Cisco ACI Scan Requirements

The following describes scan requirements when using the Cisco ACI plugin.


The plugin requires SSH credentials for online scanning. It does not require or support any escalation method.


You must have sufficient permissions to run the show running-config all command.

Some audits may require running additional commands.

Offline Scanning

The plugin supports offline scanning of Firepower Threat Defense configurations. No permissions or credentials are required for offline scanning, but the results are not associated directly with any asset. Instead, the results display the configuration filename in the Hosts field.

To run an offline scan, upload the Cisco ACI configuration as a .txt file to the scan or policy.

To upload a file for offline scanning:

  1. Log in to an existing ACI (APIC) target (for example, via SSH).
  2. Run the following command:

    show running-config all

  3. Copy the output to a .txt file.
  4. (Optional) To analyze multiple configurations, place each file in a .zip file.
  5. In the scan or policy with the Cisco Firepower audit, upload the .txt or .zip file to ACI config file(s).
  6. Save and launch the scan or policy.
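
Because offline results are identified only by the configuration filename shown in the Hosts field, it helps to name each .txt file after the device it came from before zipping. The following is an added example, not part of the plugin or the scanner: the function names are hypothetical, and the sample captures are constructed placeholders standing in for saved show running-config all output.

```python
from __future__ import annotations

import re
import tempfile
import zipfile
from pathlib import Path

# Characters outside this set are replaced so every archive entry is a flat filename.
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")


def config_filename(host: str) -> str:
    """Map a host label to the .txt name that will appear in the Hosts field."""
    name = _UNSAFE.sub("_", host.strip()).strip("._")
    if not name:
        raise ValueError(f"unusable host label: {host!r}")
    return name + ".txt"


def bundle_configs(captures: dict[str, str], out_zip: Path) -> list[str]:
    """Write each saved capture as <host>.txt into out_zip; return the entry names."""
    owners: dict[str, str] = {}
    for host, text in captures.items():
        if not text.strip():
            # An empty file would be audited as if every setting were absent.
            raise ValueError(f"empty capture for {host!r}")
        fname = config_filename(host)
        if fname in owners:
            # Two devices sharing a filename would be indistinguishable in results.
            raise ValueError(f"{host!r} and {owners[fname]!r} both map to {fname}")
        owners[fname] = host
    with zipfile.ZipFile(out_zip, "w", zipfile.ZIP_DEFLATED) as zf:
        for fname, host in owners.items():
            zf.writestr(fname, captures[host])
    return sorted(owners)


if __name__ == "__main__":
    # Constructed placeholders; real input is the saved command output per device.
    sample = {
        "apic1.lab.example": "<output of show running-config all from apic1>\n",
        "10.0.0.5": "<output of show running-config all from 10.0.0.5>\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        print(bundle_configs(sample, Path(tmp) / "aci-configs.zip"))
```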