FortiGate - New Firewall Policy Added
This brief describes a detection for the addition of new firewall policies on Fortinet FortiGate devices, a behavior that can indicate defense impairment or unauthorized network access by a malicious actor.
This intelligence focuses on the detection of new firewall policies being added to Fortinet FortiGate firewalls. While the source provided is a detection rule, the underlying behavior signifies a critical activity for defenders. An adversary, having gained administrative access to a FortiGate device, may add or modify firewall policies to facilitate their objectives, such as establishing command and control (C2), enabling lateral movement, or exfiltrating data. This action directly impacts network defenses by altering traffic flow rules, potentially bypassing existing security controls, and creating new pathways for malicious activity. This detection is crucial for identifying unauthorized changes that could signal a compromise and prevent further adversarial actions within the network.
Attack Chain
(The provided source is a detection rule for a specific event and does not detail a full attack chain from initial access to impact. Therefore, a complete attack chain cannot be constructed based solely on this information.)
Impact
Successful unauthorized addition of firewall policies on FortiGate devices can lead to severe consequences. Attackers could establish new outbound connections for data exfiltration, open inbound ports for remote access or C2, or redirect internal traffic to malicious destinations, effectively bypassing network segmentation and security policies. This could result in a complete compromise of the affected network, leading to significant data breaches, system unavailability, and compliance violations. While no specific victims or sectors are mentioned in the source, any organization utilizing FortiGate devices is susceptible to this form of defense impairment if an attacker gains administrative control.
Recommendation
- Deploy the provided Sigma rule "FortiGate - New Firewall Policy Added" to your SIEM solution to detect new firewall policy additions on FortiGate devices.
- Ensure FortiGate logging is configured to capture
eventservice logs, specifically actions related tocfgpath: 'firewall.policy', to enable the detection rule. - Review any alerts generated by the "FortiGate - New Firewall Policy Added" rule for legitimacy. Investigate suspicious policy additions immediately to determine if they are unauthorized or malicious.
- Implement strong access controls and multi-factor authentication for administrative access to all FortiGate devices to prevent unauthorized configuration changes.
Detection coverage 1
FortiGate - New Firewall Policy Added
mediumDetects the addition of a new firewall policy on a Fortinet FortiGate Firewall, which can indicate defense impairment or unauthorized network modification.
Detection queries are available on the platform. Get full rules →