Cisco – How to view/backup the ‘ASA’ config from a Firepower device

Tags: cisco, cisco-asa, cisco-firepower

We have some Cisco Firepower firewalls which we administer, and generally in the past for ASAs we would review the config files locally on our machine, simply because it's easier than viewing them via a console connection.

However, if you export the config from the Firepower device itself via the web GUI, you get an XML dump which, while useful in some ways, doesn't give any real information about the ACL rule base that's in use.

How can we get access to the ACL in a form that's similar to that exported from an ASA?

Best Answer

NOTE: it seems that while this config was up to date when I wrote this answer, it hasn't since been updated.

It took me a while to figure this out, as the ASA mode (accessed via system support diagnostic-cli) doesn't give you any way to copy (via tftp, scp etc.), which you'd normally use to make this kind of backup of the config.

Instead of the diagnostic-cli, go into expert mode > expert - hitting enter if you've not set a password.

This drops you into a Linux-like shell (it appears to be busybox):

admin@FIREPOWER01:~$

From here, you can call scp via ssh along with the path we find the config files stored at (busybox has find built in!).

admin@FIREPOWER01:~$ sudo scp /opt/cisco/csp/applications/cisco-ftd.6.2.3.83__ftd_001_*/app_data/disk0/startup-config user@scp-host:

This will copy the startup-config from the virtual ASA in your Firepower device to the scp host of your choice!
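
The path in the answer pins one release directory (cisco-ftd.6.2.3.83), and the answer's own note says it has not been updated since. As an added example (not part of the original answer), the script below uses find, which the answer notes is available, to locate the file without naming the version, then copies it under a dated name. It assumes the app_data/disk0/startup-config layout is unchanged and that sha256sum is present in expert mode; FTD_APP_ROOT, BACKUP_DEST and backup.sh are names made up here.

```shell
#!/bin/sh
# Added example: back up the FTD startup-config without pinning a version.
# Assumption: the directory layout matches the path shown in the answer.
FTD_APP_ROOT="${FTD_APP_ROOT:-/opt/cisco/csp/applications}"

# Print the most recently modified */app_data/disk0/startup-config under $1.
# Returns non-zero if none is found. Paths are assumed to contain no spaces.
find_startup_config() {
    root="$1"
    newest=""
    for f in $(find "$root" -type f -name startup-config 2>/dev/null); do
        case "$f" in
            */app_data/disk0/startup-config) ;;   # the location from the answer
            *) continue ;;                        # ignore stray copies elsewhere
        esac
        if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then
            newest="$f"
        fi
    done
    [ -n "$newest" ] && printf '%s\n' "$newest"
}

# Copy the config to an scp destination (e.g. user@scp-host:) under a dated
# name, printing its SHA-256 first so the copy can be checked on arrival.
backup_startup_config() {
    dest="$1"
    cfg=$(find_startup_config "$FTD_APP_ROOT") || {
        echo "no startup-config found under $FTD_APP_ROOT" >&2
        return 1
    }
    name="$(hostname)-startup-config-$(date +%Y%m%d)"
    sha256sum "$cfg" | awk '{print $1}'
    scp "$cfg" "${dest}${name}"
}

# Runs only when a destination is supplied, for example:
#   sudo env BACKUP_DEST=user@scp-host: sh backup.sh
if [ -n "${BACKUP_DEST:-}" ]; then
    backup_startup_config "$BACKUP_DEST"
fi
```

Comparing the printed hash with `sha256sum` of the file on the scp host confirms the copy arrived intact before it is used for a rule-base review.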