FortiGate
kwcheng__FTNT
Article Id 301290

Description


This article describes the typical circumstances behind the log message 'User shutdown the device from forticron. The reason is 'System file integrity check failed''.

It also covers the case where the FortiGate went down without any administrator action and recorded the following log:


logid=0100032200 type="event" subtype="system" level="critical" action="shutdown" msg="User shutdown the device from forticron. The reason is 'System file integrity check failed'" logdesc="Device shutdown" ui="forticron"


This message states that the shutdown was triggered by a failed system file integrity check, indicating that the system has been compromised.


Scope


FortiGate v7.0.12, v7.2.5 and above.


Solution


This can be expected behavior depending on the BIOS security level: at level 1 and level 2, all file signatures are required to match their secure checksums. If the system file integrity check fails, it simply indicates that a system file may have been tampered with.

For more information regarding this feature, refer to the FortiOS 7.2.5 administration guide, section 'BIOS-level signature and file integrity checking'.


To further check this behavior:


First, verify the build number of the firmware image in use (or just installed). Interim builds released to address a specific known issue will fail the integrity check. If such a build is absolutely necessary, refer to the administration guide above for lowering the BIOS security level (not a recommended practice).


Secondly, check whether the logs are accompanied by the entry 'logdesc="FortiGate database signature invalid"'. If they are, a reboot may solve the problem.


Additionally, if the log 'msg="User shutdown the device from updated. The reason is 'System is at security risk as invalid AV/IPS engine detected''' is seen, the device is likely to have been compromised. For further analysis (if covered by the contract), contact TAC to further engage PSIRT. If a quick fix without further investigation is needed, proceed with the workaround below (clean install).
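The three log conditions discussed above lend themselves to an automated first-pass triage before anyone touches the device. The following is an added example, not part of the original article; it parses FortiGate key=value event logs and ranks a batch of lines by the guidance given here (invalid AV/IPS engine, then database signature invalid, then a bare integrity failure). Only the first sample line reproduces the article's log; the other two are constructed.

```python
import re
from typing import Dict, Iterable, List

# FortiGate event logs are key=value pairs; values may be double-quoted and may
# contain spaces and nested single quotes, as in the msg fields quoted above.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Return the key=value fields of one log line, with surrounding quotes stripped."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(line)}

def triage_shutdown(lines: Iterable[str]) -> str:
    """Classify a batch of event logs: invalid engine outranks a database
    signature problem, which outranks a bare file integrity failure."""
    events: List[Dict[str, str]] = [parse_fortigate_log(l) for l in lines]
    shutdowns = [e for e in events if e.get("action") == "shutdown"]
    if not shutdowns:
        return "no-shutdown-event"
    msgs = [e.get("msg", "") for e in shutdowns]
    if any("invalid AV/IPS engine detected" in m for m in msgs):
        return "likely-compromised"          # engage TAC/PSIRT, or clean install
    if any("System file integrity check failed" in m for m in msgs):
        if any(e.get("logdesc") == "FortiGate database signature invalid" for e in events):
            return "reboot-first"            # a reboot may clear this combination
        return "verify-build-then-reload"    # interim build? otherwise TFTP reload
    return "other-shutdown"

# Constructed sample lines; only INTEGRITY_LINE reproduces the article's log verbatim.
INTEGRITY_LINE = ('logid=0100032200 type="event" subtype="system" level="critical" '
                  'action="shutdown" msg="User shutdown the device from forticron. '
                  "The reason is 'System file integrity check failed'\" "
                  'logdesc="Device shutdown" ui="forticron"')
DB_INVALID_LINE = ('type="event" subtype="system" level="warning" '
                   'msg="constructed sample" logdesc="FortiGate database signature invalid"')
ENGINE_LINE = ('type="event" subtype="system" level="critical" action="shutdown" '
               'msg="User shutdown the device from updated. The reason is '
               "'System is at security risk as invalid AV/IPS engine detected'\" "
               'logdesc="Device shutdown"')

if __name__ == "__main__":
    print(triage_shutdown([INTEGRITY_LINE]))                   # verify-build-then-reload
    print(triage_shutdown([DB_INVALID_LINE, INTEGRITY_LINE]))  # reboot-first
    print(triage_shutdown([INTEGRITY_LINE, ENGINE_LINE]))      # likely-compromised
```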


Workaround

If a quick solution is required without checking with Fortinet TAC, reload the firmware via TFTP; this completely erases the existing firmware and files from the hardware device (steps available here: Technical Tip: Installing firmware from system reboot). The factory reset command from the CLI will not achieve the same result, as it only clears the configuration. Once the firmware has been reloaded via TFTP, restore the backup configuration to resume service. Best practice before restoring the configuration in this specific case: check the list of local users for unknown or unrecognized entries, and change all admin passwords.