FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
srajapratap
Staff
Staff
Description This article describes the steps to take when there is evidence of malicious activity on the Fortinet devices.
Scope All FortiGates and FortiOS firmware versions.
Solution

It is recommended that a clean installation is performed on all devices:

- Upgrade to the latest versions.

- Download firmware from the Fortinet Support site and validate the file hash using SHA512.

- Format the device's flash and disks and perform a clean install:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Loading-FortiGate-firmware-image-using-TFT...

 

Fortinet does not recommend to use the existing configuration:

- Restore the configuration from a known good backup or create a clean configuration validating the content.

- Reset all admin, local users, and VPN users’ credentials.

- Reset RADIUS secrets and IPSEC PSKs.

- Replace certs and revoke the potentially stolen ones.

- Change GUI administrative access to non-default port.

- Restrict logins to trusted hosts:

https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/582009/system-administra...

- Disable administrative access to any external (Internet-facing) interface.

- Perform administrative tasks over an out-of-band network.

- Implement 2FA.

- Change the LDAP user credentials used for FortiGate LDAP authentication

- Implement the recommendations in the FortiOS hardening guide: https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate