Hi FGT admins
Can FortiOS be compromised? I mean like any other OS by an attacker or a malware.
Have there been any known cases?
Is there any method to check if my FortiOS is compromised?
Does FortiOS check itself for possible compromise?
Note: here I'm talking about FortiOS itself, not about FortiGate configuration.
Greetings!
To check if your FortiOS is compromised, you can periodically perform a hash check on FortiGate files using the command "diagnose sys filesystem hash" to compare hash differences and determine if any files have been tampered with.
Regards!
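The "periodic hash check" suggested above only catches tampering if you keep an earlier capture of the command output and compare it against a fresh one. The script below is an added example, not from this thread or from Fortinet: it parses two saved captures of "diagnose sys filesystem hash" and lists files whose hash changed, appeared, or disappeared. The exact output format of the FortiOS command is not shown in the thread, so the parser assumes one "<hex hash> <path>" entry per line and skips anything else; the captures and paths embedded below are constructed for the example.

```python
"""
Added example (not from the thread or from Fortinet): diff two saved captures
of "diagnose sys filesystem hash" to find tampered, added or removed files.

ASSUMPTION: the command prints one entry per line as "<hex hash> <path>".
Adjust LINE_RE / parse_hash_listing() to match your firmware's real output.
"""
import re

# Sample captures (CONSTRUCTED for this example; not real FortiOS output).
# Banner and prompt lines are included to show that they are ignored.
BASELINE_CAPTURE = """\
# diagnose sys filesystem hash
0a1b2c3d4e5f6071  /bin/init
9f8e7d6c5b4a3921  /bin/node
1122334455667788  /bin/sshd
FGT #
"""

CURRENT_CAPTURE = """\
# diagnose sys filesystem hash
0a1b2c3d4e5f6071  /bin/init
deadbeefcafef00d  /bin/node
abcdefabcdef0123  /data/.hidden_helper
FGT #
"""

# A hash token of at least 8 hex characters, whitespace, then the path.
LINE_RE = re.compile(r"^\s*([0-9a-fA-F]{8,})\s+(\S+)\s*$")


def parse_hash_listing(text):
    """Return {path: hash} from a captured listing.

    Lines that do not look like '<hex hash> <path>' (command echo, prompts,
    blank lines) are skipped so that a raw terminal capture can be fed in.
    """
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries[m.group(2)] = m.group(1).lower()
    return entries


def diff_listings(baseline, current):
    """Compare two {path: hash} maps.

    Returns sorted lists of paths that were modified (same path, different
    hash), added (present now but not in the baseline) and removed (present
    in the baseline but gone now). Any non-empty list deserves a look.
    """
    modified = sorted(p for p in baseline
                      if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def compare_captures(baseline_text, current_text):
    """Convenience wrapper: parse both captures and diff them."""
    return diff_listings(parse_hash_listing(baseline_text),
                         parse_hash_listing(current_text))


def is_clean(diff):
    """True when nothing changed between the two captures."""
    return not any(diff.values())


if __name__ == "__main__":
    result = compare_captures(BASELINE_CAPTURE, CURRENT_CAPTURE)
    for kind, paths in result.items():
        for path in paths:
            print(f"{kind.upper():9} {path}")
    print("clean" if is_clean(result) else "CHANGES DETECTED - investigate")
```

In practice, take the baseline capture right after a firmware install or upgrade (and re-take it after every upgrade, since a legitimate upgrade changes every hash), store it off the device, and run the comparison against a fresh capture on a schedule.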
FortiOS takes multiple steps to check its integrity including BIOS controlled upgrade and boot-time firmware integrity checking:
This is set in the BIOS and has 3 levels:
0 - Do not check
1 - Validate with the Fortinet Cert
2 - Validate with the Fortinet and Public CA Cert (Default)
Recent systems have a dip switch to prevent this setting from being modified unless you have physical access to the device
On recent systems containing the SP5 ASIC we also added this firmware integrity checking into hardware:
Post boot we also support real-time filesystem integrity checking whereby the files are validated for integrity on every execution and the execution of unknown files is blocked.
Any failure of file integrity will trigger a device reboot to a known good state with the following log (others are possible depending on what failed).
fos_ima: fos_process_appraise 110: Executable File(/bin/node) doesn't match previous hash, it has been changed Restarting system.
Dr. Carl Windsor
Chief Information Security Officer (CISO)
Fortinet
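Because an integrity failure reboots the device, the fos_ima log line quoted above is the artefact a defender should be alerting on centrally, not just reading on the box afterwards. The script below is an added example, not from this thread or from Fortinet: it scans forwarded log text for fos_ima appraisal messages, pulls out the affected file path and whether a restart was triggered, and tallies events per device. The log line from the post is reused as-is; the syslog-style timestamp/host prefix around it and the other lines are constructed for the example, so adjust the line regex to whatever your collector actually emits.

```python
"""
Added example (not from the thread or from Fortinet): detect FortiOS
real-time file integrity failures (fos_ima appraisal messages) in
forwarded logs and summarise them per device.

ASSUMPTION: each forwarded line is "<timestamp> <host> <message>". The
fos_ima message text itself is the one shown in the thread.
"""
import re

# CONSTRUCTED sample log text. Line 1 and 3 carry the integrity-failure
# message from the thread; line 2 is ordinary noise that must be ignored.
SAMPLE_LOG = """\
2025-02-11T02:39:00Z fgt-edge-01 fos_ima: fos_process_appraise 110: Executable File(/bin/node) doesn't match previous hash, it has been changed Restarting system.
2025-02-11T02:39:05Z fgt-edge-01 system: admin login from console
2025-02-11T02:45:12Z fgt-edge-02 fos_ima: fos_process_appraise 110: Executable File(/bin/sshd) doesn't match previous hash, it has been changed Restarting system.
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")
# Path appears inside "File(...)" in the message; tolerate absent path.
PATH_RE = re.compile(r"File\(([^)]*)\)")


def extract_ima_events(log_text):
    """Return a list of integrity-failure events found in the log text.

    Each event is a dict with the timestamp, the reporting host, the file
    path named in the message (or None), whether the message says the
    device restarted, and the raw message for the analyst.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, msg = m.groups()
        if "fos_ima:" not in msg:
            continue
        path_match = PATH_RE.search(msg)
        events.append({
            "timestamp": ts,
            "host": host,
            "path": path_match.group(1) if path_match else None,
            "reboot": "Restarting system" in msg,
            "message": msg,
        })
    return events


def summarize_by_host(events):
    """Count integrity failures per device; any host with a non-zero count
    should be treated as a potential compromise until verified."""
    counts = {}
    for ev in events:
        counts[ev["host"]] = counts.get(ev["host"], 0) + 1
    return counts


if __name__ == "__main__":
    found = extract_ima_events(SAMPLE_LOG)
    for ev in found:
        flag = "REBOOTED" if ev["reboot"] else "no-reboot"
        print(f"{ev['timestamp']} {ev['host']} {ev['path']} [{flag}]")
    print("per-host counts:", summarize_by_host(found))
```

Pair the alert with an expectation: a FortiGate should never emit this message during normal operation, so even a single hit is worth a ticket, and a device that emits it repeatedly (because it keeps rebooting to the known-good state) is a strong signal that something on the box is re-tampering with files after each restart.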
Hi Jerry
Yes it is Linux based.
Actually when I was Unix/Linux admin I had the opportunity to see few Unix and Linux systems that were compromised by rootkits, viruses, trojans and other malware types.
That's why I'm asking the above questions about FortiOS. Are there any known cases in FortiOS history? Does FOS check itself for compromise? Is there a procedure to check if my FortiOS is compromised (since it doesn't have a Linux like shell, like bash, sh, ksh, ...)?
Thanks to both.
It seems "diagnose sys filesystem hash" is some of what I'm looking for.
Hi, you can ask Fortinet to check if you have some doubt. These are two guides to open a ticket for Integrity verification:
Regards.
Created on 02-11-2025 02:39 AM Edited on 02-11-2025 02:41 AM
Hi Carl
I appreciate your explanation.
This is definitely the answer I was looking for.
(And I notice it was introduced in 7.4.x)
One last question please, from my curiosity and so I can sleep peacefully..
Do you know if there have been any reported cases in Fortinet history where the FortiOS system has been compromised that way?
Copyright 2025 Fortinet, Inc. All Rights Reserved.