by you or by Fortinet, we recommend you clean up the device by following the recommendations below.
• Download the firmware from the Fortinet Support site and validate the file hash using SHA512.
• Format the device's flash and disks to perform a clean install. The procedure to perform a clean install on FortiGate is explained in the article below.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Loading-FortiGate-firmware-imageusing-TFTP/ta-p/197600
2. IMMEDIATELY remove the “fortigate-tech-support” admin account or any other admin accounts which were not created by you, as these were most likely created by an attacker. After deletion, verify whether there are any unauthorized FortiGate admin accounts in the configuration.
3. Fortinet does not recommend using the existing configuration. Restore the configuration from a known good backup, or create a clean configuration, validating the content of the configuration file.
4. Change GUI/CLI administrative access to non-default TCP ports (instead of 22, 80, 443).
https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/582009/systemadministrator-best-practices
OR
Disable HTTP/HTTPS administrative access on Internet-facing interfaces. Perform administrative tasks over an out-of-band network.
OR
Limit the IP addresses that can reach the administrative interface using local-in policies. Refer to https://www.fortiguard.com/psirt/FG-IR-22-377
7. Change the LDAP user credentials used for FortiGate/FortiProxy LDAP authentication with Active Directory.
9. Assuming the configuration of the device is exposed, replace LOCAL certificates and revoke the potentially stolen certificates.
11. Review and implement other applicable recommendations from the FortiOS hardening guide:
https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/
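
One way to carry out the account check in steps 2 and 3 against a configuration backup before it is restored. This is an added example, not Fortinet's own tooling: the sample backup is constructed, the function names are hypothetical, and it assumes the usual FortiOS backup layout in which administrators are entries of the `config system admin` table.

```python
import shlex

# Constructed sample of a FortiOS configuration backup (not from a real device).
SAMPLE_CONFIG = '''\
config system global
    set admin-sport 443
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        config gui-dashboard
            edit 1
                set name "Status"
            next
        end
    next
    edit "fortigate-tech-support"
        set accprofile "super_admin"
    next
end
'''

def admin_accounts(config_text):
    """Map each entry of the 'config system admin' table to its access profile."""
    admins, stack, current = {}, [], None
    for raw in config_text.splitlines():
        try:
            tokens = shlex.split(raw)
        except ValueError:        # multi-line quoted value (certificate, key)
            tokens = raw.split()
        if not tokens:
            continue
        # True only directly inside the admin table, not in tables nested under an entry.
        in_admin_table = stack[-1:] == ["system admin"]
        if tokens[0] == "config":
            stack.append(" ".join(tokens[1:]))
        elif tokens[0] == "end" and stack:
            stack.pop()
        elif tokens[0] == "edit" and in_admin_table and len(tokens) > 1:
            current = tokens[1]
            admins[current] = None
        elif tokens[0] == "next" and in_admin_table:
            current = None
        elif tokens[:2] == ["set", "accprofile"] and in_admin_table and current and len(tokens) > 2:
            admins[current] = tokens[2]
    return admins

def unauthorized_admins(config_text, approved):
    """Return admin names present in the backup but absent from the approved set."""
    return sorted(set(admin_accounts(config_text)) - set(approved))
```

Pass the backup text and the set of administrator names you created yourself; any name returned needs to be removed and investigated before the configuration is reused.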