Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
avicci
New Contributor

Can you retrieve a configuration file after the Fortigate has been factory reset?

Just as the title states I was wondering if it possible to retrieve a configuration file from a fgate firewall (800c) after it has been factory reset. (remotely from the WAN or physically inside the office)

Two years ago we went through a hardware refresh where we took down our old 800C's fgate's and shelved them. We built new configuration for the new fgate's replacing them from scratch.

Last week we took one of the old fgates out of storage for an emergency at a customer. We factory reset the device from CLI, reset was confirmed, we configured it from scratch and called it a day, this fgate's security bundle is expired so no features are turned on, it used as a temp 2 weeks solution.

Last night I received alerts for several failed SSL login attempts at our HQ for user accounts that were configured on that 800c but NOT on the replacement fgate, except one which the password actually matched and the mfa code was sent out to an email that also is mfa'd so at least it was stopped there.

I reviewed my old 800c configuration files and I see the password are encrypted of course for all user accounts. I'm a bit confused at the moment. I traced the IP trying to break in coming from Arizona next to a Honeywell Aerospace warehouse which I assume it a jump point for a compromised PC at that location or near by. Maybe I'm crazy?

5 REPLIES 5
seshuganesh
Staff
Staff

Hi Team,

 

I dont think its possible.

Lets confirm it from our team mates, if there is any way we can achieve it

warshad
Staff
Staff

No, Its not possible. There is no way to retrieve the configuration file.

 

Waqas Arshad
Fortinet
sw2090
Honored Contributor

anyways for waht should that be good? Once you executed a factory reset the device runs the factory default config anyways...


-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

Debbie_FTNT
Staff
Staff

Hey avicci,

can you confirm if we're understanding correctly?

- You reintroduced an old 800C temporarily (after a factoryreset) and reconfigured it from scratch

- there are some users on the 800C that do not exist on your regular FortiGates

- someone tried to access the FortiGate/your network via the 800C with credentials and only failed on MFA requirements?

-> should those users exist in 800C?

-> did they try to access the 800C itself, your other FortiGates (where the users should not even exist), or resources behind the FortiGates?

-> are you concerned that configuration snippets remained on the 800C post factory reset that somehow made the attempted compromise possible?

I don't quite understand the finer details of your post, my apologies. I understand the overall issue is that a compromise atttempt occurred (which luckily failed), but I don't quite understand how the details of the 800C, other FortiGates, and user credentials existing or not existing play into it, my apologies.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
AEK
Contributor II

Backup is part of security