Cybersecurity Forum


whatz
New Contributor II

How to find all FortiGates that truly need a disk scan?

When a FortiGate reboots "unexpectedly" (aka power failure), its disk system might be flagged as needing a disk scan when you log in the next time to the GUI or CLI. This kind of situation also triggers a system event that FortiAnalyzer can catch and report on. However, FortiAnalyzer only catches the event it collects; it does not collect that a hard drive might have had a disk scan performed and therefore no longer requires a disk scan. Since FortiOS 6.2 there is a feature that can be turned on in the FortiGates that if they detect a drive that needs a scan then they should auto scan the drive and reboot (Run a File System Check automatically (fortinet.com)).

What I am looking for is a way to get a real-life report on all FortiGates that "require a disk scan" and run FortiOS 6.0 (or older) OR FortiOS 6.2 (and higher) with the "auto file system check" disabled. How can this be accomplished?

Thanks.
1 REPLY
rowan_kaag
New Contributor II

As you've figured, FortiOS logs an Event Log-entry to notify administrators what happened (alongside the GUI notification). The Event Log-entry is listed under ID 0100020212, and includes Message "Unsafe reboot may have caused inconsistency in disk drive. Please run execute disk scan [digits]" and Log Description "Disk scan is needed". This log is repeated every 24 hours until the issue is resolved. Our MSSP service has an Event Handler set up for this Log ID (amongst others) that creates a ticket on our part to resolve.

AFAIK, there is no way of requesting any Power Failure flag-status via the API. There is an API endpoint to set the FSCK flag, but that's not what you're looking for: /api/v2/monitor/system/fsck/start.
MSSP Security Engineer
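Added example, not part of the thread or Fortinet's own code: a report that uses the 24-hour repeat of log ID 0100020212 described in the reply to infer which devices still need a disk scan, which have stopped raising the event, and which have gone silent. The key=value field names (`date`, `time`, `devname`, `logid`), the device names, the second log ID and the 2-hour slack are assumptions; the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

DISK_SCAN_LOGID = "0100020212"        # log ID quoted in the reply above
REPEAT_WINDOW = timedelta(hours=26)   # 24 h repeat interval plus an assumed 2 h slack

# Constructed sample export; field names assumed to follow a key=value layout.
SAMPLE_LOGS = '''\
date=2024-03-01 time=02:10:00 devname="fgt-branch-a" logid="0100020212" logdesc="Disk scan is needed"
date=2024-03-02 time=02:10:00 devname="fgt-branch-a" logid="0100020212" logdesc="Disk scan is needed"
date=2024-03-03 time=02:10:00 devname="fgt-branch-a" logid="0100020212" logdesc="Disk scan is needed"
date=2024-03-01 time=05:00:00 devname="fgt-branch-b" logid="0100020212" logdesc="Disk scan is needed"
date=2024-03-03 time=09:00:00 devname="fgt-branch-b" logid="0100099999" logdesc="other event (constructed)"
date=2024-03-01 time=07:30:00 devname="fgt-branch-c" logid="0100020212" logdesc="Disk scan is needed"
'''

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def disk_scan_status(log_text, now):
    """Classify each flagged device as 'needs_scan', 'cleared' or 'unknown' at `now`."""
    last_flag, last_seen = {}, {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not {"date", "time", "devname", "logid"} <= rec.keys():
            continue  # skip lines that lack the fields this report relies on
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        dev = rec["devname"]
        last_seen[dev] = max(ts, last_seen.get(dev, ts))
        if rec["logid"] == DISK_SCAN_LOGID:
            last_flag[dev] = max(ts, last_flag.get(dev, ts))
    status = {}
    for dev, flagged in last_flag.items():
        if now - flagged <= REPEAT_WINDOW:
            status[dev] = "needs_scan"   # event is still repeating
        elif now - last_seen[dev] <= REPEAT_WINDOW:
            status[dev] = "cleared"      # device still logging, event has stopped
        else:
            status[dev] = "unknown"      # device silent, state cannot be inferred
    return status

if __name__ == "__main__":
    print(disk_scan_status(SAMPLE_LOGS, datetime(2024, 3, 3, 12, 0, 0)))
```

The "cleared" result is an inference from the event no longer repeating, so a device reported as "unknown" should be checked directly before it is dropped from the list.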