Created on 08-05-2024 09:55 PM Edited on 01-02-2025 01:11 AM By Jean-Philippe_P
Description | This article describes how to collect information, in case of suspicious activity on FortiGate and send it to the technical support team for review. |
Scope | FortiGate (VM/physical) v7.0.x, v7.2.x, v7.4.x, v7.6.x. |
Solution |
If there is a suspicion that a FortiGate may be compromised, use the following steps to collect information and open a new ticket with the technical support team. Once the output is attached to the ticket, an engineer will confirm whether any indication of compromise is found.
IoC information expected for a complete evaluation:
Collecting: FortiGate Filesystem Integrity debug output (non-VDOM environment).
Step 1: Open a PuTTY session to start an SSH session to the FortiGate (the embedded CLI in the GUI is not recommended for collecting this information). Configure the PuTTY session to log all output to a text file before running any commands.
Step 2: Run the following commands one by one, waiting for the output of each command before entering the next.
get system status
Collecting: FortiGate SHA1 HASH Integrity debug output (non-VDOM environment).
diagnose sys filesystem hash
Collecting: FortiGate Filesystem Integrity debug output (VDOM environment).
Step 1: Open a PuTTY session to start an SSH session to the FortiGate (the embedded CLI in the GUI is not recommended for collecting this information). Configure the PuTTY session to log all output to a text file before running any commands.
Step 2: Run the following commands one by one, waiting for the output of each command before entering the next.
config global
get system status
Collecting: FortiGate SHA1 HASH Integrity debug output (VDOM environment).
config global
diagnose sys filesystem hash
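The same collection can be done non-interactively, which avoids forgetting to enable PuTTY logging and keeps the output in a timestamped file ready to attach to the ticket. The script below is an added example, not part of the article: it assumes a POSIX shell with an ssh client, that the FortiGate admin account can log in over SSH (key or password prompt), and that the mode argument is chosen according to whether VDOMs are enabled.

```shell
#!/bin/sh
# Added example: collect the integrity output described in the article over SSH.
# Assumptions: "admin@fortigate-host" is a placeholder; ssh auth is already set up.

# Print the CLI commands the article asks for, one per line.
# $1 is "vdom" (VDOMs enabled, commands run inside "config global") or "novdom".
fgt_commands() {
  if [ "$1" = "vdom" ]; then
    printf '%s\n' "config global" \
                  "get system status" \
                  "diagnose sys filesystem hash" \
                  "end" \
                  "exit"
  else
    printf '%s\n' "get system status" \
                  "diagnose sys filesystem hash" \
                  "exit"
  fi
}

# Run the commands on the FortiGate and save the whole session to a file.
# $1 = mode (vdom|novdom), $2 = ssh target (user@host), $3 = output file.
# Both stdout and stderr are kept so the support engineer sees any errors too.
collect_fgt_integrity() {
  mode=$1; target=$2; out=$3
  {
    echo "# FortiGate integrity collection from $target (mode=$mode)"
    echo "# collected at $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    # Feed the commands on stdin; the FortiGate CLI executes them in order.
    fgt_commands "$mode" | ssh "$target"
  } > "$out" 2>&1
  echo "output written to $out"
}

# Usage (placeholder host): collect_fgt_integrity vdom admin@fortigate-host fgt_ioc_$(date +%Y%m%d).txt
```

Attach the resulting text file to the support ticket together with the supporting logs requested in the next step.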
Step 2: Describe why the FortiGate is believed to be compromised and attach any logs or files that support this statement. For example, if unrecognized user or admin login events are visible, attach the user event logs or admin login logs (from the system event logs or local event logs) to the ticket. Attaching the configuration file is also recommended. Fortinet engineers may request further information if needed.