Skip to main content
emete_FTNT
Staff
emete_FTNT
Staff
December 4, 2025

Troubleshooting Tip: Recommended steps to follow in case FortiWeb is compromised

  • December 4, 2025
  • 0 replies
  • 632 views
Description

This article outlines the recommended steps to be executed when a FortiWeb appliance is suspected or confirmed to have been compromised due to a vulnerability or post-exploit persistence mechanism. It covers the actions required to contain the incident, assess the compromise, restore trust in the device, and securely rebuild its configuration. The guidance reflects the assumption that malicious actors may have gained access to, altered, or persistently embedded themselves into the device’s configuration or file system.
Scope All FortiWeb VM & Hardware Devices
Solution

The recommended mitigation steps for compromised FortiWeb VM and hardware devices are listed below:

  1. Isolate the device to prevent active exploitation.
  2. Back up the configuration (System -> Maintenance -> Backup & Restore, CLI config) and log files, including event logs and debug files (System -> Maintenance -> Debug). First, enable the 'Debug' option from the  System -> Config -> Feature Visibility menu if it is not already enabled.
  3. If Threat Analytics is enabled, disable it before proceeding. 

 

config system global

    set threat-analytics disable

end

 

  1. Take a snapshot of the VM before shutting it down. Deploy a fresh VM with the same version of the configuration backup file available.
  2. Follow the Clean Install procedure for the hardware models.
  3. Before restoring the configuration, review it to ensure no attacker modifications, such as malicious admin accounts or policies, are in place. Restore only from a known clean backup config.
  4. Restore configuration (System -> Maintenance -> Backup & Restore) and then upgrade immediately to the latest patch of the active branch. If applicable, check recommendations for the vulnerabilities on FortiGuard PSIRT Advisories.
  5. Hardening after the upgrade:
  • Verify all users. Remove any unauthorized accounts.
  • Reset all admin passwords, and also reset all configured passwords used in backup/restore and other locations.
  • If a User/PKI User is configured, delete and renew the certificates.
  • If any User/Remote Server is configured (such as LDAP, RADIUS, TACACS, or reCAPTCHA), reset the associated passwords and also delete and renew the certificates.
  • Remove all SSH keys, and renew them if any were configured under the 'config system admin'.
  • Enable Trusted Hosts for all admin accounts (limit access by management IPs).
  • Reapply the valid license (ensure at least a 90 minutes gap if reusing the same license).
  • Do not use the Fortinet factory default certificate and renew any SSL certificates that may have been exposed.
      Terms & ConditionsAccessibility statement