Can you retrieve a configuration file after the Fortigate has been factory reset?
Just as the title states I was wondering if it possible to retrieve a configuration file from a fgate firewall (800c) after it has been factory reset. (remotely from the WAN or physically inside the office)
Two years ago we went through a hardware refresh where we took down our old 800C's fgate's and shelved them. We built new configuration for the new fgate's replacing them from scratch.
Last week we took one of the old fgates out of storage for an emergency at a customer. We factory reset the device from CLI, reset was confirmed, we configured it from scratch and called it a day, this fgate's security bundle is expired so no features are turned on, it used as a temp 2 weeks solution.
Last night I received alerts for several failed SSL login attempts at our HQ for user accounts that were configured on that 800c but NOT on the replacement fgate, except one which the password actually matched and the mfa code was sent out to an email that also is mfa'd so at least it was stopped there.
I reviewed my old 800c configuration files and I see the password are encrypted of course for all user accounts. I'm a bit confused at the moment. I traced the IP trying to break in coming from Arizona next to a Honeywell Aerospace warehouse which I assume it a jump point for a compromised PC at that location or near by. Maybe I'm crazy?
- You reintroduced an old 800C temporarily (after a factoryreset) and reconfigured it from scratch
- there are some users on the 800C that do not exist on your regular FortiGates
- someone tried to access the FortiGate/your network via the 800C with credentials and only failed on MFA requirements?
-> should those users exist in 800C?
-> did they try to access the 800C itself, your other FortiGates (where the users should not even exist), or resources behind the FortiGates?
-> are you concerned that configuration snippets remained on the 800C post factory reset that somehow made the attempted compromise possible?
I don't quite understand the finer details of your post, my apologies. I understand the overall issue is that a compromise atttempt occurred (which luckily failed), but I don't quite understand how the details of the 800C, other FortiGates, and user credentials existing or not existing play into it, my apologies.
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.