Symptoms: GUI access becomes slow or unresponsive. High CPU usage reported in 'diagnose sys top'. Frequent daemon restarts in crash logs. Administrative login delays. Possible session instability. May include network instability or packet loss between VPN endpoints.
 Example logs:
Crash log output:
FortiGate-60F # diagnose debug crashlog read
4441: 2026-02-17 10:03:49 the killed daemon is /bin/http_authd: status=0x100
4442: 2026-02-17 10:05:53 the killed daemon is /bin/http_authd: status=0x100
4443: 2026-02-17 10:07:52 the killed daemon is /bin/http_authd: status=0x100
...
4455: 2026-02-17 10:35:53 the killed daemon is /bin/http_authd: status=0x100
 The repeated entries indicate that http_authd is being terminated and restarted approximately every 2 minutes.  CPU usage output:
Example output:
FortiGate-60F # diagnose sys top 5 99 6
10:38:55 AM up 1 days, 4 hours and 29 minutes
13U, 0N, 0S, 87I, 0WA, 0HI, 0SI, 0ST; 1933T, 372F
http_authd 4544 S 99.9 1.2 0 <----- 99% of CPU 0 plus other processes on other CPU cores.
node 205 S 9.2 4.2 7
httpsd 4569 S 1.4 1.3 7
newcli 4570 R 0.9 0.5 7
ipshelper 345 S 0.0 3.0 6
.........................................
http_authd 3332 S 0.0 0.3 4
http_authd 3349 S 0.0 0.3 7
http_authd 3428 S 0.0 0.3 3
http_authd 3888 S 0.0 0.3 2
http_authd 4325 S 0.0 0.3 3
http_authd 4523 S 0.0 0.3 2
 Cause: The http_authd daemon is responsible for handling administrative HTTP/HTTPS authentication requests. High CPU utilization may occur due to: Excessive administrative login attempts will cause fnbamd to use more resources. Authentication loops. Corrupted session handling. Configuration inconsistencies. Firmware-related defects. External scanning against the management interface.
 Recent FortiOS versions (v7.6.4 and later) introduce enhancements to administrative authentication and session monitoring that may impact behavior if misconfigured.  Recommended actions: Review general System Event logs for any malicious or unknown user failed login that may result to a brute force attack. See System Events log page. If signs of brute force attacks are visible implement countermeasures. Verify CPU Usage. Verify Crash Logs. Verify that the administrative access is only enabled on a trusted interface and use a trusted host. Use local-in policies on the FortiGate to restrict administrative access from untrusted or internet-facing interfaces. Refer to this article: Technical Tip: Use local-in policy to restrict unauthorized login attempts to administrative access of FortiGate. Restart the process using 'fnsysctl killall http_authd' after implementing the local-in policy or disabling HTTPS administrative access on the interface. Review Authentication Configuration.
 Conclusion: If the issue persists after configuration validation, open a TAC case with Fortinet Support and provide: The command output 'diagnose debug crashlog read'. The command output 'diagnose sys top-all 1 100 1'. The firmware version. The configuration backup.
 Related documents: | 
