FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
Ahmed_Mohamed
Article Id 328493
Description: This article describes how to remotely access protected Linux servers using FortiEDR Connect (remote shell).
Scope: FortiEDR 5.2 and above. Linux Collector 5.1.8.1047 and later.
Solution

FortiEDR Connect is a feature that opens a console which grants direct access to a protected device running FortiEDR Collector through a terminal connection.

Refer to the FortiEDR Admin Guide for further information.

[Image: FortiEDR_connect1.png]

The FortiEDR Connect window supports the following types of commands:
1. Predefined commands: To run such a command, type it (for example, %ls) with its parameters and press <Enter>. When entering a path, always enter the full path, for example /MyDirectory or /MyDirectory/MyFile.


List of predefined commands:

Command         | Parameters                                         | Description
%ls             | Folder or file path                                | Returns information about a specific file or folder
%ip             |                                                    | Returns IP information
%ip_all         |                                                    | Returns extended IP information
%download_file  | File path                                          | Downloads the file into the default browser's download folder; returns the new file's name
%upload_file    | Path to upload to, including the file name; file name | Uploads the file from the File library to the specified path
%sha1_file      | File path                                          | Returns the SHA1 of a file
%md5_file       | File path                                          | Returns the MD5 of a file
%list_services  |                                                    | Returns the running services
%list_commands  | File path                                          | Returns the list of commands that can be used
%delete_file    |                                                    | Deletes the specified file
%get_cwd        |                                                    | Returns the current directory
%hostname       |                                                    | Shows the device name
%ps_aux         |                                                    | Runs “ps_aux”
%kill_process   | Process PID                                        | Terminates the process whose PID is provided
%netstat        |                                                    | Runs “netstat -nao”
%start_process  | Process path and name                              | Runs the provided process


2. Linux command line commands: To run such commands, type %bash or %sh and press <Enter>. At the prompt you can then run any Linux command line command.
3. Python commands.


Notes:

  • The FortiEDR Audit Trail feature records the connection of a FortiEDR Connect session and every action performed in the session.
  • Only users whose profile has the Establish FortiEDR Connect sessions checkbox selected can launch a remote shell using the FortiEDR Connect functionality.
  • Not all compatible Linux distributions support the FortiEDR Connect feature yet; it is being rolled out gradually. Refer to the latest release notes or contact support for the full list.
  • Use absolute paths when specifying a path parameter.
  • The FortiEDR Connect shell supports copy and paste.
  • The remote shell logs in to the Linux server as the root user.
  • If a %download_file parameter contains whitespace, use '%20' in place of each space. For example:

    To download the file '/tmp/new file', run: %download_file /tmp/new%20file
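As an added example (not FortiEDR code, and not part of the original article), the helper below builds predefined-command lines from the table and notes above: it rejects commands that are not predefined, enforces the absolute-path rule for path parameters, checks that %kill_process receives a numeric PID, and applies the %20 whitespace encoding the article describes for %download_file. The parameter lookup is constructed from the table; %delete_file is assumed to take a file path, since its table cell is blank but its description refers to the specified file.

```python
import posixpath

# Parameter shapes of the predefined FortiEDR Connect commands, taken from
# the table above (constructed lookup for this example, not FortiEDR code).
NO_PARAM = {"%ip", "%ip_all", "%list_services", "%get_cwd", "%hostname",
            "%ps_aux", "%netstat"}
# %delete_file is assumed to take a path (the table cell is blank).
PATH_PARAM = {"%ls", "%download_file", "%upload_file", "%sha1_file",
              "%md5_file", "%delete_file", "%list_commands", "%start_process"}
PID_PARAM = {"%kill_process"}
KNOWN = NO_PARAM | PATH_PARAM | PID_PARAM


def build_command(command, *params):
    """Return the line to type into the FortiEDR Connect console.

    Raises ValueError when the command is not predefined, the parameter
    count is wrong, a path is not absolute, or a PID is not numeric.
    """
    if command not in KNOWN:
        raise ValueError(f"{command} is not a predefined FortiEDR Connect command")
    if command in NO_PARAM:
        if params:
            raise ValueError(f"{command} takes no parameters")
        return command
    if not params:
        raise ValueError(f"{command} requires a parameter")
    if command in PID_PARAM:
        if not params[0].isdigit():
            raise ValueError(f"PID must be numeric, got {params[0]!r}")
    else:
        # The article requires absolute paths for every path parameter.
        for p in params:
            if not posixpath.isabs(p):
                raise ValueError(f"path must be absolute, got {p!r}")
    if command == "%download_file":
        # Whitespace in a %download_file path is written as %20 (article note).
        params = tuple(p.replace(" ", "%20") for p in params)
    return " ".join((command, *params))


def is_valid_command(command, *params):
    """True if build_command() accepts the arguments, False otherwise."""
    try:
        build_command(command, *params)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(build_command("%download_file", "/tmp/new file"))
    # -> %download_file /tmp/new%20file
```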
