How to use the Threat Defense Diagnostic CLI from the Web Interface

You can execute selected threat defense diagnostic CLI commands from the management center. The ping (except ping system), traceroute, and select show commands run in the diagnostic CLI rather than the regular CLI.

If a show command returns the message "Unable to execute the command properly. Please see logs for more details", the command is not valid in the diagnostic CLI. For example, show access-list works, but this message is displayed if you enter show access-control-policy. To use non-diagnostic commands, log in to the device over SSH, outside the management center.

For more information on the threat defense CLI, see the Cisco Secure Firewall Threat Defense Command Reference.

Before you begin

  • You must be an Admin, Maintenance, or Security Analyst to use the diagnostic CLI.

  • The purpose of the diagnostic CLI is to enable the quick use of a few commands that are useful in troubleshooting a device. For access to the full range of commands, open an SSH session directly with the device.

  • In deployments using management center high availability, the diagnostic CLI is available only in the active management center.

Procedure


Step 1

Choose Devices > Threat Defense CLI.

You can also access the CLI tool through the health monitor for the device (System (system gear icon) > Health > Monitor). From there, you can select the device, click the View System and Troubleshoot Details link, click Advanced Troubleshooting, then click Threat Defense CLI on that page.

Step 2

From the Device drop-down list, choose the device on which to execute the diagnostic command.

Step 3

From the Command drop-down list, choose the command that you want to execute.

Step 4

Enter the command parameters in the Parameters field.

See the Cisco Secure Firewall Threat Defense Command Reference for the valid parameters.

For example, to execute the show access-list command, choose show from the Command drop-down list, then enter access-list in the Parameters field.

Note

Do not type the full command in the Parameters field. Type only the relevant keywords.

Step 5

Click Execute to view the command output.

If the message "Unable to execute the command properly. Please see logs for more details." is displayed, examine the parameters closely. There might be syntax errors.

This message can also mean that the command you are trying to execute is not a valid command within the context of the diagnostic CLI (which you have accessed from the device using the system support diagnostic-cli command). Log in to the device using SSH to use these commands.