Cisco FTD CLI Commands: 75 Essential Commands Every Firewall Administrator Should Know (2026 Guide)

Cisco Secure Firewall FTD command-line interface displaying essential CLI commands for firewall administration, troubleshooting, VPN, routing, NAT, High Availability, monitoring, and packet capture.

Cisco Firepower Threat Defense (FTD) has become one of the most widely deployed next-generation firewall (NGFW) platforms across enterprise networks, data centers, cloud environments, and branch offices. Although Cisco Secure Firewall Management Center (FMC) provides centralized policy management through a graphical interface, experienced firewall administrators know that the Command Line Interface (CLI) remains indispensable for troubleshooting, monitoring, diagnostics, recovery, and day-to-day operational tasks.

Whether you are investigating VPN connectivity issues, validating routing tables, analyzing interface statistics, collecting packet captures, checking Snort health, monitoring system resources, or recovering from configuration problems, the Cisco FTD CLI offers direct access to critical operational information that cannot always be obtained efficiently through the GUI.

This guide brings together 75 essential Cisco FTD CLI commands organized into logical operational categories. Instead of presenting only command syntax, every section explains where each command is used, why it matters, and how experienced engineers apply it during production troubleshooting. Throughout the article, you’ll also learn the differences between Operational CLI, Diagnostic CLI, Expert Mode, and FXOS, along with best practices for working safely on production firewalls.

By the end of this guide, you will be able to:

  • Understand Cisco FTD CLI architecture.
  • Navigate between different CLI modes.
  • Monitor firewall health and performance.
  • Troubleshoot routing, VPN, NAT, and interface issues.
  • Perform packet captures from the CLI.
  • Diagnose Snort and system processes.
  • Work safely in Expert Mode.
  • Build a practical troubleshooting workflow suitable for enterprise environments.

What Is Cisco FTD CLI?

Cisco FTD CLI (Command Line Interface) is the administrative command environment used to monitor, troubleshoot, and maintain Cisco Secure Firewall devices running Firepower Threat Defense. It provides direct access to operational information, diagnostics, system health, network connectivity, and low-level Linux utilities that complement centralized management through Cisco Secure Firewall Management Center (FMC).

Unlike the Cisco Adaptive Security Appliance (ASA), where almost every configuration task is performed through the CLI, Cisco FTD is primarily policy-driven. Most security policies, NAT rules, access control policies, SSL inspection settings, and intrusion policies are configured through FMC or Cisco Firewall Device Manager (FDM). The CLI focuses on operational visibility, diagnostics, and advanced maintenance.

In production environments, firewall administrators commonly use the CLI to:

  • Verify interface status and IP addressing.
  • Check routing and ARP tables.
  • Monitor CPU, memory, and disk utilization.
  • Troubleshoot VPN tunnels.
  • Capture packets.
  • Verify active connections.
  • Review system logs.
  • Restart services.
  • Enter Linux Expert Mode when advanced diagnostics are required.

Because of these capabilities, mastering the CLI significantly reduces troubleshooting time during outages and maintenance windows.

Cisco FTD CLI Architecture

Understanding Cisco FTD begins with recognizing that it consists of multiple command environments, each designed for a different administrative purpose. Knowing when to use each mode is one of the most important operational skills for firewall engineers.

CLI Architecture Overview

CLI EnvironmentPrimary PurposeTypical Usage
Operational CLIMonitoring and diagnosticsDaily administration
Diagnostic CLIAdvanced troubleshootingPacket-level analysis
Expert ModeLinux shell accessProcess and operating system diagnostics
FXOS CLI (supported hardware)Chassis managementHardware administration

Each environment provides a different level of system access.

Operational CLI

The Operational CLI is the default interface presented after connecting through SSH or the console. It is the safest environment for routine operational tasks because it exposes monitoring and troubleshooting commands without granting unrestricted operating system access.

Administrators typically use this mode to:

  • Display system information.
  • Check interface status.
  • Review routing tables.
  • Examine VPN sessions.
  • Verify connection tables.
  • Monitor appliance health.
  • Inspect running processes.
  • Perform packet captures through supported utilities.

Most of the commands covered in this guide begin in Operational CLI.

Diagnostic CLI

Diagnostic CLI provides lower-level access for advanced troubleshooting. It includes commands inherited from the underlying networking stack and is particularly useful when investigating routing anomalies, packet forwarding behavior, interface statistics, and detailed connectivity problems.

Although many Operational CLI commands are sufficient for everyday tasks, Diagnostic CLI becomes valuable when TAC engineers or senior administrators require deeper visibility.

Typical use cases include:

  • Advanced routing verification.
  • Interface diagnostics.
  • Packet forwarding analysis.
  • Connection troubleshooting.
  • Protocol-level inspection.

Because Diagnostic CLI operates closer to the underlying system, changes should only be made by administrators who understand their implications.

Expert Mode

Expert Mode provides direct access to the underlying Linux operating system. This environment is intended for advanced troubleshooting rather than routine firewall administration.

After entering Expert Mode, administrators can use familiar Linux utilities such as:

  • top
  • htop (where available)
  • ps
  • netstat
  • ss
  • tcpdump
  • journalctl
  • df
  • du
  • systemctl

Expert Mode is especially useful when diagnosing:

  • High CPU utilization.
  • Memory exhaustion.
  • Disk usage issues.
  • Hung processes.
  • Log file analysis.
  • Packet captures.
  • Service failures.

Because Expert Mode bypasses the abstraction provided by the Operational CLI, avoid making unsupported operating system changes on production appliances.

FXOS CLI

Certain Cisco Secure Firewall appliances, particularly those built on Firepower hardware platforms, include Firepower eXtensible Operating System (FXOS). FXOS manages the hardware platform rather than the firewall software itself.

FXOS is responsible for:

ComponentFunction
Chassis managementHardware lifecycle
Power suppliesHardware monitoring
Fan modulesCooling management
SSD storageHardware health
FirmwarePlatform updates
InterfacesHardware provisioning

Administrators generally access FXOS only when performing hardware maintenance, firmware upgrades, or platform diagnostics.

How to Access Cisco FTD CLI

Before running any command, you need secure access to the firewall.

The most common access methods include:

MethodTypical Scenario
SSHRemote administration
Console cableInitial deployment
Virtual consoleVMware, Hyper-V, KVM
Cisco UCS consolePhysical appliance management

Access via SSH

Most administrators connect using SSH.

ssh admin@192.168.1.1

After successful authentication, the appliance displays the operational prompt.

Example:

>

Entering Diagnostic CLI

When deeper troubleshooting is required, enter Diagnostic CLI.

system support diagnostic-cli

This switches to the lower-level diagnostic environment without requiring direct Linux access.

Entering Expert Mode

Expert Mode is entered from the operational prompt.

expert

Example output:

admin@firepower:~$

You are now working within the Linux operating system.

Returning to Operational CLI

Exit Expert Mode using:

exit

The prompt returns to the operational CLI.

Command Syntax Basics

Before diving into the command reference, it is useful to understand the syntax conventions used throughout Cisco FTD.

Show Commands

Show commands retrieve operational information without modifying the firewall.

Examples include:

show version
show interfaces
show route

These commands are safe for production use and form the foundation of routine monitoring.

Diagnostic Commands

Diagnostic commands provide deeper visibility into packet processing and protocol behavior.

Example:

system support diagnostic-cli

From there, additional platform-specific diagnostic commands become available.

Linux Commands

Within Expert Mode, standard Linux utilities can be executed.

Example:

top
df -h
ps aux

These commands help identify operating system resource constraints that may affect firewall performance.

Privilege Considerations

Not every user account has identical privileges. Organizations commonly integrate authentication with TACACS+, RADIUS, or LDAP to enforce role-based administrative access. Additionally, centralized identity services and AAA policies help ensure accountability and compliance with frameworks such as PCI DSS, ISO/IEC 27001, and the NIST Cybersecurity Framework.

As a best practice:

  • Use least-privilege administrative accounts.
  • Restrict Expert Mode access to senior engineers.
  • Enable multi-factor authentication where supported.
  • Log administrative sessions to a centralized SIEM such as Splunk, Microsoft Sentinel, or IBM QRadar.
  • Synchronize system clocks with NTP to ensure accurate audit logs.

75 Essential Cisco FTD CLI Commands

The commands in this guide are grouped by operational function rather than alphabetically. This organization mirrors how experienced engineers troubleshoot production firewalls, allowing you to quickly locate the commands relevant to a specific issue.

The first category focuses on system information and appliance health—often the starting point for any diagnostic workflow.

System Information Commands

1. Show Software Version

Purpose

Displays the installed Cisco FTD software version, build number, and platform details.

Syntax

show version

Example

> show version Cisco Firepower Threat Defense Version 7.4.x Build 172

When to Use

  • Verify software version before upgrades.
  • Confirm compatibility with FMC.
  • Collect information for Cisco TAC cases.
  • Validate release during maintenance windows.

Expert Tip

Always include the output of show version when opening a support case. It immediately identifies the software train, patch level, and appliance model, enabling faster troubleshooting and ensuring compatibility with recommended fixes.

2. Display System Information

Purpose

Shows general appliance information, including hostname, uptime, licensing status, hardware model, and operating details.

Syntax

show inventory

Example

Hostname: Branch-FTD-01 Model: Secure Firewall 2130 Serial Number: FCHXXXXXXXX

Practical Use Case

After replacing hardware or restoring from backup, use this command to verify that the expected appliance model and serial number are present before applying production policies.

3. Check Appliance Uptime

Purpose

Verifies how long the firewall has been running since the last reboot.

Syntax

show uptime

Example

System Uptime: 164 Days 11 Hours

Why It Matters

Unexpectedly low uptime may indicate unplanned reboots, software crashes, power events, or hardware instability. Reviewing uptime is often one of the first checks during incident response.

4. Display Running Processes

Purpose

Provides visibility into active system processes and their current state.

Syntax

show processes

Example

Process Name State Snort Running Lina Running SFDataCorrelator Running

Operational Insight

If users report intermittent connectivity or inspection failures, confirming that critical processes such as Snort and Lina are running can quickly narrow the scope of investigation before deeper diagnostics are required.

5. View System Health Summary

Purpose

Displays an overall health snapshot, including CPU utilization, memory consumption, disk status, and service health.

Syntax

show health

Example

CPU Usage: 18% Memory Usage: 54% Disk Usage: 41% Health Status: Normal

Best Practice

Establish a baseline during normal operating conditions. Comparing current values against known-good metrics makes it easier to identify abnormal resource consumption caused by traffic spikes, software defects, or misconfigurations.

6. Display Running Configuration Summary

Purpose

Provides a high-level overview of the active system configuration, allowing administrators to verify operational settings without navigating through the management interface.

Syntax

show running-config

Example

> show running-config ... hostname Branch-FTD-01 management-interface Management1/1 dns server-group DefaultDNS ...

Practical Use

Although Cisco FTD relies primarily on FMC or FDM for configuration management, reviewing portions of the active configuration is useful during migration validation, disaster recovery, and post-change verification.

7. Display Device Manager Status

Purpose

Verifies whether the appliance is managed locally through Firewall Device Manager (FDM) or centrally through Cisco Secure Firewall Management Center (FMC).

Syntax

show managers

Example

Manager: 10.20.10.15 Registration Status: Completed

Why It Matters

A failed manager registration prevents policy deployment, software updates, and centralized monitoring. Consequently, this command should be part of every post-deployment validation checklist.

8. Check Licensing Status

Purpose

Displays installed licenses and subscription status.

Syntax

show license

Typical Output

Threat License : Enabled Malware License : Enabled URL Filtering : Enabled Smart Licensing : Registered

Best Practice

Review licensing after appliance replacement, software upgrades, or Smart Licensing synchronization to avoid unexpected feature limitations.

9. Verify NTP Status

Purpose

Checks Network Time Protocol synchronization.

Syntax

show ntp

Why It Is Important

Accurate timestamps are essential for:

  • SIEM correlation
  • Certificate validation
  • VPN authentication
  • Syslog analysis
  • Compliance audits

Even a small clock drift can complicate forensic investigations.

10. Display DNS Configuration

Purpose

Shows configured DNS servers and resolution status.

Syntax

show dns

Common Troubleshooting Scenario

If software updates, Cisco Talos lookups, Smart Licensing, or cloud integrations fail, DNS resolution should be verified before investigating higher-layer services.

Interface Commands

Network interfaces represent one of the most common troubleshooting areas in enterprise firewalls. Incorrect VLAN assignments, duplex mismatches, disabled interfaces, or failed link negotiation can interrupt connectivity across multiple business services.

The following commands help verify interface health quickly.

11. Display All Interfaces

Purpose

Lists every configured physical and logical interface.

Syntax

show interfaces

Example

GigabitEthernet1/1 Status: Up Protocol: Up GigabitEthernet1/2 Status: Down Protocol: Down

When to Use

  • Initial deployment
  • Interface troubleshooting
  • Maintenance validation
  • Hardware replacement

12. View Interface Details

Purpose

Displays detailed information for a specific interface.

Syntax

show interface GigabitEthernet1/1

Typical Information

  • IP address
  • MTU
  • MAC address
  • Speed
  • Duplex
  • Packet counters
  • Error counters

Expert Recommendation

Rather than only checking whether an interface is “up,” always review error counters. CRC errors, giants, runts, and collisions often indicate physical cabling or switch negotiation problems.

13. Verify Interface IP Address

Purpose

Displays configured IP addressing.

Syntax

show ip

Useful During

  • IP migration
  • Gateway verification
  • Subnet validation
  • Change control reviews

14. Display Interface Statistics

Purpose

Monitors packet transmission statistics.

Syntax

show interface statistics

Example Output

Packets Received : 12457882 Packets Sent : 11683444 Input Errors : 0 Output Errors : 0

Operational Insight

A sudden increase in packet drops or interface errors often correlates with congestion, oversubscription, or failing network hardware.

15. Verify Interface MTU

Purpose

Displays Maximum Transmission Unit values.

Syntax

show interface mtu

Common Use Case

MTU mismatches frequently cause:

  • VPN fragmentation
  • Slow applications
  • TCP retransmissions
  • Voice quality degradation

Checking MTU should therefore be part of every VPN troubleshooting workflow.

16. Display MAC Address Information

Purpose

Shows interface MAC addresses.

Syntax

show mac-address-table

Why It Helps

Administrators often verify MAC addresses during switch migrations, hardware replacements, and Layer 2 troubleshooting.

17. Verify ARP Table

Purpose

Displays Address Resolution Protocol entries.

Syntax

show arp

Example

10.10.10.1 MAC 00:50:56:AA:11:22

Best Practice

Missing ARP entries may indicate:

  • Layer 2 connectivity failures
  • Incorrect VLAN assignments
  • Duplicate IP addresses
  • Gateway communication issues

18. Monitor Interface Counters

Purpose

Displays packet counters and interface utilization.

Syntax

show interface counters

Real-World Example

Suppose users report intermittent file transfer failures. Monitoring interface counters before and during the issue can reveal bursts of packet drops that would otherwise remain unnoticed.

19. Verify Link Status

Purpose

Confirms physical link state.

Syntax

show interface status

Typical Values

Up Down Administratively Down Testing

Operational Recommendation

Always distinguish between an administrative shutdown and a physical failure before escalating an incident.

20. Display VLAN Information

Purpose

Shows VLAN assignments associated with interfaces.

Syntax

show vlan

Common Troubleshooting Scenario

Incorrect VLAN tagging remains one of the leading causes of failed firewall deployments after switch migrations.

Routing Commands

Routing verification is among the first tasks performed when investigating connectivity problems. Even perfectly configured firewall policies cannot compensate for incorrect routing decisions.

21. Display Routing Table

Purpose

Shows the active routing table.

Syntax

show route

Example

S 0.0.0.0/0 via 10.1.1.1 O 192.168.20.0/24 C 10.10.10.0/24

Why It Matters

Administrators use this command to verify:

  • Default routes
  • Static routes
  • Dynamic routing
  • Route preferences

22. Verify Static Routes

Purpose

Displays configured static routes.

Syntax

show route static

Typical Use

Review routing after WAN migrations or ISP failover testing.

23. Display Connected Routes

Purpose

Shows directly connected networks.

Syntax

show route connected

Operational Value

Connected routes verify whether interface addressing has been configured correctly.

24. Display OSPF Routes

Purpose

Shows routes learned through OSPF.

Syntax

show ospf route

Useful During

  • Adjacency troubleshooting
  • Route redistribution validation
  • Area verification

25. Verify OSPF Neighbors

Purpose

Displays neighbor relationships.

Syntax

show ospf neighbor

Expected Result

Neighbor ID State FULL

Expert Tip

If a neighbor remains in the INIT or EXSTART state, investigate MTU consistency, authentication settings, and Layer 2 connectivity.

26. Display BGP Summary

Purpose

Shows BGP peer status.

Syntax

show bgp summary

Typical Information

  • Neighbor IP
  • Remote ASN
  • Prefix count
  • Session state

Common Troubleshooting Scenario

If the state remains Active or Idle instead of Established, verify reachability, ASN configuration, authentication, and firewall policies.

27. Display BGP Routes

Purpose

Shows routes learned through Border Gateway Protocol.

Syntax

show bgp

Practical Example

Enterprise internet edge deployments often rely on this command to validate route advertisements from multiple service providers.

28. Verify ECMP Routes

Purpose

Displays Equal-Cost Multi-Path routing information.

Syntax

show route ecmp

Benefits

ECMP improves:

  • Redundancy
  • Load sharing
  • High availability

29. Verify Gateway Reachability

Purpose

Tests gateway connectivity.

Syntax

ping 10.10.10.1

Example

Success rate is 100 percent

Best Practice

Always test connectivity from the firewall itself before troubleshooting downstream hosts.

30. Perform Route Lookup

Purpose

Determines which route the firewall will use for a destination.

Syntax

show route lookup 172.16.100.10

Operational Value

This command helps explain why traffic follows a particular path when multiple routing protocols or overlapping routes exist.

NAT Commands

Network Address Translation is a frequent source of production issues. Misordered NAT rules, incorrect translation policies, or overlapping address pools can prevent applications from communicating correctly.

31. Display NAT Rules

Purpose

Shows configured NAT policies.

Syntax

show nat

Typical Use

  • Verify translation order.
  • Confirm policy deployment.
  • Review dynamic and static NAT entries.

32. Verify Active Translations

Purpose

Displays current NAT translation entries.

Syntax

show xlate

Example

Inside: 10.1.10.15 Outside: 198.51.100.15

Why It Matters

Active translations confirm that packets are matching NAT rules as expected.

33. Verify Connection Table

Purpose

Displays active sessions traversing the firewall.

Syntax

show conn

Operational Benefit

Connection tables are invaluable when determining whether traffic reaches the firewall and whether return traffic is being established successfully.

34. Display Translation Statistics

Purpose

Shows NAT utilization and translation counters.

Syntax

show nat statistics

Typical Analysis

Review translation statistics during periods of heavy internet usage to identify exhaustion of address pools or unexpected translation growth.

35. Verify PAT Operation

Purpose

Confirms Port Address Translation functionality.

Syntax

show pat

Real-World Example

Organizations using a single public IP for hundreds of users rely on PAT. Verifying translation behavior quickly identifies whether outbound internet failures are caused by address translation or another network component.

Access Control List (ACL) Commands

Access Control Policies (ACPs) in Cisco FTD are typically created and managed through Cisco Secure Firewall Management Center (FMC) or Firewall Device Manager (FDM). Nevertheless, the CLI remains invaluable for verifying policy deployment, connection behavior, hit counts, and rule matching during troubleshooting.

Rather than modifying access policies directly from the CLI, administrators use these commands to validate how the firewall is processing traffic.

36. Display Access Control Policies

Purpose

Displays the currently deployed Access Control Policy information.

Syntax

show access-control-config

Example

Policy Name : Branch-Internet-Policy Version : 127 Deployment : Successful

When to Use

  • Verify successful policy deployment.
  • Confirm the correct policy is active.
  • Troubleshoot unexpected traffic behavior.

37. Display Access Rule Statistics

Purpose

Shows hit counts for access rules.

Syntax

show access-list

Example

ACL: Branch-Users Hits: 854327

Operational Insight

Rule hit counts help identify unused rules, validate newly deployed policies, and troubleshoot unexpected traffic matches.

38. Verify Active Connections

Purpose

Displays active firewall sessions.

Syntax

show conn

Example

TCP Outside:198.51.100.10:443 Inside:10.10.20.45:51582 ESTABLISHED

Practical Use

If traffic is allowed by policy but users still experience connectivity issues, verifying whether a connection has been established provides valuable insight into the packet flow.

39. Display Connection Details

Purpose

Shows detailed information for active sessions.

Syntax

show conn detail

Typical Information

  • Source IP
  • Destination IP
  • NAT translation
  • Session duration
  • Idle timer
  • Security zone
  • Protocol

Best Practice

Use detailed session information when troubleshooting intermittent application failures or asymmetric routing.

40. Display Security Zone Information

Purpose

Verifies configured security zones associated with interfaces.

Syntax

show security-zone

Why It Matters

Incorrect zone assignments frequently lead to access policy mismatches and blocked traffic after interface migrations.

VPN Commands

Virtual Private Networks remain one of the most common operational responsibilities for firewall administrators. Cisco FTD supports Site-to-Site IPsec VPNs, Remote Access VPNs using Cisco Secure Client, and IKEv1/IKEv2 negotiations.

The following commands help verify tunnel establishment, encryption status, and peer connectivity.

41. Display VPN Summary

Purpose

Shows an overview of configured VPN tunnels.

Syntax

show vpn-sessiondb summary

Example

Site-to-Site VPN : 8 Active Remote Access VPN : 112 Active

Use Case

Quickly determine whether VPN sessions are active before investigating specific users or peers.

42. Display Site-to-Site VPN Sessions

Purpose

Lists active IPsec tunnels.

Syntax

show vpn-sessiondb l2l

Typical Output

Peer: 203.0.113.25 State: UP

Expert Tip

If a tunnel is missing from the session database, verify IKE negotiation before reviewing firewall policies.

43. Display Remote Access VPN Sessions

Purpose

Displays active Cisco Secure Client VPN users.

Syntax

show vpn-sessiondb anyconnect

Useful Information

  • Username
  • Assigned IP
  • Login time
  • Duration
  • Client version

Operational Value

This command is especially useful for validating user authentication and identifying concurrent VPN sessions.

44. Verify IKE Security Associations

Purpose

Displays active IKE Phase 1 negotiations.

Syntax

show crypto ikev2 sa

Example

IKEv2 SA: ESTABLISHED

Troubleshooting Advice

If the security association is not established, verify:

  • Peer reachability
  • Certificates
  • Pre-shared keys
  • Encryption proposals
  • Authentication settings

45. Verify IPsec Security Associations

Purpose

Displays Phase 2 tunnel information.

Syntax

show crypto ipsec sa

Key Information

  • Encrypted packets
  • Decrypted packets
  • SPI values
  • Replay counters
  • Lifetime

Practical Example

Packet counters increasing in only one direction usually indicate routing or firewall policy issues on one side of the tunnel.

46. Display Tunnel Statistics

Purpose

Shows operational statistics for VPN tunnels.

Syntax

show vpn-sessiondb detail

Useful For

  • Monitoring tunnel stability
  • Detecting packet loss
  • Identifying session resets

47. Verify Crypto Policies

Purpose

Displays configured cryptographic policies.

Syntax

show running-config crypto

Best Practice

Verify that both VPN peers support identical encryption algorithms before troubleshooting connectivity.

48. Test Peer Reachability

Purpose

Tests connectivity to a VPN peer.

Syntax

ping 203.0.113.10

Expert Recommendation

Always confirm Layer 3 connectivity before investigating IKE or IPsec negotiations.

49. Verify Tunnel Routing

Purpose

Confirms routing toward remote VPN networks.

Syntax

show route

Operational Insight

A perfectly healthy VPN tunnel cannot forward traffic if the routing table points packets toward an incorrect next hop.

50. Display Dead Peer Detection Status

Purpose

Verifies Dead Peer Detection (DPD) activity.

Syntax

show crypto ikev2 stats

Why It Matters

DPD ensures failed VPN peers are detected promptly, allowing tunnels to recover more quickly after outages.

Logging Commands

Logs provide visibility into authentication events, policy decisions, interface changes, VPN negotiations, intrusion events, and system health. Reviewing logs early in the troubleshooting process often reduces the time required to isolate a problem.

51. Display System Logs

Purpose

Shows recent system log messages.

Syntax

show logging

Example

%LINK-3-UPDOWN: Interface GigabitEthernet1/1 changed state to UP

Best Practice

Look for log messages that coincide with the reported outage rather than reviewing unrelated historical events.

52. View Log Buffer

Purpose

Displays locally buffered logs.

Syntax

show logging buffer

When to Use

  • Immediate troubleshooting
  • Short-term event review
  • Validation after configuration changes

53. Verify Syslog Configuration

Purpose

Displays configured Syslog servers.

Syntax

show running-config logging

Typical Information

  • Syslog destination
  • Transport protocol
  • Severity level
  • Source interface

Operational Recommendation

Forward logs to centralized platforms such as Splunk, Microsoft Sentinel, IBM QRadar, or other SIEM solutions to improve retention, compliance, and threat investigation capabilities.

54. Monitor Log Messages in Real Time

Purpose

Displays log messages as they are generated.

Syntax

system support diagnostic-cli

Then execute:

terminal monitor

Common Use Cases

  • Policy deployment validation
  • VPN troubleshooting
  • Interface monitoring
  • Security event analysis

55. Display Intrusion Events

Purpose

Shows intrusion detection and prevention events generated by the Snort inspection engine.

Syntax

show intrusion-events

Example

Priority: High Action: Blocked Signature: SQL Injection Attempt

Expert Insight

Intrusion events should always be analyzed alongside firewall connection logs, packet captures, and application behavior. Viewing these data sources together provides a much more accurate understanding of whether traffic was permitted, inspected, or blocked and helps distinguish genuine attacks from false positives.

Packet Capture Commands

Packet captures are among the most effective troubleshooting tools available on Cisco FTD. While logs and connection tables indicate how the firewall processes traffic, packet captures provide direct evidence of whether packets arrive at an interface, traverse inspection engines, undergo NAT translation, and exit toward their destination.

In production environments, packet captures are routinely used to diagnose intermittent connectivity, VPN issues, asymmetric routing, MTU problems, and application-specific failures.

56. Start a Packet Capture

Purpose

Creates a packet capture on a specified interface.

Syntax

capture CAP-IN interface GigabitEthernet1/1 match ip any any

Example

Capture Name : CAP-IN Interface : GigabitEthernet1/1 Status : Active

When to Use

  • Verify whether traffic reaches the firewall.
  • Troubleshoot application connectivity.
  • Investigate packet drops.
  • Validate firewall policy behavior.

Best Practice

Keep capture filters as specific as possible to reduce CPU utilization and simplify analysis.

57. Display Active Packet Captures

Purpose

Lists all currently running packet captures.

Syntax

show capture

Typical Output

Capture Name : CAP-IN Packets : 2,347 Status : Running

Operational Insight

Before creating a new capture, check for existing captures to avoid duplicate monitoring and unnecessary resource consumption.

58. View Captured Packets

Purpose

Displays captured packets directly from the CLI.

Syntax

show capture CAP-IN

Practical Use

Administrators commonly review packet headers to verify:

  • Source IP
  • Destination IP
  • Protocol
  • TCP flags
  • ICMP responses
  • Initial packet flow

For larger investigations, export the capture and analyze it using Wireshark.

59. Clear Packet Capture

Purpose

Stops and removes an existing packet capture.

Syntax

no capture CAP-IN

Why It Matters

Leaving unnecessary captures running can consume system resources, particularly on busy internet-facing firewalls.

60. Capture Packets Using Expert Mode

Purpose

Uses the Linux tcpdump utility for advanced packet analysis.

Syntax

tcpdump -i eth0

Example

tcpdump -i eth0 host 192.168.10.20

Expert Recommendation

tcpdump offers greater flexibility than standard capture commands and supports advanced filtering expressions, making it invaluable for complex troubleshooting scenarios.

Monitoring Commands

Continuous monitoring enables administrators to identify resource constraints before they affect production traffic. Cisco FTD provides multiple commands for observing CPU usage, memory utilization, disk health, session counts, and process status.

61. Display CPU Utilization

Purpose

Shows current processor usage.

Syntax

show cpu usage

Example

CPU Utilization : 18%

Operational Guidance

Sustained CPU utilization above normal operating baselines may indicate excessive inspection, unusually high traffic volumes, or resource-intensive security policies.

62. Display Memory Usage

Purpose

Shows memory consumption.

Syntax

show memory

Typical Output

Total Memory : 32 GB Used Memory : 18 GB Free Memory : 14 GB

Best Practice

Compare memory utilization against historical baselines rather than reacting to temporary spikes.

63. Verify Disk Usage

Purpose

Displays storage utilization.

Syntax

show disk

Common Use Cases

  • Log retention analysis
  • Upgrade preparation
  • Disk capacity planning

64. Display System Performance

Purpose

Provides a consolidated performance overview.

Syntax

show performance

Typical Metrics

  • CPU
  • Memory
  • Sessions
  • Throughput
  • Packet rate

Operational Value

This command offers a quick health assessment before deeper diagnostics begin.

65. Display Active Processes

Purpose

Shows currently running firewall services.

Syntax

show processes

Typical Output

Snort Lina SFDataCorrelator Database Health Monitor

Expert Tip

If expected services are absent or repeatedly restarting, investigate system logs before attempting manual intervention.

High Availability Commands

High Availability (HA) improves service continuity by maintaining synchronized firewall pairs. During troubleshooting, administrators frequently verify failover status, synchronization health, and peer communication.

66. Display High Availability Status

Purpose

Shows the current HA state.

Syntax

show failover

Example

Primary : Active Secondary : Standby Ready

Operational Importance

Confirm HA status immediately after maintenance, software upgrades, or failover testing.

67. Verify Synchronization Status

Purpose

Displays synchronization between HA peers.

Syntax

show failover state

Why It Matters

Configuration synchronization issues can leave standby appliances unable to assume production traffic during failures.

68. Display HA Interface Status

Purpose

Shows failover interface health.

Syntax

show failover interface

Typical Information

  • Link status
  • Heartbeat state
  • Interface monitoring

69. Verify HA Statistics

Purpose

Displays operational statistics related to failover.

Syntax

show failover statistics

Practical Use

Reviewing failover counters helps identify repeated failover events caused by unstable links or hardware issues.

70. Display Peer Communication Status

Purpose

Verifies communication between HA appliances.

Syntax

show failover history

Best Practice

Unexpected communication failures should prompt verification of dedicated failover interfaces, switch connectivity, and heartbeat configuration.

Expert Mode Linux Commands

Expert Mode exposes the underlying Linux operating system, allowing experienced administrators to perform advanced diagnostics using familiar Linux tools. Although powerful, these commands should be used carefully in production environments.

71. Monitor System Resources

Purpose

Displays real-time CPU and memory utilization.

Syntax

top

Operational Insight

The top utility quickly identifies processes consuming excessive resources and is often the first command used when investigating performance degradation.

72. Display Running Processes

Purpose

Lists active Linux processes.

Syntax

ps -ef

Common Use

Verify that essential services remain operational before escalating issues to Cisco TAC.

73. Display File System Usage

Purpose

Shows available disk space.

Syntax

df -h

Example

Filesystem Size Used Avail Use% /dev/sda1 64G 31G 30G 52%

Best Practice

Review disk usage before software upgrades or large packet capture operations.

74. Display Network Sockets

Purpose

Shows active network connections.

Syntax

ss -tunap

Typical Information

  • TCP sessions
  • UDP listeners
  • Process ownership
  • Listening ports

Operational Value

This command is particularly useful when validating management access or identifying unexpected listening services.

75. Review System Logs

Purpose

Displays Linux system logs.

Syntax

journalctl -xe

When to Use

  • Service failures
  • Boot issues
  • Process crashes
  • Hardware-related events

Expert Recommendation

Combine journalctl, top, and tcpdump during complex troubleshooting to correlate system events with network behavior and application performance.

Real-World Troubleshooting Examples

Experienced firewall administrators rarely rely on a single command to diagnose production issues. Instead, they follow structured workflows that progressively narrow the root cause. The following examples illustrate practical command sequences commonly used in enterprise environments.

Scenario 1: Remote User Cannot Connect to VPN

Objective: Determine whether the problem is related to reachability, authentication, or IPsec negotiation.

Recommended Workflow

  1. Confirm the VPN peer or client can reach the firewall using ping.
  2. Review active Remote Access VPN sessions with:
show vpn-sessiondb anyconnect
  1. Verify IKE Security Associations:
show crypto ikev2 sa
  1. Check IPsec Security Associations:
show crypto ipsec sa
  1. Review recent VPN-related log messages:
show logging
  1. Capture packets on the outside interface if negotiation still fails.

Expected Outcome

This sequence quickly determines whether the issue lies with network reachability, authentication, policy mismatch, encryption negotiation, or packet forwarding.

Scenario 2: Users Report Internet Connectivity Issues

Objective: Identify whether the failure is caused by interfaces, routing, NAT, or firewall policy.

Recommended Workflow

StepCommandPurpose
1show interfacesVerify interface status
2show routeValidate routing table
3show arpConfirm gateway resolution
4show xlateVerify NAT translations
5show connCheck active sessions
6show loggingReview denied or failed connections
7capture CAP-IN interface ...Observe live traffic

Following this structured approach reduces unnecessary troubleshooting and helps isolate the exact stage where traffic stops.

Scenario 3: Firewall Performance Degradation

Objective: Determine whether resource exhaustion is affecting packet processing.

Recommended Workflow

  1. Check CPU utilization.
show cpu usage
  1. Review memory usage.
show memory
  1. Verify running processes.
show processes
  1. Enter Expert Mode.
expert
  1. Monitor processes.
top
  1. Review Linux logs.
journalctl -xe
  1. Verify disk utilization.
df -h

Operational Recommendation

Compare current performance metrics against historical baselines. Sudden increases in CPU or memory consumption often coincide with traffic spikes, policy changes, software defects, or unusually intensive intrusion inspection.

Cisco ASA vs Cisco FTD CLI

Many experienced firewall administrators transition from Cisco ASA to Cisco FTD and quickly notice that the CLI experience has changed significantly. While ASA relies heavily on CLI-based configuration, FTD emphasizes centralized policy management through Cisco Secure Firewall Management Center (FMC) or Firewall Device Manager (FDM), using the CLI primarily for monitoring, diagnostics, and troubleshooting.

The following comparison highlights the operational differences.

FeatureCisco ASACisco FTD
Primary ManagementCLI / ASDMFMC / FDM
CLI ConfigurationExtensiveLimited
Troubleshooting CLIExcellentExcellent
Intrusion PreventionSeparate FirePOWER ModuleNative Snort Integration
Centralized ManagementLimitedNative FMC
REST API SupportAvailableExtensive
Security IntelligenceLimitedNative
URL FilteringAdd-onNative
Malware ProtectionSeparate ModuleNative Integration
AutomationModerateExcellent

CLI Philosophy

Cisco ASA was designed around command-line administration. Almost every configuration task—including interfaces, NAT, VPNs, ACLs, routing, and failover—could be performed directly from the CLI.

Cisco FTD follows a different operational model:

  • Policies are created in FMC or FDM.
  • The CLI focuses on monitoring and diagnostics.
  • Snort inspection is tightly integrated.
  • REST APIs support enterprise automation.
  • Centralized management simplifies large-scale deployments.

For organizations managing dozens or hundreds of firewalls, this architecture improves consistency, auditability, and operational efficiency.

Automation with Cisco FTD CLI

Modern enterprise networks increasingly rely on automation to reduce configuration drift, accelerate deployments, and improve operational consistency. Cisco FTD supports multiple automation methods that integrate with NetDevOps workflows.

REST API

The Cisco Secure Firewall REST API enables programmatic interaction with managed devices and FMC.

Common automation tasks include:

  • Retrieving inventory information
  • Deploying access policies
  • Managing objects
  • Updating NAT rules
  • Creating VPN configurations
  • Generating compliance reports
  • Collecting health statistics

Ansible

Ansible provides agentless automation using SSH and APIs.

Typical enterprise use cases include:

  • Firewall provisioning
  • Policy deployment
  • Backup automation
  • Software upgrades
  • Compliance validation
  • Configuration consistency checks

Example Workflow

  1. Authenticate with FMC.
  2. Retrieve existing objects.
  3. Update security policies.
  4. Deploy changes.
  5. Validate deployment.
  6. Generate audit reports.

Python

Python remains one of the most widely adopted languages for network automation.

Common libraries include:

  • requests
  • netmiko
  • paramiko
  • urllib3
  • pandas
  • json

Typical automation tasks:

  • Health monitoring
  • Inventory collection
  • Daily reporting
  • Configuration validation
  • API integration
  • Change auditing

Infrastructure as Code (IaC)

Cisco Secure Firewall integrates well with Infrastructure as Code practices.

Recommended tools include:

ToolPurpose
AnsibleConfiguration automation
TerraformInfrastructure provisioning
GitVersion control
JenkinsCI/CD pipelines
GitHub ActionsAutomated workflows
PythonCustom automation
REST APIIntegration platform

Combining Git-based version control with automated deployment pipelines enables repeatable, auditable, and scalable firewall operations.

Best Practices

Managing Cisco FTD in production requires more than memorizing commands. Experienced administrators follow disciplined operational practices that improve stability, security, and troubleshooting efficiency.

Operational Best Practices

  • Use FMC or FDM for policy configuration whenever possible.
  • Reserve CLI access for monitoring and diagnostics.
  • Restrict Expert Mode access to senior administrators.
  • Implement Role-Based Access Control (RBAC).
  • Enable Multi-Factor Authentication (MFA) for administrative access.
  • Synchronize all devices with reliable NTP servers.
  • Forward logs to a centralized SIEM.
  • Establish performance baselines for CPU, memory, and session counts.
  • Test software upgrades in a lab environment before production deployment.
  • Regularly validate High Availability synchronization.
  • Back up configurations before major changes.
  • Keep Snort rules and security intelligence feeds up to date.
  • Review unused firewall rules and remove obsolete objects.
  • Document change windows and maintain rollback procedures.

Common Mistakes

Even experienced engineers can encounter avoidable issues when working with Cisco FTD.

1. Relying Exclusively on the GUI

The graphical interface provides excellent visibility, but many operational details are only available through the CLI.

2. Ignoring System Health

High CPU or memory utilization often appears long before users notice application issues.

3. Forgetting Routing Validation

Administrators sometimes focus exclusively on firewall policies while overlooking incorrect routing.

4. Leaving Packet Captures Running

Long-running captures consume resources and may affect performance on busy appliances.

5. Skipping Baseline Measurements

Without historical performance data, identifying abnormal behavior becomes significantly more difficult.

6. Excessive Expert Mode Changes

Direct modifications within the Linux operating system are generally unsupported unless explicitly recommended by Cisco documentation or TAC.

7. Inadequate Logging

Insufficient log retention limits forensic investigations and compliance reporting.

Frequently Asked Questions

Can Cisco FTD be fully configured from the CLI?

No. Most security policies, NAT rules, access control policies, and advanced configurations are managed through Cisco Secure Firewall Management Center (FMC) or Firewall Device Manager (FDM). The CLI is primarily intended for monitoring, diagnostics, and troubleshooting.

What is the difference between Operational CLI and Expert Mode?

Operational CLI provides firewall-specific monitoring and diagnostic commands. Expert Mode grants access to the underlying Linux operating system for advanced troubleshooting.

Is Diagnostic CLI safe to use?

Yes, when used for monitoring and diagnostics. However, administrators should avoid making unsupported changes that could affect system stability.

Which command is most useful during troubleshooting?

There is no single “best” command. A structured workflow typically combines commands such as:

  • show interfaces
  • show route
  • show conn
  • show xlate
  • show logging
  • Packet capture commands

Can Cisco FTD replace Cisco ASA?

Yes. Cisco Secure Firewall Threat Defense is Cisco’s strategic next-generation firewall platform and provides integrated intrusion prevention, advanced malware protection, URL filtering, Security Intelligence, and centralized management.

Does Cisco FTD support automation?

Yes. Cisco FTD supports REST APIs, Ansible, Python, Infrastructure as Code workflows, and integration with DevSecOps and NetDevOps pipelines.

How often should system health be monitored?

Mission-critical firewalls should be continuously monitored using centralized monitoring platforms and SIEM solutions. Health baselines should also be reviewed during routine maintenance.

Is Expert Mode required for everyday administration?

No. Most operational tasks can be completed using the standard Operational CLI. Expert Mode should be reserved for advanced diagnostics and troubleshooting.

Conclusion

Cisco Secure Firewall Threat Defense combines enterprise-grade security capabilities with a powerful command-line environment that remains indispensable for experienced firewall administrators. Although day-to-day policy management is performed through FMC or FDM, the CLI provides unmatched visibility into system health, routing, VPNs, NAT, High Availability, packet processing, and operating system diagnostics.

The 75 commands covered in this guide represent the core toolkit used by network and security engineers during deployment, maintenance, and incident response. More importantly, understanding when and why to use each command is far more valuable than memorizing syntax alone. By organizing commands into logical operational categories and following structured troubleshooting workflows, administrators can diagnose issues more efficiently, reduce downtime, and maintain resilient firewall environments.

As Cisco Secure Firewall continues to evolve, combining CLI expertise with automation through REST APIs, Python, Ansible, and Infrastructure as Code will become an increasingly important skill set. Organizations that adopt these practices benefit from improved consistency, faster deployments, stronger compliance, and more reliable operations.

Whether you are preparing for CCNP Security or CCIE Security certifications, supporting enterprise networks, or managing large-scale security infrastructures, mastering the Cisco FTD CLI will remain an essential competency for modern firewall administration.

Picture of Martin Kelly
Martin Kelly

We hired CWNx to revamp our company website and run a few ad campaigns. The new design is sleek and professional, and the campaigns brought in a noticeable uptick in qualified leads. Communication was smooth throughout the project. I'm docking one star only because the initial timeline slipped by a few days, but the final output was absolutely worth the wait.

Leave a Reply

Your email address will not be published. Required fields are marked *