The vCNS(vShield) practical CLI use is limited from a configuration perspective, but you may need to interact with these from time to time.  Troubleshooting /debugging sessions/log purging come to mind.

The options for getting the job done:

1.  Interact with the vCNS Manager virtual machine console in vCenter (not great for debugging, or reading the long exception output)

2.  SSH (ssh server is enabled from the console: vsm> enable, vsm# ssh start)

Expect works well with the vtysh pseudo-terminal used for the vCNS Manager console.   I tried and failed (due to errors interacting with the terminal).   If you manage multiple vCNS environments, it makes sense to wrap the interactions into these expect scripts.  Here’s a small example expect script to change the CLI password from the default.

#!/usr/bin/expect -f
# Synop: SSH to vCNS Appliance console. Auth. Enter priv mode. Auth Enter global config. Change the 
# default password.
# SSH <vsm#ip> # enable [enter] # default [enter] # config t [enter]
# cli password %passwword> [enter] # end [enter] # wr mem
#
spawn ssh admin@1.2.3.4
expect "password: "
send "default\r"
expect ">"
send "en\r"
expect "Password: "
send "default\r"
expect "#"
send "config t\r"
expect "#"
send "cli password mYn3wp@ssw0rd\r"
expect "#"
send "\r"
send "exit\r"

If your operational policy is to update your password every few months; you will find yourself revisiting a script like this.  For passing commands to multiple vCNS Managers, you can extend the script to spawn connections based on a list (outside the scope of this post).

@gabe_rosas