This article describes how to collect information when suspicious activity is observed on a FortiGate, and how to send that information to the technical support team for review.
Scope
FortiGate.
Solution
If there is a suspicion that the FortiGate may be compromised, use the following steps to collect information and open a new ticket with the technical support team. Once the output is attached to the ticket, an engineer will review it and confirm whether any indication of compromise is found.
Step 1: Open a PuTTY session to start an SSH session to the FortiGate (the CLI console embedded in the GUI is not recommended for collecting this information). Configure the PuTTY session to log all session output to a text file, then run the following commands, one at a time:
get system status
fnsysctl ls -la /
fnsysctl ls -la /bin
fnsysctl ls -la /sbin
fnsysctl ls -la /lib
fnsysctl ls -la /tmp
fnsysctl ls -la /usr
fnsysctl ls -la /usr/bin
fnsysctl ls -la /var
fnsysctl ls -la /data
fnsysctl ls -la /data2
fnsysctl ls -la /data/lib
fnsysctl ls -la /data/etc
fnsysctl ls -la /data/bin
fnsysctl ls -la /data/cmdb
fnsysctl ls -la /data/config
diagnose sys csum /data/rootfs.gz
diagnose sys csum /data/flatkc
diagnose sys csum /data/lib
diagnose sys csum /bin
diagnose sys csum /bin/sysctl
diagnose sys csum /bin/smit
diagnose sys csum /bin/init
diagnose sys csum /bin/smartctl
diagnose sys csum /bin/lspci
diagnose sys csum /sbin/init
fnsysctl ps
execute tac report
Step 2: Open a second PuTTY session to start another SSH session to the FortiGate. Make sure it is also set to log all output to a text file, then run the following command (this command is only available on FortiOS 7.0.13, 7.2.6 and 7.4.1):
diagnose sys filesystem hash
Step 3: Describe why the FortiGate is suspected to be compromised and attach any logs or files that support the statement.
For example, if unrecognized user or admin login events are visible, attach the user event logs or the admin login entries from the system event logs or local event logs to the ticket. It is also recommended to attach a backup of the configuration file. Fortinet engineers may request further information if needed.
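The following script is an added example, not part of this article and not a Fortinet tool. It runs the Step 1 and Step 2 command lists from an analyst workstation instead of typing them into PuTTY, writes each session to its own timestamped log file, and prints a SHA-256 digest of each log so the ticket can state exactly which files were attached. It assumes an OpenSSH client and sha256sum (or shasum) on the workstation, and it assumes that the FortiGate CLI accepts commands fed on standard input over "ssh -tt"; that batch style is an assumption of this example, not something the article documents, so verify the logs are complete before attaching them.

```shell
#!/bin/sh
# Added example (not from the article): collect the compromise-assessment
# output over SSH, one log per session, and hash the logs for the ticket.
set -eu

# Step 1 command list, exactly as given in the article, one per line.
fgt_evidence_commands() {
  cat <<'EOF'
get system status
fnsysctl ls -la /
fnsysctl ls -la /bin
fnsysctl ls -la /sbin
fnsysctl ls -la /lib
fnsysctl ls -la /tmp
fnsysctl ls -la /usr
fnsysctl ls -la /usr/bin
fnsysctl ls -la /var
fnsysctl ls -la /data
fnsysctl ls -la /data2
fnsysctl ls -la /data/lib
fnsysctl ls -la /data/etc
fnsysctl ls -la /data/bin
fnsysctl ls -la /data/cmdb
fnsysctl ls -la /data/config
diagnose sys csum /data/rootfs.gz
diagnose sys csum /data/flatkc
diagnose sys csum /data/lib
diagnose sys csum /bin
diagnose sys csum /bin/sysctl
diagnose sys csum /bin/smit
diagnose sys csum /bin/init
diagnose sys csum /bin/smartctl
diagnose sys csum /bin/lspci
diagnose sys csum /sbin/init
fnsysctl ps
execute tac report
EOF
}

# Step 2 command; the article lists it only for FortiOS 7.0.13, 7.2.6, 7.4.1.
fgt_filesystem_hash_command() {
  echo "diagnose sys filesystem hash"
}

# Log file name: <host>_<UTC timestamp>_<label>.log, so two sessions and
# two devices never overwrite each other.
log_name() {  # log_name <host> <label>
  printf '%s_%s_%s.log' "$1" "$(date -u +%Y%m%dT%H%M%SZ)" "$2"
}

# Feed a command list (stdin) to the FortiGate over SSH and capture every
# byte to the log. ASSUMPTION: "ssh -tt" with commands on stdin behaves like
# an interactive PuTTY session; "exit" closes the CLI when the list is done.
run_session() {  # run_session <user@host> <logfile>   (commands on stdin)
  target=$1
  logfile=$2
  { cat; echo "exit"; } | ssh -tt "$target" 2>&1 | tee "$logfile"
}

# SHA-256 of a log file, to quote in the ticket alongside the attachment.
log_digest() {  # log_digest <file>
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

main() {
  target=${1:?usage: $0 admin@fortigate-host}
  host=${target#*@}
  log1=$(log_name "$host" step1)
  log2=$(log_name "$host" step2)
  fgt_evidence_commands | run_session "$target" "$log1"
  fgt_filesystem_hash_command | run_session "$target" "$log2"
  echo "Step 1 log: $log1 sha256=$(log_digest "$log1")"
  echo "Step 2 log: $log2 sha256=$(log_digest "$log2")"
}

# Run only when a target is given, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Usage: `sh collect_fgt_evidence.sh admin@192.0.2.1` (the address is a placeholder). The two Step 2 and Step 1 sessions are deliberately kept separate, as the article requires, and the digests printed at the end belong in the ticket text so the support engineer can confirm the attachments were not altered in transit.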