Skip to content
Threat Feed
medium advisory

Detection of FortiGate Firewall Address Object Addition

This brief details the detection of firewall address objects being added on Fortinet FortiGate devices, a configuration change that, while potentially legitimate, can also indicate post-compromise activity or unauthorized access, especially when tied to vulnerabilities like FG-IR-24-535, enabling threat actors to bypass security controls or facilitate command and control.

This intelligence brief focuses on the detection of new firewall address objects being added to Fortinet FortiGate firewalls. While often a routine administrative task, such additions can also signal malicious activity, particularly in a post-compromise scenario where an attacker seeks to establish persistence, enable command and control (C2), or facilitate data exfiltration by modifying network access controls. The referenced FortiGuard PSIRT advisory (FG-IR-24-535) suggests that such changes might be associated with the exploitation of a vulnerability, though specific details of the exploit chain are not provided in this context. For defenders, timely detection of unauthorized configuration changes is crucial to preventing network security bypasses and containing potential breaches on critical network infrastructure like FortiGate devices.

Impact

Unauthorized addition of firewall address objects can have significant impact, enabling threat actors to undermine network segmentation and security policies. Attackers could add rules to allow inbound connections from their command and control infrastructure, permit outbound connections for data exfiltration, or open access to internal systems for lateral movement. The integrity and confidentiality of data traversing the network could be compromised, and the overall security posture of the organization could be severely degraded, potentially leading to financial losses, regulatory fines, and reputational damage. The true scale of impact depends on the specific rules added and the context of the underlying compromise, but such actions inherently increase the attack surface.

Recommendation

  • Deploy the provided Sigma rule "FortiGate - Firewall Address Object Added" to your SIEM and tune for your environment to detect unauthorized changes.
  • Investigate all alerts generated by the "FortiGate - Firewall Address Object Added" rule to differentiate between legitimate administrative changes and suspicious activity.
  • Refer to the FortiGuard PSIRT advisory FG-IR-24-535 for details on any associated vulnerabilities and apply patches or workarounds immediately.
  • Implement robust change management processes for firewall configurations to quickly identify and cross-reference legitimate changes against detected events.
  • Regularly review FortiGate access logs to identify suspicious logins or administrative actions that precede the addition of firewall address objects.

Detection coverage 1

FortiGate - Firewall Address Object Added

medium

Detects the addition of firewall address objects on a Fortinet FortiGate Firewall, which could indicate legitimate administrative action or unauthorized post-compromise activity related to defense impairment.

sigma tactics: defense_evasion sources: fortigate, event

Detection queries are available on the platform. Get full rules →