Cisco FIREPOWER command cheat sheet v1







This list of binaries, processes,configuration files and log files has been created for anyone who actually wants to have a deeper insight into the system. WARNING: Keep in mind that this list is not a complete reference and only consists of elements I found useful . Before touching any binaries and processes in production environments make sure you really know what you are doing. Descriptions for various files may not be entirely correct since many of the listed tools are not documented by Cisco in any way for customers and partners. If you spot any errors just let me know.

Would you really know the real POWER behind Cisco FIREPOWER????
Then read this carefully! 

The appliances 2100, 4100 and 9300 can run either FTD or ASA codes, but not both at the same time. Regardless if they run FTD or ASA, the underlying operating system will always be the FXOS. Through the FXOS supervisor, you can manage the FTD or ASA codes, and configuring the initial settings for the appliances themselves such as physical interfaces, application deployment, traffic distribution, clustering with other appliances so on and so forth.

The FXOS command line is totally different than the ASA or even FTD. FXOS also allows to run third party applications such as Radware DDoS which runs in KVM mode on its security modules, on the other side ASA and FTD run in native mode. However, FTD software module on ASA allows the ASA to run its original code, in addition to the FTD software at the same time, from within the ASA you can access to the FTD and install/configure it and then you can redirect the traffic internally from the ASA to the FTD and filter it against the security policies you apply on the FTD module.


Since I had to use the root shell various times for troubleshooting on firepower systems, I decided to document some of the various binaries and logfiles that are available on FMC and firepower sensors.

The following list only containts an overview of the various tools you can find on FMC and FTD shell.
In the future posts I will write articles  for various tricks and features listed here to explain what they are doing in detail and how /when to use them each one of them.



FirePOWER Management Center

  • Processes & Binaries

Path                                                                                         Description

/usr/local/sf/bin/adi                                                                 Identity Process (Active Directory/pxGRID/User Agent)

/usr/local/sf/bin/                                                          HA Daemon for FMC High Availability

/usr/local/sf/bin/CloudAgent                                                     Cloud Agent (AMP, URL Filtering, SI)

/usr/local/sf/bin/sftunnel                                                          Management SSL Tunnel

/usr/local/sf/bin/                                            Check sftunnel status

/usr/local/sf/bin/pmtool                                                            FMC Management Binary (Control Processes, Display Process Health, etc.)

/usr/local/sf/bin/                                                Check sftunnel event transfer status

/usr/local/sf/bin/                                      Manage eStreamer

/usr/local/sf/bin/                                          Manage pruning (e.g. clear event db)

/usr/local/sf/bin/                                             Manage FMC High Availability

/usr/local/sf/bin/                                      Troubleshoot FMC High Availability

/usr/local/sf/bin/                                                  Connect to Sybase Database

/usr/local/sf/bin/                                        Check IDS event rate of the last hour

/usr/local/sf/bin/eo_tool                                                            Object Management Tool of FMC application. Do not edit objects if you                                                                                                        do not know what you are doing

/usr/local/sf/bin/pigtail                                                              Tail various logfiles for troubleshooting

/usr/local/sf/bin/u2dump                                                           Dump user identity mappings into a human readable format


  • Log Files

Path                                                                                            Description

/var/log/messages                                                                       Logging for various proccesses

/usr/local/sf/cloud_download/tmp/url_db_dl.log                          Brightcloud Database Download Log

/var/log/urldb_log                                                                        Brightcloud Database Download Log

/var/log/iprep.log                                                                         Security Intelligence Feed Download Status Log

/var/log/smart_agent                                                                    Smart Licensing Agent Log

/var/log/sch.log                                                                            Call Home Log

/var/log/ntp.log                                                                            NTP Server Connections

/var/log/process_stdout.log                                                           STDOUT Output of Processes

/var/log/process_stderr.log                                                            STDERR Output of Processes

/var/log/CSMAgent.log                                                                   CSM related access logs