FortiGate - New VPN SSL Web Portal Added
This brief details a detection for the addition of a new VPN SSL Web Portal on FortiGate Firewalls, a configuration change that could be utilized by attackers for establishing persistence or initial access to external remote services, as indicated by observed modifications of VPN SSL settings.
This brief focuses on detecting the addition of a new VPN SSL Web Portal on Fortinet FortiGate Firewalls. FortiGate firewalls are critical network security appliances, and VPN SSL portals are key components for secure remote access. The addition of such a portal, especially when observed alongside other modifications to VPN SSL settings, is a suspicious administrative action. This behavior could indicate an attacker, having gained initial access to the FortiGate device, is attempting to establish a new, potentially covert, access vector for persistence or to facilitate continued initial access through external remote services. While this specific activity is a configuration change, it aligns with techniques used by adversaries to maintain unauthorized access or to simplify re-entry into a compromised network. Organizations should investigate such changes promptly to prevent further compromise.
Impact
If an attacker successfully adds a new VPN SSL Web Portal to a FortiGate Firewall, they could establish a persistent backdoor for unauthorized access into the internal network, bypassing existing security controls. This allows them to maintain a foothold even if their initial access method is remediated. Such unauthorized access can lead to further malicious activities, including data exfiltration, deployment of malware, lateral movement within the network, or disruption of critical services, potentially impacting data confidentiality, integrity, and availability for the entire organization.
Recommendation
- Deploy the Sigma rule "FortiGate - New VPN SSL Web Portal Added" to your SIEM solution to detect suspicious configuration changes.
- Ensure comprehensive
fortigateeventlogs are collected and ingested from all FortiGate devices. - Investigate all alerts generated by this rule for
action: 'Add'andcfgpath: 'vpn.ssl.web.portal', verifying the legitimacy and authorization of the change. - Refer to the FortiGuard PSIRT advisory
FG-IR-24-535for related security vulnerabilities and mitigation guidance concerning FortiGate VPN SSL services.
Detection coverage 1
FortiGate - New VPN SSL Web Portal Added
mediumDetects the addition of a VPN SSL Web Portal on a Fortinet FortiGate Firewall, often observed in conjunction with other VPN SSL setting modifications, which could indicate persistence or initial access.
Detection queries are available on the platform. Get full rules →