FortiGate
HarmSidh, Staff
Article Id 330629
Description: This article describes how to collect information in case of suspicious activity on a FortiGate and how to send it to the technical support team for review.
Scope: FortiGate.
Solution

If there is a suspicion that a FortiGate may be compromised, use the following steps to collect information and open a new ticket with the technical support team. Once the output is attached to the ticket, an engineer will confirm whether any indication of compromise is found.

Step 1: Open a PuTTY session to start an SSH session to the FortiGate (the CLI console embedded in the GUI is not recommended for collecting this information). Make sure the PuTTY session is set to log all output to a text file, then run the following commands:

get system status
fnsysctl ls -la /
fnsysctl ls -la /bin
fnsysctl ls -la /sbin
fnsysctl ls -la /lib
fnsysctl ls -la /tmp
fnsysctl ls -la /usr
fnsysctl ls -la /usr/bin
fnsysctl ls -la /var
fnsysctl ls -la /data
fnsysctl ls -la /data2
fnsysctl ls -la /data/lib
fnsysctl ls -la /data/etc
fnsysctl ls -la /data/bin
fnsysctl ls -la /data/cmdb
fnsysctl ls -la /data/config
diagnose sys csum /data/rootfs.gz
diagnose sys csum /data/flatkc
diagnose sys csum /data/lib
diagnose sys csum /bin
diagnose sys csum /bin/sysctl
diagnose sys csum /bin/smit
diagnose sys csum /bin/init
diagnose sys csum /bin/smartctl
diagnose sys csum /bin/lspci
diagnose sys csum /sbin/init
fnsysctl ps
execute tac report


Step 2: Open another PuTTY session to start a second SSH session to the FortiGate. Make sure it is also set to log all output to a text file, then run the following command (this command is only available on versions 7.0.13, 7.2.6 and 7.4.1):


diagnose sys filesystem hash


Step 3: Describe why the FortiGate is suspected to be compromised and attach any logs or files that support the statement.

For example, if unrecognized user or admin login events are visible, attach the user event logs or admin login logs (from the system event logs or local event logs) to the ticket. It is also recommended to attach the configuration file. Fortinet engineers may request further information if needed.

Note:

  • Ensure that the SSH sessions remain connected throughout the data collection process to avoid incomplete log files.
  • Confirm that the TAC report generation completes fully, as an incomplete report may not capture all necessary data.
  • If the FortiGate device has a high-availability (HA) setup, consider performing data collection on both primary and secondary devices.
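The following script is an added example, not Fortinet tooling or part of the original article. It automates Steps 1 and 2 above: each command set is fed to the FortiGate over its own SSH session, every byte of output is written to a timestamped log file, and a SHA-256 sidecar is recorded for each log so that a complete, unmodified copy can be confirmed before it is attached to the ticket. It assumes the device reads CLI commands from standard input over a non-interactive ssh connection (the runner, `ssh admin@<fortigate>`, is passed in by the caller); the `OUTDIR` variable, the function names and the address in the usage comment are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example (not Fortinet tooling): run the article's Step 1 and Step 2
# command sets over SSH, each in its own session, log all output to a
# timestamped file, and record a SHA-256 of each log so the evidence can be
# checked for completeness and integrity before it is attached to the ticket.
set -eu

# Step 1 commands, exactly as listed in the article and in the same order.
step1_commands() {
    cat <<'EOF'
get system status
fnsysctl ls -la /
fnsysctl ls -la /bin
fnsysctl ls -la /sbin
fnsysctl ls -la /lib
fnsysctl ls -la /tmp
fnsysctl ls -la /usr
fnsysctl ls -la /usr/bin
fnsysctl ls -la /var
fnsysctl ls -la /data
fnsysctl ls -la /data2
fnsysctl ls -la /data/lib
fnsysctl ls -la /data/etc
fnsysctl ls -la /data/bin
fnsysctl ls -la /data/cmdb
fnsysctl ls -la /data/config
diagnose sys csum /data/rootfs.gz
diagnose sys csum /data/flatkc
diagnose sys csum /data/lib
diagnose sys csum /bin
diagnose sys csum /bin/sysctl
diagnose sys csum /bin/smit
diagnose sys csum /bin/init
diagnose sys csum /bin/smartctl
diagnose sys csum /bin/lspci
diagnose sys csum /sbin/init
fnsysctl ps
execute tac report
EOF
}

# Step 2 runs in a separate session. The article notes this command is only
# available on 7.0.13, 7.2.6 and 7.4.1, so on other builds expect an error in the log.
step2_commands() {
    printf '%s\n' 'diagnose sys filesystem hash'
}

# Portable SHA-256 in "hash  filename" form (coreutils or Perl shasum).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# run_session STEP RUNNER...
#   Feeds the STEP's commands (step1|step2) to RUNNER, normally
#   "ssh admin@<fortigate>" (assumption: the device reads CLI input from stdin),
#   writes the full output to $OUTDIR/fortigate-STEP-<utc-stamp>.log (OUTDIR is
#   this example's variable, default "."), writes a .sha256 sidecar, and prints
#   only the log path on stdout. Watch progress with: tail -f <log>
run_session() {
    step=$1; shift
    case $step in step1|step2) ;; *) echo "unknown step: $step" >&2; return 1;; esac
    mkdir -p "${OUTDIR:-.}"
    log="${OUTDIR:-.}/fortigate-${step}-$(date -u +%Y%m%dT%H%M%SZ).log"
    # Redirecting (rather than tee) lets set -e catch a failed SSH session.
    "${step}_commands" | "$@" > "$log"
    hash_file "$log" > "$log.sha256"
    printf '%s\n' "$log"
}

# verify_log LOG: recompute the hash and compare it with the sidecar (0 = match).
verify_log() {
    want=$(cut -d' ' -f1 < "$1.sha256")
    have=$(hash_file "$1" | cut -d' ' -f1)
    [ "$want" = "$have" ]
}

# Usage: OUTDIR=./evidence ./collect.sh admin@192.0.2.1   (placeholder address)
main() {
    l1=$(run_session step1 ssh "$1")
    l2=$(run_session step2 ssh "$1")
    verify_log "$l1" && verify_log "$l2" &&
        printf 'attach to the ticket: %s %s (plus their .sha256 files)\n' "$l1" "$l2"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Keeping Step 2 in its own ssh invocation mirrors the article's second PuTTY session, and the per-log hash lets the engineer reviewing the ticket confirm the attachment is the same file the script wrote, which matters when a log is truncated by a dropped connection.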