<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>FortiGate Firewall - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/fortigate-firewall/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 13:55:23 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/fortigate-firewall/feed.xml" rel="self" type="application/rss+xml"/><item><title>FortiGate - New VPN SSL Web Portal Added</title><link>https://feed.craftedsignal.io/briefs/2026-07-fortigate-vpn-ssl-web-portal-added/</link><pubDate>Fri, 03 Jul 2026 13:55:23 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-fortigate-vpn-ssl-web-portal-added/</guid><description>This brief details a detection for the addition of a new VPN SSL Web Portal on FortiGate Firewalls, a configuration change that could be utilized by attackers for establishing persistence or initial access to external remote services, as indicated by observed modifications of VPN SSL settings.</description><content:encoded><![CDATA[<p>This brief focuses on detecting the addition of a new VPN SSL Web Portal on Fortinet FortiGate Firewalls. FortiGate firewalls are critical network security appliances, and VPN SSL portals are key components for secure remote access. The addition of such a portal, especially when observed alongside other modifications to VPN SSL settings, is a suspicious administrative action. This behavior could indicate an attacker, having gained initial access to the FortiGate device, is attempting to establish a new, potentially covert, access vector for persistence or to facilitate continued initial access through external remote services. While this specific activity is a configuration change, it aligns with techniques used by adversaries to maintain unauthorized access or to simplify re-entry into a compromised network. Organizations should investigate such changes promptly to prevent further compromise.</p>
<h2 id="impact">Impact</h2>
<p>If an attacker successfully adds a new VPN SSL Web Portal to a FortiGate Firewall, they could establish a persistent backdoor for unauthorized access into the internal network, bypassing existing security controls. This allows them to maintain a foothold even if their initial access method is remediated. Such unauthorized access can lead to further malicious activities, including data exfiltration, deployment of malware, lateral movement within the network, or disruption of critical services, potentially impacting data confidentiality, integrity, and availability for the entire organization.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;FortiGate - New VPN SSL Web Portal Added&quot; to your SIEM solution to detect suspicious configuration changes.</li>
<li>Ensure comprehensive <code>fortigate</code> <code>event</code> logs are collected and ingested from all FortiGate devices.</li>
<li>Investigate all alerts generated by this rule for <code>action: 'Add'</code> and <code>cfgpath: 'vpn.ssl.web.portal'</code>, verifying the legitimacy and authorization of the change.</li>
<li>Refer to the FortiGuard PSIRT advisory <code>FG-IR-24-535</code> for related security vulnerabilities and mitigation guidance concerning FortiGate VPN SSL services.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>fortigate</category><category>vpn</category><category>configuration-change</category><category>network-device</category><category>persistence</category><category>initial-access</category></item><item><title>FortiGate - New Administrator Account Created</title><link>https://feed.craftedsignal.io/briefs/2026-07-fortigate-new-admin-account/</link><pubDate>Fri, 03 Jul 2026 13:52:26 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-fortigate-new-admin-account/</guid><description>This brief describes how to detect the creation of new administrator accounts on Fortinet FortiGate firewalls, a behavior often used by attackers for persistence (ATT&amp;CK T1136.001) or to maintain unauthorized access after initial compromise.</description><content:encoded><![CDATA[<p>This detection brief focuses on identifying the creation of new administrator accounts on Fortinet FortiGate firewall devices. Attackers frequently use the creation of new user accounts, particularly those with administrative privileges, as a post-exploitation technique to establish persistence and ensure continued access to compromised environments. While legitimate administrator accounts are routinely created for operational purposes, an unauthorized account creation can signify a successful breach, an insider threat, or the escalation of privileges within the network. This alert is crucial for defenders to identify suspicious activity that could lead to unauthorized configuration changes, data exfiltration, or further network compromise. The provided Sigma rule leverages FortiGate's event logs to pinpoint these critical configuration changes.</p>
<h2 id="attack-chain">Attack Chain</h2>
<p>[The source material for this brief focuses on a specific detection capability rather than detailing a full attack chain. Therefore, a complete attack chain cannot be constructed.]</p>
<h2 id="impact">Impact</h2>
<p>If an unauthorized administrator account is successfully created on a FortiGate firewall, attackers gain full control over the network's security perimeter. This can lead to a wide range of devastating impacts, including the disablement of security features (e.g., VPNs, IPS, antivirus), creation of rogue network access rules, redirection of traffic, exfiltration of sensitive data, or complete disruption of network services. Such an event provides attackers with a stealthy and persistent foothold, making detection and remediation significantly more challenging and potentially leading to extensive financial and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;FortiGate - New Administrator Account Created&quot; to your SIEM and tune for your environment to detect unauthorized account creations.</li>
<li>Ensure FortiGate event logging is properly configured and integrated with your SIEM to capture <code>cfgpath: 'system.admin'</code> events.</li>
<li>Regularly review FortiGate access logs for unusual login patterns, especially from newly created accounts.</li>
<li>Implement multi-factor authentication for all administrative accounts on FortiGate devices.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>attack.persistence</category><category>attack.t1136.001</category><category>network-device</category><category>fortinet</category></item></channel></rss>