Skip to content
Threat Feed
medium advisory

FortiGate - New VPN SSL Web Portal Added

This brief details a detection for the addition of a new VPN SSL Web Portal on FortiGate Firewalls, a configuration change that could be utilized by attackers for establishing persistence or initial access to external remote services, as indicated by observed modifications of VPN SSL settings.

This brief focuses on detecting the addition of a new VPN SSL Web Portal on Fortinet FortiGate Firewalls. FortiGate firewalls are critical network security appliances, and VPN SSL portals are key components for secure remote access. The addition of such a portal, especially when observed alongside other modifications to VPN SSL settings, is a suspicious administrative action. This behavior could indicate an attacker, having gained initial access to the FortiGate device, is attempting to establish a new, potentially covert, access vector for persistence or to facilitate continued initial access through external remote services. While this specific activity is a configuration change, it aligns with techniques used by adversaries to maintain unauthorized access or to simplify re-entry into a compromised network. Organizations should investigate such changes promptly to prevent further compromise.

Impact

If an attacker successfully adds a new VPN SSL Web Portal to a FortiGate Firewall, they could establish a persistent backdoor for unauthorized access into the internal network, bypassing existing security controls. This allows them to maintain a foothold even if their initial access method is remediated. Such unauthorized access can lead to further malicious activities, including data exfiltration, deployment of malware, lateral movement within the network, or disruption of critical services, potentially impacting data confidentiality, integrity, and availability for the entire organization.

Recommendation

  • Deploy the Sigma rule "FortiGate - New VPN SSL Web Portal Added" to your SIEM solution to detect suspicious configuration changes.
  • Ensure comprehensive fortigate event logs are collected and ingested from all FortiGate devices.
  • Investigate all alerts generated by this rule for action: 'Add' and cfgpath: 'vpn.ssl.web.portal', verifying the legitimacy and authorization of the change.
  • Refer to the FortiGuard PSIRT advisory FG-IR-24-535 for related security vulnerabilities and mitigation guidance concerning FortiGate VPN SSL services.

Detection coverage 1

FortiGate - New VPN SSL Web Portal Added

medium

Detects the addition of a VPN SSL Web Portal on a Fortinet FortiGate Firewall, often observed in conjunction with other VPN SSL setting modifications, which could indicate persistence or initial access.

sigma tactics: initial_access, persistence techniques: T1133, T1133 sources: fortigate, event

Detection queries are available on the platform. Get full rules →