Summary: Commonly used FTD CLI commands across system health, interfaces, routing, NAT, connections, VPN, packet tracer, and captures, with notes on which CLI mode each command requires.
FTD exposes three distinct CLI contexts. Most operational commands run in the standard FTD CLI; some require dropping into diagnostic or expert mode.
| Mode | How to Enter | Prompt | Purpose |
|---|---|---|---|
| FTD CLI | SSH to the management IP, or console | `>` | Standard operational and show commands |
| Diagnostic CLI | `system support diagnostic-cli` from the FTD CLI | `firepower>` (user EXEC); type `enable` and press Enter at the empty password prompt for `firepower#` | ASA-style CLI: debug commands, show failover |
| Expert (Linux shell) | `expert` from the FTD CLI | `admin@firepower:~$` | Direct Linux access, log files, process management |
⚠️ Diagnostic CLI Exit
Type exit to return to the FTD CLI from diagnostic mode (on older releases the escape sequence Ctrl-a, d does the same). Configuration is owned by FMC: anything changed from the diagnostic CLI is not persistent, is not reflected in the managed policy, and is lost at the next deployment.
| Command | Notes |
|---|---|
| show version | Software version, model, uptime |
| show managers | FMC registration status and IP |
| show disk | Disk usage across partitions |
| show memory | Memory utilisation |
| show cpu | CPU usage by process |
| show blocks | Memory block usage, useful when investigating drops |
| show high-availability info | HA state, peer IP, last failover reason |
| Command | Notes |
|---|---|
| show interface | Full interface stats including errors and drops |
| show interface ip brief | Quick summary of interfaces, IPs, and state |
| show route | IPv4 routing table |
| show route ipv6 | IPv6 routing table |
| show ospf neighbor | OSPF adjacency state |
| show bgp summary | BGP peer summary and prefix counts |
| Command | Notes |
|---|---|
| show conn | Active connection table |
| show conn count | Total connection count |
| show conn address <ip> | Connections matching a specific IP |
| show nat | NAT rules in policy order with translate/untranslate hit counts |
| show nat detail | Same, with object members expanded to addresses; use show nat pool for PAT pool utilisation |
| show xlate | Active NAT translations |
| show access-list | ACL hit counts across all rules |
| show access-list <name> | Hit counts for a specific ACL |
| Command | Notes |
|---|---|
| show crypto ikev1 sa | IKEv1 phase 1 SA status |
| show crypto ikev2 sa | IKEv2 SA status |
| show crypto ipsec sa | IPsec phase 2 SA status, including encaps/decaps counters |
| show crypto ipsec sa peer <ip> | SA for a specific peer |
| show vpn-sessiondb | All active RA VPN sessions |
| show vpn-sessiondb anyconnect | AnyConnect sessions only |
| show vpn-sessiondb summary | Session count summary by type |
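The encaps/decaps counters in show crypto ipsec sa are the quickest way to tell a one-way tunnel from a dead one: encaps climbing with decaps stuck at zero means we encrypt toward the peer but nothing comes back (mirror-image crypto ACL, return route or NAT exemption on the far side), while zero on both sides means no interesting traffic has hit the SA. The script below is an added example, not part of the original page; it reads pasted show crypto ipsec sa output and prints one health line per peer. The sample output it parses is constructed for illustration and the peer addresses are documentation ranges.

```shell
#!/bin/sh
# Added example: classify each IPsec SA from `show crypto ipsec sa` output.
# SAMPLE_SA below is a constructed, abbreviated transcript (not from a real device).
SAMPLE_SA='interface: outside
    Crypto map tag: CSM_outside_map, seq num: 1, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
      current_peer: 198.51.100.2

      #pkts encaps: 1520, #pkts encrypt: 1520, #pkts digest: 1520
      #pkts decaps: 1498, #pkts decrypt: 1498, #pkts verify: 1498
      #send errors: 0, #recv errors: 0

    Crypto map tag: CSM_outside_map, seq num: 2, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.0.0/255.255.255.0/0/0)
      current_peer: 198.51.100.7

      #pkts encaps: 230, #pkts encrypt: 230, #pkts digest: 230
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 3

    Crypto map tag: CSM_outside_map, seq num: 3, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.3.0.0/255.255.255.0/0/0)
      current_peer: 198.51.100.9

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
'

# Read `show crypto ipsec sa` text on stdin; emit one line per SA:
#   peer=<ip> encaps=<n> decaps=<n> status=<verdict>
# The "#send errors" line is the last counter line per SA in this layout,
# so it is used as the trigger to report that SA.
ipsec_sa_health() {
  awk '
    function num(f) { sub(/,$/, "", f); return f + 0 }   # "1520," -> 1520
    function report() {
      if (enc == 0 && dec == 0)  status = "idle"
      else if (dec == 0)         status = "one-way: encaps only"
      else if (enc == 0)         status = "one-way: decaps only"
      else                       status = "bidirectional"
      if (serr > 0 || rerr > 0)  status = status "; errors send=" serr " recv=" rerr
      printf "peer=%s encaps=%d decaps=%d status=%s\n", peer, enc, dec, status
    }
    /current_peer:/  { peer = $2; sub(/,$/, "", peer) }
    /#pkts encaps:/  { enc = num($3) }
    /#pkts decaps:/  { dec = num($3) }
    /#send errors:/  { serr = num($3); rerr = num($6); report() }
  '
}

# Stand-alone demo over the constructed sample.
printf '%s\n' "$SAMPLE_SA" | ipsec_sa_health
```

Counters are cumulative for the life of the SA, so take two snapshots a minute apart (or clear with clear crypto ipsec sa counters) before concluding a tunnel is idle rather than simply old; a tunnel reported as one-way with recv errors is worth a debug crypto ipsec session scoped to that peer.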
Simulates a packet through the FTD policy stack and shows which rules allow or drop it.

```
packet-tracer input <ingress-interface> <protocol> <src-ip> <src-port> <dst-ip> <dst-port> detailed
```

Examples:

```
packet-tracer input outside tcp 203.0.113.10 1234 10.0.0.5 443 detailed
packet-tracer input inside icmp 192.168.1.10 8 0 8.8.8.8 detailed
```

The full keyword is detailed (the CLI accepts detail as an abbreviation). For ICMP the two values after the source address are the ICMP type and code (8 0 is an echo request), not a source port. With detailed, the output lists every phase (capture, prefilter, access control, NAT, route lookup, Snort verdict, and so on) with its own Result, and the final Action is allow or drop; a drop ends with a Drop-reason naming the reason and, for ACL drops, the rule-id of the access control rule that matched. One caveat: if a connection matching the same 5-tuple already exists in the conn table, the trace reports "found existing flow" and skips the policy phases, so clear that connection first (or pick a different source port) when you need a fresh policy evaluation.
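A detailed trace is long, and the part you usually need is the final Action, the first phase that said DROP, and the access control rule-id that made the decision (the remark lines in the ACCESS-LIST phase carry the FMC rule name). The script below is an added example, not part of the original page; it condenses a pasted packet-tracer transcript to one line. Both transcripts it parses are constructed for illustration and the rule-ids and rule names in them are made up.

```shell
#!/bin/sh
# Added example: summarise a `packet-tracer ... detailed` transcript.
# Both samples are constructed and abbreviated; they are not real device output.
SAMPLE_PT_DROP='Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.0.5 using egress ifc inside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced deny ip any any rule-id 268434432 event-log flow-start
access-list CSM_FW_ACL_ remark rule-id 268434432: ACCESS POLICY: Example-Policy - Default
access-list CSM_FW_ACL_ remark rule-id 268434432: L4 RULE: DEFAULT ACTION RULE
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
'

SAMPLE_PT_ALLOW='Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit tcp any host 10.0.0.5 eq https rule-id 268434440
access-list CSM_FW_ACL_ remark rule-id 268434440: L4 RULE: Allow-HTTPS-to-Web
Additional Information:

Result:
input-interface: outside
output-interface: inside
Action: allow
'

# Read a trace on stdin; print:
#   action=<allow|drop> first_drop=<TYPE (phase N)|-> rule_id=<id|-> rule=<L4 rule name|-> reason=<Drop-reason|->
# rule_id/rule come from the last ACCESS-LIST phase that carried a rule-id
# (the implicit MAC ACL phase has none, so it never overwrites them).
pt_summary() {
  awk '
    function dflt(v, d) { return v == "" ? d : v }
    /^Phase:/        { phase = $2; in_acl = 0 }
    /^Type:/         { type = $2; if (type == "ACCESS-LIST") in_acl = 1 }
    /^Result: DROP/  { if (first == "") first = type " (phase " phase ")" }
    in_acl && /rule-id [0-9]+/ { match($0, /rule-id [0-9]+/); rule_id = substr($0, RSTART + 8, RLENGTH - 8) }
    in_acl && /L4 RULE: /      { sub(/.*L4 RULE: /, ""); rule_name = $0 }
    /^Action:/       { action = $2 }
    /^Drop-reason:/  { sub(/^Drop-reason: /, ""); reason = $0 }
    END {
      printf "action=%s first_drop=%s rule_id=%s rule=%s reason=%s\n",
        dflt(action, "-"), dflt(first, "-"), dflt(rule_id, "-"), dflt(rule_name, "-"), dflt(reason, "-")
    }
  '
}

# Stand-alone demo over both constructed samples.
printf '%s\n' "$SAMPLE_PT_DROP"  | pt_summary
printf '%s\n' "$SAMPLE_PT_ALLOW" | pt_summary
```

The rule-id is the number FMC uses in connection events and in the access control policy, so it is the fastest way to map a packet-tracer verdict back to the rule to fix; a first_drop in a phase other than ACCESS-LIST (for example NAT or ROUTE-LOOKUP) tells you the problem is not the access policy at all.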
```
capture <name> interface <interface> match <filter>
```

Common examples:

```
capture OUTSIDE_CAP interface outside match ip host 203.0.113.10 any
capture INSIDE_CAP interface inside match tcp any host 10.0.0.5 eq 443
```
| Command | Notes |
|---|---|
| show capture | List all active captures |
| show capture <name> | Display captured packets |
| show capture <name> detail | Detailed per-packet output |
| no capture <name> | Stop and delete a capture |
| capture <name> interface <int> buffer <bytes> | Set buffer size. The default is 512 KB (524288 bytes) and the maximum 32 MB; the capture stops when the buffer fills unless circular-buffer is also set |

Captures can be exported from the CLI with copy /pcap capture:<name> <url> (for example to a TFTP or SCP target), or downloaded from FMC: Devices > Device Management > device > Troubleshoot > Packet Capture.
Enter with system support diagnostic-cli from the FTD CLI. Provides an ASA-style EXEC prompt; type enable and press Enter at the empty password prompt for privileged EXEC.

| Command | Notes |
|---|---|
| show failover | HA state, role, peer status, failover history |
| show failover history | Log of previous failover events |
| debug crypto ikev2 protocol 255 | IKEv2 negotiation debug (debug crypto ikev2 platform 255 adds the platform side); disable immediately after capture with undebug all |
| debug crypto ipsec 255 | IPsec debug |
| debug conn | Connection establishment debugging |
| show debug | List the debugs currently enabled |
| undebug all | Disable all active debugs |
⚠️ Debug Commands
Debug output can be extremely verbose and impact device performance. Scope crypto debugs to a single tunnel first with debug crypto condition peer <ip>, always disable with undebug all as soon as the required output is captured, and avoid running debugs on production devices under load.
Enter with expert from the FTD CLI. Provides a Linux bash shell.

```
sudo su -
```

Elevate to root for full access; pmtool and the FTD log directories require it.

| Command / Path | Notes |
|---|---|
| pmtool status | Status of all FTD processes (Snort, lina, etc.) |
| pmtool restartservice snort | Restart the Snort process, which causes a brief inspection gap; verify the exact subcommand syntax for your FTD version before use |
| tail -f /var/log/messages | Live system log |
| /ngfw/var/log/ | FTD-specific log directory |
| df -h | Disk usage (human-readable) |
| top | Live CPU and memory by process |