Here's a quick way to check the FortiGate NAT session count and filter the NAT IP pool via the get sys session list | grep -c CLI command. This command is found in the Fortinet Tech Tip link.
FGT# get sys session list | grep -c 216.1.1.50
2096
FGT# get sys session list | grep -c 216.1.1.51
1774
You can also filter using a Policy ID.
FGT# get sys session list | grep -c 106
1085
FGT# get sys session list | grep -c 137
673
Here's a Fortinet link for the FortiGate 1800F series data sheet. The FG-1800F front chassis has 1x RJ45 / USB CONSOLE port, 2x GigE RJ45 out-of-band management ports (MGMT1 and MGMT2), 2x 10 GigE fiber SFP/SFP+ HA1 and HA2 ports (2x fiber SFP are included in the box), 16x GigE RJ45 ports, 8x GE fiber SFP ports, 12x 25 SFP28 / 10 GigE fiber SFP+ / GE SFP ports, 4x 100 GigE QSFP28 / 40 GigE QSFP+ ports.
Here's a Fortinet link for the different types of copper and optical transceivers supported in a Fortinet appliance. Third party SFP/GBIC transceivers (such as a Cisco brand) would still work in a FortiGate SFP/SFP+ port. It's always best practice to use Fortinet brand SFP in a FortiGate appliance for optimum performance.
Here's a Fortinet link on how to check the SFP serial number and transmit/receive optic power level in a FortiGate firewall. You'll need to issue the get system interface transceiver to view all ports or get system interface transceiver <interface> to display the info for a specific interface including its fiber optic levels (Rx/Tx power). Notice port 17 uses a Fortinet brand SFP while port 18 uses a Cisco brand SFP.
FGT# get system interface transceiver
<intface> Interface name.
FGT # get system interface transceiver
Interface port17 - SFP/SFP+/SFP28, 10GBASE-SR
Vendor Name : FORTINET
Part No. : FTLX8574D3BCLABC
Serial No. : N88B123
Interface port18 - SFP/SFP+/SFP28, 10GBASE-SR
Vendor Name : CISCO-FINISAR
Part No. : FTLX8574D3DEF-CS
Serial No. : FNS21510456
Interface port19 -Transceiver is not detected.
Interface port20 - Transceiver is not detected.
<OUTPUT TRUNCATED>
FGT # get system interface transceiver port17
Interface port17 - SFP/SFP+/SFP28, 10GBASE-SR
Diagnostics : Implemented
Vendor Name : FORTINET
Part No. : FTLX8574D3BCLABC
Serial No. : N88B123
Measurement Unit Value High Alarm High Warning Low Warning Low Alarm
------------ ------------ ------------ ------------ ------------ ------------ ------------
Temperature (Celsius) 31.8 78.0 73.0 -8.0 -13.0
Voltage (Volts) 3.29 3.70 3.60 3.00 2.90
Tx Bias (mA) 5.98 13.00 12.50 5.00 4.00
++ : high alarm, + : high warning, - : low warning, -- : low alarm, ? : suspect.
You can also view the same info via web GUI, just go to Network > Interfaces > Transceiver(s) column > hover over a specific interface SFP serial number to view more details. Note the Cisco brand SFP was detected by the FortiGate but there's a warning: This transceiver is not certified by Fortinet.
Here's a Cisco link to improve SSH protocol in a Cisco device. One of our Cisco switch was flagged for using a weak SSH protocol. I hardened it using SSH version 2 and a Diffie Hellman key size of 2048. You can safely reconfigure SSH settings on the fly and it won't break your current remote SSH session.
Switch#show ip ssh
SSH Enabled - version 1.99 // SSH VERSION 1
Authentication methods:publickey,keyboard-interactive,password
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdoqJ5UlIngWqSE/OJ6KMdkWKnRNEhodLg9yr3oEnD
7RFvLOu1SA7+/h0lJ1bctxsIfhwuRyiGm+9pKNtQ/b6xSkt0ZA3USBxvsUBPlp5ZXcW3LbLKi3is1234
<OUTPUT TRUNCATED>
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#crypto key generate rsa general-keys modulus 2048
% You already have RSA keys defined named Switch.lab.com.
% They will be replaced.
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 10 seconds)
Switch(config)#ip ssh version 2
Switch(config)#ip ssh time-out 60
Switch(config)#ip ssh authentication-retries 3
Switch(config)#end
The DH key size is still 1024 bits. You need to configure the additional command ip ssh dh min size 2048 in order enforce it.
Switch#sh ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 60 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdoqJ5UlIngWqSE/OJ6KMdkWKnRNEhodLg9yr3oEnD
7RFvLOu1SA7+/h0lJ1bctxsIfhwuRyiGm+9pKNtQ/b6xSkt0ZA3USBxvsUBPlp5ZXcW3LbLKi3is1234
<OUTPUT TRUNCATED>
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#ip ssh ?
authentication-retries Specify number of authentication retries
break-string break-string
client Configuration for client
dh Diffie-Hellman
dscp IP DSCP value for SSH traffic
logging Configure logging for SSH
maxstartups Maximum concurrent sessions allowed
port Starting (or only) Port number to listen on
precedence IP Precedence value for SSH traffic
pubkey-chain pubkey-chain
rekey Configure rekey values
rsa Configure RSA keypair name for SSH
server Configuration for server
source-interface Specify interface for source address in SSH connections
stricthostkeycheck Enable SSH Server Authentication
time-out Specify SSH time-out interval
version Specify protocol version to be supported
Switch(config)#ip ssh dh ?
min minimum
Switch(config)#ip ssh dh min ?
size key size
Switch(config)#ip ssh dh min size ?
1024 Diffie Group 1 1024-bit key
2048 Diffie Group 14 2048-bit key
4096 Diffie Group 16 4096-bit key
Switch(config)#ip ssh dh min size 2048
Switch(config)#end
Switch#write memory
Building configuration...
Compressed configuration from 14884 bytes to 7248 bytes[OK]
Switch#show ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 60 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdoqJ5UlIngWqSE/OJ6KMdkWKnRNEhodLg9yr3oEnD
7RFvLOu1SA7+/h0lJ1bctxsIfhwuRyiGm+9pKNtQ/b6xSkt0ZA3USBxvsUBPlp5ZXcW3LbLKi3is1234
<OUTPUT TRUNCATED>
Here's a Cisco link to properly configure SSH in a Cisco Nexus switch. The Nexus switch use a default 1024 bit SSH/RSA key. The correct way to configure a stronger SSH bit level key in a Cisco Nexus switch is using the ssh key rsa 2048 command. However, you can only do this in a new Nexus switch.
To reconfigure a new SSH key, you'll need to disable SSH feature first. If you're doing this remotely or without a console access, it's advisable to enable Telnet for remote access.
Nexus# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Nexus(config)# feature telnet
Open a new Telnet session to the Nexus switch, disable SSH, generate a new RSA key, re-enable SSH and disable Telnet.
Nexus# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Nexusconfig)# no feature ssh
XML interface to system may become unavailable since ssh is disabled
Nexus(config)# no ssh key
Nexus(config)# ssh key rsa 2048 force
generating rsa key(2048 bits).....
..
generated rsa key
Nexus(config)# feature ssh
Nexus(config)# no feature telnet
Couldn't disable telnet: Current user is logged in though telnet // OPEN A NEW SSH SESSION
Open a new SSH session to the Nexus switch to disable Telnet.
Nexus# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Nexus(config)# no feature telnet
Nexus# copy run start
[########################################] 100%
Copy complete.
Nexus# show ssh server
ssh version 2 is enabled // SSH VERSION 2 ENABLED BY DEFAULT
Nexus# show ssh key
**************************************
rsa Keys generated:Fri Sep 19 07:20:22 2025
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCfzzzzz
bitcount:2048
fingerprint:
b1:36:76:0f:e7:fe:79:2f:ee:e3:77:da:3c:1234:56
**************************************
could not retrieve dsa key information
bitcount: 0
**************************************
The Cisco ASA firewall supports up to 5 concurrent SSH login or users. I've received a report that some users couldn't login to the ASA and encountered a connection refused error.
svr01 ~]$ ssh 192.168.1.254
ssh: connect to host 192.168.1.254 port 22: Connection refused
You can use the show ssh session command to view SSH users. Notice there's no available SSH session left.
ciscoasa# show ssh session
SID Client IP Version Mode Encryption Hmac State Username
0 svr02 2.0 IN aes128-ctr sha1 SessionStarted admin1
OUT aes128-ctr sha1 SessionStarted admin1
1 svr01 1.99 IN aes128-ctr sha1 SessionStarted admin2
OUT aes128-ctr sha1 SessionStarted admin2
2 svr01 1.99 IN aes128-ctr sha1 SessionStarted admin3
OUT aes128-ctr sha1 SessionStarted admin3
3 svr01 1.99 IN aes128-ctr sha1 SessionStarted admin4
OUT aes128-ctr sha1 SessionStarted admin4
4 svr01 1.99 IN aes128-ctr sha1 SessionStarted admin5
OUT aes128-ctr sha1 SessionStarted admin5
You can manually disconnect an SSH user using ssh disconnect <SESSION ID> privilege command. I was using SID 0 (admin1) so I can't disconnect my own SSH session.
ciscoasa# ssh ?
disconnect Specify SSH session id to be disconnected after this keyword
ciscoasa# ssh disconnect ?
<0-2147483647> SSH session id to be disconnected
ciscoasa# ssh disconnect 1
ciscoasa# ssh disconnect 2
ciscoasa# ssh disconnect 3
ciscoasa# ssh disconnect 4
ciscoasa# show ssh session
SID Client IP Version Mode Encryption Hmac State Username
0 svr02 2.0 IN aes128-ctr sha1 SessionStarted admin1
OUT aes128-ctr sha1 SessionStarted admin1
<BLANK>
Refer to this link regarding the Global ACL in a Cisco ASA firewall and below are some its caveats.
Global access policies are network policies that are applied to all the interfaces on an ASA. These policies are only applied to inbound network traffic. You can create a global access policy to ensure that a set of rules is applied uniformly to all the interfaces on an ASA.
Only one global access policy can be configured on an ASA. However, a global access policy can have more than one rule assigned to it, just like any other policy.
This is the order of rule-processing on the ASA:
ciscoasa(config)# access-list MY_GLOBAL_ACL extended permit ip any any
ciscoasa(config)# access-group MY_GLOBAL_ACL ?
configure mode commands/options:
global For traffic on all interfaces
in For input traffic
out For output traffic
<cr>
ciscoasa(config)# access-group MY_GLOBAL_ACL global
To factory reset a Cisco ASA firewall in Multiple context mode, you'll need to issue a "write erase" then "reload" under the "system" context. You can verify the current ASA mode using the "show mode" CLI command.
ciscoasa/admin# changeto system
ciscoasa# show mode
Security context mode: multiple
ciscoasa# write erase
Erase configuration in flash memory? [confirm]
[OK]
ciscoasa# reload
Proceed with reload? [confirm]
***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down webvpn
Shutting down sw-module
Shutting down License Controller
Shutting down File system
***
*** --- SHUTDOWN NOW ---
Process shutdown finished
Rebooting... (status 0x9)
<OUTPUT TRUNCATED>
You'll need to convert the ASA back to Single mode using the "mode single" global config command. It will auto reboot after the confirmation.
ciscoasa> enable
Password: <ENTER>
ciscoasa# show mode
Security context mode: multiple
ciscoasa# configure terminal
ciscoasa(config)# mode ?
configure mode commands/options:
multiple Multiple mode; mode with security contexts
noconfirm Do not prompt for confirmation
single Single mode; mode without security contexts
ciscoasa(config)# mode single
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Security context mode: single
ciscoasa(config)#
***
*** --- START GRACEFUL SHUTDOWN ---
***
*** Message to all terminals:
***
*** change mode
Shutting down isakmp
Shutting down sw-module
Shutting down License Controller
Shutting down File system
***
*** --- SHUTDOWN NOW ---
***
*** Message to all terminals:
***
*** change mode
Process shutdown finished
<OUTPUT TRUNCATED>
ERROR: MIGRATION - Could not get the startup configuration.
Cryptochecksum (changed): d41d8cd9 8f00b204 e9800998 ecf8427e
INFO: converting 'fixup protocol dns maximum-length 512' to MPF commands
ERROR: Inspect configuration of this type exists, first remove
that configuration and then add the new configuration
INFO: converting 'fixup protocol ftp 21' to MPF commands
INFO: converting 'fixup protocol h323_h225 1720' to MPF commands
INFO: converting 'fixup protocol h323_ras 1718-1719' to MPF commands
INFO: converting 'fixup protocol ip-options 1' to MPF commands
INFO: converting 'fixup protocol netbios 137-138' to MPF commands
INFO: converting 'fixup protocol rsh 514' to MPF commands
INFO: converting 'fixup protocol rtsp 554' to MPF commands
INFO: converting 'fixup protocol sip 5060' to MPF commands
INFO: converting 'fixup protocol skinny 2000' to MPF commands
INFO: converting 'fixup protocol smtp 25' to MPF commands
INFO: converting 'fixup protocol sqlnet 1521' to MPF commands
INFO: converting 'fixup protocol sunrpc 111' to MPF commands
INFO: converting 'fixup protocol sunrpc_udp 111' to MPF commands
INFO: converting 'fixup protocol tftp 69' to MPF commands
INFO: converting 'fixup protocol sip udp 5060' to MPF commands
INFO: converting 'fixup protocol xdmcp 177' to MPF commands
INFO: Power-On Self-Test in process.
.......................................................................
INFO: Power-On Self-Test complete.
INFO: Starting HW-DRBG health test...
INFO: HW-DRBG health test passed.
INFO: Starting SW-DRBG health test...
INFO: SW-DRBG health test passed.
Pre-configure Firewall now through interactive prompts [yes]? CXSC module is no longer supported and was prevented from booting
Consider uninstalling the unsupported CXSC module with the command ‘sw-module module cxsc uninstall'
Firewall Mode [Routed]: <CTRL+C>
User enable_1 logged in to ciscoasa
Logins over the last 1 days: 1.
Failed logins since the last login: 0.
Type help or '?' for a list of available commands.
ciscoasa> enable
Password:
ciscoasa# show mode
Security context mode: single
