It is recommended that a clean installation is performed on all devices:
- Upgrade to the latest versions.
- Download firmware from the Fortinet Support site and validate the file hash using SHA512.
- Format the device's flash and disks and perform a clean install:
Fortinet does not recommend to use the existing configuration:
- Restore the configuration from a known good backup or create a clean configuration validating the content.
- Reset all admin, local users, and VPN users’ credentials.
- Reset RADIUS secrets and IPSEC PSKs.
- Replace certs and revoke the potentially stolen ones.
- Change GUI administrative access to non-default port.
- Restrict logins to trusted hosts:
- Disable administrative access to any external (Internet-facing) interface.
- Perform administrative tasks over an out-of-band network.
- Implement 2FA.
- Change the LDAP user credentials used for FortiGate LDAP authentication
- Implement the recommendations in the FortiOS hardening guide: https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate