Sunday, January 9, 2022

A Backdoor Access to Cisco FTD LINA Configure Mode from CLI

Normally you are not allowed to enter configure mode from the CLI of a Cisco FTD that is managed by FMC. The following commands enable a backdoor that allows it. The example below uses that access to increase the MAC address aging time, a setting that FMC FlexConfig does not currently support.

Go to the LINA mode and get the serial number

> system support diagnostic-cli
Firepower> enable
Firepower# show version

Enter FTD expert mode and gain root access with sudo su

> expert
$ sudo su
#

Enter the command below, replacing "XXXXXXXX" with the serial number collected from "show version" in step 1.

# echo -n "1111222233334444XXXXXXXX" | md5sum > /mnt/disk0/enable_configure

Go back to LINA and enter the "debug menu file-system 7" command

> system support diagnostic-cli
Firepower> enable
Firepower# debug menu file-system 7

Now you are able to go to Configure mode just like in a regular ASA.

I am just changing the mac-address aging timer 

configure terminal
mac-address-table aging-time 720
exit
wr

Go back to expert mode and run the following command:

> expert
$ sudo su
# rm /mnt/disk0/enable_configure

Notes
This is a temporary fix: the change is flushed as soon as a new policy is deployed from FMC.
Use this for troubleshooting purposes only.
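Because the procedure above leaves a token file on the appliance until step 5 removes it, an administrator auditing an FTD can check for it. The script below is an added example, not part of the original post or a Cisco tool: it reports whether a file at the path from the post is present and whether its content matches the documented md5 scheme for a given serial number (the serial value in the demo is a constructed placeholder).

```shell
#!/bin/sh
# Added audit example (not from the original post): check whether the
# enable_configure token described above is present and, if so, whether
# it matches the md5 of the documented prefix plus the chassis serial.
# On a live appliance run from expert mode as root against
# /mnt/disk0/enable_configure; the path is a parameter so the check can
# also be exercised offline against a copied or constructed file.

# Usage: audit_enable_configure <path-to-enable_configure> <chassis-serial>
# Prints one of: absent | matches | present-unknown
audit_enable_configure() {
    token_file=$1
    serial=$2

    if [ ! -f "$token_file" ]; then
        echo absent
        return 0
    fi

    # The documented command stores the whole md5sum output ("<hash>  -"),
    # so compare only the first field (the 32 hex digit hash) of each side.
    expected=$(printf '%s' "1111222233334444${serial}" | md5sum | cut -d' ' -f1)
    actual=$(cut -d' ' -f1 < "$token_file")

    if [ "$actual" = "$expected" ]; then
        echo matches          # token present and built for this serial
    else
        echo present-unknown  # some file exists but is not that token
    fi
}

# Stand-alone demonstration against constructed files in a temp directory.
demo() {
    tmp=$(mktemp -d)
    serial="JAD00000000"   # constructed sample serial, not a real device
    audit_enable_configure "$tmp/enable_configure" "$serial"   # absent
    printf '%s' "1111222233334444${serial}" | md5sum > "$tmp/enable_configure"
    audit_enable_configure "$tmp/enable_configure" "$serial"   # matches
    echo "not-a-token" > "$tmp/enable_configure"
    audit_enable_configure "$tmp/enable_configure" "$serial"   # present-unknown
    rm -rf "$tmp"
}

demo
```

A result of "matches" or "present-unknown" after troubleshooting is finished means the cleanup step (rm /mnt/disk0/enable_configure) was skipped.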

1 comment:

  1. Is the configure terminal command available in Version 7.0.1?
    Showing configure terminal
    ^
    ERROR: % Invalid input detected at '^' marker.