soldanes
New Member
March 13, 2026
Question

Best strategy to block brute-force login attempts on Management Interface?

  • March 13, 2026
  • 3 replies
  • 1078 views

Hello Fortinet Community,

I would like to share a scenario we are facing with a customer's FortiGate 40F (v7.2.13) and seek your advice on the best security strategy to implement.

The Situation: We are seeing persistent and constant "Admin login failed" events in our logs. These are brute-force attempts targeting the WebGUI from various IP ranges and multiple countries.

Current Approach: So far, my mitigation strategy has been:

  1. Creating Address Objects (Type: Subnet) for each attacking IP range.

  2. Grouping them into an Address Group.

  3. Applying a Local-In Policy to drop traffic from that group:

This has turned into a "cat and mouse" game. As soon as I block one range, new ones appear. I considered Geographical Blocking, but it feels too aggressive since many attacking IPs originate from the USA, and I am concerned about inadvertently blocking essential services or legitimate traffic.

 

I also researched this Technical Tip: Technical Tip: Block FortiGate Administrator Login with an automated script

 

However, the bots seem coordinated enough to pace their attempts, often avoiding the thresholds that trigger automated lockout scripts.

 

Also, the admin interface has to be open to the internet because we need to access it without the VPN.

 

What would be the most effective and professional strategy to stop these login attempts?

Thank you in advance!

3 replies

ede_pfau
SuperUser
March 13, 2026

NO way....!

 

But, as I have learned never to say "never", may I suggest whitelisting? Only allow a (small) group of IP addresses for admins, deny the rest.

And filter on the admin port, of course.

And set the allowed attempts to 2, and the blocking duration to a couple of days.

 

If you still want to keep admin access open from anywhere, without using a VPN, you can't be helped. I couldn't really take responsibility for such a setup.

Maybe, just maybe, close HTTPS access, open SSH access, move the SSH port, and if an admin really needed GUI access, he'd have to temporarily enable it after logging in to the CLI.

But all of these are not security measures.
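The lockout and port changes ede_pfau lists, written out as an added FortiOS CLI example for a FortiGate 40F on 7.2 (this is not configuration posted in the thread; the port numbers 8443 and 2222 are arbitrary choices, and "wan" is the 40F's WAN interface name). `admin-lockout-threshold` accepts 1 to 10 failed attempts; `admin-lockout-duration` is in seconds, so 172800 is two days. The `allowaccess` line drops HTTPS from the WAN interface entirely; an admin who needs the GUI logs in over SSH first and re-adds it with `append`, then removes it again with `unselect` when done.

```fortios
# Added example, not from the original thread. Assumes FortiOS 7.2.x on a 40F.
# 1) Tighten lockout: 2 failures, then the source is locked out for 2 days (172800 s).
#    Move the GUI and SSH listeners off 443/22 to shed untargeted scanners.
config system global
    set admin-lockout-threshold 2
    set admin-lockout-duration 172800
    set admin-sport 8443
    set admin-ssh-port 2222
end

# 2) Close the GUI on the WAN side; leave only SSH (and ping for monitoring).
config system interface
    edit "wan"
        set allowaccess ssh ping
    next
end

# 3) When an admin really needs the GUI: log in over SSH and enable HTTPS temporarily...
config system interface
    edit "wan"
        append allowaccess https
    next
end

# ...and remove it again after the GUI session is finished.
config system interface
    edit "wan"
        unselect allowaccess https
    next
end
```

Moving `admin-sport` off 443 only helps against scanners that try the default port; it does nothing against an attacker who has already found the listener, so it belongs alongside the source restriction, not instead of it. Note also that a lockout is only reached if the same source actually exceeds the threshold, which is exactly what the paced, distributed attempts in the original question avoid.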

soldanes
Author
New Member
March 13, 2026

thanks for the answer

But this is the situation. In my case, and in the case of others, we don't have a public IP address; for example, I have Starlink.

funkylicious
SuperUser
March 13, 2026

Just enable/configure a trusted host for every admin created and/or create local-in policies allowing access to HTTP/HTTPS/SSH on the "wan" only from certain hosts/subnets.

"jack of all trades, master of none"
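Both layers funkylicious mentions, written out as an added FortiOS CLI example (this is not configuration from the thread; the address names and the 203.0.113.0/24 and 198.51.100.7 ranges are placeholders for whatever the real admin sources are). Trusted hosts are enforced per admin account, so an account left without them is still reachable from anywhere; set them on every admin. The local-in policy is evaluated top down, so the accept for the allowed group must sit above the catch-all deny.

```fortios
# Added example, not from the original thread. Assumes FortiOS 7.2.x on a 40F
# with the WAN interface named "wan". Replace the placeholder ranges.

# 1) Address objects and a group for the admin sources.
config firewall address
    edit "admin-office"
        set subnet 203.0.113.0 255.255.255.0
    next
    edit "admin-jumphost"
        set subnet 198.51.100.7 255.255.255.255
    next
end
config firewall addrgrp
    edit "admin-allowed"
        set member "admin-office" "admin-jumphost"
    next
end

# 2) Trusted hosts on every admin account (up to trusthost10 per account).
#    A login from any other source is refused before the password is checked.
config system admin
    edit "admin"
        set trusthost1 203.0.113.0 255.255.255.0
        set trusthost2 198.51.100.7 255.255.255.255
    next
end

# 3) Local-in policy: accept management from the group, drop it from everyone else.
#    Only the management services are listed; VPN ports are deliberately left out
#    so remote users are unaffected.
config firewall local-in-policy
    edit 1
        set intf "wan"
        set srcaddr "admin-allowed"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "wan"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action deny
    next
end
```

Two caveats when applying this: if the GUI has been moved off 443 with `admin-sport`, the predefined "HTTPS" service (TCP/443) no longer matches it and a custom service object for the new port must be used in both policies; and the local-in deny is the reason the "Admin login failed" events stop, because the brute-force traffic never reaches the admin daemon, whereas trusted hosts alone still let the connection be made and then refused. Keep the trusted-host entries anyway as the backstop in case the local-in policy is ever edited away.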
ede_pfau
SuperUser
March 13, 2026

and Starlink is not public?

The way to go is to set up a (dial-in) VPN, letting the FGT register its public IP via dynamic DNS. Or the other way around, let the FGT dial in to some central FGT, and use the tunnel from there.

 

IMHO it's way more worthwhile to put the grease into this than into whack-a-mole games.

soldanes
Author
New Member
March 16, 2026

Thank you for your answers. I fully understand the risks, and that is exactly why I am looking for a solution. This doesn't depend only on me but on other stakeholders, so I want to gather as much information as possible before moving forward.

Here is the situation: Our VPN authenticates through a Domain Controller, so only users within that domain can gain access. If we restrict Admin Console access exclusively to the VPN and the Domain Controller goes down for any reason, we would be completely locked out of the management interface.

Furthermore, it is important to note that this FortiGate is located thousands of kilometers away from our main office. If we were to be locked out, there is no physical way for us to access the console port or perform a manual recovery without incurring massive travel costs and downtime.

Therefore, I need a way to access the Admin Console in a scenario where the VPN is unavailable, while simultaneously keeping the door closed to bots. Does that make sense? Thank you very much for your help.