Created on 06-25-2024 11:02 PM
Edited on 09-02-2025 01:17 AM
By Jean-Philippe_P
Description | This article describes how to collect FortiGate file hashes to check whether the FortiGate was compromised. |
Scope | FortiOS v7.0.13, v7.2.6, v7.4.0, and above. |
Solution |
Use this command to get the hash of each file present on the FortiGate's filesystem. The command does not perform any comparison on its own; it only prints the hashes. To detect changes, capture the output from the unit in a known good state and save it in a secure place, then run the command periodically and compare the new output against the known good file.
Command:
diagnose sys filesystem hash
Command usage:
Synopsis:
Description: Compute the sha256 hash for each file in the directory specified by each PATH.
Options:
Command example:
diagnose sys filesystem hash
Check the file hashes in the default directories, including /bin, /data, /lib, /migadmin, /sbin, and /usr/local.
diagnose sys filesystem hash /bin
Only check the files in the /bin directory, including subdirectories.
diagnose sys filesystem hash migadmin -d 1
Only check the migadmin directory; do not include subdirectories.
Sample output:
diagnose sys filesystem hash migadmin -d 1
diagnose sys filesystem hash migadmin
Filesystem hash complete. Hashed 1130 files.
Important:
Collect this output from the Console or SSH terminal applications. Avoid collecting it from the GUI's CLI web console. |
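The baseline-and-compare procedure described above, as an added example that is not part of the original article or Fortinet's own tooling: a Python script run off-box against two saved captures. The per-file line layout (a 64-hex-digit SHA-256 plus a path on one line) is an assumption, since the article shows only the completion line; the file names and hash values are constructed.

```python
import re

# Assumption: each hashed file is printed on one line as a 64-hex-digit SHA-256
# value plus a path, in either order. Adjust to the layout your capture shows.
HASH_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
DONE_RE = re.compile(r"Hashed (\d+) files")

def parse_capture(text):
    """Return ({path: sha256}, count from the 'Hashed N files' line or None)."""
    hashes, reported = {}, None
    for raw in text.splitlines():          # splitlines() also handles CRLF captures
        line = raw.strip()
        done = DONE_RE.search(line)
        if done:
            reported = int(done.group(1))
            continue
        m = HASH_RE.search(line)
        if not m:
            continue                       # prompt, echoed command, blank line
        path = (line[:m.start()] + line[m.end():]).strip(" \t:=")
        if path:
            hashes[path] = m.group(0).lower()
    return hashes, reported

def compare(baseline_text, current_text):
    """Diff a known good capture against a later capture of the same PATH."""
    base, _ = parse_capture(baseline_text)
    cur, reported = parse_capture(current_text)
    return {
        "added": sorted(set(cur) - set(base)),
        "removed": sorted(set(base) - set(cur)),
        "changed": sorted(p for p in base.keys() & cur.keys() if base[p] != cur[p]),
        # False: parsed entries do not match the reported total, so the
        # capture is truncated or line-wrapped and should be collected again.
        "complete": reported is not None and reported == len(cur),
    }

# Constructed sample captures; paths and hash values are made up.
BASELINE = "\n".join([
    "a" * 64 + "  /bin/example_a",
    "b" * 64 + "  /bin/example_b",
    "Filesystem hash complete. Hashed 2 files.",
])
CURRENT = "\r\n".join([
    "FGT # diagnose sys filesystem hash /bin",
    "a" * 64 + "  /bin/example_a",
    "c" * 64 + "  /bin/example_b",
    "d" * 64 + "  /bin/example_c",
    "Filesystem hash complete. Hashed 3 files.",
])
print(compare(BASELINE, CURRENT))
```

Take a new baseline after each firmware upgrade, since file hashes legitimately change between versions. Treat a result with "complete" set to False as an unusable capture, not as evidence about the device.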