FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA).
    This is a feature that exists to enable connecting to collectors from the supervisor when there is a firewall between the collector and the supervisor.
    Restricted user 'tunneluser' runs in a restricted shell that lets only that user create tunnel connections from the supervisor to the originating IP (i.e. enabling reverse-shell connections to the IP that initiated the connection).
    Customers who are not using the reverse tunnel feature are advised to disable SSH service on port 19999.

    The step-by-step procedure is below:

    1) Upload the attached file to your Super /tmp folder.

    2) Check the process with the command:
    ps aux |grep 19999
    The result must be similar to:
    root 3384 0.0 0.0 66288 1224 ? Ss 11:24 0:00 /usr/sbin/sshd -p 19999 -f /etc/ssh/sshd_config.tunneluser
    root 9522 0.0 0.0 103324 916 pts/2 S+ 11:34 0:00 grep 19999
    3) Remove the tunneluser configuration file.
    rm -f /etc/ssh/sshd_config.tunneluser
    4) Copy the patched file over the original one, overwriting it.
    cp /tmp/ /etc/init.d/
    cp: overwrite `/etc/init.d/'? y
    5) Kill the existing process listening on port 19999.
    pkill -f '/usr/sbin/sshd -p 19999'
    6) Restart the system.
    shutdown -r now
    7) When the Super has restarted, check that tunneluser is no longer listening on port 19999.
    ps aux |grep 19999
    The result must be similar to:
    root 10179 0.0 0.0 103320 912 pts/2 S+ 11:35 0:00 grep 19999
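
The manual check in steps 2 and 7 always shows the `grep 19999` process itself, so the following added example (not Fortinet's code) tests only for a real sshd started with `-p 19999` and for a leftover configuration file. The function names are hypothetical, and it assumes the process appears in `ps aux` as shown in step 2.

```shell
#!/bin/sh
# Added example, not part of the original procedure. The port and config path
# are the ones shown in the steps above; the function names are hypothetical.

TUNNEL_PORT=19999
TUNNEL_CONF=/etc/ssh/sshd_config.tunneluser

# Read `ps aux` output on stdin and succeed only if an sshd started with
# "-p <tunnel port>" is listed. In `ps aux` the command starts at field 11,
# so the "grep 19999" line that the manual check always shows is not counted.
tunnel_sshd_running() {
    awk -v port="$TUNNEL_PORT" '
        $11 ~ /(^|\/)sshd$/ {
            for (i = 12; i < NF; i++)
                if ($i == "-p" && $(i + 1) == port) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Check the live host: process list plus leftover config file.
# Returns 0 when the tunnel service is disabled, 1 otherwise.
check_tunnel_disabled() {
    status=0
    if ps aux | tunnel_sshd_running; then
        echo "FAIL: sshd is still running with -p $TUNNEL_PORT"
        status=1
    fi
    if [ -e "$TUNNEL_CONF" ]; then
        echo "FAIL: $TUNNEL_CONF still exists"
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK: tunneluser sshd on port $TUNNEL_PORT is disabled"
    fi
    return "$status"
}
```

Source the file on the Super after the reboot and call `check_tunnel_disabled`; a non-zero return means step 3 or step 5 did not take effect.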

Problem Verification