Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
HarmSidh
Staff
Staff

Created on ‎08-05-2024 09:55 PM Edited on ‎02-23-2025 11:36 AM By Moderator

Article Id 330629

Technical Tip: Collect Indicators of Compromise (IoC) debugs on a FortiGate (VDOM and non-VDOM) manually

Description

This article describes how to collect indicators of compromise (IoC) debugs on a FortiGate (VDOM and non-VDOM) using automatic scripts. The debug aggregates a list of outputs: file trees and hashes to identify the presence of unknown artifacts in the filesystem.
Scope FortiGate (VM/physical) v7.0.x, v7.2.x, v7.4.x, v7.6.x.
Solution

If there is a suspicion that FortiGate may be compromised, use the following steps to collect information and open a new ticket with the technical support team. Once the output is attached to the ticket, an engineer will confirm if any indication of compromise is found or not.

 

The following information is expected for a complete evaluation.

 

  1. FortiGate Filesystem Integrity debug output (mandatory). 
  2. FortiGate SHA1 HASH Integrity debug output (mandatory). 
  3. Copy of the running configuration of the FortiGate.
  4. Copy of the unit 'Debug Log'.
  5. Copy of System Event Logs for the impacted unit.

 

Collecting: FortiGate Filesystem Integrity debug output (non-VDOM environment).

Use Putty to collect the output.

Step 1: Open a Putty session to start an SSH session to the FortiGate (Embedded CLI in the GUI session is not recommended to collect this information). Make sure to set up the putty session to log all output to a text file and run the following commands:

Step 2: Run the following command (each command after the output of the previous, one by one).

 

get system status
fnsysctl ls -la /
fnsysctl ls -la /bin
fnsysctl ls -la /sbin
fnsysctl ls -la /lib
fnsysctl ls -la /tmp
fnsysctl ls -la /usr
fnsysctl ls -la /usr/bin
fnsysctl ls -la /var
fnsysctl ls -la /data
fnsysctl ls -la /data2
fnsysctl ls -la /data/lib
fnsysctl ls -la /data/etc
fnsysctl ls -la /data/bin
fnsysctl ls -la /data/cmdb
fnsysctl ls -la /data/config
diagnose sys csum /data/rootfs.gz
diagnose sys csum /data/flatkc
diagnose sys csum /data/lib
diagnose sys csum /bin
diagnose sys csum /bin/sysctl
diagnose sys csum /bin/smit
diagnose sys csum /bin/init
diagnose sys csum /bin/smartctl
diagnose sys csum /bin/lspci
diagnose sys csum /sbin/init
fnsysctl ps
execute tac report 

 

Collecting: FortiGate SHA1 HASH Integrity debug output (non-VDOM environment).

Step 1: Open another Putty session to start a second SSH session on the FortiGate. Make sure it is set to log all output to a text file as well and run the following command (this command is only available from v7.0.13, v7.2.6, v7.4.1 onward)

 

diagnose sys filesystem hash

 

Collecting: FortiGate Filesystem Integrity debug output for (VDOM environment).

 

Step 1: Open a Putty session to start an SSH session to the FortiGate (Embedded CLI in the GUI session is not recommended to collect this information). Make sure to set up the putty session to log all output to a text file and run the following commands:

 

Step 2: Run the following command (each command after the output of the previous, one by one).

 

config global

get system status
fnsysctl ls -la /
fnsysctl ls -la /bin
fnsysctl ls -la /sbin
fnsysctl ls -la /lib
fnsysctl ls -la /tmp
fnsysctl ls -la /usr
fnsysctl ls -la /usr/bin
fnsysctl ls -la /var
fnsysctl ls -la /data
fnsysctl ls -la /data2
fnsysctl ls -la /data/lib
fnsysctl ls -la /data/etc
fnsysctl ls -la /data/bin
fnsysctl ls -la /data/cmdb
fnsysctl ls -la /data/config
diagnose sys csum /data/rootfs.gz
diagnose sys csum /data/flatkc
diagnose sys csum /data/lib
diagnose sys csum /bin
diagnose sys csum /bin/sysctl
diagnose sys csum /bin/smit
diagnose sys csum /bin/init
diagnose sys csum /bin/smartctl
diagnose sys csum /bin/lspci
diagnose sys csum /sbin/init
fnsysctl ps
execute tac report 

 

Collecting: FortiGate SHA1 HASH Integrity debug output (VDOM environment).

Step 1: Open another Putty session to start a second SSH session on the FortiGate. Make sure it is set to log all output to a text file as well and run the following command (this command is only available from v7.0.13, v7.2.6, v7.4.1 onward): 

 

config global

diagnose sys filesystem hash

 

Step 2: Describe why the FortiGate is compromised and attach any supporting logs/files to support the statement.

As an example, if unrecognized users/admin login events are visible, attach user event logs or admin login logs from system event logs or local event logs to the ticket. It is also recommended to attach a config file. Fortinet engineers can request further information if needed.


Additional Notes:

  1. Ensure that the SSH sessions remain connected throughout the data collection process to avoid incomplete log files.
  2. Confirm that the TAC report generation is completed fully, as an incomplete report may not capture all necessary data.
  3. If the FortiGate device has a high-availability (HA) setup, consider performing data collection on both primary and secondary devices.
  4. The 'fnsysctl' and 'execute tac report' commands are only available when logged in to the FortiGate using an administrator account with super_admin privilege. 
  5. For more accurate capture, it is possible to perform the process through PowerShell and with an automated script. See Technical Tip: Indicator of Compromise debug collector with automatic scripts.
  6. Do not modify the output of the log.

 

Related article:
Labels:
2190
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.