Just as the title states I was wondering if it possible to retrieve a configuration file from a fgate firewall (800c) after it has been factory reset. (remotely from the WAN or physically inside the office)
Two years ago we went through a hardware refresh where we took down our old 800C's fgate's and shelved them. We built new configuration for the new fgate's replacing them from scratch.
Last week we took one of the old fgates out of storage for an emergency at a customer. We factory reset the device from CLI, reset was confirmed, we configured it from scratch and called it a day, this fgate's security bundle is expired so no features are turned on, it used as a temp 2 weeks solution.
Last night I received alerts for several failed SSL login attempts at our HQ for user accounts that were configured on that 800c but NOT on the replacement fgate, except one which the password actually matched and the mfa code was sent out to an email that also is mfa'd so at least it was stopped there.
I reviewed my old 800c configuration files and I see the password are encrypted of course for all user accounts. I'm a bit confused at the moment. I traced the IP trying to break in coming from Arizona next to a Honeywell Aerospace warehouse which I assume it a jump point for a compromised PC at that location or near by. Maybe I'm crazy?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi Team,
I dont think its possible.
Lets confirm it from our team mates, if there is any way we can achieve it
No, Its not possible. There is no way to retrieve the configuration file.
anyways for waht should that be good? Once you executed a factory reset the device runs the factory default config anyways...
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Hey avicci,
can you confirm if we're understanding correctly?
- You reintroduced an old 800C temporarily (after a factoryreset) and reconfigured it from scratch
- there are some users on the 800C that do not exist on your regular FortiGates
- someone tried to access the FortiGate/your network via the 800C with credentials and only failed on MFA requirements?
-> should those users exist in 800C?
-> did they try to access the 800C itself, your other FortiGates (where the users should not even exist), or resources behind the FortiGates?
-> are you concerned that configuration snippets remained on the 800C post factory reset that somehow made the attempted compromise possible?
I don't quite understand the finer details of your post, my apologies. I understand the overall issue is that a compromise atttempt occurred (which luckily failed), but I don't quite understand how the details of the 800C, other FortiGates, and user credentials existing or not existing play into it, my apologies.
Backup is part of security
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1673 | |
1083 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.