Sunday, March 15, 2026

Cisco Firepower SNMP OID Bug (CSCvd33367)

We've been trying to poll our Cisco Firepower 2100 (ASA) and Cisco Secure 3100 (ASA) to monitor the device power supply, fan and temperature sensors in our NMS via SNMP. Currently, we can only monitor device CPU and memory. Cisco TAC has confirmed that there's a bug (CSCvd33367), and it seems to be an engineering bug (Severity 6/Enhancement). Cisco TAC hasn't resolved this issue in a long time (since February 2017) and there's no workaround.

We've raised this with our Cisco Account Manager to escalate it to their engineering team, hoping it gets resolved soon. Below is a snippet from the said bug:

SNMP OIDs for Disk, Fan and power supply

Description:

SNMP monitoring on the firepower is based on OIDs. Actually firepower manages basic linux OIDs, customer would like to use also those OIDs for monitoring Firepower status. Moreover, there is a more stringent need to have storage OIDs for pure ASAs which are not FMC managed to have disk monitoring in FMC.

Symptom:

The customer would like to use SNMP to monitor Fan, power supply and Raid disk status with the OIDs for those features on the FP. He would like to know if those OIDs can be included in future releases and that way he can monitor those features using OIDs.

Conditions:

Firepower does not have OIDs available for monitoring fan, power supply and Raid disk status.

Workaround: N/A

Further Problem Description: N/A


Note that its Severity is “6 Enhancement”, which means that Cisco Engineering is not looking at this behavior as a “bug” per se.  That is, from Engineering’s viewpoint, the product is working as designed and this CDETS ID represents a request to enhance the original behavior. Feature enhancements are pushed by Sales account teams into Product Marketing, which prioritizes enhancement requests back to Engineering.

Sunday, February 1, 2026

Check the FortiGate NAT Session Count Using Filters

Here's a quick way to check the FortiGate NAT session count and filter by a NAT IP pool address via the get sys session list | grep -c CLI command. This command is found in the Fortinet Tech Tip link.

FGT# get sys session list | grep -c 216.1.1.50

2096

FGT# get sys session list | grep -c 216.1.1.51

1774


You can also filter using a Policy ID. Keep in mind that grep -c counts every line containing the string anywhere, so a short number such as 106 can also match an address, port or expiry value of an unrelated session; treat the result as an approximation.

FGT# get sys session list | grep -c 106

1085

FGT# get sys session list | grep -c 137

673
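As an added illustration (not part of the post or the Fortinet tip), this Python snippet compares a grep -c style substring count against an exact match on the SOURCE-NAT column, over a constructed session list in the assumed column layout of get system session list:

```python
from collections import Counter

# Constructed sample in the column layout of FortiOS "get system session list"
# (PROTO EXPIRE SOURCE SOURCE-NAT DESTINATION DESTINATION-NAT); IPv4 only.
SAMPLE_SESSION_LIST = """\
PROTO   EXPIRE SOURCE              SOURCE-NAT          DESTINATION         DESTINATION-NAT
tcp     3599   10.10.106.5:51001   216.1.1.50:51001    93.184.216.34:443   -
tcp     3591   10.10.106.7:51002   216.1.1.50:51002    93.184.216.34:443   -
udp     179    10.10.20.9:40001    216.1.1.51:40001    1.1.1.1:53          -
tcp     60     10.10.20.9:40002    216.1.1.51:40002    216.1.1.50:22       -
tcp     3600   10.10.30.3:40003    -                   10.10.106.1:445     -
"""

COLUMNS = ("proto", "expire", "src", "snat", "dst", "dnat")


def grep_count(text, pattern):
    """What `| grep -c PATTERN` does: count lines containing the substring anywhere."""
    return sum(1 for line in text.splitlines() if pattern in line)


def parse_session_list(text):
    """Split each session row into its six columns; skip the header and short lines."""
    sessions = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(COLUMNS) or parts[0] == "PROTO":
            continue
        sessions.append(dict(zip(COLUMNS, parts)))
    return sessions


def snat_counts(sessions):
    """Sessions per SNAT pool address, matching the SOURCE-NAT field exactly (port stripped)."""
    counts = Counter()
    for s in sessions:
        if s["snat"] != "-":
            counts[s["snat"].rsplit(":", 1)[0]] += 1
    return counts


if __name__ == "__main__":
    sessions = parse_session_list(SAMPLE_SESSION_LIST)
    for ip in ("216.1.1.50", "216.1.1.51"):
        print(ip, "grep -c:", grep_count(SAMPLE_SESSION_LIST, ip), "exact:", snat_counts(sessions)[ip])
    # "106" also matches the 10.10.106.x hosts, not just a policy ID
    print("grep -c 106:", grep_count(SAMPLE_SESSION_LIST, "106"))
```

In the sample, 216.1.1.50 also appears as a destination on one session of the other pool address, so the grep count is one higher than the exact SNAT count.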

 

Saturday, January 3, 2026

FortiGate 1800F and How to Check Transceiver Serial Number

Here's a Fortinet link for the FortiGate 1800F series data sheet. The FG-1800F front chassis has 1x RJ45/USB console port, 2x GigE RJ45 out-of-band management ports (MGMT1 and MGMT2), 2x 10 GigE fiber SFP/SFP+ HA1 and HA2 ports (2x fiber SFPs are included in the box), 16x GigE RJ45 ports, 8x GE fiber SFP ports, 12x 25 GigE SFP28 / 10 GigE fiber SFP+ / GE SFP ports and 4x 100 GigE QSFP28 / 40 GigE QSFP+ ports.


The rear chassis has the serial number sticker (on the far left), redundant fans and 2x hot-swappable power supplies: PSU1 on the right and PSU2 on the left.

Here's a Fortinet link for the different types of copper and optical transceivers supported in Fortinet appliances. Third-party SFP/GBIC transceivers (such as a Cisco brand) will still work in a FortiGate SFP/SFP+ port, but it's best practice to use Fortinet brand SFPs in a FortiGate appliance for optimum performance.

Here's a Fortinet link on how to check the SFP serial number and transmit/receive optical power levels in a FortiGate firewall. Issue get system interface transceiver to view all ports, or get system interface transceiver <interface> to display the details for a specific interface, including its optical levels (Rx/Tx power). Notice port17 uses a Fortinet brand SFP while port18 uses a Cisco brand SFP.


FGT# get system interface transceiver

<intface>    Interface name.

FGT # get system interface transceiver

Interface port17 - SFP/SFP+/SFP28, 10GBASE-SR

  Vendor Name  :            FORTINET       

  Part No.     :            FTLX8574D3BCLABC

  Serial No.   :            N88B123        

Interface port18 - SFP/SFP+/SFP28, 10GBASE-SR

  Vendor Name  :            CISCO-FINISAR  

  Part No.     :            FTLX8574D3DEF-CS

  Serial No.   :            FNS21510456    

Interface port19 - Transceiver is not detected.

Interface port20 - Transceiver is not detected.


<OUTPUT TRUNCATED>



FGT # get system interface transceiver port17

Interface port17 - SFP/SFP+/SFP28, 10GBASE-SR

  Diagnostics  :            Implemented

  Vendor Name  :            FORTINET        

  Part No.     :            FTLX8574D3BCLABC

  Serial No.   :            N88B123        

  Measurement  Unit         Value        High Alarm   High Warning Low Warning  Low Alarm

  ------------ ------------ ------------ ------------ ------------ ------------ ------------              

  Temperature  (Celsius)     31.8         78.0         73.0         -8.0        -13.0       

  Voltage      (Volts)       3.29         3.70         3.60         3.00         2.90       

  Tx Bias      (mA)          5.98        13.00        12.50         5.00         4.00       

  Rx Power     (dBm)        -26.8 --       0.0         -1.0        -18.0        -20.0       
  Tx Power     (dBm)         -2.3          0.0         -1.0         -5.0         -6.0       

  ++ : high alarm, + : high warning, - : low warning, -- : low alarm, ? : suspect.


You can also view the same info via the web GUI: go to Network > Interfaces, find the Transceiver(s) column and hover over a specific interface's SFP serial number to view more details. Note the Cisco brand SFP was detected by the FortiGate but with a warning: This transceiver is not certified by Fortinet. Also note that in the port17 output above the Rx Power of -26.8 dBm carries the -- (low alarm) marker because it is below the -20.0 dBm low alarm threshold, which typically means no light is being received on that port (fibre disconnected or the far end not transmitting).
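Added example, not from the post or from Fortinet: a Python parser for the measurement table above that re-derives the ++/+/-/-- markers from the thresholds (inclusive boundaries are an assumption), so the same check can run over saved CLI output from many interfaces:

```python
import re

# Sample constructed from the port17 "get system interface transceiver port17" output above.
SAMPLE_DOM = """\
Interface port17 - SFP/SFP+/SFP28, 10GBASE-SR
  Measurement  Unit         Value        High Alarm   High Warning Low Warning  Low Alarm
  ------------ ------------ ------------ ------------ ------------ ------------ ------------
  Temperature  (Celsius)     31.8         78.0         73.0         -8.0        -13.0
  Voltage      (Volts)       3.29         3.70         3.60         3.00         2.90
  Tx Bias      (mA)          5.98        13.00        12.50         5.00         4.00
  Rx Power     (dBm)        -26.8 --       0.0         -1.0        -18.0        -20.0
  Tx Power     (dBm)         -2.3          0.0         -1.0         -5.0         -6.0
  ++ : high alarm, + : high warning, - : low warning, -- : low alarm, ? : suspect.
"""

NUM = r"(-?\d+(?:\.\d+)?)"
# Row = name, (unit), value, the optional marker FortiOS prints after the value, then four thresholds.
ROW_RE = re.compile(
    r"^\s*([A-Za-z][A-Za-z ]*?)\s+\(([^)]+)\)\s+" + NUM
    + r"(?:\s+(\+\+|\+|--|-|\?)(?=\s))?"
    + r"\s+" + NUM + r"\s+" + NUM + r"\s+" + NUM + r"\s+" + NUM + r"\s*$"
)


def compute_flag(value, high_alarm, high_warn, low_warn, low_alarm):
    """Re-derive the status marker from the thresholds (assumed inclusive boundaries)."""
    if value >= high_alarm:
        return "++"
    if value >= high_warn:
        return "+"
    if value <= low_alarm:
        return "--"
    return "-" if value <= low_warn else ""


def parse_dom(text):
    """One dict per measurement row: parsed thresholds, the flag FortiOS printed, and ours."""
    rows = []
    for m in filter(None, map(ROW_RE.match, text.splitlines())):
        value, ha, hw, lw, la = (float(m.group(i)) for i in (3, 5, 6, 7, 8))
        rows.append({"name": m.group(1), "unit": m.group(2), "value": value,
                     "high_alarm": ha, "high_warn": hw, "low_warn": lw, "low_alarm": la,
                     "reported_flag": m.group(4) or "",
                     "computed_flag": compute_flag(value, ha, hw, lw, la)})
    return rows


def alarms(text):
    """Measurements outside their warning/alarm window, e.g. no light received on Rx."""
    return {r["name"]: r["computed_flag"] for r in parse_dom(text) if r["computed_flag"]}
```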



 

Friday, December 5, 2025

Configure Cisco SSH Diffie Hellman Size

Here's a Cisco link on improving the SSH protocol settings on a Cisco device. One of our Cisco switches was flagged for using a weak SSH configuration. I hardened it by enforcing SSH version 2 and a minimum Diffie-Hellman key size of 2048 bits. You can safely reconfigure the SSH settings on the fly; it won't break your current remote SSH session. In the output below, version 1.99 means the server still accepts both SSHv1 and SSHv2 clients.

Switch#show ip ssh

SSH Enabled - version 1.99   // SSH VERSION 1

Authentication methods:publickey,keyboard-interactive,password

Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc

MAC Algorithms:hmac-sha1,hmac-sha1-96

Authentication timeout: 120 secs; Authentication retries: 3

Minimum expected Diffie Hellman key size : 1024 bits

IOS Keys in SECSH format(ssh-rsa, base64 encoded):

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdoqJ5UlIngWqSE/OJ6KMdkWKnRNEhodLg9yr3oEnD

7RFvLOu1SA7+/h0lJ1bctxsIfhwuRyiGm+9pKNtQ/b6xSkt0ZA3USBxvsUBPlp5ZXcW3LbLKi3is1234

              

<OUTPUT TRUNCATED>

Switch#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Switch(config)#crypto key generate rsa general-keys modulus 2048

% You already have RSA keys defined named Switch.lab.com.

% They will be replaced.

% The key modulus size is 2048 bits

% Generating 2048 bit RSA keys, keys will be non-exportable...

[OK] (elapsed time was 10 seconds)

Switch(config)#ip ssh version 2

Switch(config)#ip ssh time-out 60

Switch(config)#ip ssh authentication-retries 3

Switch(config)#end

The DH key size is still 1024 bits. You need to configure the additional command ip ssh dh min size 2048 in order to enforce it.

Switch#sh ip ssh

SSH Enabled - version 2.0

Authentication methods:publickey,keyboard-interactive,password

Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc

MAC Algorithms:hmac-sha1,hmac-sha1-96

Authentication timeout: 60 secs; Authentication retries: 3

Minimum expected Diffie Hellman key size : 1024 bits

IOS Keys in SECSH format(ssh-rsa, base64 encoded):

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdoqJ5UlIngWqSE/OJ6KMdkWKnRNEhodLg9yr3oEnD

7RFvLOu1SA7+/h0lJ1bctxsIfhwuRyiGm+9pKNtQ/b6xSkt0ZA3USBxvsUBPlp5ZXcW3LbLKi3is1234

<OUTPUT TRUNCATED>

 

Switch#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Switch(config)#ip ssh ?

  authentication-retries  Specify number of authentication retries

  break-string            break-string

  client                  Configuration for client

  dh                      Diffie-Hellman

  dscp                    IP DSCP value for SSH traffic

  logging                 Configure logging for SSH

  maxstartups             Maximum concurrent sessions allowed

  port                    Starting (or only) Port number to listen on

  precedence              IP Precedence value for SSH traffic

  pubkey-chain            pubkey-chain

  rekey                   Configure rekey values

  rsa                     Configure RSA keypair name for SSH

  server                  Configuration for server

  source-interface        Specify interface for source address in SSH connections

  stricthostkeycheck      Enable SSH Server Authentication

  time-out                Specify SSH time-out interval

  version                 Specify protocol version to be supported

 

Switch(config)#ip ssh dh ?

  min  minimum

 

Switch(config)#ip ssh dh min ?

  size  key size

 

Switch(config)#ip ssh dh min size ?

  1024  Diffie Group 1 1024-bit key

  2048  Diffie Group 14 2048-bit key

  4096  Diffie Group 16 4096-bit key

 

Switch(config)#ip ssh dh min size 2048

Switch(config)#end

Switch#write memory

Building configuration...

Compressed configuration from 14884 bytes to 7248 bytes[OK]

 

Switch#show ip ssh

SSH Enabled - version 2.0

Authentication methods:publickey,keyboard-interactive,password

Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc

MAC Algorithms:hmac-sha1,hmac-sha1-96

Authentication timeout: 60 secs; Authentication retries: 3

Minimum expected Diffie Hellman key size : 2048 bits

IOS Keys in SECSH format(ssh-rsa, base64 encoded):

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdoqJ5UlIngWqSE/OJ6KMdkWKnRNEhodLg9yr3oEnD

7RFvLOu1SA7+/h0lJ1bctxsIfhwuRyiGm+9pKNtQ/b6xSkt0ZA3USBxvsUBPlp5ZXcW3LbLKi3is1234

<OUTPUT TRUNCATED> 
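The final output still offers the CBC ciphers and hmac-sha1-96, which scanners flag as well (on IOS images that support it, they are restricted separately with ip ssh server algorithm encryption and ip ssh server algorithm mac). The following audit script is an added example, not from the post or from Cisco; it parses show ip ssh output and reports those findings before and after the steps above:

```python
import re

# Constructed from the two "show ip ssh" outputs above: before and after the hardening steps.
BEFORE = """\
SSH Enabled - version 1.99
Authentication methods:publickey,keyboard-interactive,password
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
"""
AFTER = BEFORE.replace("version 1.99", "version 2.0").replace("1024 bits", "2048 bits")

WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}


def parse_show_ip_ssh(text):
    """Pull the version, algorithm lists and DH minimum out of IOS 'show ip ssh' output."""
    info = {"version": None, "ciphers": [], "macs": [], "dh_min_bits": None}
    for line in text.splitlines():
        if m := re.match(r"SSH Enabled - version (\S+)", line):
            info["version"] = m.group(1)
        elif line.startswith("Encryption Algorithms:"):
            info["ciphers"] = line.split(":", 1)[1].split(",")
        elif line.startswith("MAC Algorithms:"):
            info["macs"] = line.split(":", 1)[1].split(",")
        elif m := re.search(r"Diffie Hellman key size : (\d+) bits", line):
            info["dh_min_bits"] = int(m.group(1))
    return info


def audit(info):
    """Return one finding per weakness a scanner would typically report on this output."""
    findings = []
    if info["version"] != "2.0":  # 1.99 means the server still negotiates SSHv1 with old clients
        findings.append(f"version {info['version']}: SSHv1 still accepted, set 'ip ssh version 2'")
    if (info["dh_min_bits"] or 0) < 2048:
        findings.append(f"DH minimum {info['dh_min_bits']} bits: set 'ip ssh dh min size 2048'")
    cbc = [c for c in info["ciphers"] if c.endswith("-cbc")]
    if cbc:
        findings.append("CBC ciphers offered: " + ",".join(cbc))
    macs = [m for m in info["macs"] if m in WEAK_MACS]
    if macs:
        findings.append("weak MACs offered: " + ",".join(macs))
    return findings


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(parse_show_ip_ssh(text)))
```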

  

Friday, October 3, 2025

Configure SSH Key in Cisco Nexus Switch

Here's a Cisco link on how to properly configure SSH in a Cisco Nexus switch. The Nexus switch uses a default 1024-bit SSH RSA key. The correct way to configure a stronger SSH key in a Cisco Nexus switch is the ssh key rsa 2048 command. However, you can only do this on a new Nexus switch.

To reconfigure a new SSH key on an existing switch, you'll need to disable the SSH feature first. If you're doing this remotely or without console access, it's advisable to enable Telnet temporarily for remote access; since Telnet is unencrypted, do it from a trusted management network and disable it again as soon as SSH is back, as shown below.

Nexus# configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Nexus(config)# feature telnet

Open a new Telnet session to the Nexus switch, then disable SSH, generate a new RSA key, re-enable SSH and disable Telnet.

Nexus# configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Nexus(config)# no feature ssh

XML interface to system may become unavailable since ssh is disabled

Nexus(config)# no ssh key

Nexus(config)# ssh key rsa 2048 force

generating rsa key(2048 bits).....

..

generated rsa key

Nexus(config)# feature ssh

Nexus(config)# no feature telnet

Couldn't disable telnet: Current user is logged in though telnet  // OPEN A NEW SSH SESSION

Open a new SSH session to the Nexus switch to disable Telnet.

Nexus# configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Nexus(config)# no feature telnet

Nexus# copy run start

[########################################] 100%

Copy complete.

 

Nexus# show ssh server

ssh version 2 is enabled    // SSH VERSION 2 ENABLED BY DEFAULT

 

Nexus# show ssh key

**************************************

rsa Keys generated:Fri Sep 19 07:20:22 2025

 

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCfzzzzz

 

bitcount:2048

fingerprint:

b1:36:76:0f:e7:fe:79:2f:ee:e3:77:da:3c:1234:56

**************************************

could not retrieve dsa key information

bitcount: 0

**************************************

 

Saturday, September 6, 2025

Disconnect SSH Session in Cisco ASA

The Cisco ASA firewall supports up to 5 concurrent SSH logins or users. I've received a report that some users couldn't log in to the ASA and got a connection refused error.

svr01 ~]$ ssh 192.168.1.254

ssh: connect to host 192.168.1.254 port 22: Connection refused

You can use the show ssh session command to view the SSH users. Notice all five sessions are in use, so there's no available SSH session left.

ciscoasa# show ssh session

SID Client IP       Version Mode Encryption Hmac     State            Username
0   svr02           2.0     IN   aes128-ctr sha1     SessionStarted   admin1
                            OUT  aes128-ctr sha1     SessionStarted   admin1
1   svr01           1.99    IN   aes128-ctr sha1     SessionStarted   admin2
                            OUT  aes128-ctr sha1     SessionStarted   admin2
2   svr01           1.99    IN   aes128-ctr sha1     SessionStarted   admin3
                            OUT  aes128-ctr sha1     SessionStarted   admin3
3   svr01           1.99    IN   aes128-ctr sha1     SessionStarted   admin4
                            OUT  aes128-ctr sha1     SessionStarted   admin4
4   svr01           1.99    IN   aes128-ctr sha1     SessionStarted   admin5
                            OUT  aes128-ctr sha1     SessionStarted   admin5

You can manually disconnect an SSH user using the ssh disconnect <SESSION ID> privileged EXEC command. I was using SID 0 (admin1), so I can't disconnect my own SSH session.


ciscoasa# ssh ?

  disconnect  Specify SSH session id to be disconnected after this keyword

ciscoasa# ssh disconnect ?

  <0-2147483647>  SSH session id to be disconnected

ciscoasa# ssh disconnect 1

ciscoasa# ssh disconnect 2

ciscoasa# ssh disconnect 3

ciscoasa# ssh disconnect 4


ciscoasa# show ssh session

SID Client IP       Version Mode Encryption Hmac     State            Username
0   svr02           2.0     IN   aes128-ctr sha1     SessionStarted   admin1
                            OUT  aes128-ctr sha1     SessionStarted   admin1

<BLANK>

Sunday, August 3, 2025

Cisco ASA Firewall Global ACL

Refer to this link regarding the Global ACL in a Cisco ASA firewall; below are some of its caveats.

Global access policies are network policies that are applied to all the interfaces on an ASA. These policies are only applied to inbound network traffic. You can create a global access policy to ensure that a set of rules is applied uniformly to all the interfaces on an ASA.

 

Only one global access policy can be configured on an ASA. However, a global access policy can have more than one rule assigned to it, just like any other policy.


This is the order of rule-processing on the ASA:

  1. Interface access rules
  2. Bridge Virtual Interface (BVI) access rules
  3. Global access rules
  4. Implicit deny rules


ciscoasa(config)# access-list MY_GLOBAL_ACL extended permit ip any any

ciscoasa(config)# access-group MY_GLOBAL_ACL ?

configure mode commands/options:

  global  For traffic on all interfaces

  in      For input traffic

  out     For output traffic

  <cr>

ciscoasa(config)# access-group MY_GLOBAL_ACL global