Jirka1
Contributor III

fortigate-tech-support user

Hi,

a strange thing happened to me today.


My home firewall 40F (7.2.1) rebooted unexpectedly.
I looked in the log and found that the reboot was done by the user "fortigate-tech-support" and the reason was a firmware upgrade (7.2.1->7.2.2).

In system/Administrator this user was created and I don't know about it.
My admin password is set to 17 characters (including special characters) and another administrator has an equally strong password.
FortiGate is added to FortiCloud.
Passwords remained unchanged, all configuration looks ok.

 

How should I explain it? I'm assuming it's not a trusted event... or is it something to do with the new CVE?

 

Thank you.

Jirka

kanes391
New Contributor

Hi @Amar1 ,

 

Is this legitimate? I am seeing the same issue as well.

 

xsilver_FTNT

If you see "fortigate-tech-support" or have a device with logs (type="event" subtype="system") and any of the following properties:
user="Local_Process_Access"
ui="Node.js"

then open a technical ticket with Fortinet's Support for further steps and checks.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
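
The check described in the reply above, written as an added example (not part of the thread and not Fortinet code): it scans exported key=value event log lines for the "fortigate-tech-support" name and for system events with user="Local_Process_Access" or ui="Node.js". The sample lines, field selection and function names are constructed for illustration.

```python
import re

# key=value or key="quoted value" pairs, as in exported FortiGate log lines
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
ROGUE_ADMIN = "fortigate-tech-support"

def parse(line):
    """Return the fields of one log line as a dict."""
    return {k: (q if q else bare) for k, q, bare in PAIR.findall(line)}

def reasons(fields):
    """List the indicators from the reply that this record matches."""
    hits = []
    # The account name may appear as the acting user or inside a message.
    if any(ROGUE_ADMIN in v for v in fields.values()):
        hits.append("mentions " + ROGUE_ADMIN)
    if fields.get("type") == "event" and fields.get("subtype") == "system":
        if fields.get("user") == "Local_Process_Access":
            hits.append('user="Local_Process_Access"')
        # Assumption: tolerate a suffix after the interface name.
        if fields.get("ui", "").startswith("Node.js"):
            hits.append('ui="Node.js"')
    return hits

def scan(lines):
    """Return (line number, reasons) for every matching line."""
    out = []
    for n, line in enumerate(lines, 1):
        hits = reasons(parse(line))
        if hits:
            out.append((n, hits))
    return out

# Constructed sample lines (not taken from the thread's screenshots).
SAMPLE = [
    'date=2022-01-01 time=08:00:01 type="event" subtype="system" user="admin" ui="GUI(192.0.2.10)" msg="Administrator admin logged in"',
    'date=2022-01-01 time=08:05:12 type="event" subtype="system" user="Local_Process_Access" ui="Node.js" msg="Add system.admin fortigate-tech-support"',
    'date=2022-01-01 time=08:09:40 type="event" subtype="system" user="fortigate-tech-support" ui="GUI(198.51.100.7)" msg="firmware upgraded"',
    'date=2022-01-01 time=08:10:02 type="traffic" subtype="forward" srcip=192.0.2.20 action="accept"',
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE):
        print(f"line {n}: " + ", ".join(hits))
```
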

Zamokuhle
New Contributor

@Jirka1 please advise on the feedback from support, if you reported it. I also experienced the same thing on the same date as you.

esec
New Contributor III

Noticed these on some Fortigates as well, what was the feedback and recommendation from Fortinet to take on this?

keithramsey
Visitor

Based on the information provided, the unexpected reboot of your FortiGate device and the existence of an unknown user "fortigate-tech-support" in the Administrator section raise several important points and potential concerns:

  1. Unscheduled Firmware Upgrade: The reboot appears to have been triggered by a firmware upgrade (from version 7.2.1 to 7.2.2), which may indicate an automated update process, possibly managed through FortiCloud or a scheduled task. Normally, these updates should be controlled and approved by an authorized administrator, and any deviation from this process should be investigated.

  2. Unrecognized User Account: The creation of a new user account "fortigate-tech-support" without your knowledge is a significant concern. It may indicate unauthorized access to your device, a potential security breach, or a misconfiguration issue.

  3. FortiCloud Integration: Since the FortiGate device is integrated with FortiCloud, it's possible that Fortinet technical support may have access to the device for support purposes. However, this should be done only with explicit authorization and proper security measures in place.

  4. Security Vulnerabilities (CVE): The mention of a potential CVE (Common Vulnerabilities and Exposures) may suggest that there was a known security flaw in the firmware version 7.2.1 that required patching. It's important to review the release notes and security advisories for the new firmware version (7.2.2) to understand if there was a known vulnerability being addressed.
