Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
FClient_User
New Contributor

Need help identifying if my system was accessed by intruders through forticlient

Hi,

 

I connect my home computer running windows 8 pro with forticlient to a network and then work on the computer there. Could someone please guide me if there is a possibility of my home computer getting accessed and files read or uploaded out? Can someone with my own forticlient password or administrator password gain access to my home computer? If yes is there a log where I can find it? I can upload the logs if you want. Much thanks!

 

 

 

Thanks,

FCUser

6 REPLIES 6
ede_pfau
SuperUser
SuperUser

hi,

 

there is no way to establish the tunnel from remote. But, if the tunnel already is up while you're working, you've essentially got a direct connection between your PC and the remote LAN.

FC has a built-in firewall and maybe you've got other security software on your PC like Kaspersky which features one. If that is active you can control access from remote.

If access from remote to your PC is allowed then one could create a connection to a local share ('net use x: \\myPC\share') and copy files from and to. That is independent of the VPN though.

Logging: there is no valuable log info from the FC regarding file copies. You may find these in the Windows logs if configured (file or folder monitoring).

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
emnoc
Esteemed Contributor III

Why do you ask? Want drove you to  this speculation? As far as logs are you looging anything on the fortigate? What's fw.policy for the remote-access? What network/server resource do you allow for the "remote users" ( SMB/CIFS, RDP,FTP, etc...) ? I would  be more incline to review the logs on the server resource if any than the firewall, since the logs at the firewall will just show you traffic and not failed logins,logins, etc....

 

YMMV

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
FClient_User

ede_pfau wrote:

hi,

 

there is no way to establish the tunnel from remote. But, if the tunnel already is up while you're working, you've essentially got a direct connection between your PC and the remote LAN.

FC has a built-in firewall and maybe you've got other security software on your PC like Kaspersky which features one. If that is active you can control access from remote.

If access from remote to your PC is allowed then one could create a connection to a local share ('net use x: \\myPC\share') and copy files from and to. That is independent of the VPN though.

Logging: there is no valuable log info from the FC regarding file copies. You may find these in the Windows logs if configured (file or folder monitoring).

Hi ede,

I dont have any other security software. So will the Fc's built in firewall prevent anyone in the remote LAN to access the files on my PC? I just checked, my PC has "Don't allow remote connections to this computer" checked.

Where are these windows logs for file and folder monitoring?

 

 

emnoc wrote:

Why do you ask? Want drove you to  this speculation? As far as logs are you looging anything on the fortigate? What's fw.policy for the remote-access? What network/server resource do you allow for the "remote users" ( SMB/CIFS, RDP,FTP, etc...) ? I would  be more incline to review the logs on the server resource if any than the firewall, since the logs at the firewall will just show you traffic and not failed logins,logins, etc....

 

YMMV

I have a strong suspicion someone in the remote LAN or someone connected to the remote LAN was spying on me. I think its a group effort of 2 or more people, with one having admin access. Can this admin delete the logs on the fortigate or will the logs be secure? Can they tamper with the server side logs?

Where can i view the firewall logs?

I've been trying desperately to find out what really happened. I really need help on this, please!

FClient_User

Anyone...?

emnoc
Esteemed Contributor III

Can this admin delete the logs on the fortigate or will the logs be secure? Can they tamper with the server side logs? Where can i view the firewall logs?

 

To answer the questions;

 

YES

YES

 

 and

 

execute log  filter  category 1

execute log   display 

 

The real question tho, if they have  access  they could  delete , tamper,remove, files and do you even having logging enabled? and  yes was it memory/disk or did  you enable remote-syslog?

 

This is way it's 100% preachable to have have off appliance logging ( FortiCloud, FAZ, Syslog )

 

Ken

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
FClient_User

emnoc wrote:

 

To answer the questions;

 

YES

YES

 

Not good.

 

 

The real question tho, if they have  access  they could  delete , tamper,remove, files and do you even having logging enabled? and  yes was it memory/disk or did  you enable remote-syslog?

 

This is way it's 100% preachable to have have off appliance logging ( FortiCloud, FAZ, Syslog )

 

Ken

I have no idea. Basically I want to resolve this without going to the admin and asking for the server logs. I want to resolve this with some logs within my PC itself. Because the worst case scenario is the admin himself is compromised and will not co-operate or will have tampered with the logs. If my PC does not have those logs, then I guess I'll go and ask them of those off appliance logging you have mentioned.

So, does my PC contain any worthwhile logs I should be looking at?

 

execute log  filter  category 1

execute log   display 

 

 

This is on the server side? Like I mentioned, I do not have access to the server. Will the Forticlient on my PC have these logs? If yes then how do I execute those commands?

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors