ydong01
Staff
Article Id 322502
Description This article describes how to collect FortiGate file hashes in order to check whether the FortiGate was compromised.
Scope FortiOS 7.0.13, 7.2.6, 7.4.0 and above.
Solution

Use this command to get the FortiGate file hashes. Run it periodically and compare the hashes between runs: differences help determine whether the FortiGate was compromised.

 

Command:

 

diagnose sys filesystem hash

 

Command usage:

 

SYNOPSIS:


diagnose sys fshash [OPTION...] [PATH...]

 

DESCRIPTION:

Compute the sha256 hash for each file in the directory specified by each PATH.

 

OPTIONS:


-d [depth]


Specify maximum depth of traversal.

 

Command example:

 

  • Without any option:

diagnose sys filesystem hash

 

Hashes the files in the default directories, including /bin, /data, /lib, /migadmin, /sbin and /usr/local.

 

  • With option directory:

diagnose sys filesystem hash /bin

 

Hashes only the files in the /bin directory, including its subdirectories.

 

  • With option directory and -d:

diagnose sys filesystem hash migadmin -d 1

 

Hashes only the files in the migadmin directory, not including its subdirectories.

 

Sample output:

 

diagnose sys filesystem hash migadmin -d 1
Hash contents: migadmin
ae88d4494f5a775c006cd205e34a50a719a100014cf9ce3dd0470c89f5be7d98 migadmin/6846.js.gz
...
4b942ffb35e0432aaae4f9c73d6bac4c1403e7d6636c86c01a49dfbfad713a57 migadmin/1007.js.gz
Filesystem hash complete. Hashed 189 files.

 

 

diagnose sys filesystem hash migadmin
Hash contents: migadmin
ae88d4494f5a775c006cd205e34a50a719a100014cf9ce3dd0470c89f5be7d98 migadmin/6846.js.gz
...
d1f4f91ac74e2d2647b6f677886fec93fcee5631aec07e0adbaa6400f2aa6b8a migadmin/custommessages-data/ftp/en_ftp-explicit-banner.txt
9d0b16ef6aaa5937b3347c9458c7a364147554ad8edecb62a8fc13a6ef6a8286 migadmin/custommessages-data/template-2

Filesystem hash complete. Hashed 1130 files.

 

 

Important:  

 

Collect this output from the Console or SSH terminal applications. Avoid collecting it from the GUI's CLI web console. 
Increase the terminal's 'width' to prevent long lines from being broken into multiple lines before capturing the output.  

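The following Python script is an added example, not part of the original article or of Fortinet's tooling. It compares two saved captures of the command output, as the periodic comparison described above requires, and flags captures damaged by terminal line wrapping or truncation. It assumes both captures come from the same device on the same firmware version and that the "Hashed N files" trailer equals the number of printed entries; the sample captures, hashes and file names are constructed.

```python
import re

# One entry per line: "<sha256 hex> <path>", as in the sample output above.
ENTRY = re.compile(r"^([0-9a-f]{64})\s+(\S.*)$")
TRAILER = re.compile(r"Filesystem hash complete\. Hashed (\d+) files\.")

def parse_capture(text):
    """Parse one captured run; return ({path: sha256}, [problems])."""
    hashes, problems, reported = {}, [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("Hash contents:") \
                or "diagnose sys filesystem hash" in line:
            continue  # blank line, section header, or echoed command
        if (m := TRAILER.search(line)):
            reported = int(m.group(1))
        elif (m := ENTRY.match(line)):
            hashes[m.group(2)] = m.group(1)
        else:  # typically the tail of a line the terminal wrapped
            problems.append(f"line {n}: unparsed text {line!r}")
    if reported is None:
        problems.append("no completion trailer; capture may be truncated")
    elif reported != len(hashes):  # assumption: trailer counts printed entries
        problems.append(f"trailer says {reported} files, parsed {len(hashes)}")
    return hashes, problems

def diff_captures(old, new):
    """Files added, removed, or changed between two parsed captures."""
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }

# Constructed sample captures: hashes and file names are made up.
BASELINE = "\n".join([
    "Hash contents: migadmin",
    "a" * 64 + " migadmin/example-1.js.gz",
    "b" * 64 + " migadmin/example-2.js.gz",
    "Filesystem hash complete. Hashed 2 files."])
LATER = "\n".join([
    "Hash contents: migadmin",
    "a" * 64 + " migadmin/example-1.js.gz",
    "c" * 64 + " migadmin/example-2.js.gz",
    "d" * 64 + " migadmin/example-3.js.gz",
    "Filesystem hash complete. Hashed 3 files."])

if __name__ == "__main__":
    (old, p_old), (new, p_new) = parse_capture(BASELINE), parse_capture(LATER)
    print(p_old + p_new, diff_captures(old, new))
```

Resolve any reported problems by recapturing with a wider terminal before trusting the diff, since a wrapped line produces a truncated path that would otherwise show up as a removed and an added file.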