FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
rcaushi_ftnt
Staff
Article Id 363160
Description This article describes how to collect Indicators of Compromise (IoC) debugs on a FortiGate (VDOM and non-VDOM) using automatic scripts.
Scope FortiGate (VM/physical) v7.0.x v7.2.x v7.4.x v7.6.x.
Solution

The following IoC information is required for a complete evaluation:

  1. FortiGate Filesystem Integrity debug output (Mandatory).
  2. FortiGate SHA1 HASH Integrity debug output (Mandatory).
  3. Copy of the running configuration of the FortiGate.
  4. Copy of the unit 'Debug Log'.
  5. Copy of System Event Logs for the impacted unit.

Before collecting the automated debugs:

Enable SSH on the FortiGate and verify which port the SSH service is running on. Each unit must be accessed separately.

Method A: Interactive Prompt.

  1. Collecting: FortiGate Filesystem Integrity debug output.
  • The script is designed to run from Windows PowerShell. To execute it, run the following command:

PS C:\Users\user\Desktop\FGT IoC Scripts> .\FGT-SysIntegrity_Debug.ps1

  • A set of awareness banner messages will be displayed in yellow/cyan before script execution.
  • The script prompts for the FortiGate IP, SSH port, username, password (hidden) and VDOM usage, as a specific set of commands is executed for each environment.

  • Commands are executed a set time apart and the output is displayed on the terminal in yellow.
  • The debug output file is stored in the same directory as the script, as 'FGT-SysIntegrity_yyyyMMdd_FGT-IP.log'.

  2. Collecting: FortiGate SHA1 HASH Integrity debug output.
  • The script is designed to run from Windows PowerShell. To execute it, run the following command:

PS C:\Users\user\Desktop\FGT IoC Scripts> .\FGT-Hash_Debug.ps1

  • A set of awareness banner messages will be displayed in yellow/cyan before script execution.
  • The script prompts for the FortiGate IP, SSH port, username, password (hidden) and VDOM usage, as a specific set of commands is executed for each environment.
  • Commands are executed a set time apart and the output is displayed on the terminal in yellow.
  • The debug output file is stored in the same directory as the script, as 'FGT-SHA1_HASH_YYYYMMDD_FGT-IP.log'.

Method B: Predefined Parameters.

  • ip: IP of the primary unit of the cluster.
  • port: SSH port (default 22).
  • username: administrator account with super_admin privilege.
  • password: visible plaintext.
  • vdom: yes 1 or no 0.
  • ha: yes 1 or no 0.

  1. Collecting: FortiGate Filesystem Integrity debug output.
  • Before executing, it is necessary to install the Windows PowerShell module 'Posh-SSH'. See How to install Powershell module 'Posh-SSH'.
  • The script is designed to run from Windows PowerShell with predefined parameters (-ha: using HA, yes 1 or no 0; -vdom: using VDOMs, yes 1 or no 0).

Collect Primary unit (no VDOM, no HA) executed from primary:

PS C:\Users\rcaushi\Desktop\FGT IoC Scripts> .\FGT-SysIntegrity_Debugv2.0.ps1 -ip "10.191.19.172" -port 22 -username "admin" -password "fortinet" -vdom "0" -ha "0"

Collect Secondary unit (no VDOM, with HA) executed from primary:

PS C:\Users\rcaushi\Desktop\FGT IoC Scripts> .\FGT-SysIntegrity_Debugv2.0.ps1 -ip "10.191.19.172" -port 22 -username "admin" -password "fortinet" -vdom "0" -ha "1"

Collect Primary unit (VDOM, no HA) executed from primary:

PS C:\Users\rcaushi\Desktop\FGT IoC Scripts> .\FGT-SysIntegrity_Debugv2.0.ps1 -ip "10.191.19.172" -port 22 -username "admin" -password "fortinet" -vdom "1" -ha "0"

Collect Secondary unit (VDOM, with HA) executed from primary:

PS C:\Users\rcaushi\Desktop\FGT IoC Scripts> .\FGT-SysIntegrity_Debugv2.0.ps1 -ip "10.191.19.172" -port 22 -username "admin" -password "fortinet" -vdom "1" -ha "1"

  • The output will be saved as FGT-SysIntg_yyyyMMdd-IP-HA0.log for -ha '0'.
  • The output will be saved as FGT-SysIntg_yyyyMMdd-IP-HA1.log for -ha '1'.

  2. Collecting: FortiGate SHA1 HASH Integrity debug output.

Collect Primary unit (no VDOM, no HA) executed from primary:

PS C:\Users\rcaushi\Desktop\FGT IoC Scripts> .\FGT-SHA1-HASH_Debugv2.0.ps1 -ip "10.191.19.172" -port 22 -username "admin" -password "fortinet" -vdom "0" -ha "0"

Collect Secondary unit (no VDOM, with HA) executed from the primary:

PS C:\Users\rcaushi\Desktop\FGT IoC Scripts> .\FGT-SHA1-HASH_Debugv2.0.ps1 -ip "10.191.19.172" -port 22 -username "admin" -password "fortinet" -vdom "0" -ha "1"

Collect Primary unit (VDOM, no HA) executed from the primary:

PS C:\Users\rcaushi\Desktop\FGT IoC Scripts> .\FGT-SHA1-HASH_Debugv2.0.ps1 -ip "10.191.19.172" -port 22 -username "admin" -password "fortinet" -vdom "1" -ha "0"

Collect Secondary unit (VDOM, with HA) executed from the primary:

PS C:\Users\rcaushi\Desktop\FGT IoC Scripts> .\FGT-SHA1-HASH_Debugv2.0.ps1 -ip "10.191.19.172" -port 22 -username "admin" -password "fortinet" -vdom "1" -ha "1"

  • The output will be saved as FGT-SHA_HASH__yyyyMMdd-IP-HA0.log for -ha '0'.
  • The output will be saved as FGT-SHA_HASH__yyyyMMdd-IP-HA1.log for -ha '1'.

Additional Notes:

  1. For an HA environment, the Method A script must be executed independently on each unit/member.
  2. Do not modify the script or the output log.
  3. If the script method is not feasible and the commands are to be executed manually, follow this article: Technical Tip: Collect Indicators of Compromise (IoC) debugs on a FortiGate (VDOM and non-VDOM) manu... Each command must be executed one by one.
  4. The scripts are intended only for the FortiGate product (VM/physical).
  5. Method B (Predefined Parameters) will attempt to execute 'exec ha manage 0' and 'exec ha manage 1', because the ID of the unit is unknown, so the password will be visible in the terminal and in the output. It is recommended to run the command with a temporary administrator account with super_admin privilege.
  6. The 'fnsysctl' and 'execute tac report' commands are only available when logged in to the FortiGate using an administrator account with super_admin privilege.
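As an added example (not one of Fortinet's FGT-*_Debug.ps1 scripts), the following PowerShell sketch shows the same collection flow over Posh-SSH while avoiding the plaintext -password parameter that note 5 warns about, and it records a SHA256 of the resulting log so that note 2 can be verified when the file is handed over. It assumes Posh-SSH is installed; the command list is a constructed placeholder, and the file name follows the page's 'FGT-SysIntegrity_yyyyMMdd_FGT-IP.log' convention.

```powershell
# Added example, not Fortinet's script. Collects FortiGate CLI output over SSH with Posh-SSH,
# prompting for the password instead of passing it on the command line, and records a
# SHA256 of the log so later modification can be detected. Requires the Posh-SSH module.
param(
    [Parameter(Mandatory)][string]$Ip,
    [int]$Port = 22,
    [int]$DelaySeconds = 5        # spacing between commands, as the page's scripts do
)
Import-Module Posh-SSH -ErrorAction Stop

# Placeholder command list (constructed); Fortinet's scripts run their own fixed set.
$commands = @(
    'get system status',
    'execute tac report'
)

# Get-Credential keeps the password out of shell history and off the console.
$cred = Get-Credential -Message "FortiGate $Ip administrator (super_admin) account"

# Log file next to the script (or the current directory when run interactively).
$outDir  = if ($PSScriptRoot) { $PSScriptRoot } else { (Get-Location).Path }
$logName = 'FGT-SysIntegrity_{0}_{1}.log' -f (Get-Date -Format 'yyyyMMdd'), $Ip
$logPath = Join-Path $outDir $logName

$session = New-SSHSession -ComputerName $Ip -Port $Port -Credential $cred -AcceptKey
try {
    foreach ($cmd in $commands) {
        # Timestamped header before each command keeps the log self-describing.
        "### $(Get-Date -Format o) > $cmd" | Add-Content -Path $logPath
        $result = Invoke-SSHCommand -SessionId $session.SessionId -Command $cmd -TimeOut 120
        $result.Output | Add-Content -Path $logPath
        Write-Host ($result.Output -join "`n") -ForegroundColor Yellow
        Start-Sleep -Seconds $DelaySeconds
    }
}
finally {
    Remove-SSHSession -SessionId $session.SessionId | Out-Null
}

# Record the hash beside the log; re-run Get-FileHash on the log to confirm it is unchanged.
$hash = Get-FileHash -Path $logPath -Algorithm SHA256
"$($hash.Hash)  $logName" | Set-Content -Path "$logPath.sha256"
Write-Host "Saved $logPath (SHA256 $($hash.Hash))"
```

On a unit with VDOMs enabled, the commands would additionally need to be run from the appropriate VDOM context, which this sketch does not handle.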

Disclaimer:

This script may be used without an Internet connection. The script does not gather any sensitive information except the FortiGate debug output. The debug output and the script code content can be verified with any text editor.