If there is a suspicion that FortiGate may be compromised, use the following steps to collect information and open a new ticket with the technical support team. Once the output is attached to the ticket, an engineer will confirm if any indication of compromise is found or not.

The following information is expected for a complete evaluation.

1. FortiGate Filesystem Integrity debug output (mandatory generated by the script).
2. FortiGate SHA1 HASH Integrity debug output (mandatory generated by the script).
3. Copy of the running configuration of the FortiGate.
4. Copy of the unit 'Debug Log'.
5. Copy of System Event Logs for the impacted unit.

Before collecting the automated debugs, Methods A and B : 

1. Enable SSH on the FortiGate, and each unit shall be accessed separately and verify the running port. 

2. Prepare PowerShell to run the script: a. Verify that the execution level is 'Unrestricted.' by running PS.

C:\Windows\system32> Get-ExecutionPolicy

Set the execution level to 'Unrestricted' by running PS C:\Windows\system32> Set-ExecutionPolicy Unrestricted then type Y to confirm. 

• Verify again the execution level is set to 'Unrestricted'.
• Install Posh-SSH by running C:\Windows\system32> Install-Module -Name Posh-SSH.

Note:

To install the module, an internet connection is required. To install the module and change the execution level in PowerShell must be running as an Administrator to make the above changes.

Method A: interactive prompt.

1. Collecting: FortiGate System Integrity debug output.

• The script is designed to run from Windows PowerShell, to execute, run the following command: 

PS C:\Users\user\Desktop\FGT IoC Scripts> .\FGT-SysIntegrity_Debug.ps1

• A set of awareness banner messages will be displayed in yellow/cyan before script execution.
• Script prompts for FortiGate IP/ SSH Port/ Username/ Password (hidden) and  VDOM usage as a specific set of commands are executed for each environment.

• Commands are executed at specific times apart, and output is displayed on the terminal in yellow.
• The debug output file is stored at the same location of the script as 'FGT-SysIntegrity_yyyyMMdd_FGT-IP.log'.

2. Collecting: FortiGate SHA1 HASH debug output.

• The script is designed to run from Windows PowerShell, to execute, run the following command:
  
  

PS C:\Users\user\Desktop\FGT IoC Scripts> .\FGT-Hash_Debug.ps1

• A set of awareness banner messages will be displayed in yellow/cyan before script execution.
• Script prompts for FortiGate IP/SSH Port/Username/Password (hidden) and VDOM usage as a specific set of commands are executed for each environment.

• Commands are executed at specific times apart, and output is displayed on the terminal in yellow. 
• The debug output file is stored at the same location of the script as 'FGT-SHA1_HASH_YYYYMMDD_FGT-IP.log'.

Method B: Predefined parameters.

• ip: IP of the primary unit of the cluster.
• port: SSH port default 22.
• username (administrator account with super_admin privilege).
• password (visible plaintext).
• vdom (yes 1 or no 0).
• ha (yes 1 or no 0).

1. Collecting: FortiGate Filesystem Integrity debug output.

Before executing, the script is designed to run from Windows PowerShell with predefined parameters (-ha using HA yes 1 or no 0; -from using HA yes 1 or no 0).

Collect primary unit (no VDOM, no HA) executed from primary:

PS C:\Users\rcaushi\Desktop\FGT IoC Scripts> .\FGT-SysIntegrity_Debugv2.0.ps1 -ip "10.191.19.172" -port 22 -username "admin" -password "fortinet" -vdom "0" -ha "0"

Collect secondary unit (no VDOM with HA) executed from primary:

PS C:\Users\rcaushi\Desktop\FGT IoC Scripts> .\FGT-SysIntegrity_Debugv2.0.ps1 -ip "10.191.19.172" -port 22 -username "admin" -password "fortinet" -vdom "0" -ha "1"

Collect primary unit (VDOM no HA) executed from primary:

PS C:\Users\rcaushi\Desktop\FGT IoC Scripts> .\FGT-SysIntegrity_Debugv2.0.ps1 -ip "10.191.19.172" -port 22 -username "admin" -password "fortinet" -vdom "1" -ha "0"

Collect secondary unit (VDOM with HA) executed from primary:

PS C:\Users\rcaushi\Desktop\FGT IoC Scripts> .\FGT-SysIntegrity_Debugv2.0.ps1 -ip "10.191.19.172" -port 22 -username "admin" -password "fortinet" -vdom "1" -ha "1"

• The output will be saved FGT-SysIntg_yyyyMMdd-IP-HA0.log for -ha '0'.
• The output will be saved FGT-SysIntg_yyyyMMdd-IP-HA1.log for -ha '1'.

2. Collecting: FortiGate SHA1 HASH Integrity debug output. Collect primary unit (no VDOM, no HA) executed from primary:

PS C:\Users\rcaushi\Desktop\FGT IoC Scripts> .\FGT-SHA1-HASH_Debugv2.0.ps1 -ip "10.191.19.172" -port 22 -username "admin" -password "fortinet" -vdom "0" -ha "0"

Collect secondary unit (no VDOM with HA) executed from the primary:

PS C:\Users\rcaushi\Desktop\FGT IoC Scripts> .\FGT-SHA1-HASH_Debugv2.0.ps1 -ip "10.191.19.172" -port 22 -username "admin" -password "fortinet" -vdom "0" -ha "1"

Collect primary unit (VDOM, no HA) executed from the primary:

PS C:\Users\rcaushi\Desktop\FGT IoC Scripts> .\FGT-SHA1-HASH_Debugv2.0.ps1 -ip "10.191.19.172" -port 22 -username "admin" -password "fortinet" -vdom "1" -ha "0"

Collect secondary unit (VDOM, with HA) executed from the primary:

PS C:\Users\rcaushi\Desktop\FGT IoC Scripts> .\FGT-SHA1-HASH_Debugv2.0.ps1 -ip "10.191.19.172" -port 22 -username "admin" -password "fortinet" -vdom "1" -ha "1"

• The output will be saved FGT-SHA_HASH__yyyyMMdd-IP-HA0.log  for -ha '0'.
• The output will be saved FGT-SHA_HASH__yyyyMMdd-IP-HA1.log  for -ha '1'.

Additional Notes:

1. For the HA environment, the script Method A must be executed independently on each unit/member. 
2. Do not modify the script or the output of the log.
3. If the script method is not feasible and to execute the commands manually, follow this article: Technical Tip: Collect Indicators of Compromise (IoC) debugs on a FortiGate (VDOM and non-VDOM) manu... and each command must be executed one by one. 
4. The scripts are intended only for the FortiGate product (VM/physical).
5. Method B Predefined parameters will attempt to execute 'exec ha manage 0' and 'exec ha manage 1'. The ID of the unit is unknown, so the password will be visible in the terminal and put out; it is recommended to run the command with a temporary administrator account with super_admin privilege.
6. The 'fnsysctl' and 'execute tac report' commands are only available when logged in to the FortiGate using an administrator account with super_admin privilege.

Disclaimer:

• This script may be used without an Internet connection (only enabling the necessary PowerShell modules requires a temporary Internet connection to complete installation).
• The script does not gather any sensitive information except the FortiGate debug output for IoC purposes.
• The debug output and the script code content can be verified with any text editor for internal security assessment (do not modify).