Description | This article describes the steps to take when there is evidence of malicious activity on the Fortinet devices. |
Scope | All FortiGates and FortiOS firmware versions. |
Solution |
It is recommended that a clean installation is performed on all devices: - Upgrade to the latest versions. - Download firmware from the Fortinet Support site and validate the file hash using SHA512. - Format the device's flash and disks and perform a clean install:
Fortinet does not recommend to use the existing configuration: - Restore the configuration from a known good backup or create a clean configuration validating the content. - Reset all admin, local users, and VPN users’ credentials. - Reset RADIUS secrets and IPSEC PSKs. - Replace certs and revoke the potentially stolen ones. - Change GUI administrative access to non-default port. - Restrict logins to trusted hosts: - Disable administrative access to any external (Internet-facing) interface. - Perform administrative tasks over an out-of-band network. - Implement 2FA. - Change the LDAP user credentials used for FortiGate LDAP authentication - Implement the recommendations in the FortiOS hardening guide: https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2023 Fortinet, Inc. All Rights Reserved.