Created on 12-09-2024 02:54 AM
Edited on 02-09-2025 09:41 PM
By Anthony_E
Description: This article describes how to collect indicators of compromise (IoC) debugs on a FortiGate (VDOM and non-VDOM) using automatic scripts. The script aggregates a list of debugs, file trees, and hashes to identify the presence of unknown artifacts in the filesystem.
Scope: FortiGate (VM/physical) v7.0.x, v7.2.x, v7.4.x, v7.6.x.
Solution:
If there is a suspicion that a FortiGate may be compromised, use the following steps to collect information and open a new ticket with the technical support team. Once the output is attached to the ticket, an engineer will confirm whether any indication of compromise is found.
The following information is expected for a complete evaluation.
Before collecting the automated debugs: enable SSH on the FortiGate and verify the SSH port it is listening on. In an HA cluster, each unit must be accessed separately.
Method A: Interactive prompt.
PS C:\Users\user\Desktop\FGT IoC Scripts> .\FGT-SysIntegrity_Debug.ps1
PS C:\Users\user\Desktop\FGT IoC Scripts> .\FGT-Hash_Debug.ps1
Method B: Predefined parameters.
1. Collecting: FortiGate System Integrity debug output.
Collect primary unit (no VDOM, no HA) executed from primary:
PS C:\Users\rcaushi\Desktop\FGT IoC Scripts> .\FGT-SysIntegrity_Debugv2.0.ps1 -ip "10.191.19.172" -port 22 -username "admin" -password "fortinet" -vdom "0" -ha "0"
Collect secondary unit (no VDOM with HA) executed from primary:
PS C:\Users\rcaushi\Desktop\FGT IoC Scripts> .\FGT-SysIntegrity_Debugv2.0.ps1 -ip "10.191.19.172" -port 22 -username "admin" -password "fortinet" -vdom "0" -ha "1"
Collect primary unit (VDOM no HA) executed from primary:
PS C:\Users\rcaushi\Desktop\FGT IoC Scripts> .\FGT-SysIntegrity_Debugv2.0.ps1 -ip "10.191.19.172" -port 22 -username "admin" -password "fortinet" -vdom "1" -ha "0"
Collect secondary unit (VDOM with HA) executed from primary:
PS C:\Users\rcaushi\Desktop\FGT IoC Scripts> .\FGT-SysIntegrity_Debugv2.0.ps1 -ip "10.191.19.172" -port 22 -username "admin" -password "fortinet" -vdom "1" -ha "1"
2. Collecting: FortiGate SHA1 HASH Integrity debug output.
Collect primary unit (no VDOM, no HA) executed from the primary:
PS C:\Users\rcaushi\Desktop\FGT IoC Scripts> .\FGT-SHA1-HASH_Debugv2.0.ps1 -ip "10.191.19.172" -port 22 -username "admin" -password "fortinet" -vdom "0" -ha "0"
Collect secondary unit (no VDOM with HA) executed from the primary:
PS C:\Users\rcaushi\Desktop\FGT IoC Scripts> .\FGT-SHA1-HASH_Debugv2.0.ps1 -ip "10.191.19.172" -port 22 -username "admin" -password "fortinet" -vdom "0" -ha "1"
Collect primary unit (VDOM, no HA) executed from the primary:
PS C:\Users\rcaushi\Desktop\FGT IoC Scripts> .\FGT-SHA1-HASH_Debugv2.0.ps1 -ip "10.191.19.172" -port 22 -username "admin" -password "fortinet" -vdom "1" -ha "0"
Collect secondary unit (VDOM, with HA) executed from the primary:
PS C:\Users\rcaushi\Desktop\FGT IoC Scripts> .\FGT-SHA1-HASH_Debugv2.0.ps1 -ip "10.191.19.172" -port 22 -username "admin" -password "fortinet" -vdom "1" -ha "1"
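The invocations above have to be repeated once per script and, in an HA cluster, once per member (-ha "0" for the primary, -ha "1" for the secondary, both executed from the primary). The wrapper below is an added example, not one of Fortinet's scripts: it performs the pre-check the article asks for (confirming the SSH port answers), prompts for the admin credential instead of leaving the password in the shell history, and then calls the two v2.0 scripts with the exact parameter names shown on this page. It assumes both scripts are in the current directory and that they accept -ip, -port, -username, -password, -vdom and -ha as shown; the parameter names of this wrapper (-Ip, -Port, -Vdom, -Ha, -ScriptDir) are its own.

```powershell
# Added example (not a Fortinet script): run both FortiGate IoC collection scripts
# for every HA member after verifying that the SSH port is reachable.
param(
    [Parameter(Mandatory)][string]$Ip,          # FortiGate management IP
    [int]$Port = 22,                            # SSH port in use on the unit
    [ValidateSet('0', '1')][string]$Vdom = '0', # '1' when VDOMs are enabled
    [switch]$Ha,                                # set when the unit is part of an HA cluster
    [string]$ScriptDir = (Get-Location).Path    # folder holding the two collection scripts
)

# Prompt for the credential rather than typing the admin password on the command line,
# where it would be stored in PSReadLine history and visible in the process list.
$cred          = Get-Credential -Message "FortiGate admin credentials for $Ip"
$plainPassword = $cred.GetNetworkCredential().Password

# "Verify the running port": fail fast if SSH is not enabled or listens elsewhere.
$probe = Test-NetConnection -ComputerName $Ip -Port $Port -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    throw "TCP port $Port on $Ip is not reachable. Enable SSH on the interface and confirm the port before collecting."
}

# Script names as given in the article (assumed to be in $ScriptDir).
$scripts = @('FGT-SysIntegrity_Debugv2.0.ps1', 'FGT-SHA1-HASH_Debugv2.0.ps1')

# HA: collect the primary (-ha 0) and then the secondary (-ha 1), both from the primary.
$haValues = if ($Ha) { @('0', '1') } else { @('0') }

$start = Get-Date
foreach ($haValue in $haValues) {
    foreach ($script in $scripts) {
        $path = Join-Path $ScriptDir $script
        if (-not (Test-Path $path)) { throw "Script not found: $path" }
        Write-Host "Running $script (vdom=$Vdom, ha=$haValue) against ${Ip}:$Port"
        & $path -ip $Ip -port $Port -username $cred.UserName -password $plainPassword -vdom $Vdom -ha $haValue
    }
}

# Record SHA256 digests of the files produced during this run so the attachments
# uploaded to the support ticket can later be shown to be the unmodified originals.
# Assumption: the collection scripts write their output into the current directory.
Get-ChildItem -Path (Get-Location).Path -File |
    Where-Object { $_.LastWriteTime -ge $start } |
    Get-FileHash -Algorithm SHA256 |
    Format-Table Hash, Path -AutoSize
```

Run it once per standalone unit or per HA pair, for example `.\Collect-FgtIoc.ps1 -Ip 10.191.19.172 -Port 22 -Vdom 1 -Ha` for a VDOM-enabled cluster. Test-NetConnection is a Windows PowerShell cmdlet, which matches the Windows prompt shown in the article.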
Copyright 2025 Fortinet, Inc. All Rights Reserved.