Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ydong01
Staff
Staff

Created on ‎06-25-2024 11:02 PM Edited on ‎09-02-2025 01:17 AM By Moderator

Article Id 322502

Technical Tip: Best practice: Periodically do FortiGate files hashcheck

Description This article describes how to collect FortiGate file hash to check whether FortiGate was compromised.
Scope FortiOS v7.0.13, v7.2.6, v7.4.0, and above.
Solution

Use this command to get the hash of each file present on the FortiGate's filesystem. It is important to note that this command does not do any comparison on its own; it will simply provide the hashes. It is possible to take a known good hash from the unit and save it in a secure place, then run this command periodically to compare against the known good file. 
See more details here: Command to compute file hashes.

Command:

 

diagnose sys filesystem hash

 

Command usage:

 

Synopsis:


diagnose sys fshash [OPTION...] [PATH...]

 

Description:

Compute the sha256 hash for each file in the directory specified by each PATH.

 

Options:


-d [depth]


Specify the maximum depth of traversal.

 

Command example:

 

  • Without any option:

diagnose sys filesystem hash

 

Check default directories' files hash, including /bin /data /lib /migadmin /sbin /usr/local.

 

  • With the option directory:

diagnose sys filesystem hash /bin

 

Only check the /bin directory file. Include a subdirectory.

 

  • With the option directory and -d:

diagnose sys filesystem hash migadmin -d 1

 

Only check the migadmin directory; do not include subdirectories.

 

Sample output:

 

diagnose sys filesystem hash migadmin -d 1
Hash contents: migadmin
ae88d4494f5a775c006cd205e34a50a719a100014cf9ce3dd0470c89f5be7d98 migadmin/6846.js.gz
...
4b942ffb35e0432aaae4f9c73d6bac4c1403e7d6636c86c01a49dfbfad713a57 migadmin/1007.js.gz
Filesystem hash complete. Hashed 189 files.

 

diagnose sys filesystem hash migadmin
Hash contents: migadmin
ae88d4494f5a775c006cd205e34a50a719a100014cf9ce3dd0470c89f5be7d98 migadmin/6846.js.gz
...
d1f4f91ac74e2d2647b6f677886fec93fcee5631aec07e0adbaa6400f2aa6b8a migadmin/custommessages-data/ftp/en_ftp-explicit-banner.txt
9d0b16ef6aaa5937b3347c9458c7a364147554ad8edecb62a8fc13a6ef6a8286 migadmin/custommessages-data/template-2

Filesystem hash complete. Hashed 1130 files.

 

Important:  

 

Collect this output from the Console or SSH terminal applications. Avoid collecting it from the GUI's CLI web console. 
Increase the terminal's 'width' to prevent long lines from being broken into multiple lines before capturing the output.  

putty_width.png
2781
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.