This article describes the steps to take when there is evidence of compromised device integrity on the Fortinet devices.

It’s possible that a device may become corrupted, for example due to power issues, abrupt turn-off, or maybe environmental anomalies, or in some cases of malicious activity. In such cases it is important to be able to restore device integrity.

This article explains what factors may lead to identifying such a scenario and how to proceed.

Since FortiOS 7.4.0, 7.2.5, 7.0.12 & 6.4.13, strong device integrity checks are incorporated into the boot process. A Fortigate with these versions will not boot if integrity is compromised.

Fortinet TAC can also help verify device integrity by confirming the FortiOS capability, and running filesystem integrity checks.

Note that inadvertent knowledge of device configuration entries do not constitute compromised device – these can be resolved by configuration changes.

Under other unlikely scenarios it may become necessary to re-format and fresh install FortiOS. The below outlines how to achieve this.

• Download firmware matching your configuration version from the Fortinet Support site and verify the firmware checksum using SHA512. See Technical Tip: How to verify downloaded firmware checksum.
• Disconnect the FortiGate unit from the network.
• Format the device's flash and perform a clean install. See Technical Tip: Loading a FortiGate firmware image using TFTP
• After completing the TFTP firmware reload, proceed to format the disk partition. See Technical Tip: Standard procedure to format a FortiGate Log Disk
• If not already at the latest version on the branch, upgrade being sure to follow recommended upgrade path, or using the GUI.
• Reconnect the FortiGate unit to the network.

In the event of inadvertent or unauthorized access to the device configuration, ensure the following changes are made, after upgrading to or reloading the most recent version of FortiOS:

1. Restore configuration from a known good backup, or create a clean configuration, validating the content. Beware that at this stage, any exposed information may need reconfiguring.  
2. Reset all admin, local users, and VPN users' credentials.
3. Reset RADIUS secrets and IPsec PSKs.
4. Replace certificates and revoke the potentially stolen ones.
5. Change the GUI administrative access to a non-default port.
6. Restrict logins to trusted hosts. See System administrator best practices - FortiGate documentation.
7. Disable administrative access to any external (Internet-facing) interface.
8. Perform administrative tasks over an out-of-band network.
9. Implement 2FA.
10. Change the LDAP user credentials used for FortiGate LDAP authentication.
11. Implement the recommendations in the FortiOS hardening guide.