FortiGate Overly Permissive Firewall Policy Created
This rule detects the creation or modification of a FortiGate firewall policy that permits all sources, all destinations, and all services. An overly permissive policy effectively bypasses all firewall protections. Threat actors exploiting CVE-2026-24858 have been observed creating such policies to allow unrestricted traffic flow through compromised FortiGate devices.
Detection Query
any where data_stream.dataset == "fortinet_fortigate.log" and
event.code == "0100044547" and
fortinet.firewall.cfgpath == "firewall.policy" and
fortinet.firewall.action in ("Add", "Edit") and
fortinet.firewall.cfgattr like~ "*srcaddr[all]*" and
fortinet.firewall.cfgattr like~ "*dstaddr[all]*" and
fortinet.firewall.cfgattr like~ "*service[all]*"
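As an added illustration (not Elastic's code and not part of the rule), the EQL query above can be re-implemented in plain Python and run over constructed FortiGate config-change events. The example shows the two points a practitioner usually asks about: why the rule uses `like~` (FortiGate logs the service as `service[ALL]` in uppercase, so the match must be case-insensitive) and how `cfgattr` is pulled apart into the `srcintf`/`dstintf`/`nat`/`schedule` fields the investigation guide asks you to check. The `key[value]key[value]...` layout of `cfgattr` and all sample field values are constructed for this example; field names follow the Elastic `fortinet_fortigate` integration used by the rule.

```python
"""Re-implementation of the 'FortiGate Overly Permissive Firewall Policy Created'
rule as plain Python, with a small triage helper. Added example; the events below
are constructed, not real device logs."""
import re
from typing import Dict, List, Optional

# Constructed sample events, flattened to the ECS/integration field names the rule uses.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # Should match: new policy, any source, any destination, service ALL (uppercase)
        "data_stream.dataset": "fortinet_fortigate.log",
        "event.code": "0100044547",
        "source.user.name": "admin",
        "fortinet.firewall.ui": "GUI(203.0.113.10)",
        "fortinet.firewall.cfgpath": "firewall.policy",
        "fortinet.firewall.cfgobj": "7",
        "fortinet.firewall.action": "Add",
        "fortinet.firewall.cfgattr": "srcintf[wan1]dstintf[internal]srcaddr[all]dstaddr[all]"
                                     "action[accept]schedule[always]service[ALL]nat[enable]",
    },
    {   # Should match: an existing policy edited to any/any/ALL
        "data_stream.dataset": "fortinet_fortigate.log",
        "event.code": "0100044547",
        "source.user.name": "svc_backup",
        "fortinet.firewall.ui": "ssh(198.51.100.23)",
        "fortinet.firewall.cfgpath": "firewall.policy",
        "fortinet.firewall.cfgobj": "12",
        "fortinet.firewall.action": "Edit",
        "fortinet.firewall.cfgattr": "srcaddr[all]dstaddr[all]service[ALL]",
    },
    {   # Should not match: destination and service are specific
        "data_stream.dataset": "fortinet_fortigate.log",
        "event.code": "0100044547",
        "source.user.name": "admin",
        "fortinet.firewall.cfgpath": "firewall.policy",
        "fortinet.firewall.cfgobj": "8",
        "fortinet.firewall.action": "Add",
        "fortinet.firewall.cfgattr": "srcintf[wan1]dstintf[dmz]srcaddr[all]dstaddr[web_servers]service[HTTPS]",
    },
    {   # Should not match: action is Delete, which the rule deliberately excludes
        "data_stream.dataset": "fortinet_fortigate.log",
        "event.code": "0100044547",
        "source.user.name": "admin",
        "fortinet.firewall.cfgpath": "firewall.policy",
        "fortinet.firewall.cfgobj": "7",
        "fortinet.firewall.action": "Delete",
        "fortinet.firewall.cfgattr": "srcaddr[all]dstaddr[all]service[ALL]",
    },
]

CFGATTR_PATTERNS = ("*srcaddr[all]*", "*dstaddr[all]*", "*service[all]*")


def like_ci(value: Optional[str], pattern: str) -> bool:
    """EQL `like~`: case-insensitive glob where only `*` and `?` are wildcards.
    Square brackets are literal in EQL, so the glob is escaped before the
    wildcards are re-enabled (fnmatch would read `[all]` as a character class)."""
    if value is None:
        return False
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, flags=re.IGNORECASE | re.DOTALL) is not None


def matches_rule(event: Dict[str, str]) -> bool:
    """The rule's `where` clause, condition for condition."""
    return (
        event.get("data_stream.dataset") == "fortinet_fortigate.log"
        and event.get("event.code") == "0100044547"
        and event.get("fortinet.firewall.cfgpath") == "firewall.policy"
        and event.get("fortinet.firewall.action") in ("Add", "Edit")   # EQL `in` is case-sensitive
        and all(like_ci(event.get("fortinet.firewall.cfgattr"), p) for p in CFGATTR_PATTERNS)
    )


_ATTR_RE = re.compile(r"(\w+)\[([^\]]*)\]")


def parse_cfgattr(cfgattr: str) -> Dict[str, str]:
    """Split a `key[value]key[value]...` cfgattr string into a dict (format assumed for this example)."""
    return dict(_ATTR_RE.findall(cfgattr))


def triage(event: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Pull out the fields the investigation guide asks an analyst to review."""
    attrs = parse_cfgattr(event.get("fortinet.firewall.cfgattr", ""))
    return {
        "policy_id": event.get("fortinet.firewall.cfgobj"),
        "admin": event.get("source.user.name"),
        "ui": event.get("fortinet.firewall.ui"),
        "srcintf": attrs.get("srcintf"),
        "dstintf": attrs.get("dstintf"),
        "schedule": attrs.get("schedule"),
        "nat": attrs.get("nat"),
    }


def run_rule(events: List[Dict[str, str]]) -> List[Dict[str, Optional[str]]]:
    """Apply the rule and return a triage summary for every matching event."""
    return [triage(e) for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(hit)
```

The `Delete` event is excluded on purpose, as in the original rule: removing a policy is not the defense-evasion step this rule looks for. Note that a policy whose `srcaddr` lists several objects, one of them `all`, would still contain the literal `srcaddr[all]` only if `all` is the sole member, so the glob is a narrow match by design; widening it is a tuning decision, not a bug.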
Author
Elastic
Created
2026/01/28
Data Sources
- Fortinet
- Fortinet FortiGate
- logs-fortinet_fortigate.*
References
- https://www.fortiguard.com/psirt/FG-IR-26-060
- https://www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios
- https://www.elastic.co/docs/reference/integrations/fortinet_fortigate
- https://www.cisa.gov/news-events/alerts/2026/01/28/fortinet-releases-guidance-address-ongoing-exploitation-authentication-bypass-vulnerability-cve-2026
Tags
- Use Case: Threat Detection
- Tactic: Defense Evasion
- Resources: Investigation Guide
- Domain: Network
- Data Source: Fortinet
- Data Source: Fortinet FortiGate
Raw Content
[metadata]
creation_date = "2026/01/28"
integration = ["fortinet_fortigate"]
maturity = "production"
updated_date = "2026/04/10"
[rule]
author = ["Elastic"]
description = """
This rule detects the creation or modification of a FortiGate firewall policy that permits all sources, all
destinations, and all services. An overly permissive policy effectively bypasses all firewall protections. Threat actors
exploiting CVE-2026-24858 have been observed creating such policies to allow unrestricted traffic flow through
compromised FortiGate devices.
"""
from = "now-9m"
interval = "5m"
index = ["logs-fortinet_fortigate.*"]
language = "eql"
license = "Elastic License v2"
name = "FortiGate Overly Permissive Firewall Policy Created"
note = """## Triage and analysis
### Investigating FortiGate Overly Permissive Firewall Policy Created
This alert indicates that a firewall policy was created or modified on a FortiGate device with source address `all`, destination address `all`, and service `ALL`. This configuration effectively disables firewall enforcement for traffic matching the policy.
In the FG-IR-26-060 campaign, threat actors created these permissive policies to ensure their traffic could traverse the firewall without restriction.
### Possible investigation steps
- Review `source.user.name` to determine which account created or modified the policy and `fortinet.firewall.ui` for the source interface and IP address. Verify whether this administrator is authorized to make firewall policy changes.
- Examine `fortinet.firewall.cfgattr` for the full policy configuration including interfaces, NAT settings, and scheduling. Check `fortinet.firewall.cfgobj` for the affected policy ID and determine whether the policy is positioned to intercept traffic (policy ordering matters).
- Look for administrator account creation, SSO login events, or configuration exports preceding this change. Determine whether the administrator account itself was recently created.
- Identify which interfaces the policy applies to (srcintf/dstintf in cfgattr) and determine whether the policy enables inbound, outbound, or both directions of unrestricted traffic.
### False positive analysis
- Temporary troubleshooting policies created during network diagnostics (should be time-limited and removed).
- Initial device setup or lab environments where broad policies are intentionally configured.
- Migration or cutover scenarios where temporary permissive rules are needed.
### Response and remediation
- If unauthorized, immediately delete the permissive firewall policy and audit the administrator account that created it for compromise.
- Review all other firewall policies for unauthorized modifications and check for other indicators of compromise on the device (rogue admins, VPN users).
- Restore the policy configuration from a known-clean backup.
- If the activity is expected, document the business justification and ensure a removal timeline is defined. Replace with specific source/destination/service rules as soon as possible."""
references = [
"https://www.fortiguard.com/psirt/FG-IR-26-060",
"https://www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios",
"https://www.elastic.co/docs/reference/integrations/fortinet_fortigate",
"https://www.cisa.gov/news-events/alerts/2026/01/28/fortinet-releases-guidance-address-ongoing-exploitation-authentication-bypass-vulnerability-cve-2026",
]
risk_score = 73
rule_id = "896a0a38-eaa0-42e9-be35-dfcc3e3e90ae"
severity = "high"
tags = [
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Resources: Investigation Guide",
"Domain: Network",
"Data Source: Fortinet",
"Data Source: Fortinet FortiGate",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
any where data_stream.dataset == "fortinet_fortigate.log" and
event.code == "0100044547" and
fortinet.firewall.cfgpath == "firewall.policy" and
fortinet.firewall.action in ("Add", "Edit") and
fortinet.firewall.cfgattr like~ "*srcaddr[all]*" and
fortinet.firewall.cfgattr like~ "*dstaddr[all]*" and
fortinet.firewall.cfgattr like~ "*service[all]*"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.004"
name = "Disable or Modify System Firewall"
reference = "https://attack.mitre.org/techniques/T1562/004/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"