terencemak
New Member
April 1, 2026
Solved

Password history threshold and account lockout settings in FW201E running OS 7.6.6


Hello everyone, I am new to Fortinet products and have two questions regarding password history thresholds and account lockout settings. I have already reviewed the available online documentation and community forums but was unable to find definitive answers.  Thank you.

 

1. How can I check the current account lockout settings from the command line? The documentation I found only explains how to configure (set) these values, but not how to display the existing configuration.

config system global
    set admin-lockout-threshold <failed_attempts>
    set admin-lockout-duration <seconds>
end

 

2. What is the expected outcome if the Password history threshold is set to 3, while Allow password reuse → Specify is set to 8? According to the administrator guide, the reuse value must be lower than the password history threshold. In this case, which setting would take precedence, and how would the system enforce the policy?


 
 

 

Best answer by OktaRianzani

1 reply

OktaRianzani
Visitor III
April 1, 2026

Based on FortiOS 7.6.x behavior, these two settings are controlled in different places:

1. Admin lockout settings 

The lockout parameters are under config system global:

config system global
    set admin-lockout-threshold <failed_attempts>
    set admin-lockout-duration <seconds>
end

Fortinet documents that the defaults are 3 failed attempts and 60 seconds, and that these values are configurable from the CLI. To display the current values from CLI, the practical way is to inspect the current system global config, for example:

show system global | grep admin-lockout

or, if you also want to see defaulted values:

show full-configuration system global | grep admin-lockout

This works because FortiOS CLI supports show/get, and grep can be used to filter the output.

 

2. Password history threshold vs. Allow password reuse = Specify

 

Starting in FortiOS 7.6.x, Fortinet added a global password history threshold:

config system global
    set user-history-password-threshold <3-15>
end

and a separate reuse-password-limit in the password policy:

config system password-policy
    set reuse-password-limit <integer>
end

Fortinet explicitly states that reuse-password-limit cannot exceed the global user-history-password-threshold. It also gives the example that if the global history is 3 and reuse-password-limit is 1, then only one of those three saved passwords may be reused. So if the history threshold is set to 3, a reuse value of 8 is not a valid effective configuration. The threshold of 3 is the hard ceiling; the system should reject or prevent saving reuse-password-limit 8 rather than silently honoring it. In other words, the maximum valid reuse value in that case is 3.

 

3. Extra note

If Allow password reuse is disabled, Fortinet notes that FortiOS blocks reuse of the stored previous passwords; historically this was the last 3 passwords, and from 7.6.x the stored history became configurable up to 15.

 

Regards
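An offline check of the two points in the answer above, as an added example that is not part of the original post or Fortinet's tooling: it parses saved `show` output, reports the effective lockout values (falling back to the 3 / 60 defaults the answer cites), and flags a reuse-password-limit above user-history-password-threshold. The sample config, the hostname and the function names are constructed for illustration, and the parser assumes flat `config` / `set` / `end` blocks with no nesting.

```python
import re

# Defaults the answer attributes to Fortinet's documentation; "show" omits
# settings that are still at their default value.
LOCKOUT_DEFAULTS = {"admin-lockout-threshold": 3, "admin-lockout-duration": 60}

def parse_fortios(text):
    """Parse flat 'config <path> / set <key> <value> / end' blocks."""
    blocks, path = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            path = line[len("config "):]
            blocks.setdefault(path, {})
        elif line == "end":
            path = None
        elif path and (m := re.match(r"set (\S+) (.+)", line)):
            blocks[path][m.group(1)] = m.group(2).strip('"')
    return blocks

def audit(text):
    """Return (effective lockout values, list of findings)."""
    cfg = parse_fortios(text)
    glob = cfg.get("system global", {})
    policy = cfg.get("system password-policy", {})
    report = {k: int(glob.get(k, d)) for k, d in LOCKOUT_DEFAULTS.items()}
    findings = []
    history = glob.get("user-history-password-threshold")
    reuse = policy.get("reuse-password-limit")
    if history is None or reuse is None:
        findings.append("history/reuse not shown; capture show full-configuration")
    elif int(reuse) > int(history):
        findings.append(f"reuse-password-limit {reuse} exceeds "
                        f"user-history-password-threshold {history}")
    return report, findings

# Constructed sample mirroring the question: history 3, reuse 8.
SAMPLE = """\
config system global
    set admin-lockout-duration 300
    set hostname "FW201E-lab"
    set user-history-password-threshold 3
end
config system password-policy
    set status enable
    set reuse-password-limit 8
end
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```
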

terencemak
New Member
April 1, 2026

Thank you for your explanation, OktaRianzani.