FortiGate Overly Permissive Firewall Policy Created

This rule detects the creation or modification of a FortiGate firewall policy that permits all sources, all destinations, and all services. An overly permissive policy effectively bypasses all firewall protections. Threat actors exploiting CVE-2026-24858 have been observed creating such policies to allow unrestricted traffic flow through compromised FortiGate devices.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2026/01/28"
integration = ["fortinet_fortigate"]
maturity = "production"
updated_date = "2026/01/28"

[rule]
author = ["Elastic"]
description = """
This rule detects the creation or modification of a FortiGate firewall policy that permits all sources, all
destinations, and all services. An overly permissive policy effectively bypasses all firewall protections. Threat actors
exploiting CVE-2026-24858 have been observed creating such policies to allow unrestricted traffic flow through
compromised FortiGate devices.
"""
from = "now-9m"
interval = "5m"
index = ["logs-fortinet_fortigate.*"]
language = "eql"
license = "Elastic License v2"
name = "FortiGate Overly Permissive Firewall Policy Created"
note = """## Triage and analysis

### Investigating FortiGate Overly Permissive Firewall Policy Created

This alert indicates that a firewall policy was created or modified on a FortiGate device with source address `all`, destination address `all`, and service `ALL`. This configuration effectively disables firewall enforcement for traffic matching the policy.

In the FG-IR-26-060 campaign, threat actors created these permissive policies to ensure their traffic could traverse the firewall without restriction.

### Possible investigation steps

- Review `source.user.name` to determine which account created or modified the policy and `fortinet.firewall.ui` for the source interface and IP address. Verify whether this administrator is authorized to make firewall policy changes.
- Examine `fortinet.firewall.cfgattr` for the full policy configuration including interfaces, NAT settings, and scheduling. Check `fortinet.firewall.cfgobj` for the affected policy ID and determine whether the policy is positioned to intercept traffic (policy ordering matters).
- Look for administrator account creation, SSO login events, or configuration exports preceding this change. Determine whether the administrator account itself was recently created.
- Identify which interfaces the policy applies to (srcintf/dstintf in cfgattr) and determine whether the policy enables inbound, outbound, or both directions of unrestricted traffic.

### False positive analysis

- Temporary troubleshooting policies created during network diagnostics (should be time-limited and removed).
- Initial device setup or lab environments where broad policies are intentionally configured.
- Migration or cutover scenarios where temporary permissive rules are needed.

### Response and remediation

- If unauthorized, immediately delete the permissive firewall policy and audit the administrator account that created it for compromise.
- Review all other firewall policies for unauthorized modifications and check for other indicators of compromise on the device (rogue admins, VPN users).
- Restore the policy configuration from a known-clean backup.
- If the activity is expected, document the business justification and ensure a removal timeline is defined. Replace with specific source/destination/service rules as soon as possible."""
references = [
    "https://www.fortiguard.com/psirt/FG-IR-26-060",
    "https://www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios",
    "https://www.elastic.co/docs/reference/integrations/fortinet_fortigate",
    "https://www.cisa.gov/news-events/alerts/2026/01/28/fortinet-releases-guidance-address-ongoing-exploitation-authentication-bypass-vulnerability-cve-2026",
]
risk_score = 73
rule_id = "896a0a38-eaa0-42e9-be35-dfcc3e3e90ae"
severity = "high"
tags = [
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Resources: Investigation Guide",
    "Domain: Network",
    "Data Source: Fortinet",
    "Data Source: Fortinet FortiGate",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
any where event.dataset == "fortinet_fortigate.log" and
    event.code == "0100044547" and
    fortinet.firewall.cfgpath == "firewall.policy" and
    fortinet.firewall.action in ("Add", "Edit") and
    fortinet.firewall.cfgattr like~ "*srcaddr[all]*" and
    fortinet.firewall.cfgattr like~ "*dstaddr[all]*" and
    fortinet.firewall.cfgattr like~ "*service[all]*"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.004"
name = "Disable or Modify System Firewall"
reference = "https://attack.mitre.org/techniques/T1562/004/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
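To see how the query's conditions behave on concrete records, here is an added Python example (not part of the Elastic rule or the fortinet_fortigate integration) that mirrors the EQL logic over constructed sample events and parses cfgattr for the triage steps above. The nested-dict event layout and the `key[value]` layout of cfgattr are assumptions to verify against your own ingested logs.

```python
import re

def _evt(action, cfgattr, user="admin", cfgobj="42"):
    """Build a constructed config-change event in the integration's field layout (assumed)."""
    return {"event": {"dataset": "fortinet_fortigate.log", "code": "0100044547"},
            "source": {"user": {"name": user}},
            "fortinet": {"firewall": {"cfgpath": "firewall.policy", "cfgobj": cfgobj,
                                      "action": action, "cfgattr": cfgattr}}}

# Constructed samples (not real logs): one hit, one service-restricted edit, one delete.
SAMPLE_EVENTS = [
    _evt("Add", "srcintf[wan1]dstintf[internal]srcaddr[all]dstaddr[all]"
                "action[accept]schedule[always]service[ALL]nat[enable]"),
    _evt("Edit", "srcaddr[all]dstaddr[all]service[HTTPS]", user="netops", cfgobj="7"),
    _evt("Delete", "srcaddr[all]dstaddr[all]service[ALL]"),
]

def get_field(event, path):
    """Resolve a dotted ECS field name against a nested dict; None if absent."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def like_ci(value, pattern):
    """EQL `like~`: case-insensitive, `*` any run, `?` one char. Brackets are literal,
    so fnmatch (which would read `[all]` as a character class) is deliberately avoided."""
    parts = [re.escape(p).replace(r"\?", ".") for p in pattern.split("*")]
    return re.fullmatch(".*".join(parts), value, re.IGNORECASE | re.DOTALL) is not None

def rule_matches(event):
    """Mirror the rule's EQL conditions for a single event."""
    cfgattr = get_field(event, "fortinet.firewall.cfgattr") or ""
    return (get_field(event, "event.dataset") == "fortinet_fortigate.log"
            and get_field(event, "event.code") == "0100044547"
            and get_field(event, "fortinet.firewall.cfgpath") == "firewall.policy"
            and get_field(event, "fortinet.firewall.action") in ("Add", "Edit")
            and all(like_ci(cfgattr, f"*{k}[all]*") for k in ("srcaddr", "dstaddr", "service")))

def policy_attrs(cfgattr):
    """Split `key[value]` pairs into a dict for triage (interfaces, NAT, schedule)."""
    return dict(re.findall(r"(\w+)\[([^\]]*)\]", cfgattr))

def alerts(events):
    """(policy id, admin, parsed attrs) for each event the rule would fire on."""
    return [(get_field(e, "fortinet.firewall.cfgobj"), get_field(e, "source.user.name"),
             policy_attrs(get_field(e, "fortinet.firewall.cfgattr")))
            for e in events if rule_matches(e)]
```

Only the first sample fires: `service[ALL]` satisfies `*service[all]*` because `like~` is case-insensitive, while the edit restricted to HTTPS and the delete event fall outside the rule.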

