Pieces of configuration purged... what is the source...?

Author
Alby23
Gold Member
  • Total Posts : 165
  • Scores: 9
  • Reward points: 0
  • Joined: 2016/06/24 08:57:33
  • Status: offline
2016/09/14 14:08:38 (permalink)
0

Pieces of configuration purged... what is the source...?

I'm a little bit confused.
In a FortiOS 5.4.0 appliance I've suddenly lost firewall policies and routing, and in the event logs I see these entries (attached image).
 
Same second... 4 commands. Any ideas???

Attached Image(s)

#1


    pyy
    Bronze Member
    • Total Posts : 26
    • Scores: 2
    • Reward points: 0
    • Joined: 2015/10/21 10:57:48
    • Status: offline
    Re: Pieces of configuration purged... what is the source...? 2016/09/23 12:58:00 (permalink)
    0
    Purge means that someone deleted the entire section config.
     
    e.g.
    config firewall policy
    edit x
    next
    .
    .
    .
    edit y
    next
     
    edit 10
    mpla mpla
    next
    purge
     
    purge will delete x,y,10
     
    So the admin added a static route/fw policy and, instead of using delete to delete the entry, used purge and deleted the whole section.
     
     
    #2
    ede_pfau
    Expert Member
    • Total Posts : 5927
    • Scores: 466
    • Reward points: 0
    • Joined: 2004/03/09 01:20:18
    • Location: Heidelberg, Germany
    • Status: offline
    Re: Pieces of configuration purged... what is the source...? 2016/09/24 08:26:02 (permalink)
    0
    Probably an upgrade gone wrong. Upgrades do not only comprise firmware code but transformation procedures as well. Somehow these went wild; that's where the 'purge' commands come in.
     
    The routes and OSPF config etc. are just the last part of a config file. The FGT will boot with a partial config file just fine, surprisingly.
     
    I'd rebuild the flash disk from scratch via the boot manager (connect via serial port, stop the boot process, reformat the disk, reload firmware via TFTP, reload the config).

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #3
    emnoc
    Expert Member
    • Total Posts : 5139
    • Scores: 330
    • Reward points: 0
    • Joined: 2008/03/20 13:30:33
    • Location: AUSTIN TX AREA
    • Status: offline
    Re: Pieces of configuration purged... what is the source...? 2016/09/24 15:02:35 (permalink)
    0
    I would use the cfg revision to see 'exactly' what was there before and after. The log seems to show this was an "admin" event, so if that is true at least the log systems will have the address of the user.
     
     

    PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
    #4
    ede_pfau
    Expert Member
    • Total Posts : 5927
    • Scores: 466
    • Reward points: 0
    • Joined: 2004/03/09 01:20:18
    • Location: Heidelberg, Germany
    • Status: offline
    Re: Pieces of configuration purged... what is the source...? 2016/09/25 01:59:02 (permalink)
    0
    Just because of the 'admin (unidentified)' message I am speculating that this is an automatic sequence of code transformation, not a manual user action. 'purge' does make sense if you want to wipe some part of the config to immediately overwrite with the intended commands.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #5
    emnoc
    Expert Member
    • Total Posts : 5139
    • Scores: 330
    • Reward points: 0
    • Joined: 2008/03/20 13:30:33
    • Location: AUSTIN TX AREA
    • Status: offline
    Re: Pieces of configuration purged... what is the source...? 2016/09/25 09:26:34 (permalink)
    0
    Could be, but the detailed event log will show "who" the admin really was, if it was an admin, for each and every transaction log id.
     
    e.g.
    Event Log> System 
      ( apply a filter or not depending on how busy your firewall is )
     
     

    Attached Image(s)


    PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
    #6
    Tiago Aquino
    New Member
    • Total Posts : 2
    • Scores: 0
    • Reward points: 0
    • Joined: 2017/09/12 13:08:20
    • Status: offline
    Re: Pieces of configuration purged... what is the source...? 2017/09/13 09:58:38 (permalink)
    0
    The exact same issue happened to me. Have you found out anything about it?
    #7
    Alig0r
    New Member
    • Total Posts : 1
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/03/20 02:02:44
    • Status: offline
    Re: Pieces of configuration purged... what is the source...? 2019/03/20 02:06:07 (permalink)
    0
    Hi All,
     
    Just to close this thread, to help others concerned by this weird issue.
     
    A customer of mine had the same issue.
     
    After opening a case with the FORTINET support team post incident, it appeared that maybe the customer used the wizard to do some things. We should not use the wizard on an already configured FortiGate, as it could delete / purge entire conf parts; those are the conclusions of the FORTINET support team.
     
    Best regards.
     
    Alig0r
     
     
    #8
    Tiago Aquino
    New Member
    • Total Posts : 2
    • Scores: 0
    • Reward points: 0
    • Joined: 2017/09/12 13:08:20
    • Status: offline
    Re: Pieces of configuration purged... what is the source...? 2019/03/20 03:49:45 (permalink)
    0
    Hi.

    This might be true in your particular case. In ours, we use TACACS. Very few people know the admin password. And this admin user was the one, according to the log, that did it. I suppose something not yet known, not someone, triggered the wizard events.
    #9
    Jasb
    New Member
    • Total Posts : 1
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/04/17 10:12:17
    • Status: offline
    Re: Pieces of configuration purged... what is the source...? 2019/05/08 11:02:18 (permalink)
    0
    I just did this yesterday. Oops! I remember going through the wizard to see what it did. But I don't recall hitting finish or apply. I'm assuming the cancel button changed to finish on the last step and I clicked it. Either way the logs showed my IP and similar logs were produced. Apparently it deleted all the static routes and created two new default routes with the directly connected devices. Thanks to my counterpart --TD! Saved my (_)_)
     
    #10
    wangzhe
    New Member
    • Total Posts : 1
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/05/10 02:14:07
    • Status: offline
    Re: Pieces of configuration purged... what is the source...? 2019/05/10 02:19:14 (permalink)
    0
    Help! Help!
    A similar thing happened to me, but I didn't click the configuration wizard.
    This is part of the log:
    date=2019-04-28 time=14:05:01 logid=0100044547 type=event subtype=system level=information vd="root" logdesc="Object attribute configured" user="admin" ui="GUI(219.239.243.130)" action=Add cfgtid=3277401 cfgpath="router.static" cfgobj="1" cfgattr="gateway[111.206.169.65]device[wan1]" msg="Add router.static 1"
    date=2019-04-28 time=14:05:01 logid=0100044544 type=event subtype=system level=information vd="root" logdesc="Path configured" user="admin" ui="GUI(219.239.243.130)" action=Purge cfgtid=3276975 cfgpath="firewall.policy" msg="Purge firewall.policy "
    date=2019-04-28 time=14:05:00 logid=0100044544 type=event subtype=system level=information vd="root" logdesc="Path configured" user="admin" ui="GUI(219.239.243.130)" action=Purge cfgtid=3276974 cfgpath="router.static" msg="Purge router.static "
     
    #11
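The thread's practical advice (pyy's explanation that purge wipes a whole section, emnoc's point that the event log records user and ui per transaction, and the "same second, several commands" pattern) can be turned into a check against exported FortiOS event logs. The script below is an added example, not code from the thread or from Fortinet; it parses the key=value lines quoted in post #10 above, keeps the action=Purge entries, and groups purges from the same admin and UI that land within two seconds of each other, which is the wizard/upgrade signature this thread describes rather than a deliberate per-object delete.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: the three event log lines quoted in post #10 above.
SAMPLE_LOG = """\
date=2019-04-28 time=14:05:01 logid=0100044547 type=event subtype=system level=information vd="root" logdesc="Object attribute configured" user="admin" ui="GUI(219.239.243.130)" action=Add cfgtid=3277401 cfgpath="router.static" cfgobj="1" cfgattr="gateway[111.206.169.65]device[wan1]" msg="Add router.static 1"
date=2019-04-28 time=14:05:01 logid=0100044544 type=event subtype=system level=information vd="root" logdesc="Path configured" user="admin" ui="GUI(219.239.243.130)" action=Purge cfgtid=3276975 cfgpath="firewall.policy" msg="Purge firewall.policy "
date=2019-04-28 time=14:05:00 logid=0100044544 type=event subtype=system level=information vd="root" logdesc="Path configured" user="admin" ui="GUI(219.239.243.130)" action=Purge cfgtid=3276974 cfgpath="router.static" msg="Purge router.static "
"""
# FortiOS event logs are key=value pairs; values containing spaces are double-quoted.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one event line into a dict, with surrounding quotes stripped."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}

def purge_events(text):
    """Keep only action=Purge entries and record who/where/what for each."""
    out = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev.get("action") != "Purge":
            continue
        out.append({"when": datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S"),
                    "user": ev.get("user"), "ui": ev.get("ui"),
                    "cfgpath": ev.get("cfgpath"), "cfgtid": ev.get("cfgtid")})
    return out

def purge_bursts(events, window_s=2):
    """Group purges from the same (user, ui) that fall within window_s seconds.
    Whole sections wiped within a second or two of each other is the pattern
    the thread describes (wizard/upgrade), not a deliberate per-object delete."""
    by_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: e["when"]):
        by_actor[(e["user"], e["ui"])].append(e)
    bursts = []
    for actor, evs in by_actor.items():
        group = [evs[0]]
        for e in evs[1:] + [None]:  # None sentinel flushes the last group
            if e is not None and (e["when"] - group[-1]["when"]).total_seconds() <= window_s:
                group.append(e)
                continue
            if len(group) > 1:
                bursts.append((actor, [g["cfgpath"] for g in group]))
            if e is not None:
                group = [e]
    return bursts
```

Feed it a real export (e.g. `execute log filter` output saved to a file) and each burst tells you which admin, from which UI and address, wiped which sections in one go; compare that cfgtid range against the config revision history emnoc recommends.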