HernandezA
Staff
May 28, 2026

Technical Tip: Configure event handlers for failed login attempts on FortiGate and FortiAnalyzer devices


Description

This article describes the steps to configure event handlers for failed login attempts on FortiGate and FortiAnalyzer devices.

Scope

FortiAnalyzer, FortiGate.

Solution

There are situations where a notification is needed when an admin user fails to authenticate to FortiGate or FortiAnalyzer after several attempts. This could be considered a risk or indicate that the device is under a brute-force attack.


In versions from v7.6.2, two event handlers provide visibility by detecting failed attempts to log in to FortiGate devices and to FortiAnalyzer.


To configure these event handlers for failed login attempts, the administrator can enable them in the following path:

Incident & events -> Event Handlers, then enable the handlers named 'Default-Brute-Force-Account-Login-Attack-FAZ' and 'Default-Brute-Force-Account-Login-Attack-FGT'.




If a notification via email is also needed, configure an SMTP server profile (Technical Tip: How to set up Email Notifications with notification.fortinet.net) in FortiAnalyzer and then link it to a Notification profile (Technical Tip: How to configure a handler to send an email for each triggered event) for these event handlers.


By default, these event handlers trigger when there are 5 or more failed login attempts in 1 day. To customize the number of attempts and the time period, the administrator can clone the handlers (right-click to display the options) and set the required values by editing the rules in the cloned handler.




After the handlers are customized and enabled, an event is created each time the conditions are met, and if a notification profile was linked, an e-mail is also sent.
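To see how the count and time period chosen in a cloned handler change what is detected, the threshold rule can be replayed offline against sample logs. This is an added example, not Fortinet's handler logic or code from this article: the key=value field names, grouping by device and user, and resetting the count after each event are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified key=value lines (not captured from a real device).
SAMPLE_LOGS = """\
date=2026-05-27 time=08:00:00 devname="FGT-LAB" user="admin" srcip=192.0.2.10 action="login" status="failed"
date=2026-05-27 time=08:00:05 devname="FGT-LAB" user="admin" srcip=192.0.2.10 action="login" status="failed"
date=2026-05-27 time=08:00:09 devname="FGT-LAB" user="admin" srcip=192.0.2.10 action="login" status="failed"
date=2026-05-27 time=08:00:14 devname="FGT-LAB" user="admin" srcip=192.0.2.10 action="login" status="failed"
date=2026-05-27 time=08:00:20 devname="FGT-LAB" user="admin" srcip=192.0.2.10 action="login" status="failed"
date=2026-05-27 time=08:05:00 devname="FGT-LAB" user="admin" srcip=198.51.100.7 action="login" status="success"
date=2026-05-25 time=09:00:00 devname="FAZ-LAB" user="backup" srcip=203.0.113.5 action="login" status="failed"
date=2026-05-26 time=10:00:00 devname="FAZ-LAB" user="backup" srcip=203.0.113.5 action="login" status="failed"
date=2026-05-27 time=11:00:00 devname="FAZ-LAB" user="backup" srcip=203.0.113.5 action="login" status="failed"
date=2026-05-28 time=12:00:00 devname="FAZ-LAB" user="backup" srcip=203.0.113.5 action="login" status="failed"
date=2026-05-29 time=13:00:00 devname="FAZ-LAB" user="backup" srcip=203.0.113.5 action="login" status="failed"
""".splitlines()

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Split one key=value log line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def detect(lines, threshold=5, window=timedelta(days=1), group_by=("devname", "user")):
    """Return (group, first_ts, last_ts, count) whenever `threshold` failures fall inside `window`."""
    recent, alerts = defaultdict(deque), []
    records = [parse(l) for l in lines if l.strip()]
    for rec in sorted(records, key=lambda r: (r["date"], r["time"])):
        if rec.get("action") != "login" or rec.get("status") != "failed":
            continue  # only failed logins count toward the threshold
        ts = datetime.strptime(f'{rec["date"]} {rec["time"]}', "%Y-%m-%d %H:%M:%S")
        key = tuple(rec.get(f, "") for f in group_by)  # assumed grouping
        q = recent[key]
        q.append(ts)
        while ts - q[0] >= window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((key, q[0], ts, len(q)))
            q.clear()  # assumed: start a new count after raising an event
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):  # default rule: 5 or more in 1 day
        print(alert)
```

With the default values only the rapid burst against "admin" raises an event; the "backup" failures, spaced more than a day apart, are caught only when the window is widened (for example `window=timedelta(days=7)`).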


Related documents:

Technical Tip: How to set up Email Notifications with notification.fortinet.net

Technical Tip: How to configure a handler to send an email for each triggered event

New event handlers for ZTNA login based breach detections