FortiGate - New VPN SSL Web Portal Added

Original Source: [Sigma source]
Title: FortiGate - New VPN SSL Web Portal Added
Status: experimental
Description:Detects the addition of a VPN SSL Web Portal on a Fortinet FortiGate Firewall. This behavior was observed in pair with modification of VPN SSL settings.
References:
  -https://www.fortiguard.com/psirt/FG-IR-24-535
   -https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event
   -https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/113121765/config-vpn-ssl-web-portal
   -https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr
 Author: Marco Pedrinazzi @pedrinazziM (InTheCyber)
Date: 2025-11-01
modified:None
Tags:
  • -'attack.persistence'
  • -'attack.initial-access'
  • -'attack.t1133'
Logsource:
  • product: fortigate
  • service: event
Detection:
  selection:
    action: 'Add'
    cfgpath: 'vpn.ssl.web.portal'
  condition:selection
Falsepositives:
  -A VPN SSL Web Portal can be added for legitimate purposes.
Level: medium

© 2024 DetectionCode Website. All Rights Reserved.