Troubleshooting Tip: Unable to access FortiGate GUI because of high CPU due to httpsd process

• Obtain physical access to the FortiGate and connect to it via console cable. Follow this article: Technical Tip: How to connect to the FortiGate and FortiAP console port to correctly connect to the console.
• Once connected, execute the command 'diagnose sys top'.

• Look at the output to see that the CPU is being maxed out by several httpsd. In some cases, http_authd is the top process. 

Starting in FortiOS v7.6.4, a new daemon named http_authd has been introduced to manage administrative authentication processes. 

The http_authd daemon centralizes all authentication activities related to administrative access on FortiGate devices. By consolidating these functions into a dedicated process, FortiOS improves the efficiency, consistency, and scalability of authentication handling.

• The httpsd process is responsible for handling HTTPS administrative access, including GUI management and API requests. Elevated CPU usage by these processes typically indicates increased management-plane activity, such as frequent GUI access, API polling, or authentication requests.

In FortiOS v7.6.4 and above output:

• Use the command 'diagnose alertconsole list' to confirm the reason behind the httpsd spawn process.

• Observe that there are several login attempts from various public IPs in the output.
• To address the issue and restore access to the FortiGate, ensure that the HTTP and HTTPS services are disabled for administrator access on any external or internet-facing interfaces (such as wan1 or wan2). See System Administrator best practices.
• While on console, execute the following command to disable HTTP and HTTPS to the internet-facing interfaces:

config system interface

    edit <interface_name>      <----- Internet-facing interface.

        unselect allowaccess https http

    next 

end

• Lastly, use the command below to restart the process.

fnsysctl killall httpsd

• If the CPU usage remained high despite restarting the 'httpsd' process, refer to the following article to know how to disable previous administrator login records, which were found to be causing this issue as well: Troubleshooting Tip: FortiGate High CPU Usage and Web GUI Accessibility Issues due to httpsd process.

Note:
If the issue persists, perform hardening steps. Ensure that the external interface is disconnected before accessing the GUI again. This helps reduce high CPU usage caused by external attacks. Then perform the following actions:

• Change the admin username and password.
• Change the HTTPS and SSH ports.
• Allow only HTTPS traffic for administrative access. This can be accomplished by using a local-in policy. Here is the guide to Technical Tip: Use local-in policy to restrict unauthorized login attempts to administrative access of FortiGate.
• Disable PING access on the external interface.
• Check for any sub-interfaces that allow HTTPS access and disable them as well.
• Reboot the firewall and reconnect the external interfaces.
• Check the CPU usage again (diag sys top), particularly for the httpsd process.
• Verify that there are no longer multiple attempts listed in 'diagnose alertconsole list'.

Related articles: 

Technical Tip: Regularly audit and restrict open ports on FortiGate public interfaces 

Technical Tip: System administrator best practices for FortiGate and FortiProxy

Troubleshooting Tip: High CPU usage due to httpsd daemon on FortiGate