Security Considerations; Limitations Of Remote Command Execution - Cisco PIX 500 Series Configuration Manual
Security appliance command line
Hide thumbs
Also See for PIX 500 Series:
- Administration manual (653 pages) ,
- Quick start manual (72 pages) ,
- User manual (60 pages)
Table of Contents
Advertisement
Chapter 14
Configuring Failover
Use the show failover exec command to display the command mode on the specified device in which
commands sent with the failover exec command are executed. The show failover exec command takes
the same keywords as the failover exec command: active, mate, or standby. The failover exec mode for
each device is tracked separately.
For example, the following is sample output from the show failover exec command entered on the
standby unit:
hostname(config)# failover exec active interface GigabitEthernet0/1
hostname(config)# sh failover exec active
Active unit Failover EXEC is at interface sub-command mode
hostname(config)# sh failover exec standby
Standby unit Failover EXEC is at config mode
hostname(config)# sh failover exec mate
Active unit Failover EXEC is at interface sub-command mode
Security Considerations
The failover exec command uses the failover link to send commands to and receive the output of the
command execution from the peer unit. You should use the failover key command to encrypt the failover
link to prevent eavesdropping or man-in-the-middle attacks.
Limitations of Remote Command Execution
•
•
•
•
•
•
•
•
OL-12172-03
If you upgrade one unit using the zero-downtime upgrade procedure and not the other, both units
must be running software that supports the failover exec command for the command to work.
Command completion and context help is not available for the commands in the cmd_string
argument.
In multiple context mode, you can only send commands to the peer context on the peer unit. To send
commands to a different context, you must first change to that context on the unit you are logged-in
to.
You cannot use the following commands with the failover exec command:
changeto
–
debug (undebug)
–
If the standby unit is in the failed state, it can still receive commands from the failover exec
command if the failure is due to a service card failure; otherwise, the remote command execution
will fail.
You cannot use the failover exec command to switch from privileged EXEC mode to global
configuration mode on the failover peer. For example, if the current unit is in privileged EXEC
mode, and you enter failover exec mate configure terminal, the show failover exec mate output
will show that the failover exec session is in global configuration mode. However, entering
configuration commands for the peer unit using failover exec will fail until you enter global
configuration mode on the current unit.
You cannot enter recursive failover exec commands, such as failover exec mate failover exec mate
command.
Commands that require user input or confirmation must use the /nonconfirm option.
Cisco Security Appliance Command Line Configuration Guide
Remote Command Execution
14-53
Advertisement
Table of Contents
Troubleshooting
