Firepower Management Center

Firepower Management Center access control policies, network objects, and REST API operations.

FTD CLI — Diagnostic Commands

FTD runs on top of FXOS. The diagnostic CLI (LINA, the ASA-derived data-plane engine) exposes ASA-style show and capture commands; the configuration itself is owned by FMC and is not changed from here.

Enter diagnostic CLI from FTD clish
system support diagnostic-cli
Show interface status from diagnostic CLI
show interface ip brief
Output
Interface           IP-Address      OK? Method Status    Protocol
Ethernet1/1         203.0.113.1     YES manual up        up
Ethernet1/2         10.50.1.1       YES manual up        up
Management1/1       192.168.45.10   YES manual up        up
Diagnostic0/0       0.0.0.0         YES unset  up        up
Show failover state — active/standby HA pair
show failover
Show access-list hit counts — verify FMC-pushed rules
show access-list
ACL names on FTD are auto-generated by FMC (e.g., CSM_FW_ACL_). Do not modify them directly.
Show active connections
show conn
show conn count
Show NAT translations active on FTD
show xlate
Show Snort counters — run from the FTD clish prompt, not from inside the diagnostic CLI
show snort counters
Packet capture on FTD — works like ASA capture
capture CAP-INSIDE interface inside match tcp host 10.50.1.100 any
show capture CAP-INSIDE

FMC API — Authentication

Get authentication token — required for all API calls
curl -s -k -X POST \
  'https://fmc.example.com/api/fmc_platform/v1/auth/generatetoken' \
  -H 'Content-Type: application/json' \
  -u 'admin:password' \
  -D - -o /dev/null 2>&1 | grep -i 'x-auth-access-token\|x-auth-refresh-token\|DOMAIN_UUID'
Output — extract these headers for subsequent calls
X-auth-access-token: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
X-auth-refresh-token: yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy
DOMAIN_UUID: zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz
The access token expires 30 minutes (1800 s) after issue; the refresh token can be used up to 3 times before a new login is required. Store both in variables for scripting.
Store token and domain in variables for subsequent calls — call generatetoken once, since every call opens a separate API session on the FMC
FMC_HOST="fmc.example.com"
AUTH_HEADERS=$(curl -s -k -X POST \
  "https://${FMC_HOST}/api/fmc_platform/v1/auth/generatetoken" \
  -u 'admin:password' \
  -D - -o /dev/null)
TOKEN=$(printf '%s\n' "${AUTH_HEADERS}" | awk '/X-auth-access-token/{print $2}' | tr -d '\r')
DOMAIN=$(printf '%s\n' "${AUTH_HEADERS}" | awk '/DOMAIN_UUID/{print $2}' | tr -d '\r')
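The token lifecycle above (30-minute expiry, three refreshes, then a fresh login) is easy to get wrong in long-running scripts. The following is an added example, not code from the page or from Cisco: it parses the header text that `curl -D -` prints, tracks expiry and the refresh budget, and decides between refresh and re-login. The HTTP layer is an injected callable so it runs offline; the one endpoint assumed beyond the page is `/api/fmc_platform/v1/auth/refreshtoken`, which takes the current access and refresh tokens as request headers and returns new ones in response headers. `FakeFmc` is a constructed stand-in, not real FMC behaviour.

```python
"""Token lifecycle helper for FMC API scripting (added example, not Cisco's code)."""
import time

TOKEN_LIFETIME_S = 1800   # access token expires 30 minutes after issue
MAX_REFRESHES = 3         # refresh token may be used three times, then re-login
GENERATE_PATH = "/api/fmc_platform/v1/auth/generatetoken"
REFRESH_PATH = "/api/fmc_platform/v1/auth/refreshtoken"   # assumed endpoint, see lead-in


def parse_auth_headers(raw_headers, require_domain=True):
    """Extract the tokens (and domain UUID) FMC returns as response headers.

    Accepts the text `curl -D -` prints (status line plus headers); tolerant of
    CRLF endings and header-name case, which differ between curl and libraries.
    """
    found = {}
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            found[name.strip().lower()] = value.strip()
    needed = ["x-auth-access-token", "x-auth-refresh-token"]
    if require_domain:
        needed.append("domain_uuid")
    missing = [h for h in needed if not found.get(h)]
    if missing:
        raise ValueError("auth response lacks header(s): " + ", ".join(missing))
    return (found["x-auth-access-token"], found["x-auth-refresh-token"],
            found.get("domain_uuid"))


class FmcSession:
    """Holds the access token and decides between refresh and re-login.

    transport(method, path, headers, basic_auth) must return the raw response
    header text; `now` is injectable so expiry can be tested without waiting.
    """

    def __init__(self, transport, username, password, now=time.time):
        self._transport = transport
        self._basic_auth = (username, password)
        self._now = now
        self.login()

    def login(self):
        raw = self._transport("POST", GENERATE_PATH, {}, self._basic_auth)
        self.token, self.refresh_token, self.domain = parse_auth_headers(raw)
        self.issued_at = self._now()
        self.refreshes_used = 0     # a fresh login resets the refresh budget

    def expired(self, margin_s=60):
        """Treat the token as expired a minute early rather than racing the limit."""
        return self._now() - self.issued_at >= TOKEN_LIFETIME_S - margin_s

    def ensure_valid(self):
        """Return 'ok', 'refreshed' or 'relogin' describing what was needed."""
        if not self.expired():
            return "ok"
        if self.refreshes_used >= MAX_REFRESHES:
            self.login()             # refresh token exhausted: start over
            return "relogin"
        raw = self._transport("POST", REFRESH_PATH,
                              {"X-auth-access-token": self.token,
                               "X-auth-refresh-token": self.refresh_token},
                              None)
        self.token, self.refresh_token, _ = parse_auth_headers(raw, require_domain=False)
        self.issued_at = self._now()
        self.refreshes_used += 1
        return "refreshed"

    def auth_headers(self):
        """Headers for fmc_config calls such as the devicerecords listing."""
        self.ensure_valid()
        return {"X-auth-access-token": self.token}


class FakeFmc:
    """Constructed stand-in for an FMC (not real server behaviour): hands out
    serially numbered tokens and counts hits per endpoint."""

    def __init__(self):
        self.calls = {GENERATE_PATH: 0, REFRESH_PATH: 0}
        self.serial = 0

    def __call__(self, method, path, headers, basic_auth):
        if path == GENERATE_PATH and basic_auth is None:
            raise ValueError("generatetoken requires basic auth")
        if path == REFRESH_PATH and "X-auth-refresh-token" not in headers:
            raise ValueError("refreshtoken requires both token headers")
        self.calls[path] += 1
        self.serial += 1
        return ("HTTP/1.1 204 No Content\r\n"
                "X-auth-access-token: access-%d\r\n"
                "X-auth-refresh-token: refresh-%d\r\n"
                "DOMAIN_UUID: zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz\r\n\r\n"
                % (self.serial, self.serial))


if __name__ == "__main__":
    clock = {"t": 0.0}
    session = FmcSession(FakeFmc(), "admin", "password", now=lambda: clock["t"])
    for _ in range(5):                      # walk through 3 refreshes and a re-login
        clock["t"] += TOKEN_LIFETIME_S
        print(session.ensure_valid(), session.token, session.refreshes_used)
```

For real use, replace `FakeFmc` with a transport built on `requests` or `urllib` that keeps certificate verification on and reads the credentials from the environment rather than the script body.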

FMC API — Device Management

List all managed devices
curl -s -k \
  "https://${FMC_HOST}/api/fmc_config/v1/domain/${DOMAIN}/devices/devicerecords" \
  -H "X-auth-access-token: ${TOKEN}" | jq '.items[] | {name, id, type, hostName}'
Output
{
  "name": "FTD-01",
  "id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
  "type": "Device",
  "hostName": "10.50.1.5"
}
Get specific device details
DEVICE_ID="aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
curl -s -k \
  "https://${FMC_HOST}/api/fmc_config/v1/domain/${DOMAIN}/devices/devicerecords/${DEVICE_ID}" \
  -H "X-auth-access-token: ${TOKEN}" | jq '{name, model, sw_version: .softwareVersion, healthStatus}'

FMC API — Access Policies

List all access control policies
curl -s -k \
  "https://${FMC_HOST}/api/fmc_config/v1/domain/${DOMAIN}/policy/accesspolicies" \
  -H "X-auth-access-token: ${TOKEN}" | jq '.items[] | {name, id}'
Get rules within a specific access policy
ACP_ID="bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"
curl -s -k \
  "https://${FMC_HOST}/api/fmc_config/v1/domain/${DOMAIN}/policy/accesspolicies/${ACP_ID}/accessrules?expanded=true" \
  -H "X-auth-access-token: ${TOKEN}" | jq '.items[] | {name, action, enabled}'
Output
{"name": "Allow-Web-Traffic", "action": "ALLOW", "enabled": true}
{"name": "Block-Malware", "action": "BLOCK", "enabled": true}
{"name": "Default-Block", "action": "BLOCK", "enabled": true}

FMC API — Deploy Policies

Get list of devices with pending deployments
curl -s -k \
  "https://${FMC_HOST}/api/fmc_config/v1/domain/${DOMAIN}/deployment/deployabledevices?expanded=true" \
  -H "X-auth-access-token: ${TOKEN}" | jq '.items[] | {name, device: .device.name, canBeDeployed}'
Deploy to a specific device — POST with device ID and version
curl -s -k -X POST \
  "https://${FMC_HOST}/api/fmc_config/v1/domain/${DOMAIN}/deployment/deploymentrequests" \
  -H "X-auth-access-token: ${TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "DeploymentRequest",
    "version": "1234567890",
    "forceDeploy": false,
    "ignoreWarning": true,
    "deviceList": ["aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"]
  }' | jq
Always query deployable devices first: the version field in the request is copied from that response, and only devices reporting canBeDeployed true should be included. Deploy during maintenance windows.
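The two-step flow above (read deployabledevices, then POST a DeploymentRequest carrying the version from that response) is worth automating with the checks done explicitly. The following is an added example, not code from the page or from Cisco. Field names beyond the page's jq filter (name, device.name, canBeDeployed) are assumptions about the DeployableDevice records: each item is assumed to carry the device id at `device.id` and the version to deploy at `version`. Grouping devices by version is a choice made here because a DeploymentRequest has a single version field; the sample response is constructed, not captured from an FMC.

```python
"""Build FMC DeploymentRequest bodies from a deployabledevices response (added example)."""
import json

# Constructed sample in the shape described in the lead-in; not captured from an FMC.
SAMPLE_DEPLOYABLE = {
    "items": [
        {"type": "DeployableDevice", "name": "FTD-01",
         "device": {"id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", "name": "FTD-01"},
         "canBeDeployed": True, "version": "1234567890"},
        {"type": "DeployableDevice", "name": "FTD-02",
         "device": {"id": "cccccccc-cccc-cccc-cccc-cccccccccccc", "name": "FTD-02"},
         "canBeDeployed": True, "version": "1234567890"},
        {"type": "DeployableDevice", "name": "FTD-03",
         "device": {"id": "dddddddd-dddd-dddd-dddd-dddddddddddd", "name": "FTD-03"},
         "canBeDeployed": False, "version": "1234567999"},
    ]
}


def index_deployable(response):
    """Map device name -> (device id, version, canBeDeployed) from the response."""
    table = {}
    for item in response.get("items", []):
        dev = item["device"]                      # assumed: device.id present
        table[dev["name"]] = (dev["id"], item["version"], bool(item.get("canBeDeployed")))
    return table


def plan_deployments(response, device_names, force_deploy=False, ignore_warning=False):
    """Return one DeploymentRequest body per distinct version.

    Refuses unknown devices and devices FMC reports as not deployable, so a
    typo or an unfinished change on the device never becomes a silent no-op.
    ignore_warning defaults to False here so FMC warnings are surfaced; the
    page's curl example sets it to true.
    """
    table = index_deployable(response)
    by_version = {}
    for name in device_names:
        if name not in table:
            raise KeyError("device %r has no pending deployment or does not exist" % name)
        dev_id, version, ok = table[name]
        if not ok:
            raise ValueError("device %r is not deployable (canBeDeployed=false)" % name)
        by_version.setdefault(version, []).append(dev_id)
    return [
        {"type": "DeploymentRequest", "version": version,
         "forceDeploy": force_deploy, "ignoreWarning": ignore_warning,
         "deviceList": ids}
        for version, ids in sorted(by_version.items())
    ]


def request_json(body):
    """Serialize a request body for `curl -d @-` or a requests.post(data=...) call."""
    return json.dumps(body, sort_keys=True)


if __name__ == "__main__":
    for req in plan_deployments(SAMPLE_DEPLOYABLE, ["FTD-01", "FTD-02"]):
        print(request_json(req))
```

Each returned body is what the page's POST to `deployment/deploymentrequests` sends; devices that are absent from deployabledevices have nothing pending, which the KeyError message makes explicit instead of deploying nothing.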

Health Monitoring

Check the FTD's registration with FMC from the FTD CLI (shows the manager host and registration state)
show managers
FMC API — get health alerts
curl -s -k \
  "https://${FMC_HOST}/api/fmc_config/v1/domain/${DOMAIN}/health/alerts" \
  -H "X-auth-access-token: ${TOKEN}" | jq '.items[] | {module: .healthModuleName, status: .alertStatus, description}'

FlexConfig — Custom CLI on FTD

FlexConfig pushes ASA-like commands that FMC does not natively support.

FlexConfig use cases
# Things FMC cannot configure natively that require FlexConfig:
# - WCCP (Web Cache Communication Protocol)
# - Policy-based routing (PBR) with route-maps
# - Advanced TCP normalization
# - Custom SNMP community strings
# - EEM (Embedded Event Manager) scripts
FlexConfig deployment order
1. Write FlexConfig object in FMC (Objects > FlexConfig > FlexConfig Object)
2. Assign to FlexConfig Policy
3. Assign FlexConfig Policy to device
4. Deploy — FlexConfig runs AFTER standard policy deployment
FlexConfig is append-only per deploy: deleting a FlexConfig object does not make FMC push the reverse of its commands. To remove a command, create a negation FlexConfig object containing `no <command>`, assign and deploy it, then remove both FlexConfig objects from the policy.