Cisco Firepower Threat Defense (FTD) has become one of the most widely deployed next-generation firewall (NGFW) platforms across enterprise networks, data centers, cloud environments, and branch offices. Although Cisco Secure Firewall Management Center (FMC) provides centralized policy management through a graphical interface, experienced firewall administrators know that the Command Line Interface (CLI) remains indispensable for troubleshooting, monitoring, diagnostics, recovery, and day-to-day operational tasks.
Whether you are investigating VPN connectivity issues, validating routing tables, analyzing interface statistics, collecting packet captures, checking Snort health, monitoring system resources, or recovering from configuration problems, the Cisco FTD CLI offers direct access to critical operational information that cannot always be obtained efficiently through the GUI.
This guide brings together 75 essential Cisco FTD CLI commands organized into logical operational categories. Instead of presenting only command syntax, every section explains where each command is used, why it matters, and how experienced engineers apply it during production troubleshooting. Throughout the article, you’ll also learn the differences between Operational CLI, Diagnostic CLI, Expert Mode, and FXOS, along with best practices for working safely on production firewalls.
By the end of this guide, you will be able to:
- Understand Cisco FTD CLI architecture.
- Navigate between different CLI modes.
- Monitor firewall health and performance.
- Troubleshoot routing, VPN, NAT, and interface issues.
- Perform packet captures from the CLI.
- Diagnose Snort and system processes.
- Work safely in Expert Mode.
- Build a practical troubleshooting workflow suitable for enterprise environments.
What Is Cisco FTD CLI?
Cisco FTD CLI (Command Line Interface) is the administrative command environment used to monitor, troubleshoot, and maintain Cisco Secure Firewall devices running Firepower Threat Defense. It provides direct access to operational information, diagnostics, system health, network connectivity, and low-level Linux utilities that complement centralized management through Cisco Secure Firewall Management Center (FMC).
Unlike the Cisco Adaptive Security Appliance (ASA), where almost every configuration task is performed through the CLI, Cisco FTD is primarily policy-driven. Most security policies, NAT rules, access control policies, SSL inspection settings, and intrusion policies are configured through FMC or Cisco Firewall Device Manager (FDM). The CLI focuses on operational visibility, diagnostics, and advanced maintenance.
In production environments, firewall administrators commonly use the CLI to:
- Verify interface status and IP addressing.
- Check routing and ARP tables.
- Monitor CPU, memory, and disk utilization.
- Troubleshoot VPN tunnels.
- Capture packets.
- Verify active connections.
- Review system logs.
- Restart services.
- Enter Linux Expert Mode when advanced diagnostics are required.
Because of these capabilities, mastering the CLI significantly reduces troubleshooting time during outages and maintenance windows.
Cisco FTD CLI Architecture
Understanding Cisco FTD begins with recognizing that it consists of multiple command environments, each designed for a different administrative purpose. Knowing when to use each mode is one of the most important operational skills for firewall engineers.
CLI Architecture Overview
| CLI Environment | Primary Purpose | Typical Usage |
|---|---|---|
| Operational CLI | Monitoring and diagnostics | Daily administration |
| Diagnostic CLI | Advanced troubleshooting | Packet-level analysis |
| Expert Mode | Linux shell access | Process and operating system diagnostics |
| FXOS CLI (supported hardware) | Chassis management | Hardware administration |
Each environment provides a different level of system access.
Operational CLI
The Operational CLI is the default interface presented after connecting through SSH or the console. It is the safest environment for routine operational tasks because it exposes monitoring and troubleshooting commands without granting unrestricted operating system access.
Administrators typically use this mode to:
- Display system information.
- Check interface status.
- Review routing tables.
- Examine VPN sessions.
- Verify connection tables.
- Monitor appliance health.
- Inspect running processes.
- Perform packet captures through supported utilities.
Most of the commands covered in this guide begin in Operational CLI.
Diagnostic CLI
Diagnostic CLI provides lower-level access for advanced troubleshooting. It includes commands inherited from the underlying networking stack and is particularly useful when investigating routing anomalies, packet forwarding behavior, interface statistics, and detailed connectivity problems.
Although many Operational CLI commands are sufficient for everyday tasks, Diagnostic CLI becomes valuable when TAC engineers or senior administrators require deeper visibility.
Typical use cases include:
- Advanced routing verification.
- Interface diagnostics.
- Packet forwarding analysis.
- Connection troubleshooting.
- Protocol-level inspection.
Because Diagnostic CLI operates closer to the underlying system, changes should only be made by administrators who understand their implications.
Expert Mode
Expert Mode provides direct access to the underlying Linux operating system. This environment is intended for advanced troubleshooting rather than routine firewall administration.
After entering Expert Mode, administrators can use familiar Linux utilities such as:
tophtop(where available)psnetstatsstcpdumpjournalctldfdusystemctl
Expert Mode is especially useful when diagnosing:
- High CPU utilization.
- Memory exhaustion.
- Disk usage issues.
- Hung processes.
- Log file analysis.
- Packet captures.
- Service failures.
Because Expert Mode bypasses the abstraction provided by the Operational CLI, avoid making unsupported operating system changes on production appliances.
FXOS CLI
Certain Cisco Secure Firewall appliances, particularly those built on Firepower hardware platforms, include Firepower eXtensible Operating System (FXOS). FXOS manages the hardware platform rather than the firewall software itself.
FXOS is responsible for:
| Component | Function |
|---|---|
| Chassis management | Hardware lifecycle |
| Power supplies | Hardware monitoring |
| Fan modules | Cooling management |
| SSD storage | Hardware health |
| Firmware | Platform updates |
| Interfaces | Hardware provisioning |
Administrators generally access FXOS only when performing hardware maintenance, firmware upgrades, or platform diagnostics.
How to Access Cisco FTD CLI
Before running any command, you need secure access to the firewall.
The most common access methods include:
| Method | Typical Scenario |
|---|---|
| SSH | Remote administration |
| Console cable | Initial deployment |
| Virtual console | VMware, Hyper-V, KVM |
| Cisco UCS console | Physical appliance management |
Access via SSH
Most administrators connect using SSH.
ssh admin@192.168.1.1 After successful authentication, the appliance displays the operational prompt.
Example:
> Entering Diagnostic CLI
When deeper troubleshooting is required, enter Diagnostic CLI.
system support diagnostic-cli This switches to the lower-level diagnostic environment without requiring direct Linux access.
Entering Expert Mode
Expert Mode is entered from the operational prompt.
expert Example output:
admin@firepower:~$ You are now working within the Linux operating system.
Returning to Operational CLI
Exit Expert Mode using:
exit The prompt returns to the operational CLI.
Command Syntax Basics
Before diving into the command reference, it is useful to understand the syntax conventions used throughout Cisco FTD.
Show Commands
Show commands retrieve operational information without modifying the firewall.
Examples include:
show version show interfaces show route These commands are safe for production use and form the foundation of routine monitoring.
Diagnostic Commands
Diagnostic commands provide deeper visibility into packet processing and protocol behavior.
Example:
system support diagnostic-cli From there, additional platform-specific diagnostic commands become available.
Linux Commands
Within Expert Mode, standard Linux utilities can be executed.
Example:
top df -h ps aux These commands help identify operating system resource constraints that may affect firewall performance.
Privilege Considerations
Not every user account has identical privileges. Organizations commonly integrate authentication with TACACS+, RADIUS, or LDAP to enforce role-based administrative access. Additionally, centralized identity services and AAA policies help ensure accountability and compliance with frameworks such as PCI DSS, ISO/IEC 27001, and the NIST Cybersecurity Framework.
As a best practice:
- Use least-privilege administrative accounts.
- Restrict Expert Mode access to senior engineers.
- Enable multi-factor authentication where supported.
- Log administrative sessions to a centralized SIEM such as Splunk, Microsoft Sentinel, or IBM QRadar.
- Synchronize system clocks with NTP to ensure accurate audit logs.
75 Essential Cisco FTD CLI Commands
The commands in this guide are grouped by operational function rather than alphabetically. This organization mirrors how experienced engineers troubleshoot production firewalls, allowing you to quickly locate the commands relevant to a specific issue.
The first category focuses on system information and appliance health—often the starting point for any diagnostic workflow.
System Information Commands
1. Show Software Version
Purpose
Displays the installed Cisco FTD software version, build number, and platform details.
Syntax
show version Example
> show version Cisco Firepower Threat Defense Version 7.4.x Build 172 When to Use
- Verify software version before upgrades.
- Confirm compatibility with FMC.
- Collect information for Cisco TAC cases.
- Validate release during maintenance windows.
Expert Tip
Always include the output of show version when opening a support case. It immediately identifies the software train, patch level, and appliance model, enabling faster troubleshooting and ensuring compatibility with recommended fixes.
2. Display System Information
Purpose
Shows general appliance information, including hostname, uptime, licensing status, hardware model, and operating details.
Syntax
show inventory Example
Hostname: Branch-FTD-01 Model: Secure Firewall 2130 Serial Number: FCHXXXXXXXX Practical Use Case
After replacing hardware or restoring from backup, use this command to verify that the expected appliance model and serial number are present before applying production policies.
3. Check Appliance Uptime
Purpose
Verifies how long the firewall has been running since the last reboot.
Syntax
show uptime Example
System Uptime: 164 Days 11 Hours Why It Matters
Unexpectedly low uptime may indicate unplanned reboots, software crashes, power events, or hardware instability. Reviewing uptime is often one of the first checks during incident response.
4. Display Running Processes
Purpose
Provides visibility into active system processes and their current state.
Syntax
show processes Example
Process Name State Snort Running Lina Running SFDataCorrelator Running Operational Insight
If users report intermittent connectivity or inspection failures, confirming that critical processes such as Snort and Lina are running can quickly narrow the scope of investigation before deeper diagnostics are required.
5. View System Health Summary
Purpose
Displays an overall health snapshot, including CPU utilization, memory consumption, disk status, and service health.
Syntax
show health Example
CPU Usage: 18% Memory Usage: 54% Disk Usage: 41% Health Status: Normal Best Practice
Establish a baseline during normal operating conditions. Comparing current values against known-good metrics makes it easier to identify abnormal resource consumption caused by traffic spikes, software defects, or misconfigurations.
6. Display Running Configuration Summary
Purpose
Provides a high-level overview of the active system configuration, allowing administrators to verify operational settings without navigating through the management interface.
Syntax
show running-config Example
> show running-config ... hostname Branch-FTD-01 management-interface Management1/1 dns server-group DefaultDNS ... Practical Use
Although Cisco FTD relies primarily on FMC or FDM for configuration management, reviewing portions of the active configuration is useful during migration validation, disaster recovery, and post-change verification.
7. Display Device Manager Status
Purpose
Verifies whether the appliance is managed locally through Firewall Device Manager (FDM) or centrally through Cisco Secure Firewall Management Center (FMC).
Syntax
show managers Example
Manager: 10.20.10.15 Registration Status: Completed Why It Matters
A failed manager registration prevents policy deployment, software updates, and centralized monitoring. Consequently, this command should be part of every post-deployment validation checklist.
8. Check Licensing Status
Purpose
Displays installed licenses and subscription status.
Syntax
show license Typical Output
Threat License : Enabled Malware License : Enabled URL Filtering : Enabled Smart Licensing : Registered Best Practice
Review licensing after appliance replacement, software upgrades, or Smart Licensing synchronization to avoid unexpected feature limitations.
9. Verify NTP Status
Purpose
Checks Network Time Protocol synchronization.
Syntax
show ntp Why It Is Important
Accurate timestamps are essential for:
- SIEM correlation
- Certificate validation
- VPN authentication
- Syslog analysis
- Compliance audits
Even a small clock drift can complicate forensic investigations.
10. Display DNS Configuration
Purpose
Shows configured DNS servers and resolution status.
Syntax
show dns Common Troubleshooting Scenario
If software updates, Cisco Talos lookups, Smart Licensing, or cloud integrations fail, DNS resolution should be verified before investigating higher-layer services.
Interface Commands
Network interfaces represent one of the most common troubleshooting areas in enterprise firewalls. Incorrect VLAN assignments, duplex mismatches, disabled interfaces, or failed link negotiation can interrupt connectivity across multiple business services.
The following commands help verify interface health quickly.
11. Display All Interfaces
Purpose
Lists every configured physical and logical interface.
Syntax
show interfaces Example
GigabitEthernet1/1 Status: Up Protocol: Up GigabitEthernet1/2 Status: Down Protocol: Down When to Use
- Initial deployment
- Interface troubleshooting
- Maintenance validation
- Hardware replacement
12. View Interface Details
Purpose
Displays detailed information for a specific interface.
Syntax
show interface GigabitEthernet1/1 Typical Information
- IP address
- MTU
- MAC address
- Speed
- Duplex
- Packet counters
- Error counters
Expert Recommendation
Rather than only checking whether an interface is “up,” always review error counters. CRC errors, giants, runts, and collisions often indicate physical cabling or switch negotiation problems.
13. Verify Interface IP Address
Purpose
Displays configured IP addressing.
Syntax
show ip Useful During
- IP migration
- Gateway verification
- Subnet validation
- Change control reviews
14. Display Interface Statistics
Purpose
Monitors packet transmission statistics.
Syntax
show interface statistics Example Output
Packets Received : 12457882 Packets Sent : 11683444 Input Errors : 0 Output Errors : 0 Operational Insight
A sudden increase in packet drops or interface errors often correlates with congestion, oversubscription, or failing network hardware.
15. Verify Interface MTU
Purpose
Displays Maximum Transmission Unit values.
Syntax
show interface mtu Common Use Case
MTU mismatches frequently cause:
- VPN fragmentation
- Slow applications
- TCP retransmissions
- Voice quality degradation
Checking MTU should therefore be part of every VPN troubleshooting workflow.
16. Display MAC Address Information
Purpose
Shows interface MAC addresses.
Syntax
show mac-address-table Why It Helps
Administrators often verify MAC addresses during switch migrations, hardware replacements, and Layer 2 troubleshooting.
17. Verify ARP Table
Purpose
Displays Address Resolution Protocol entries.
Syntax
show arp Example
10.10.10.1 MAC 00:50:56:AA:11:22 Best Practice
Missing ARP entries may indicate:
- Layer 2 connectivity failures
- Incorrect VLAN assignments
- Duplicate IP addresses
- Gateway communication issues
18. Monitor Interface Counters
Purpose
Displays packet counters and interface utilization.
Syntax
show interface counters Real-World Example
Suppose users report intermittent file transfer failures. Monitoring interface counters before and during the issue can reveal bursts of packet drops that would otherwise remain unnoticed.
19. Verify Link Status
Purpose
Confirms physical link state.
Syntax
show interface status Typical Values
Up Down Administratively Down Testing Operational Recommendation
Always distinguish between an administrative shutdown and a physical failure before escalating an incident.
20. Display VLAN Information
Purpose
Shows VLAN assignments associated with interfaces.
Syntax
show vlan Common Troubleshooting Scenario
Incorrect VLAN tagging remains one of the leading causes of failed firewall deployments after switch migrations.
Routing Commands
Routing verification is among the first tasks performed when investigating connectivity problems. Even perfectly configured firewall policies cannot compensate for incorrect routing decisions.
21. Display Routing Table
Purpose
Shows the active routing table.
Syntax
show route Example
S 0.0.0.0/0 via 10.1.1.1 O 192.168.20.0/24 C 10.10.10.0/24 Why It Matters
Administrators use this command to verify:
- Default routes
- Static routes
- Dynamic routing
- Route preferences
22. Verify Static Routes
Purpose
Displays configured static routes.
Syntax
show route static Typical Use
Review routing after WAN migrations or ISP failover testing.
23. Display Connected Routes
Purpose
Shows directly connected networks.
Syntax
show route connected Operational Value
Connected routes verify whether interface addressing has been configured correctly.
24. Display OSPF Routes
Purpose
Shows routes learned through OSPF.
Syntax
show ospf route Useful During
- Adjacency troubleshooting
- Route redistribution validation
- Area verification
25. Verify OSPF Neighbors
Purpose
Displays neighbor relationships.
Syntax
show ospf neighbor Expected Result
Neighbor ID State FULL Expert Tip
If a neighbor remains in the INIT or EXSTART state, investigate MTU consistency, authentication settings, and Layer 2 connectivity.
26. Display BGP Summary
Purpose
Shows BGP peer status.
Syntax
show bgp summary Typical Information
- Neighbor IP
- Remote ASN
- Prefix count
- Session state
Common Troubleshooting Scenario
If the state remains Active or Idle instead of Established, verify reachability, ASN configuration, authentication, and firewall policies.
27. Display BGP Routes
Purpose
Shows routes learned through Border Gateway Protocol.
Syntax
show bgp Practical Example
Enterprise internet edge deployments often rely on this command to validate route advertisements from multiple service providers.
28. Verify ECMP Routes
Purpose
Displays Equal-Cost Multi-Path routing information.
Syntax
show route ecmp Benefits
ECMP improves:
- Redundancy
- Load sharing
- High availability
29. Verify Gateway Reachability
Purpose
Tests gateway connectivity.
Syntax
ping 10.10.10.1 Example
Success rate is 100 percent Best Practice
Always test connectivity from the firewall itself before troubleshooting downstream hosts.
30. Perform Route Lookup
Purpose
Determines which route the firewall will use for a destination.
Syntax
show route lookup 172.16.100.10 Operational Value
This command helps explain why traffic follows a particular path when multiple routing protocols or overlapping routes exist.
NAT Commands
Network Address Translation is a frequent source of production issues. Misordered NAT rules, incorrect translation policies, or overlapping address pools can prevent applications from communicating correctly.
31. Display NAT Rules
Purpose
Shows configured NAT policies.
Syntax
show nat Typical Use
- Verify translation order.
- Confirm policy deployment.
- Review dynamic and static NAT entries.
32. Verify Active Translations
Purpose
Displays current NAT translation entries.
Syntax
show xlate Example
Inside: 10.1.10.15 Outside: 198.51.100.15 Why It Matters
Active translations confirm that packets are matching NAT rules as expected.
33. Verify Connection Table
Purpose
Displays active sessions traversing the firewall.
Syntax
show conn Operational Benefit
Connection tables are invaluable when determining whether traffic reaches the firewall and whether return traffic is being established successfully.
34. Display Translation Statistics
Purpose
Shows NAT utilization and translation counters.
Syntax
show nat statistics Typical Analysis
Review translation statistics during periods of heavy internet usage to identify exhaustion of address pools or unexpected translation growth.
35. Verify PAT Operation
Purpose
Confirms Port Address Translation functionality.
Syntax
show pat Real-World Example
Organizations using a single public IP for hundreds of users rely on PAT. Verifying translation behavior quickly identifies whether outbound internet failures are caused by address translation or another network component.
Access Control List (ACL) Commands
Access Control Policies (ACPs) in Cisco FTD are typically created and managed through Cisco Secure Firewall Management Center (FMC) or Firewall Device Manager (FDM). Nevertheless, the CLI remains invaluable for verifying policy deployment, connection behavior, hit counts, and rule matching during troubleshooting.
Rather than modifying access policies directly from the CLI, administrators use these commands to validate how the firewall is processing traffic.
36. Display Access Control Policies
Purpose
Displays the currently deployed Access Control Policy information.
Syntax
show access-control-config Example
Policy Name : Branch-Internet-Policy Version : 127 Deployment : Successful When to Use
- Verify successful policy deployment.
- Confirm the correct policy is active.
- Troubleshoot unexpected traffic behavior.
37. Display Access Rule Statistics
Purpose
Shows hit counts for access rules.
Syntax
show access-list Example
ACL: Branch-Users Hits: 854327 Operational Insight
Rule hit counts help identify unused rules, validate newly deployed policies, and troubleshoot unexpected traffic matches.
38. Verify Active Connections
Purpose
Displays active firewall sessions.
Syntax
show conn Example
TCP Outside:198.51.100.10:443 Inside:10.10.20.45:51582 ESTABLISHED Practical Use
If traffic is allowed by policy but users still experience connectivity issues, verifying whether a connection has been established provides valuable insight into the packet flow.
39. Display Connection Details
Purpose
Shows detailed information for active sessions.
Syntax
show conn detail Typical Information
- Source IP
- Destination IP
- NAT translation
- Session duration
- Idle timer
- Security zone
- Protocol
Best Practice
Use detailed session information when troubleshooting intermittent application failures or asymmetric routing.
40. Display Security Zone Information
Purpose
Verifies configured security zones associated with interfaces.
Syntax
show security-zone Why It Matters
Incorrect zone assignments frequently lead to access policy mismatches and blocked traffic after interface migrations.
VPN Commands
Virtual Private Networks remain one of the most common operational responsibilities for firewall administrators. Cisco FTD supports Site-to-Site IPsec VPNs, Remote Access VPNs using Cisco Secure Client, and IKEv1/IKEv2 negotiations.
The following commands help verify tunnel establishment, encryption status, and peer connectivity.
41. Display VPN Summary
Purpose
Shows an overview of configured VPN tunnels.
Syntax
show vpn-sessiondb summary Example
Site-to-Site VPN : 8 Active Remote Access VPN : 112 Active Use Case
Quickly determine whether VPN sessions are active before investigating specific users or peers.
42. Display Site-to-Site VPN Sessions
Purpose
Lists active IPsec tunnels.
Syntax
show vpn-sessiondb l2l Typical Output
Peer: 203.0.113.25 State: UP Expert Tip
If a tunnel is missing from the session database, verify IKE negotiation before reviewing firewall policies.
43. Display Remote Access VPN Sessions
Purpose
Displays active Cisco Secure Client VPN users.
Syntax
show vpn-sessiondb anyconnect Useful Information
- Username
- Assigned IP
- Login time
- Duration
- Client version
Operational Value
This command is especially useful for validating user authentication and identifying concurrent VPN sessions.
44. Verify IKE Security Associations
Purpose
Displays active IKE Phase 1 negotiations.
Syntax
show crypto ikev2 sa Example
IKEv2 SA: ESTABLISHED Troubleshooting Advice
If the security association is not established, verify:
- Peer reachability
- Certificates
- Pre-shared keys
- Encryption proposals
- Authentication settings
45. Verify IPsec Security Associations
Purpose
Displays Phase 2 tunnel information.
Syntax
show crypto ipsec sa Key Information
- Encrypted packets
- Decrypted packets
- SPI values
- Replay counters
- Lifetime
Practical Example
Packet counters increasing in only one direction usually indicate routing or firewall policy issues on one side of the tunnel.
46. Display Tunnel Statistics
Purpose
Shows operational statistics for VPN tunnels.
Syntax
show vpn-sessiondb detail Useful For
- Monitoring tunnel stability
- Detecting packet loss
- Identifying session resets
47. Verify Crypto Policies
Purpose
Displays configured cryptographic policies.
Syntax
show running-config crypto Best Practice
Verify that both VPN peers support identical encryption algorithms before troubleshooting connectivity.
48. Test Peer Reachability
Purpose
Tests connectivity to a VPN peer.
Syntax
ping 203.0.113.10 Expert Recommendation
Always confirm Layer 3 connectivity before investigating IKE or IPsec negotiations.
49. Verify Tunnel Routing
Purpose
Confirms routing toward remote VPN networks.
Syntax
show route Operational Insight
A perfectly healthy VPN tunnel cannot forward traffic if the routing table points packets toward an incorrect next hop.
50. Display Dead Peer Detection Status
Purpose
Verifies Dead Peer Detection (DPD) activity.
Syntax
show crypto ikev2 stats Why It Matters
DPD ensures failed VPN peers are detected promptly, allowing tunnels to recover more quickly after outages.
Logging Commands
Logs provide visibility into authentication events, policy decisions, interface changes, VPN negotiations, intrusion events, and system health. Reviewing logs early in the troubleshooting process often reduces the time required to isolate a problem.
51. Display System Logs
Purpose
Shows recent system log messages.
Syntax
show logging Example
%LINK-3-UPDOWN: Interface GigabitEthernet1/1 changed state to UP Best Practice
Look for log messages that coincide with the reported outage rather than reviewing unrelated historical events.
52. View Log Buffer
Purpose
Displays locally buffered logs.
Syntax
show logging buffer When to Use
- Immediate troubleshooting
- Short-term event review
- Validation after configuration changes
53. Verify Syslog Configuration
Purpose
Displays configured Syslog servers.
Syntax
show running-config logging Typical Information
- Syslog destination
- Transport protocol
- Severity level
- Source interface
Operational Recommendation
Forward logs to centralized platforms such as Splunk, Microsoft Sentinel, IBM QRadar, or other SIEM solutions to improve retention, compliance, and threat investigation capabilities.
54. Monitor Log Messages in Real Time
Purpose
Displays log messages as they are generated.
Syntax
system support diagnostic-cli Then execute:
terminal monitor Common Use Cases
- Policy deployment validation
- VPN troubleshooting
- Interface monitoring
- Security event analysis
55. Display Intrusion Events
Purpose
Shows intrusion detection and prevention events generated by the Snort inspection engine.
Syntax
show intrusion-events Example
Priority: High Action: Blocked Signature: SQL Injection Attempt Expert Insight
Intrusion events should always be analyzed alongside firewall connection logs, packet captures, and application behavior. Viewing these data sources together provides a much more accurate understanding of whether traffic was permitted, inspected, or blocked and helps distinguish genuine attacks from false positives.
Packet Capture Commands
Packet captures are among the most effective troubleshooting tools available on Cisco FTD. While logs and connection tables indicate how the firewall processes traffic, packet captures provide direct evidence of whether packets arrive at an interface, traverse inspection engines, undergo NAT translation, and exit toward their destination.
In production environments, packet captures are routinely used to diagnose intermittent connectivity, VPN issues, asymmetric routing, MTU problems, and application-specific failures.
56. Start a Packet Capture
Purpose
Creates a packet capture on a specified interface.
Syntax
capture CAP-IN interface GigabitEthernet1/1 match ip any any Example
Capture Name : CAP-IN Interface : GigabitEthernet1/1 Status : Active When to Use
- Verify whether traffic reaches the firewall.
- Troubleshoot application connectivity.
- Investigate packet drops.
- Validate firewall policy behavior.
Best Practice
Keep capture filters as specific as possible to reduce CPU utilization and simplify analysis.
57. Display Active Packet Captures
Purpose
Lists all currently running packet captures.
Syntax
show capture Typical Output
Capture Name : CAP-IN Packets : 2,347 Status : Running Operational Insight
Before creating a new capture, check for existing captures to avoid duplicate monitoring and unnecessary resource consumption.
58. View Captured Packets
Purpose
Displays captured packets directly from the CLI.
Syntax
show capture CAP-IN Practical Use
Administrators commonly review packet headers to verify:
- Source IP
- Destination IP
- Protocol
- TCP flags
- ICMP responses
- Initial packet flow
For larger investigations, export the capture and analyze it using Wireshark.
59. Clear Packet Capture
Purpose
Stops and removes an existing packet capture.
Syntax
no capture CAP-IN Why It Matters
Leaving unnecessary captures running can consume system resources, particularly on busy internet-facing firewalls.
60. Capture Packets Using Expert Mode
Purpose
Uses the Linux tcpdump utility for advanced packet analysis.
Syntax
tcpdump -i eth0 Example
tcpdump -i eth0 host 192.168.10.20 Expert Recommendation
tcpdump offers greater flexibility than standard capture commands and supports advanced filtering expressions, making it invaluable for complex troubleshooting scenarios.
Monitoring Commands
Continuous monitoring enables administrators to identify resource constraints before they affect production traffic. Cisco FTD provides multiple commands for observing CPU usage, memory utilization, disk health, session counts, and process status.
61. Display CPU Utilization
Purpose
Shows current processor usage.
Syntax
show cpu usage Example
CPU Utilization : 18% Operational Guidance
Sustained CPU utilization above normal operating baselines may indicate excessive inspection, unusually high traffic volumes, or resource-intensive security policies.
62. Display Memory Usage
Purpose
Shows memory consumption.
Syntax
show memory Typical Output
Total Memory : 32 GB Used Memory : 18 GB Free Memory : 14 GB Best Practice
Compare memory utilization against historical baselines rather than reacting to temporary spikes.
63. Verify Disk Usage
Purpose
Displays storage utilization.
Syntax
show disk Common Use Cases
- Log retention analysis
- Upgrade preparation
- Disk capacity planning
64. Display System Performance
Purpose
Provides a consolidated performance overview.
Syntax
show performance Typical Metrics
- CPU
- Memory
- Sessions
- Throughput
- Packet rate
Operational Value
This command offers a quick health assessment before deeper diagnostics begin.
65. Display Active Processes
Purpose
Shows currently running firewall services.
Syntax
show processes Typical Output
Snort Lina SFDataCorrelator Database Health Monitor Expert Tip
If expected services are absent or repeatedly restarting, investigate system logs before attempting manual intervention.
High Availability Commands
High Availability (HA) improves service continuity by maintaining synchronized firewall pairs. During troubleshooting, administrators frequently verify failover status, synchronization health, and peer communication.
66. Display High Availability Status
Purpose
Shows the current HA state.
Syntax
show failover Example
Primary : Active Secondary : Standby Ready Operational Importance
Confirm HA status immediately after maintenance, software upgrades, or failover testing.
67. Verify Synchronization Status
Purpose
Displays synchronization between HA peers.
Syntax
show failover state Why It Matters
Configuration synchronization issues can leave standby appliances unable to assume production traffic during failures.
68. Display HA Interface Status
Purpose
Shows failover interface health.
Syntax
show failover interface Typical Information
- Link status
- Heartbeat state
- Interface monitoring
69. Verify HA Statistics
Purpose
Displays operational statistics related to failover.
Syntax
show failover statistics Practical Use
Reviewing failover counters helps identify repeated failover events caused by unstable links or hardware issues.
70. Display Peer Communication Status
Purpose
Verifies communication between HA appliances.
Syntax
show failover history Best Practice
Unexpected communication failures should prompt verification of dedicated failover interfaces, switch connectivity, and heartbeat configuration.
Expert Mode Linux Commands
Expert Mode exposes the underlying Linux operating system, allowing experienced administrators to perform advanced diagnostics using familiar Linux tools. Although powerful, these commands should be used carefully in production environments.
71. Monitor System Resources
Purpose
Displays real-time CPU and memory utilization.
Syntax
top Operational Insight
The top utility quickly identifies processes consuming excessive resources and is often the first command used when investigating performance degradation.
72. Display Running Processes
Purpose
Lists active Linux processes.
Syntax
ps -ef Common Use
Verify that essential services remain operational before escalating issues to Cisco TAC.
73. Display File System Usage
Purpose
Shows available disk space.
Syntax
df -h Example
Filesystem Size Used Avail Use% /dev/sda1 64G 31G 30G 52% Best Practice
Review disk usage before software upgrades or large packet capture operations.
74. Display Network Sockets
Purpose
Shows active network connections.
Syntax
ss -tunap Typical Information
- TCP sessions
- UDP listeners
- Process ownership
- Listening ports
Operational Value
This command is particularly useful when validating management access or identifying unexpected listening services.
75. Review System Logs
Purpose
Displays Linux system logs.
Syntax
journalctl -xe When to Use
- Service failures
- Boot issues
- Process crashes
- Hardware-related events
Expert Recommendation
Combine journalctl, top, and tcpdump during complex troubleshooting to correlate system events with network behavior and application performance.
Real-World Troubleshooting Examples
Experienced firewall administrators rarely rely on a single command to diagnose production issues. Instead, they follow structured workflows that progressively narrow the root cause. The following examples illustrate practical command sequences commonly used in enterprise environments.
Scenario 1: Remote User Cannot Connect to VPN
Objective: Determine whether the problem is related to reachability, authentication, or IPsec negotiation.
Recommended Workflow
- Confirm the VPN peer or client can reach the firewall using
ping. - Review active Remote Access VPN sessions with:
show vpn-sessiondb anyconnect - Verify IKE Security Associations:
show crypto ikev2 sa - Check IPsec Security Associations:
show crypto ipsec sa - Review recent VPN-related log messages:
show logging - Capture packets on the outside interface if negotiation still fails.
Expected Outcome
This sequence quickly determines whether the issue lies with network reachability, authentication, policy mismatch, encryption negotiation, or packet forwarding.
Scenario 2: Users Report Internet Connectivity Issues
Objective: Identify whether the failure is caused by interfaces, routing, NAT, or firewall policy.
Recommended Workflow
| Step | Command | Purpose |
|---|---|---|
| 1 | show interfaces | Verify interface status |
| 2 | show route | Validate routing table |
| 3 | show arp | Confirm gateway resolution |
| 4 | show xlate | Verify NAT translations |
| 5 | show conn | Check active sessions |
| 6 | show logging | Review denied or failed connections |
| 7 | capture CAP-IN interface ... | Observe live traffic |
Following this structured approach reduces unnecessary troubleshooting and helps isolate the exact stage where traffic stops.
Scenario 3: Firewall Performance Degradation
Objective: Determine whether resource exhaustion is affecting packet processing.
Recommended Workflow
- Check CPU utilization.
show cpu usage - Review memory usage.
show memory - Verify running processes.
show processes - Enter Expert Mode.
expert - Monitor processes.
top - Review Linux logs.
journalctl -xe - Verify disk utilization.
df -h Operational Recommendation
Compare current performance metrics against historical baselines. Sudden increases in CPU or memory consumption often coincide with traffic spikes, policy changes, software defects, or unusually intensive intrusion inspection.
Cisco ASA vs Cisco FTD CLI
Many experienced firewall administrators transition from Cisco ASA to Cisco FTD and quickly notice that the CLI experience has changed significantly. While ASA relies heavily on CLI-based configuration, FTD emphasizes centralized policy management through Cisco Secure Firewall Management Center (FMC) or Firewall Device Manager (FDM), using the CLI primarily for monitoring, diagnostics, and troubleshooting.
The following comparison highlights the operational differences.
| Feature | Cisco ASA | Cisco FTD |
|---|---|---|
| Primary Management | CLI / ASDM | FMC / FDM |
| CLI Configuration | Extensive | Limited |
| Troubleshooting CLI | Excellent | Excellent |
| Intrusion Prevention | Separate FirePOWER Module | Native Snort Integration |
| Centralized Management | Limited | Native FMC |
| REST API Support | Available | Extensive |
| Security Intelligence | Limited | Native |
| URL Filtering | Add-on | Native |
| Malware Protection | Separate Module | Native Integration |
| Automation | Moderate | Excellent |
CLI Philosophy
Cisco ASA was designed around command-line administration. Almost every configuration task—including interfaces, NAT, VPNs, ACLs, routing, and failover—could be performed directly from the CLI.
Cisco FTD follows a different operational model:
- Policies are created in FMC or FDM.
- The CLI focuses on monitoring and diagnostics.
- Snort inspection is tightly integrated.
- REST APIs support enterprise automation.
- Centralized management simplifies large-scale deployments.
For organizations managing dozens or hundreds of firewalls, this architecture improves consistency, auditability, and operational efficiency.
Automation with Cisco FTD CLI
Modern enterprise networks increasingly rely on automation to reduce configuration drift, accelerate deployments, and improve operational consistency. Cisco FTD supports multiple automation methods that integrate with NetDevOps workflows.
REST API
The Cisco Secure Firewall REST API enables programmatic interaction with managed devices and FMC.
Common automation tasks include:
- Retrieving inventory information
- Deploying access policies
- Managing objects
- Updating NAT rules
- Creating VPN configurations
- Generating compliance reports
- Collecting health statistics
Ansible
Ansible provides agentless automation using SSH and APIs.
Typical enterprise use cases include:
- Firewall provisioning
- Policy deployment
- Backup automation
- Software upgrades
- Compliance validation
- Configuration consistency checks
Example Workflow
- Authenticate with FMC.
- Retrieve existing objects.
- Update security policies.
- Deploy changes.
- Validate deployment.
- Generate audit reports.
Python
Python remains one of the most widely adopted languages for network automation.
Common libraries include:
- requests
- netmiko
- paramiko
- urllib3
- pandas
- json
Typical automation tasks:
- Health monitoring
- Inventory collection
- Daily reporting
- Configuration validation
- API integration
- Change auditing
Infrastructure as Code (IaC)
Cisco Secure Firewall integrates well with Infrastructure as Code practices.
Recommended tools include:
| Tool | Purpose |
|---|---|
| Ansible | Configuration automation |
| Terraform | Infrastructure provisioning |
| Git | Version control |
| Jenkins | CI/CD pipelines |
| GitHub Actions | Automated workflows |
| Python | Custom automation |
| REST API | Integration platform |
Combining Git-based version control with automated deployment pipelines enables repeatable, auditable, and scalable firewall operations.
Best Practices
Managing Cisco FTD in production requires more than memorizing commands. Experienced administrators follow disciplined operational practices that improve stability, security, and troubleshooting efficiency.
Operational Best Practices
- Use FMC or FDM for policy configuration whenever possible.
- Reserve CLI access for monitoring and diagnostics.
- Restrict Expert Mode access to senior administrators.
- Implement Role-Based Access Control (RBAC).
- Enable Multi-Factor Authentication (MFA) for administrative access.
- Synchronize all devices with reliable NTP servers.
- Forward logs to a centralized SIEM.
- Establish performance baselines for CPU, memory, and session counts.
- Test software upgrades in a lab environment before production deployment.
- Regularly validate High Availability synchronization.
- Back up configurations before major changes.
- Keep Snort rules and security intelligence feeds up to date.
- Review unused firewall rules and remove obsolete objects.
- Document change windows and maintain rollback procedures.
Common Mistakes
Even experienced engineers can encounter avoidable issues when working with Cisco FTD.
1. Relying Exclusively on the GUI
The graphical interface provides excellent visibility, but many operational details are only available through the CLI.
2. Ignoring System Health
High CPU or memory utilization often appears long before users notice application issues.
3. Forgetting Routing Validation
Administrators sometimes focus exclusively on firewall policies while overlooking incorrect routing.
4. Leaving Packet Captures Running
Long-running captures consume resources and may affect performance on busy appliances.
5. Skipping Baseline Measurements
Without historical performance data, identifying abnormal behavior becomes significantly more difficult.
6. Excessive Expert Mode Changes
Direct modifications within the Linux operating system are generally unsupported unless explicitly recommended by Cisco documentation or TAC.
7. Inadequate Logging
Insufficient log retention limits forensic investigations and compliance reporting.
Frequently Asked Questions
Can Cisco FTD be fully configured from the CLI?
No. Most security policies, NAT rules, access control policies, and advanced configurations are managed through Cisco Secure Firewall Management Center (FMC) or Firewall Device Manager (FDM). The CLI is primarily intended for monitoring, diagnostics, and troubleshooting.
What is the difference between Operational CLI and Expert Mode?
Operational CLI provides firewall-specific monitoring and diagnostic commands. Expert Mode grants access to the underlying Linux operating system for advanced troubleshooting.
Is Diagnostic CLI safe to use?
Yes, when used for monitoring and diagnostics. However, administrators should avoid making unsupported changes that could affect system stability.
Which command is most useful during troubleshooting?
There is no single “best” command. A structured workflow typically combines commands such as:
show interfacesshow routeshow connshow xlateshow logging- Packet capture commands
Can Cisco FTD replace Cisco ASA?
Yes. Cisco Secure Firewall Threat Defense is Cisco’s strategic next-generation firewall platform and provides integrated intrusion prevention, advanced malware protection, URL filtering, Security Intelligence, and centralized management.
Does Cisco FTD support automation?
Yes. Cisco FTD supports REST APIs, Ansible, Python, Infrastructure as Code workflows, and integration with DevSecOps and NetDevOps pipelines.
How often should system health be monitored?
Mission-critical firewalls should be continuously monitored using centralized monitoring platforms and SIEM solutions. Health baselines should also be reviewed during routine maintenance.
Is Expert Mode required for everyday administration?
No. Most operational tasks can be completed using the standard Operational CLI. Expert Mode should be reserved for advanced diagnostics and troubleshooting.
Conclusion
Cisco Secure Firewall Threat Defense combines enterprise-grade security capabilities with a powerful command-line environment that remains indispensable for experienced firewall administrators. Although day-to-day policy management is performed through FMC or FDM, the CLI provides unmatched visibility into system health, routing, VPNs, NAT, High Availability, packet processing, and operating system diagnostics.
The 75 commands covered in this guide represent the core toolkit used by network and security engineers during deployment, maintenance, and incident response. More importantly, understanding when and why to use each command is far more valuable than memorizing syntax alone. By organizing commands into logical operational categories and following structured troubleshooting workflows, administrators can diagnose issues more efficiently, reduce downtime, and maintain resilient firewall environments.
As Cisco Secure Firewall continues to evolve, combining CLI expertise with automation through REST APIs, Python, Ansible, and Infrastructure as Code will become an increasingly important skill set. Organizations that adopt these practices benefit from improved consistency, faster deployments, stronger compliance, and more reliable operations.
Whether you are preparing for CCNP Security or CCIE Security certifications, supporting enterprise networks, or managing large-scale security infrastructures, mastering the Cisco FTD CLI will remain an essential competency for modern firewall administration.

