Limited FMC Shell Access
post by: Moses Frost
From the Firepower 6.3.0 Release Notes
A CLI for the FMC supports a small set of basic commands (change password, show version, reboot/restart, and so on). By default the FMC CLI is disabled, and logging into FMC using SSH accesses the Linux shell.
New/Modified Classic CLI commands: The system lockdown-sensor command has changed to system lockdown. This command now works for both devices and FMCs.
New/Modified screens: System > Configuration > Console Configuration > Enable CLI Access check box
Supported platforms: FMC, including FMCv
What does this feature mean?
This one can be fairly confusing. By default, when you log into an FMC you have access to a Linux shell. For environments that consider this to be fairly loose, you can lock down the CLI. This feature is configurable from the user interface in the FMC. Once you lock down the CLI, you are placed in a limited shell with very few options, just like on the sensors.
Is this feature backwards compatible?
No. You need to be on 6.3.0 or higher to enable this feature, and it is FMC only.
Should I change this value?
Unless you need to perform some type of advanced administrative function on the manager, I would always recommend locking down the manager CLI.
How can I configure this?
Firepower Management Center: System -> Configuration -> Console Configuration -> Enable CLI Access.
Below this is a screenshot of the new FMC Limited CLI Shell.