Cisco Defense Orchestrator

ASA Bulk Command Line Interface

About the Bulk Command Line Interface

Cisco Defense Orchestrator (CDO) offers users the ability to manage ASAs using a command-line interface (CLI). Users can send commands to a single ASA or to multiple ASAs simultaneously. The CLI feature is currently only available for use with ASA devices. This article describes sending CLI commands to multiple devices at once.  

Note: For detailed documentation on the ASA CLI, see ASA Command Line Interface Documentation.

Bulk CLI Interface

bulk_cli_tour_75_num.png

Number Description
1 Click the clock to expand or collapse the command history pane.
2 Command history. After you send a command, CDO records the command in this history pane so you can return to it, select it, and run it again.
3 Command pane. Enter your commands at the prompt in this pane. 
4 Response pane. CDO displays the ASAs' response to your command as well as CDO messages. If the response was the same for more than one ASA, the response pane displays the message "Showing Responses for X devices." Click X devices and CDO displays all the devices that returned the same response to the command.

Note: CDO displays the Done! message in two circumstances:

  • After a command has executed successfully without errors. 
  • When the command has no results to return. For example, you may issue a show command with a regular expression searching for a certain configuration entry. If there is no configuration entry that meets the criteria of the regular expression, CDO returns Done!.
5 My List tab displays the devices you chose from the Devices & Service table and allows you to include or exclude devices you want to send a command to.
6 The Execution tab, highlighted in the figure above, displays the devices that were sent the command selected in the history pane. In this example, the show run | grep user command is selected in the history pane and the Execution tab shows that it was sent to 10.82.109.160, 10.82.109.181, and 10.82.109.187.
7 Clicking the By Response tab shows you the list of responses generated by the command. Identical responses are grouped together in one row. When you select a row in the By Response tab, CDO displays the response to that command in the response pane.
8 Clicking the By Device tab displays individual responses from each device. Clicking one of the devices in the list allows you to see the response to the command from a specific ASA.

Send Commands in Bulk

  1. Open the Devices & Services page.
  2. Search and filter the device list for the ASAs you want to manage using the command line interface and select them.

Note: Make sure that the devices you choose are reachable and synced. Only the following commands are allowed when the device is not synced: show, ping, traceroute, vpn-sessiondb, changeto, and dir.

  3. Click Command Line Interface in the details pane.
  4. Enter your commands in the command pane and click Send. The command output is displayed in the response pane, the command is logged in the Change Log, and CDO records your command in the History pane in the Bulk CLI window.

Tip on entering commands

A single command can be entered on a single line or several commands can be entered sequentially on several lines and CDO executes them in order as a batch. The following example sends to the ASA a batch of commands which creates three network objects and a network object group that contains those network objects.

cli_multi_command.png

Work with Bulk Command History

After you send a bulk CLI command, CDO records that command in the history pane on the Bulk CLI page. You can rerun the commands saved in the history pane or use the commands as a template. The commands in the history pane are associated with the original devices on which they were run. 

  1. On the Devices & Services page, select the devices you want to configure.
  2. Click Command Line Interface.
  3. Select the command in the History pane that you want to modify or resend. Note that the command you pick is associated with specific devices and not necessarily the ones you chose in the first step. 
  4. Look at the My List tab to make sure the command you intend to send will be sent to the devices you expect.
  5. Edit the command in the command pane and click Send. CDO displays the results of the command in the response pane.  

Work with Bulk Command Filters

After you run a bulk CLI command, you can use the By Response filter and the By Device filter to continue to configure the ASAs.

By Response Filter

After running a bulk command, CDO populates the By Response tab with a list of responses returned by the ASAs that were sent the command. ASAs with identical responses are consolidated in a single row. Clicking a row in the By Response tab displays the response from the ASAs in the response pane. If the response pane shows a response for more than one device, it displays the message "Showing Responses for X devices." Click X devices and CDO displays all the devices that returned the same response to the command.

by_respnse_cli.png

To send a command to the list of devices associated with a command response, follow this procedure:

  1. Click the command symbol in a row in the By Response tab. 
  2. Review the command in the command pane and click Send to resend it, or click Clear to clear the command pane, enter a new command to send to the ASAs, and then click Send.
  3. Review the responses you receive from your command. 
  4. If you are confident that the running configuration file on the devices you chose reflects your change, type write memory in the command pane and click Send. This saves your running configuration to the startup configuration.

By Device Filter

After running a bulk command, CDO populates the Execution tab and the By Device tab with the list of devices that were sent the command. Clicking a row in the By Device tab displays the response from the ASA for those devices.

To run a command on that same list of devices, follow this procedure:

  1. Click the By Device tab.
  2. Click >_Execute a command on these devices.
  3. Click Clear to clear the command pane and enter a new command.
  4. In the My List pane, specify the list of devices you want to send the command to by checking or unchecking individual devices in the list.
  5. Click Send. The response to the command is displayed in the response pane. If the response pane shows a response for more than one device, it displays the message "Showing Responses for X devices." Click X devices and CDO displays all the devices that returned the same response to the command.
  6. If you are confident that the running configuration file on the devices you chose reflects your change, type write memory in the command pane and click Send.

Use Cases

Show all users in the running configuration and then delete one of the users

  1. Open the Devices & Services page.
  2. Search and filter the device list for the devices from which you want to delete the user and select them. 

Note: Make sure that the devices you choose are synced. Only the following commands are allowed when the device is not synced: show, ping, traceroute, vpn-sessiondb, changeto, and dir.

  3. Click Command Line Interface in the details pane. CDO lists the devices you chose in the My List pane. If you decide to send the command to fewer devices, uncheck devices in that list.
  4. In the command pane, enter show run | grep user and click Send. All the lines in the running configuration file that contain the string user will be displayed in the response pane. The Execution tab opens to display the devices on which the command was executed.
  5. Click the By Response tab and review the responses to determine which devices have the user that you want to delete.
  6. Click the My List tab and select the list of devices from which you want to delete the user.
  7. In the command pane, enter the no form of the user command and then click Send. For the sake of this example, you are going to delete user2:

no user user2 password reallyhardpassword privilege 10

  8. Look in the history panel for the instance of the show run | grep user command that you used to search for the user name. Select that command, look at the list of devices in the Execution list and select Send. You should see that the username has been deleted from the devices you specified.
  9. If you are satisfied that you have deleted the correct users from the running configuration and that the correct users remain in the running configuration:
    1. Select the no user user2 password reallyhardpassword privilege 10 command from the history pane.
    2. Click the By Device tab and click Execute a command on these devices.
    3. In the command pane, click Clear to clear the command pane.
    4. Enter the command write memory and click Send.
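
The verification in the last steps of this use case (the user is gone and the right users remain before write memory is sent) can also be done on saved command output. This is an added example, not part of the original article and not CDO code: it groups per-device output the way the By Response tab does and compares account lists before and after the deletion. The device addresses, password hashes and function names are constructed, and the parser assumes local accounts appear as `username <name> ...` lines in the running configuration.

```python
import re
from collections import defaultdict

# Constructed sample output of `show run | grep user` (hashes are placeholders).
IDENT = "user-identity default-domain LOCAL"
ADMIN = "username admin password EXAMPLEHASH1 encrypted privilege 15"
USER2 = "username user2 password EXAMPLEHASH2 encrypted privilege 10"
BEFORE = {
    "192.0.2.11": f"{IDENT}\n{ADMIN}\n{USER2}",
    "192.0.2.12": f"{IDENT}\n{ADMIN}\n{USER2}\n",   # differs by a trailing newline only
    "192.0.2.13": f"{IDENT}\n{ADMIN}",
}
AFTER = {
    "192.0.2.11": f"{IDENT}\n{ADMIN}",
    "192.0.2.12": f"{IDENT}\n{ADMIN}\n{USER2}",     # deletion did not take effect
    "192.0.2.13": f"{IDENT}\n{ADMIN}",
}

# grep "user" also matches non-account lines, so anchor on the username keyword.
USERNAME_RE = re.compile(r"^username\s+(\S+)\s", re.MULTILINE)

def local_users(text):
    """Account names found in one device's output."""
    return set(USERNAME_RE.findall(text))

def group_by_response(responses):
    """Consolidate devices with identical output, ignoring trailing whitespace."""
    groups = defaultdict(list)
    for device, text in responses.items():
        key = "\n".join(line.rstrip() for line in text.strip().splitlines())
        groups[key].append(device)
    return {key: sorted(devs) for key, devs in groups.items()}

def devices_with_user(responses, user):
    return sorted(d for d, text in responses.items() if user in local_users(text))

def verify_deletion(before, after, user, targets):
    """Map each target device to a problem if the change is not what was intended."""
    problems = {}
    for device in targets:
        was, now = local_users(before[device]), local_users(after[device])
        if user in now:
            problems[device] = f"{user} still present"
        elif now != was - {user}:
            problems[device] = f"other accounts changed: {sorted((was ^ now) - {user})}"
    return problems

if __name__ == "__main__":
    targets = devices_with_user(BEFORE, "user2")
    print(group_by_response(BEFORE))
    print(verify_deletion(BEFORE, AFTER, "user2", targets))
```

An empty result from `verify_deletion` is the condition under which saving the running configuration with write memory matches the intent of the final step.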

Find all SNMP configurations on selected ASAs

This procedure shows you all the SNMP configuration entries in the running configuration of the ASA. 

  1. Open the Devices & Services page.
  2. Filter and search for the devices on which you want to analyze the SNMP configuration in the running configuration and select them.

Note: Make sure that the devices you choose are synced. Only the following commands are allowed when the device is not synced: show, ping, traceroute, vpn-sessiondb, changeto, and dir.

  3. Click Command Line Interface in the details pane. The devices you chose are in the My List pane. If you decide to send the command to fewer devices, uncheck devices in the list.
  4. In the command pane, enter show run | grep snmp and click Send. All the lines in the running configuration file that contain the string snmp will be displayed in the response pane. The Execution tab opens to display the devices on which the command was executed.
  5. Review the command output in the response pane.