Technical Tip: Recommended steps to execute in case of a compromised host

This article describes the steps to take when evidence of compromised device integrity is detected on Fortinet devices.

A device may become corrupted, for example, due to power issues, abrupt shutdown, environmental anomalies, or, in some cases, due to malicious activity. In such cases, it is important to be able to restore device integrity.

This article explains what factors may lead to identifying such a scenario and how to proceed.

Since FortiOS v7.6.0, 7.4.0, v7.2.5, v7.0.12 & v6.4.13, strong device integrity checks are incorporated into the boot process. A FortiGate with these versions will not boot if integrity is compromised.

Fortinet TAC can also help verify device integrity by confirming the FortiOS capability and running filesystem integrity checks.

Note that inadvertent knowledge of device configuration entries does not constitute a compromised device; these can be resolved by configuration changes.

Under other unlikely scenarios, it may become necessary to reformat and fresh install FortiOS. The following outlines how to achieve this.

• Download firmware matching your configuration version from the Fortinet Support site and verify the firmware checksum using SHA512. See this article: Technical Tip: How to verify downloaded firmware checksum.
• Disconnect the FortiGate unit from the network.
• Format the device's flash and perform a clean install. See this article: Technical Tip: Formatting and loading FortiGate firmware image using TFTP
• After completing the TFTP firmware reload, proceed to format the disk partition. See this article: Technical Tip: Standard procedure to format a FortiGate Log Disk.
• If not already at the latest version on the branch, upgrade, being sure to follow the recommended upgrade path, or using the GUI.
• Reconnect the FortiGate unit to the network.

In the event of inadvertent or unauthorized access to the device configuration, ensure the following changes are made after upgrading to or reloading the most recent version of FortiOS:

1. Restore configuration from a known good backup, or create a clean configuration, validating the content. Beware that at this stage, any exposed information may need reconfiguring.  
2. Reset all admin, local users, and VPN users' credentials.
3. Reset RADIUS secrets and IPsec PSKs.
4. Replace certificates and revoke the potentially stolen ones.
5. Change the GUI administrative access to a non-default port.
6. Restrict logins to trusted hosts. See this document: System administrator best practices.
7. Disable administrative access to any external (Internet-facing) interface.
8. Perform administrative tasks over an out-of-band network.
9. Implement 2FA: Technical Tip: Add Two-Factor Authentication for FortiGate Administrators using FortiToken.
    

10. Change the LDAP user credentials used for FortiGate LDAP authentication.
11. Implement the recommendations in this document: Hardening.

Related article:

Technical Tip: Collect Indicators of Compromise (IoC) debugs on a FortiGate (VDOM and non-VDOM) manually