Skip to main content
nevan
Staff
nevan
Staff
March 12, 2026

Troubleshooting Tip: Slow GUI access caused by Brute Force login attempts

  • March 12, 2026
  • 0 replies
  • 482 views
Description This article describes the reason and recommendations for slowness in GUI access, which may take approximately 60 seconds or more for HTTP/HTTPS access due to a brute force login attack.
Scope FortiOS.
Solution

FortiGate GUI login can be slow if there is Brute force login attempt is being performed from an anonymous source. A huge number of system event logs can appear with a log description 'Admin login failed'. Even though after a certain period, the admin login will be disabled, the login attempt may have a high buffer and can slow down the valid admin login process via the GUI.

Due to the high login attempts, the CPU may be observed as high.


get system performance status
CPU states: 13% user 10% system 0% nice 77% idle 0% iowait 0% irq 0% softirq
CPU1 states: 82% user 17% system 0% nice 1% idle 0% iowait 0% irq 0% softirq
CPU7 states: 22% user 70% system 0% nice 8% idle 0% iowait 0% irq 0% softirq

The HAR file may show a '404 error' and very high latency, even though the GET request eventually ends with 200 OK.

When this behavior occurs, the following debug for the HTTP authentication daemon can be captured to determine why the process is consuming high CPU.

HAR file.png

 
When this behavior occurs, the following debug for the HTTP authentication daemon can be captured to determine why the process is consuming high CPU.

CLI debug:

 

diagnose debug reset

diagnose debug application http_authd -1

diagnose debug console timestamp enable

diagnose debug enable

 

To disable:

 

diagnose debug disable

diagnose debug reset

 

Key points to check from the debug:


Received "login" request from x.x.x.x
login_attempt (method=6, vdom='root', name='admin'), result code: -102

Received "login" request from multiple public IPs
login_attempt ... result code: -100
login_attempt ... result code: -102

More detail from the debug output:


 ===============================================
2026-03-03 08:44:24 [http_authd 2294 - 1772527464 info] http_authd_login_attempt[942] -- entering vdom for login_attempt (vdom='root')
2026-03-03 08:44:29 [http_authd 2294 - 1772527469 info] http_authd_handler_main_loop[697] -- Received "login" request (seq: 20) from 195.178.146.10 (152 bytes)
2026-03-03 08:44:29 [http_authd 2294 - 1772527469 info] http_authd_login_attempt[1014] -- login_attempt (method=6, vdom='root', name='BERE7411301C1',admin_name='BERE7411301C1', auth_svr=''), result code: -100
2026-03-03 08:44:29 [http_authd 2294 - 1772527469 info] http_authd_request_handler[537] -- Successfully handled "login" request.
 ===============================================

 

The GUI slowness occurs because the HTTP authentication daemon, responsible for handling HTTPS administrator authentication in FortiOS, receives continuous brute force login requests from multiple external IP addresses. Each login attempt triggers CPU-intensive operations such as session creation, VDOM context switching, user lookup, password hash verification, and logging. As these requests arrive rapidly and concurrently, the HTTP authentication daemon process can consume more than 90% of the management CPU core. This saturation of the management plane delays legitimate GUI responses, resulting in slow or unresponsive access.

To prevent brute force attacks on administrator access ports, review the following article along with the related references: Technical Tip: How to prevent brute force attempts to a FortiGate administrator account login.
      Terms & ConditionsAccessibility statement