Hi,
a strange thing happened to me today.
My home firewall 40F (7.2.1) rebooted unexpectedly.
I looked in the log and found that the reboot was done by the user "fortigate-tech-support" and the reason was a firmware upgrade (7.2.1->7.2.2).
In system/Administrator this user was created and I don't know about it.
My admin password is set to 17 characters (including special characters) and another administrator has an equally strong password.
FortiGate is added to FortiCloud.
Passwords remained unchanged, all configuration looks ok.
How should I explain it? I'm assuming it's not a trusted event... or is it something to do with the new CVE?
Thank you.
Jirka
If you see "fortigate-tech-support", or have a device with logs (type="event" subtype="system") carrying any of the following properties:
user="Local_Process_Access"
ui="Node.js"
then open a technical ticket with Fortinet Support for further steps and checks.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
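The indicators in the TAC reply above can be checked mechanically against exported FortiGate event logs. The following is an added example (not code from the thread or from Fortinet) that parses FortiGate key=value syslog lines and flags the account name and the two log properties listed; the sample log lines, device names and timestamps are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# FortiGate syslog lines are space-separated key=value pairs; values that
# contain spaces are double-quoted. Group 2 = quoted value, group 3 = bare value.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Split one FortiGate log line into a {key: value} dict with quotes stripped."""
    return {k: (q or u) for k, q, u in _KV.findall(line)}

def classify_event(fields: Dict[str, str]) -> List[str]:
    """Return the indicator(s) from the TAC post that this event matches (empty if none)."""
    reasons = []
    user = fields.get("user", "")
    # The account name is suspicious wherever it shows up (login, reboot, config change).
    if user == "fortigate-tech-support":
        reasons.append("admin account fortigate-tech-support in use")
    # The two log properties are only meaningful on type="event" subtype="system".
    if fields.get("type") == "event" and fields.get("subtype") == "system":
        if user == "Local_Process_Access":
            reasons.append('user="Local_Process_Access"')
        if fields.get("ui") == "Node.js":
            reasons.append('ui="Node.js"')
    return reasons

def scan_log(lines: List[str]) -> List[Tuple[int, str, str, List[str]]]:
    """Scan raw log lines; return (line_no, user, ui, reasons) for each hit."""
    findings = []
    for n, line in enumerate(lines, 1):
        f = parse_fortigate_log(line)
        reasons = classify_event(f)
        if reasons:
            findings.append((n, f.get("user", ""), f.get("ui", ""), reasons))
    return findings

# Constructed sample log (not real device output): two hits, two benign lines.
SAMPLE_LOG = [
    'date=2000-01-01 time=08:14:02 devname="FGT40F-home" devid="FGT-PLACEHOLDER" type="event" subtype="system" level="notice" vd="root" user="fortigate-tech-support" ui="Node.js" action="reboot" msg="System rebooted by admin: firmware upgrade 7.2.1->7.2.2"',
    'date=2000-01-01 time=08:13:40 devname="FGT40F-home" devid="FGT-PLACEHOLDER" type="event" subtype="system" level="notice" vd="root" user="Local_Process_Access" ui="Node.js" action="add" msg="Add admin fortigate-tech-support"',
    'date=2000-01-01 time=07:02:11 devname="FGT40F-home" devid="FGT-PLACEHOLDER" type="event" subtype="system" level="notice" vd="root" user="admin" ui="GUI(192.0.2.10)" action="login" msg="Administrator admin logged in successfully from GUI"',
    'date=2000-01-01 time=07:02:30 devname="FGT40F-home" devid="FGT-PLACEHOLDER" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.0.2.10 dstip=198.51.100.5 action="accept"',
]

if __name__ == "__main__":
    for line_no, user, ui, reasons in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: user={user!r} ui={ui!r} -> {', '.join(reasons)}")
```

Run it over a full export (e.g. `scan_log(open("event.log").read().splitlines())`); any hit is the trigger for the support ticket the TAC reply describes.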
@Jirka1 please advise on the feedback from support if you reported it? I also experienced the same thing on the same date as you.
Noticed these on some FortiGates as well. What was the feedback and recommendation from Fortinet on this?
Based on the information provided, the unexpected reboot of your FortiGate device and the existence of an unknown user "fortigate-tech-support" in the Administrator section raise several important points and potential concerns:
Unscheduled Firmware Upgrade: The reboot appears to have been triggered by a firmware upgrade (from version 7.2.1 to 7.2.2), which may indicate an automated update process, possibly managed through FortiCloud or a scheduled task. Normally, these updates should be controlled and approved by an authorized administrator, and any deviation from this process should be investigated.
Unrecognized User Account: The creation of a new user account "fortigate-tech-support" without your knowledge is a significant concern. It may indicate unauthorized access to your device, a potential security breach, or a misconfiguration issue.
FortiCloud Integration: Since the FortiGate device is integrated with FortiCloud, it's possible that Fortinet technical support may have access to the device for support purposes. However, this should be done only with explicit authorization and proper security measures in place.
Security Vulnerabilities (CVE): The mention of a potential CVE (Common Vulnerabilities and Exposures) may suggest that there was a known security flaw in the firmware version 7.2.1 that required patching. It's important to review the release notes and security advisories for the new firmware version (7.2.2) to understand if there was a known vulnerability being addressed.