Support Forum
AEK
SuperUser

Determine if FortiOS (OS) is compromised

Hi FGT admins

Can FortiOS be compromised? I mean like any other OS by an attacker or a malware.

Have there been any known cases?

Is there any method to check if my FortiOS is compromised?

Does FortiOS check itself for possible compromise?

Note: here I'm talking about FortiOS itself, not about FortiGate configuration.

AEK
2 Solutions
Dhruvin_patel

Greetings!

To check if your FortiOS is compromised, you can periodically perform a hash check on FortiGate files using the command "diagnose sys filesystem hash" to compare hash differences and determine if any files have been tampered with.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Best-practice-Periodically-do-FortiGate-fi...

Regards!

Dhruvin Patel

Carl_Windsor_FTNT

FortiOS takes multiple steps to check its integrity including BIOS controlled upgrade and boot-time firmware integrity checking:

https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/249947/bios-level-signature-...

This is set in the BIOS and has 3 levels:

0 - Do not check

1 - Validate with the Fortinet Cert

2 - Validate with the Fortinet and Public CA Cert (Default)

Recent systems have a dip switch to prevent this setting from being modified unless you have physical access to the device.

On recent systems containing the SP5 ASIC we also added this firmware integrity checking into hardware:

https://www.fortinet.com/corporate/about-us/newsroom/press-releases/2023/fortinet-unveils-new-asic-a...

Post boot we also support real-time filesystem integrity checking whereby the files are validated for integrity on every execution and the execution of unknown files is blocked.

https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/226732/real-time-file-system...

Any failure of file integrity will trigger a device reboot to a known good state with the following log (others are possible depending on what failed).

fos_ima: fos_process_appraise 110: Executable File(/bin/node) doesn't match previous hash, it has been changed
Restarting system.

Dr. Carl Windsor
Chief Information Security Officer (CISO)
Fortinet
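As an added example (not code from the thread or from Fortinet), the script below does what the two accepted answers describe on the operator side: it diffs a saved hash listing against a fresh one to spot changed, added or removed files, and it extracts the file path from the fos_ima mismatch line quoted above so a log pipeline can alert on it. The thread does not show the exact output format of "diagnose sys filesystem hash", so a one-entry-per-line "<hash>  <path>" layout is assumed and the sample listings and hashes are constructed.

```python
import re

# Constructed sample listings. The thread does not show the exact output of
# "diagnose sys filesystem hash", so one "<hash>  <path>" entry per line is
# assumed here; adapt parse_hash_listing() to the real format.
BASELINE_LISTING = """\
9b7f1c2e  /bin/init
4d2a8e10  /bin/node
71c0ffee  /bin/sslvpnd
"""
CURRENT_LISTING = """\
9b7f1c2e  /bin/init
deadbeef  /bin/node
0badc0de  /data/.unexpected
"""
# Constructed log sample built from the fos_ima line quoted in the thread.
SAMPLE_LOG = """\
fos_ima: fos_process_appraise 110: Executable File(/bin/node) doesn't match previous hash, it has been changed
Restarting system.
"""
IMA_MISMATCH = re.compile(
    r"fos_ima: fos_process_appraise \d+: Executable File\((?P<path>[^)]+)\) "
    r"doesn't match previous hash"
)

def parse_hash_listing(text):
    """Map each file path to its hash; blank or malformed lines are skipped."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            table[parts[1]] = parts[0]
    return table

def compare_listings(baseline_text, current_text):
    """Files whose hash differs, files that appeared, files that vanished."""
    base = parse_hash_listing(baseline_text)
    cur = parse_hash_listing(current_text)
    return {
        "changed": sorted(p for p in base if p in cur and base[p] != cur[p]),
        "added": sorted(set(cur) - set(base)),
        "removed": sorted(set(base) - set(cur)),
    }

def ima_mismatches(log_text):
    """Paths the real-time integrity check reported as changed (reboot trigger)."""
    return [m.group("path") for m in IMA_MISMATCH.finditer(log_text)]

if __name__ == "__main__":
    print(compare_listings(BASELINE_LISTING, CURRENT_LISTING))
    print(ima_mismatches(SAMPLE_LOG))
```

Save the first listing right after a clean install or upgrade, since a baseline taken from an already tampered unit would mask the change.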

8 Replies
dingjerry_FTNT

Hi @AEK ,

FortiOS is Linux kernel-based. You may check the Linux OS info first.

Regards,

Jerry
AEK

Hi Jerry

Yes it is Linux based.

Actually when I was a Unix/Linux admin I had the opportunity to see a few Unix and Linux systems that were compromised by rootkits, viruses, trojans and other malware types.

That's why I'm asking the above questions about FortiOS. Are there any known cases in FortiOS history? Does FOS check itself for compromise? Is there a procedure to check if my FortiOS is compromised (since it doesn't have a Linux-like shell, like bash, sh, ksh, ...)?

AEK
AEK

Thanks to both.

It seems "diagnose sys filesystem hash" is some of what I'm looking for.

AEK
AEK

Hi Carl

I appreciate your explanation.

This is definitely the answer I was looking for.

(And I notice it was introduced in 7.4.x)

AEK

AEK

@Carl_Windsor_FTNT

One last question please, out of curiosity and so I can sleep peacefully.

Do you know if there have been any reported cases in Fortinet history where the FortiOS system has been compromised that way?

AEK