagnostic

type command : enable

type command : show run

type command : ctrl+a then d

type command : exit

I have not scriptified it (tech jargon), since NCM cannot manage firewalls running FTD code (yet). We are using the Firepower Management Console for these new devices.

Note: the SSH console is read only and is for diagnostics.
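The procedure in this post (and the shorter one in the original question) as an added worked example, not code from the thread: a Python driver that walks an interactive SSH session through `system support diagnostic`, `enable`, `show running-config`, Ctrl+A then d, and `exit`, and returns the configuration text. Everything beyond those commands is an assumption made for the example: the prompt and pager regexes, the `FakeFtdChannel` stand-in (so the script runs offline), the constructed `SAMPLE_CONFIG`, and the paramiko-based `download_over_ssh` transport, which requires paramiko to be installed and the firewall's host key to be in `known_hosts` already.

```python
"""Scripted download of a Cisco FTD running-config over SSH (added example, not code
from the thread). It automates the steps the thread lists: ssh, 'system support
diagnostic', 'enable', 'show running-config', Ctrl+A then d, 'exit'. The channel
interface, FakeFtdChannel, the '<--- More --->' pager handling and the paramiko
transport are assumptions made for this example."""
import re
import time
import types

PROMPT_RE = re.compile(r"(?:^|\n)[\w.-]*[>#] ?$")              # "> ", "ftd> " or "ftd# "
ENABLE_RE = re.compile(r"Password: ?$|" + PROMPT_RE.pattern)  # 'enable' may ask for a password
MORE_RE = re.compile(r"\r?\n?<--- More --->\r?\n?|--More--")  # assumed pager marker
DETACH = "\x01d"   # Ctrl+A then d: leave the diagnostic CLI, as the thread describes

def check_command(cmd):
    """FTD rejects capitalised commands (the template's 'Show' bug): fail fast, don't hang."""
    if cmd != cmd.lower():
        raise ValueError("FTD commands must be lowercase: %r" % cmd)
    return cmd

def read_until(chan, pattern=PROMPT_RE, timeout=30.0):
    """Collect output until `pattern` matches; answer each pager prompt with a space."""
    buf, deadline = "", time.monotonic() + timeout
    while time.monotonic() < deadline:
        chunk = chan.recv(65536)
        if not chunk:
            time.sleep(0.05)
            continue
        buf += chunk
        pages = len(MORE_RE.findall(buf))
        if pages:
            buf = MORE_RE.sub("\n", buf)
            chan.send(" " * pages)
        if pattern.search(buf):
            return buf
    raise TimeoutError("no prompt seen; tail of output: %r" % buf[-300:])

def run(chan, cmd):
    # send one command; return its output minus the echoed command and the trailing prompt
    chan.send(check_command(cmd) + "\n")
    lines = read_until(chan).replace("\r", "").split("\n")
    return "\n".join(lines[1:-1]).strip("\n")

def download_running_config(chan, enable_password=""):
    """Drive the thread's procedure on an open interactive channel; return the config."""
    read_until(chan)                            # initial FTD '>' prompt
    run(chan, "system support diagnostic")      # ASA-style diagnostic CLI
    chan.send("enable\n")
    if read_until(chan, ENABLE_RE).rstrip().endswith("Password:"):
        chan.send(enable_password + "\n")
        read_until(chan)
    config = run(chan, "show running-config")   # 'show run' is not accepted on every FTD
    chan.send(DETACH)                           # back to the FTD CLISH prompt
    read_until(chan)
    chan.send("exit\n")
    return config

def download_over_ssh(host, username, password, enable_password="", port=22):
    """Real transport; assumes paramiko is installed and the host key is in known_hosts."""
    import paramiko
    client = paramiko.SSHClient()
    client.load_system_host_keys()
    client.set_missing_host_key_policy(paramiko.RejectPolicy())   # no silent trust-on-first-use
    client.connect(host, port=port, username=username, password=password, look_for_keys=False, allow_agent=False)
    try:
        raw = client.invoke_shell(width=511)    # paramiko speaks bytes; the driver speaks str
        chan = types.SimpleNamespace(
            send=lambda s: raw.send(s.encode()),
            recv=lambda n: raw.recv(n).decode("utf-8", "replace") if raw.recv_ready() else "")
        return download_running_config(chan, enable_password)
    finally:
        client.close()

SAMPLE_CONFIG = """: Saved
hostname ftd-lab
interface GigabitEthernet0/0
 nameif outside
access-list outside_in extended permit tcp any host 203.0.113.10 eq 443
: end"""   # constructed for the example, not a real device's configuration

class FakeFtdChannel:
    """In-memory stand-in for the SSH channel, scripted from the prompts the thread
    describes (constructed for testing; not real device behaviour)."""
    def __init__(self, enable_password=""):
        self.out, self.sent, self.mode, self.pending, self.pw = "> ", [], "clish", "", enable_password

    def recv(self, n):
        chunk, self.out = self.out[:n], self.out[n:]
        return chunk

    def send(self, data):
        self.sent.append(data)
        cmd = data.rstrip("\r\n")
        if self.pending and not cmd.strip():                 # a space answers the pager
            self.out, self.pending = self.out + self.pending + "\nftd-lab# ", ""
        elif self.mode == "password":                        # enable password (empty by default)
            self.mode, self.out = "diag", self.out + ("\nftd-lab# " if cmd == self.pw else "\nInvalid password.\nftd-lab> ")
        elif cmd == DETACH:
            self.mode, self.out = "clish", self.out + "\n> "
        elif self.mode == "clish" and cmd == "system support diagnostic":
            self.mode, self.out = "diag", self.out + cmd + "\nftd-lab> "
        elif self.mode == "diag" and cmd == "enable":
            self.mode, self.out = "password", self.out + "enable\nPassword: "
        elif self.mode == "diag" and cmd == "show running-config":
            head, tail = SAMPLE_CONFIG.split("\n")[:3], SAMPLE_CONFIG.split("\n")[3:]
            self.out, self.pending = self.out + cmd + "\n" + "\n".join(head) + "\n<--- More --->", "\n".join(tail)
        elif cmd == "exit":
            self.out += "exit\n"
```

`download_running_config(FakeFtdChannel())` returns `SAMPLE_CONFIG`; `download_over_ssh("ftd.example.net", "admin", password)` does the same against a real box. The lowercase check in `check_command` exists because of the capital-S `Show` problem reported elsewhere in this thread: a rejected command leaves the session sitting at a prompt and a naive script waiting forever, which is exactly the "Downloading..." symptom, so the script refuses to send such a command at all. `RejectPolicy` plus `load_system_host_keys` means an unknown or changed firewall host key aborts the run instead of being silently accepted, which is the right default for anything that hands credentials to a firewall.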

Level 12

Ok, I've got it figured out.

If you go into your 'Device Templates Management' you can copy one of the Cisco templates that exists.

In there you can remove the first line under commands that tries to do a 'terminal width 0'.

You will also need to edit the lines that define the command names for 'startup' and 'running'. Just edit them to read as Value="startup-config" and Value="running-config".

Lastly, you will need to remove the line toward the bottom where it defines the write memory. Apparently this is not supported in the CLI and is handled by the FMC.

Here's the config I'm using for my nightly backup of my configs. It has been tested and works for me.

<!-- edited with XML Spy v4.4 U (http://www.xmlspy.com) by () -->
<!--SolarWinds Network Management Tools-->
<!--Copyright 2005 SolarWinds.Net All rights reserved-->
<!-- no whitespace inside the SystemOID value, or the template never matches the device's sysObjectID -->
<Configuration-Management Device="Cisco Devices" SystemOID="1.3.6.1.4.1.9">
    <Commands>
        <Command Name="Reboot" Value="reload${CRLF}y${CRLF}y"/>
        <Command Name="EnterConfigMode" Value="config terminal"/>   <!-- Not sure this works -->
        <Command Name="ExitConfigMode" Value="end"/>
        <Command Name="Startup" Value="startup-config"/>
        <Command Name="Running" Value="running-config"/>
        <!-- lowercase "show": FTD rejects capitalised commands, as reported elsewhere in this thread -->
        <Command Name="DownloadConfig" Value="show ${ConfigType}"/>
        <Command Name="UploadConfig" Value="${EnterConfigMode}${CRLF}${ConfigText}${CRLF}${ExitConfigMode}"/>
        <Command Name="DownloadConfigIndirect" Value="copy ${ConfigType} ${TransferProtocol}://${StorageAddress}/${StorageFilename}${CRLF}${CRLF}${CRLF}"/>
        <Command Name="UploadConfigIndirect" Value="copy ${TransferProtocol}://${StorageAddress}/${StorageFilename}  ${ConfigType}${CRLF}${CRLF}"/>
        <Command Name="DownloadConfigIndirectSCP" Value="copy ${ConfigType} ${TransferProtocol}://${SCPServerUserName}@${SCPStorageAddress}/${StorageFilename}${CRLF}${CRLF}${CRLF}${CRLF}${SCPServerPassword}"/>
        <Command Name="UploadConfigIndirectSCP" Value="copy ${TransferProtocol}://${SCPServerUserName}@${SCPStorageAddress}/${StorageFilename}  ${ConfigType}${CRLF}${CRLF}${SCPServerPassword}"/>
        <Command Name="EraseConfig" Value="write erase${CRLF}Y"/>
        <Command Name="Version" Value="show version"/>
        <Command Name="Disconnect" Value="exit"/>
    </Commands>
</Configuration-Management>

Hope this helps.
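The template edits this post walks through (drop `terminal width 0`, set `Startup`/`Running` to `startup-config`/`running-config`, drop `write memory`) plus the capital-S `Show` problem reported elsewhere in the thread are easy to lose again the next time someone copies a stock Cisco template. As an added example, not SolarWinds code or the poster's, here is a small linter that parses an NCM device template and reports those pitfalls before the template is assigned to a device. The rule set, the `lint_template` helper, the whitespace check on `SystemOID`, and the `BAD_TEMPLATE` sample (which deliberately contains every pitfall) are constructed for this example; the `write memory` rule only repeats what this post reports.

```python
"""Lint a SolarWinds NCM device template for the FTD pitfalls this thread reports
(added example, not SolarWinds or thread-author code). The rule set, the helper
names and the sample template below are constructed for the example."""
import re
import xml.etree.ElementTree as ET

MACRO_RE = re.compile(r"\$\{\w+\}")    # NCM substitutions such as ${ConfigType}, ${CRLF}
EXPECTED = {"Startup": "startup-config", "Running": "running-config"}

def lint_template(xml_text):
    """Return a list of findings; an empty list means the template passes every check."""
    root = ET.fromstring(xml_text)
    findings = []
    oid = root.get("SystemOID", "")
    if oid != oid.strip():
        findings.append("SystemOID %r has surrounding whitespace; it cannot match sysObjectID" % oid)
    for cmd in root.iter("Command"):
        name, value = cmd.get("Name", ""), cmd.get("Value", "")
        word = (MACRO_RE.sub(" ", value).split() or [""])[0]   # first real CLI word, macros removed
        if word != word.lower():
            findings.append("%s: %r is not lowercase; FTD rejects capitalised commands" % (name, word))
        if "terminal width 0" in value:
            findings.append("%s: FTD does not understand 'terminal width 0'; remove it" % name)
        if name == "SaveConfig" and "write memory" in value:
            findings.append("SaveConfig: 'write memory' is reported not to work on FTD (the FMC owns the config)")
        if name in EXPECTED and value != EXPECTED[name]:
            findings.append("%s: expected %r, got %r" % (name, EXPECTED[name], value))
    return findings

BAD_TEMPLATE = """<Configuration-Management Device="Cisco FTD" SystemOID=" 1.3.6.1.4.1.9.1.2320">
<Commands>
<Command Name="RESET" Value="terminal width 0" />
<Command Name="Startup" Value="startup" />
<Command Name="Running" Value="running-config" />
<Command Name="DownloadConfig" Value="Show ${ConfigType}" />
<Command Name="SaveConfig" Value="write memory" />
<Command Name="Version" Value="show version" />
</Commands>
</Configuration-Management>"""   # constructed: every pitfall from the thread in one file

# The same template with each finding corrected; lint_template() returns [] for it.
GOOD_TEMPLATE = (BAD_TEMPLATE.replace('" 1.3', '"1.3').replace("terminal width 0", "")
                 .replace('Value="startup"', 'Value="startup-config"').replace("Show ", "show ")
                 .replace('Value="write memory"', 'Value=""'))

if __name__ == "__main__":
    for finding in lint_template(BAD_TEMPLATE):
        print("-", finding)
    print("corrected template findings:", lint_template(GOOD_TEMPLATE))
```

Run it against a template exported from Device Templates Management before importing it; macros such as `${ConfigType}` are stripped before the case check so only the real CLI word is judged, which is why `reload${CRLF}y` passes while `Show ${ConfigType}` does not.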

Level 12

Thanks for sharing this, much appreciated. I am going to try it.

We're going to replace all of our ASAs with the FTDs.

I wish NCM was better at this, but maybe on a feature request.

I'll let you know what happens!

Thanks again!
Cheryl

Community Manager

If the FTD devices use a unique SystemOID (which is different from other Cisco devices), you can use that in the beginning of the template to uniquely identify these as they "appear" in your environment.  That way you can use the "AutoDetect" feature in NCM.

"Shoot for the stars to reach the moon"
Level 12

Will your FTD let you do just a 'show run'? On mine it does not recognize that command. I have to do the full 'show running-config'.

I'm having the same issue trying to get my configs backed up.

I created a specific connection profile for the FTDs and I can get connected. My problem is that SolarWinds is initially sending a 'terminal width 0' command, which the FTD can't understand.

Anyone know how to tell NCM to not send that command when it initially connects to an FTD?

Community Manager

Does this not work via NCM?  (Sorry, I don't have firsthand experience with the FTD devices)

"Shoot for the stars to reach the moon"
Level 7

Did you get it to work? I'm running into the same problem and support does not seem to be able to assist me.

Level 7

Nothing yet.
