Normally you are not allowed to go to configure mode via CLI of a Cisco FTD which is managed by FMC. But following commands will enable a backdoor access to do that. Here is an example configuration adding to increase the mac address aging time which is not even supported by FMC Flex Configs currently.
Go to the LINA mode and get the serial number
> system support diagnostic-cli
Firepower> enable
Firepower# show version
Enter to FTD expert mode and gain sudo su access
> expert
$ sudo su
#
Enter command below command. Where "XXXXXXXX" is the serial number you found from "show version". Replace XXXXXXXX with the collected serial number from step 1.
# echo -n "1111222233334444XXXXXXXX" | md5sum > /mnt/disk0/enable_configure
Go back to LINA and enter "debug menu file-system 7" command
> system support-diagnostic-cli
Firepower> enable
Firepower# debug menu file-system 7
Now you are able to go to Configure mode just like in a regular ASA.
I am just changing the mac-address aging timer
configure terminal
mac-address-table aging-time 720
exit
wr
Go back to expert mode and run the following command:
> expert
$ sudo su
# rm /mnt/disk0/enable_configure
Notes
This is a temporary fix to a problem where this will be flushed once a new policy deployed from FMC.
Use this for troubleshooting purposes only.
