Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
rcaushi_ftnt
Staff
Staff

Created on ‎12-09-2024 02:54 AM Edited on ‎02-09-2025 09:41 PM By Community Manager

Article Id 363160

Technical Tip: Indicator of Compromise debug collector with automatic scripts

Description This article describes how to collect indicators of compromise (IoC) debugs on a FortiGate (VDOM and non-VDOM) using automatic scripts. The script aggregates a list of debugs, file trees, and hashes to identify the presence of unknown artifacts in the filesystem.
Scope FortiGate (VM/physical) v7.0.x v7.2.x v7.4.x v7.6.x.
Solution

If there is a suspicion that FortiGate may be compromised, use the following steps to collect information and open a new ticket with the technical support team. Once the output is attached to the ticket, an engineer will confirm if any indication of compromise is found or not.

 

The following information is expected for a complete evaluation.

  1. FortiGate Filesystem Integrity debug output (mandatory). > generated by the script
  2. FortiGate SHA1 HASH Integrity debug output (mandatory). > generated by the script
  3. Copy of the running configuration of the FortiGate.
  4. Copy of the unit 'Debug Log'.
  5. Copy of System Event Logs for the impacted unit.

 

Before collecting the automated debugs:

Enable SSH on the FortiGate, and each unit shall be accessed separately and verify the running port. 

 

image.png

 

image.png

 

Method A: interactive prompt.

 

  1. Collecting: FortiGate Filesystem Integrity debug output.
  • The script is designed to run from Windows PowerShell, to execute, run the following command: 

PS C:\Users\user\Desktop\FGT IoC Scripts> .\FGT-SysIntegrity_Debug.ps1

 

image.png

 

  • A set of awareness banner messages will be displayed in yellow/cyan before script execution.
  • Script prompts for FortiGate IP/ SSH Port/ Username/ Password (hidden) and  VDOM usage as a specific set of commands are executed for each environment.

 

image.png

 

  • Commands are executed at specific times apart, and output is displayed on the terminal in yellow.
  • The debug output file is stored at the same location of the script as 'FGT-SysIntegrity_yyyyMMdd_FGT-IP.log'.

 

image.png

 

  1. Collecting: FortiGate SHA1 HASH Integrity debug output.
  • The script is designed to run from Windows PowerShell, to execute, run the following command:

PS C:\Users\user\Desktop\FGT IoC Scripts> .\FGT-Hash_Debug.ps1

 

image.png

 

  • A set of awareness banner messages will be displayed in yellow/cyan before script execution.
  • Script prompts for FortiGate IP/SSH Port/Username/Password (hidden) and VDOM usage as a specific set of commands are executed for each environment.
 

image.png

 

  • Commands are executed at specific times apart, and output is displayed on the terminal in yellow. 
  • The debug output file is stored at the same location of the script as 'FGT-SHA1_HASH_YYYYMMDD_FGT-IP.log'.

 

image.png

 

Method B: Predefined parameters.

  • ip: IP of the primary unit of the cluster.
  • port: SSH port default 22.
  • username (administrator account with super_admin privilege).
  • password (visible plaintext).
  • vdom (yes 1 or no 0).
  • ha (yes 1 or no 0).

 

  1. Collecting: FortiGate Filesystem Integrity debug output.
  • Before executing, it is necessary to install the Windows PowerShell module 'Posh-SSH'. See How to Install Powershell Module 'Posh-SSH'.
  • The script is designed to run from Windows PowerShell with predefined parameters (-ha using HA yes 1 or no 0; -vdom using HA yes 1 or no 0).

Collect primary unit (no VDOM, no HA) executed from primary:

PS C:\Users\rcaushi\Desktop\FGT IoC Scripts> .\FGT-SysIntegrity_Debugv2.0.ps1 -ip "10.191.19.172" -port 22 -username "admin" -password "fortinet" -vdom "0" -ha "0"

 

image.png

 

Collect secondary unit (no VDOM with HA) executed from primary:

 

PS C:\Users\rcaushi\Desktop\FGT IoC Scripts> .\FGT-SysIntegrity_Debugv2.0.ps1 -ip "10.191.19.172" -port 22 -username "admin" -password "fortinet" -vdom "0" -ha "1"

 

image.png

 

Collect primary unit (VDOM no HA) executed from primary:

 

PS C:\Users\rcaushi\Desktop\FGT IoC Scripts> .\FGT-SysIntegrity_Debugv2.0.ps1 -ip "10.191.19.172" -port 22 -username "admin" -password "fortinet" -vdom "1" -ha "0"

 

image.png

 

Collect secondary unit (VDOM with HA) executed from primary:

 

PS C:\Users\rcaushi\Desktop\FGT IoC Scripts> .\FGT-SysIntegrity_Debugv2.0.ps1 -ip "10.191.19.172" -port 22 -username "admin" -password "fortinet" -vdom "1" -ha "1"

 

image.png

 

  • The output will be saved FGT-SysIntg_yyyyMMdd-IP-HA0.log for -ha '0'.
  • The output will be saved FGT-SysIntg_yyyyMMdd-IP-HA1.log for -ha '1'.

 

2. Collecting: FortiGate SHA1 HASH Integrity debug output. Collect primary unit (no VDOM, no HA) executed from primary:

 

PS C:\Users\rcaushi\Desktop\FGT IoC Scripts> .\FGT-SHA1-HASH_Debugv2.0.ps1 -ip "10.191.19.172" -port 22 -username "admin" -password "fortinet" -vdom "0" -ha "0"

 

image.png

 

Collect secondary unit (no VDOM with HA) executed from the primary:

 

PS C:\Users\rcaushi\Desktop\FGT IoC Scripts> .\FGT-SHA1-HASH_Debugv2.0.ps1 -ip "10.191.19.172" -port 22 -username "admin" -password "fortinet" -vdom "0" -ha "1"

 

image.png

 

Collect primary unit (VDOM, no HA) executed from the primary:

 

PS C:\Users\rcaushi\Desktop\FGT IoC Scripts> .\FGT-SHA1-HASH_Debugv2.0.ps1 -ip "10.191.19.172" -port 22 -username "admin" -password "fortinet" -vdom "1" -ha "0"

 

image.png

 

 

Collect secondary unit (VDOM, with HA) executed from the primary:

 

PS C:\Users\rcaushi\Desktop\FGT IoC Scripts> .\FGT-SHA1-HASH_Debugv2.0.ps1 -ip "10.191.19.172" -port 22 -username "admin" -password "fortinet" -vdom "1" -ha "1"

 

image.png

 

  • The output will be saved FGT-SHA_HASH__yyyyMMdd-IP-HA0.log  for -ha '0'.
  • The output will be saved FGT-SHA_HASH__yyyyMMdd-IP-HA1.log  for -ha '1'.

 

Additional Notes:

  1. For the HA environment, the script Method A must be executed independently on each unit/member. 
  2. Do not modify the script or the output of the log.
  3. If the script method is not feasible and to execute the commands manually, follow this article: Technical Tip: Collect Indicators of Compromise (IoC) debugs on a FortiGate (VDOM and non-VDOM) manu... and each command must be executed one by one
  4. The scripts are intended only for the FortiGate product (VM/physical).
  5. Method B Predefined parameters will attempt to execute 'exec ha manage 0' and 'exec ha manage 1'. The ID of the unit is unknown, so the password will be visible in the terminal and put out; it is recommended to run the command with a temporary administrator account with super_admin privilege.
  6. The 'fnsysctl' and 'execute tac report' commands are only available when logged in to the FortiGate using an administrator account with super_admin privilege.

 

Disclaimer:

  • This script may be used without an Internet connection.
  • The script does not gather any sensitive information except the FortiGate debug output.
  • The debug output and the script code content can be verified with any text editor for security assessment. 
FGT_IOCScripts MethodA.zip
FGT_IOCScripts MethodB.zip
597
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.