With the FTDs being managed by FMC, everything is now configured via the GUI. There is no longer the option of configuring via the CLI as on the ASAs. You can still access the CLI, but Cisco does not officially support configuration using the CLI. Obviously, there are pros and cons to this. You no longer need to remember syntax and which command does what. You just need to know how to navigate the GUI menus within FMC. With the move to GUI-only management, some control functions are lost. Also, when migrating from an ASA to FTD you lose some commands that were once available in the ASA. This is where FlexConfig comes in.
What is FlexConfig?
FlexConfig basically takes commands that were once available in the ASA, converts them and applies them to the FTD. Realizing the limitations of FTD code, Cisco even included pre-configured FlexConfig templates that can be duplicated and modified for use. Cisco also included predefined FlexConfig Text objects that are referenced by the FlexConfig Objects.
- Knowledge of the ASA or FTD CLI
- Understand what the command is used for and how it affects the system.
Blacklisted CLI Commands
Not all ASA commands are supported. Below is the list of commands that are not supported.
To access FlexConfig:
Go to Objects > Object Management, then select FlexConfig
Look through the predefined FlexConfig objects and see if one meets the requirement. Since the predefined objects cannot be modified, make a copy of the FlexConfig object and edit the contents of the copy.
Example FlexConfig Policy
In this example, we will create a FlexConfig Policy to adjust the TCP MSS for connections through the FTD.
- Make a copy of the Sysopt_Basic FlexConfig Object and modify it.
The FlexConfig Object is modified and renamed.
- Next click the validate icon to validate the syntax and save the changes.
Go to Devices > FlexConfig
- Create a new policy, assign it to an FTD and save.
Select the user-defined policy and assign it to the Append FlexConfig section.
- Preview the configuration. Look in the Append section of the configuration.
Save the policy and deploy to the selected FTD.
Verify the configuration from the FMC using Advanced Troubleshooting and Threat Defense CLI.
- You can also SSH to the FTD CLI and verify that the FlexConfig Policy was applied.
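The verification step above can be scripted once the CLI output has been captured. The following is an added example, not part of the original post or Cisco's tooling: it parses the text of `show running-config all sysopt` and compares the `sysopt connection tcpmss` value against the one you intended to deploy. The sample outputs and the value 1360 are constructed for illustration, and the function names are hypothetical.

```python
import re

# Matches "sysopt connection tcpmss 1360" and "sysopt connection tcpmss minimum 48"
_TCPMSS = re.compile(r"^\s*sysopt connection tcpmss(?: (minimum))? (\d+)\s*$")

# ASA/LINA default maximum segment size when no explicit tcpmss line is present
DEFAULT_MSS = 1380

# Constructed sample output: FlexConfig policy deployed with an example value of 1360
SAMPLE_APPLIED = """\
no sysopt connection timewait
sysopt connection tcpmss 1360
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
"""

# Constructed sample output: policy not deployed, so no explicit tcpmss line
SAMPLE_NOT_APPLIED = """\
no sysopt connection timewait
sysopt connection permit-vpn
"""

def parse_tcpmss(cli_output):
    """Return the maximum and minimum MSS settings found in the CLI text."""
    result = {"maximum": DEFAULT_MSS, "minimum": None}
    for line in cli_output.splitlines():
        match = _TCPMSS.match(line)
        if match:
            key = "minimum" if match.group(1) else "maximum"
            result[key] = int(match.group(2))
    return result

def check_tcpmss(cli_output, expected):
    """Return a list of findings; an empty list means the value matches."""
    findings = []
    cfg = parse_tcpmss(cli_output)
    if cfg["maximum"] != expected:
        findings.append(f"tcpmss is {cfg['maximum']}, expected {expected}")
    if cfg["maximum"] == 0:
        findings.append("tcpmss 0 disables the MSS limit")
    return findings

if __name__ == "__main__":
    for name, text in (("applied", SAMPLE_APPLIED), ("not applied", SAMPLE_NOT_APPLIED)):
        print(name, check_tcpmss(text, 1360) or "OK")
```

A missing `tcpmss` line is treated as the default rather than as a match, so a deployment that silently did not apply is reported instead of passing.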
So that's how you set up FlexConfig. As always, if you have any questions on FTD FlexConfig and would like to schedule a free consultation with us, please reach out to us at firstname.lastname@example.org and we’ll be happy to help!
Rick Wong, Network Engineer