Friday, July 3, 2020

Cisco ASA Firewall Verify Command

I had an incident wherein an image was successfully transferred to a Cisco device but the file size was slightly different. You can use the ASA verify command in order to check the integrity of an image file and ensure it wasn't corrupted during the file transfer.


To view the ASA MD5 or SHA-512 hash published on Cisco's website, hover over the file name (a hyperlink) and click the clipboard icon. Below is the complete SHA-512 hash, which should match the CCO Hash in the output of the verify command.

8b77f39037e74bbcd396d78faf4f337c998bd7a8143ed599a48194597ffb064b70f2fb068be757109d80f2b3dcbc53ce9e2a944328ac95e8a4af9f4aa3e98e64

ciscoasa# dir

Directory of disk0:/

<SNIP>

159    -rwx  111919104    14:54:42 Jun 13 2019  asa992-52-smp-k8.bin

14 file(s) total size: 676519403 bytes
8238202880 bytes total (4337901568 bytes free/52% free)


The ASA verify command will perform a SHA-512 hash calculation by default.

ciscoasa# verify ?

  /md5      Compute an MD5 signature for a file
  /sha-512  Compute a SHA-512 signature for a file
  disk0:    File to be verified
  disk1:    File to be verified
  flash:    File to be verified

ciscoasa# verify disk0:/asa992-52-smp-k8.bin
Verifying file integrity of disk0:/asa992-52-smp-k8.bin
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Done!
Embedded Hash SHA-512: 5c5c0b42f5d6dc467aee47df48fdc21ab64a47be2e8098c6579b0287094feed3d609849b423f1748432f5a0173934f395bd741fbd2a1464cc796e482b91300c9
Computed Hash SHA-512: 5c5c0b42f5d6dc467aee47df48fdc21ab64a47be2e8098c6579b0287094feed3d609849b423f1748432f5a0173934f395bd741fbd2a1464cc796e482b91300c9
CCO Hash      SHA-512:
8b77f39037e74bbcd396d78faf4f337c998bd7a8143ed599a48194597ffb064b70f2fb068be757109d80f2b3dcbc53ce9e2a944328ac95e8a4af9f4aa3e98e64
Signature Verified
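
The same comparison can be scripted off the device. This Python sketch is an added example, not part of the original post or any Cisco tooling: it hashes a local copy of the image and checks captured verify output against the published hash. The function names are hypothetical; the hash values and output layout are the ones shown above.

```python
import hashlib
import re

# Hash values copied from the post: PUBLISHED is the SHA-512 from Cisco's
# download page, EMBEDDED is the value the ASA printed for the image.
PUBLISHED = "8b77f39037e74bbcd396d78faf4f337c998bd7a8143ed599a48194597ffb064b70f2fb068be757109d80f2b3dcbc53ce9e2a944328ac95e8a4af9f4aa3e98e64"
EMBEDDED = "5c5c0b42f5d6dc467aee47df48fdc21ab64a47be2e8098c6579b0287094feed3d609849b423f1748432f5a0173934f395bd741fbd2a1464cc796e482b91300c9"

# The post's verify output rebuilt as sample input (progress line omitted).
SAMPLE_OUTPUT = f"""Verifying file integrity of disk0:/asa992-52-smp-k8.bin
Done!
Embedded Hash SHA-512: {EMBEDDED}
Computed Hash SHA-512: {EMBEDDED}
CCO Hash      SHA-512:
{PUBLISHED}
Signature Verified
"""

# \s* after the colon also matches a hash that wraps onto the next line.
HASH_RE = re.compile(r"^(Embedded|Computed|CCO) Hash\s+SHA-512:\s*([0-9a-f]{128})\b", re.I | re.M)


def sha512_file(path, chunk=1 << 20):
    """SHA-512 of a local copy of the image, read in chunks (1 MiB default)."""
    digest = hashlib.sha512()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def check_verify_output(output, published):
    """Return a list of problems found in captured verify output."""
    found = {name.lower(): value.lower() for name, value in HASH_RE.findall(output)}
    problems = [f"missing {n} hash" for n in ("embedded", "computed", "cco") if n not in found]
    if not problems:
        if found["embedded"] != found["computed"]:
            problems.append("computed hash differs from embedded hash")
        if found["cco"] != published.strip().lower():
            problems.append("CCO hash differs from published hash")
    if not re.search(r"^Signature Verified\s*$", output, re.M):
        problems.append("no 'Signature Verified' line")
    return problems


if __name__ == "__main__":
    print(check_verify_output(SAMPLE_OUTPUT, PUBLISHED) or "image checks out")
```

Running sha512_file on the downloaded image before the transfer and comparing the result with the published hash catches a bad download before it reaches the firewall.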