failover exec mate <command>

[ # ]

fw ctl arp

[ # ]

cpstat fw -f policy       !! Similar to 'fw stat' but with more information

Notes:

  • This provides connection counts, the current policy name, the last policy install time, and interface-based statistics (accepted packets, drops, etc.)

[ # ]

The following command lets you view CPU statistics, memory usage, hard drive usage, throughput, etc. in real time on a firewall or management server

This command was added in R77. Older versions do not have this ability.

cpview

To start the cpviewd process:

cpwd_admin start -name CPVIEWD -path "$FWDIR/bin/cpviewd" -command "cpviewd"

To stop the cpviewd process:

cpwd_admin stop -name CPVIEWD

[ # ]

cpstat mg

[ # ]

cpca_client lscert -stat <Pending|Valid|Revoked|Expired|Renewed> -kind <SIC|IKE|User|LDAP>

!! Example to view valid SIC certs:
cpca_client lscert -stat Valid -kind SIC

[ # ]

!! On Primary Firewall
interface <int>        !! configure each interface with standby ip
ip address <ip> <netmask> standby <standby-ip>

interface <failover-int>
description LAN Failover Interface
no shutdown
exit
failover
failover lan unit primary
failover lan interface failover <failover-int>
failover interface ip failover <failover-int-ip> 255.255.255.0 standby <failover-int-standby-ip>

!! On Secondary Firewall
failover
failover lan unit secondary
failover lan interface failover <failover-int>
failover interface ip failover <failover-int-ip> 255.255.255.0 standby <failover-int-standby-ip>

[ # ]

  1. Launch ASDM from a privilege 15 account
  2. Go to Configuration > Device Management > Users/AAA > AAA Access > Authorization
  3. Click the button "Set ASDM Defined Roles"
  4. Select "Yes" to have ASDM configure the necessary Priv 3 and Priv 5 permissions
  5. Select "Apply" to set the configuration on the firewall

[ # ]

icmp permit host <ping from IP> <interface>
icmp permit <network ip> <netmask> <interface>

[ # ]

arp permit-nonconnected

Notes:

  • This is not recommended by Cisco due to security concerns
  • This is disabled by default as of version 8.4(5). Prior to that release, the firewall may ARP for NAT IPs that are not directly connected.

[ # ]