FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
HarmSidh
Staff
Article Id 330629
Description This article describes how to collect information in case of suspicious activity on a FortiGate and send it to the technical support team for review.
Scope FortiGate (VM and physical) v7.0.x, v7.2.x, v7.4.x, v7.6.x.
Solution

If there is a suspicion that a FortiGate may be compromised, use the following steps to collect information and open a new ticket with the technical support team. Once the output is attached to the ticket, an engineer will confirm whether any indication of compromise is found.

 

IoC information expected for a complete evaluation:

 

  1. FortiGate Filesystem Integrity debug output. 
  2. FortiGate SHA1 HASH Integrity debug output.
  3. Copy of the running configuration of the FortiGate.
  4. Copy of the unit 'Debug Log'.
  5. Copy of System Event Logs for the impacted unit.

 

Collecting: FortiGate Filesystem Integrity debug output (non-VDOM environment).

Use PuTTY, with session logging enabled, to collect the output.

 

Step 1: Open a PuTTY session to start an SSH session to the FortiGate (the CLI console embedded in the GUI is not recommended for collecting this information). Make sure the PuTTY session is set up to log all output to a text file.

 

Step 2: Run the following commands one by one, entering each command only after the previous one has finished producing output.

 

get system status
fnsysctl ls -la /
fnsysctl ls -la /bin
fnsysctl ls -la /sbin
fnsysctl ls -la /lib
fnsysctl ls -la /tmp
fnsysctl ls -la /usr
fnsysctl ls -la /usr/bin
fnsysctl ls -la /var
fnsysctl ls -la /data
fnsysctl ls -la /data2
fnsysctl ls -la /data/lib
fnsysctl ls -la /data/etc
fnsysctl ls -la /data/bin
fnsysctl ls -la /data/cmdb
fnsysctl ls -la /data/config
diagnose sys csum /data/rootfs.gz
diagnose sys csum /data/flatkc
diagnose sys csum /data/lib
diagnose sys csum /bin
diagnose sys csum /bin/sysctl
diagnose sys csum /bin/smit
diagnose sys csum /bin/init
diagnose sys csum /bin/smartctl
diagnose sys csum /bin/lspci
diagnose sys csum /sbin/init
fnsysctl ps
execute tac report

 

Collecting: FortiGate SHA1 HASH Integrity debug output (non-VDOM environment).


Step 1: Open another PuTTY session to start a second SSH session to the FortiGate. Make sure it is also set to log all output to a text file, and run the following command (this command is only available from v7.0.13, v7.2.6 and v7.4.1 onward):

 

diagnose sys filesystem hash

 

Collecting: FortiGate Filesystem Integrity debug output (VDOM environment).

 

Step 1: Open a PuTTY session to start an SSH session to the FortiGate (the CLI console embedded in the GUI is not recommended for collecting this information). Make sure the PuTTY session is set up to log all output to a text file.

 

Step 2: Run the following commands one by one, entering each command only after the previous one has finished producing output. The first command, 'config global', switches to the global context, which is required before 'fnsysctl' and 'diagnose' commands can be run on a unit in VDOM mode.

 

config global

get system status
fnsysctl ls -la /
fnsysctl ls -la /bin
fnsysctl ls -la /sbin
fnsysctl ls -la /lib
fnsysctl ls -la /tmp
fnsysctl ls -la /usr
fnsysctl ls -la /usr/bin
fnsysctl ls -la /var
fnsysctl ls -la /data
fnsysctl ls -la /data2
fnsysctl ls -la /data/lib
fnsysctl ls -la /data/etc
fnsysctl ls -la /data/bin
fnsysctl ls -la /data/cmdb
fnsysctl ls -la /data/config
diagnose sys csum /data/rootfs.gz
diagnose sys csum /data/flatkc
diagnose sys csum /data/lib
diagnose sys csum /bin
diagnose sys csum /bin/sysctl
diagnose sys csum /bin/smit
diagnose sys csum /bin/init
diagnose sys csum /bin/smartctl
diagnose sys csum /bin/lspci
diagnose sys csum /sbin/init
fnsysctl ps
execute tac report

 

Collecting: FortiGate SHA1 HASH Integrity debug output (VDOM environment).


Step 1: Open another PuTTY session to start a second SSH session to the FortiGate. Make sure it is also set to log all output to a text file, and run the following commands (the hash command is only available from v7.0.13, v7.2.6 and v7.4.1 onward):

 

config global

diagnose sys filesystem hash

 

Step 2: Describe why the FortiGate is suspected to be compromised and attach any supporting logs or files that back up that statement.

As an example, if unrecognized user or admin login events are visible, attach the user event logs or admin login logs (from the system event logs or local event logs) to the ticket. It is also recommended to attach the configuration file. Fortinet engineers can request further information if needed.


Additional Notes:

  • Ensure that the SSH sessions remain connected throughout the data collection process to avoid incomplete log files.
  • Confirm that the TAC report generation has completed fully, as an incomplete report may not capture all necessary data.
  • If the FortiGate is part of a high-availability (HA) cluster, perform the data collection on both the primary and the secondary unit; members running the same firmware are expected to show the same file hashes, so their outputs can be compared.
  • The 'fnsysctl' and 'execute tac report' commands are only available when logged in to the FortiGate with an administrator account that has the super_admin profile.
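The session logs collected above are meant for TAC, but when two captures are available (the primary and secondary of an HA cluster, or a suspect unit and a known-good unit on the same firmware build) a practitioner can pre-screen them before opening the ticket. The script below is an added example and is not Fortinet tooling. It assumes the inputs are the PuTTY logs described in this article (commands echoed after a prompt such as 'FGT # ' or 'FGT (global) # '), that 'fnsysctl ls -la' prints busybox-style entries (permissions, links, uid, gid, size, month, day, time or year, name), and that 'diagnose sys filesystem hash' prints one 40-hex SHA1 per file line with the absolute path on the same line. The two captures embedded in it are constructed for illustration only.

```python
"""Compare two FortiGate evidence captures (added example, not Fortinet tooling).
Assumed input: PuTTY session logs of the commands listed in the article.
Assumed output formats: busybox-style 'ls -la' lines and one 40-hex SHA1 per
file line from 'diagnose sys filesystem hash'.  Sample captures are constructed.
"""
import re
import sys

PROMPT = re.compile(r"^\S+ (?:\(global\) )?#(?: |$)")          # 'FGT # ' or 'FGT (global) # '
LS_CMD = re.compile(r"fnsysctl ls -la (\S+)\s*$")
SHA1 = re.compile(r"\b([0-9a-fA-F]{40})\b")
LS_ENTRY = re.compile(
    r"^([\-dlcbps][rwxsStT\-]{9})\s+\d+\s+\S+\s+\S+\s+(\d+)"   # perms links uid gid size
    r"\s+\S+\s+\d+\s+\S+\s+(.+)$"                               # month day time/year name
)


def parse_capture(text):
    """Return ({directory: {name: (perms, size)}}, {path: sha1}) from one session log."""
    listings, hashes = {}, {}
    current = None                      # directory whose 'ls -la' output we are inside
    for raw in text.splitlines():
        line = raw.rstrip()
        if PROMPT.match(line):          # a new command was typed; start or end a listing
            m = LS_CMD.search(line)
            current = m.group(1) if m else None
            if current is not None:
                listings.setdefault(current, {})
            continue
        if current is not None:
            e = LS_ENTRY.match(line)
            if e:
                perms, size, name = e.groups()
                if name not in (".", ".."):
                    listings[current][name] = (perms, int(size))
            continue
        h = SHA1.search(line)           # outside a listing: look for filesystem hash lines
        if h:
            path = line.replace(h.group(1), "").strip(" :\t")
            if path.startswith("/"):
                hashes[path] = h.group(1).lower()
    return listings, hashes


def compare(listings_a, hashes_a, listings_b, hashes_b):
    """Files seen on only one side, entries whose perms/size differ, and hash mismatches."""
    findings = []
    for d in sorted(set(listings_a) | set(listings_b)):
        a, b = listings_a.get(d, {}), listings_b.get(d, {})
        for name in sorted(set(a) | set(b)):
            full = f"{d.rstrip('/')}/{name}"
            if name not in b:
                findings.append(("only_in_a", full))
            elif name not in a:
                findings.append(("only_in_b", full))
            elif a[name] != b[name]:
                findings.append(("ls_diff", full))
    for path in sorted(set(hashes_a) | set(hashes_b)):
        if hashes_a.get(path) != hashes_b.get(path):
            findings.append(("hash_diff", path))
    return findings


def diff_captures(text_a, text_b):
    """Parse both session logs and return the list of (kind, path) differences."""
    return compare(*parse_capture(text_a), *parse_capture(text_b))


# Constructed sample captures (not real FortiGate output); hashes are placeholders.
CAPTURE_PRIMARY = """\
FGT-A # fnsysctl ls -la /bin
drwxr-xr-x    2 0        0             4096 Jan  1  2024 .
-rwxr-xr-x    1 0        0          1520432 Jan  1  2024 init
-rwxr-xr-x    1 0        0            88220 Jan  1  2024 smit
-rwxr-xr-x    1 0        0            31864 Jan  1  2024 sysctl
FGT-A # fnsysctl ls -la /data/lib
-rw-r--r--    1 0        0            41000 Jan  1  2024 libfoo.so
FGT-A # diagnose sys filesystem hash
/bin/init: 1111111111111111111111111111111111111111
/bin/smit: 2222222222222222222222222222222222222222
/bin/sysctl: 3333333333333333333333333333333333333333
FGT-A #
"""
CAPTURE_SECONDARY = """\
FGT-B # fnsysctl ls -la /bin
drwxr-xr-x    2 0        0             4096 Jan  1  2024 .
-rwxr-xr-x    1 0        0          1520432 Jan  1  2024 init
-rwxr-xr-x    1 0        0            90112 Feb 12 03:17 smit
-rwxr-xr-x    1 0        0            31864 Jan  1  2024 sysctl
FGT-B # fnsysctl ls -la /data/lib
-rw-r--r--    1 0        0            41000 Jan  1  2024 libfoo.so
-rw-r--r--    1 0        0            12288 Feb 12 03:17 libbar.so
FGT-B # diagnose sys filesystem hash
/bin/init: 1111111111111111111111111111111111111111
/bin/smit: abababababababababababababababababababab
/bin/sysctl: 3333333333333333333333333333333333333333
FGT-B #
"""


def main(argv):
    """Usage: compare_captures.py primary.log secondary.log (samples are used if omitted)."""
    if len(argv) == 3:
        with open(argv[1]) as fa, open(argv[2]) as fb:
            findings = diff_captures(fa.read(), fb.read())
    else:
        findings = diff_captures(CAPTURE_PRIMARY, CAPTURE_SECONDARY)
    for kind, path in findings:
        print(f"{kind:10s} {path}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the constructed samples the script reports '/bin/smit' as differing in both the listing and the hash and 'libbar.so' as present only on the second unit. A difference only shows what to look at first; whether it is a sign of compromise is still for the TAC engineer to decide from the full capture, so attach both logs to the ticket unchanged rather than only the script's summary.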