mhdganji
Explorer III
April 10, 2022
Solved

Restricting admin session to a single session

  • April 10, 2022
  • 2 replies
  • 5975 views

Hi,

On FortiGate FortiOS 6.4, this is what I'd like to do:

Limit an admin login to a single session, so if another login happens with the same admin user from another system (another PC), the current session goes off.

Is that possible?

Regards,

Best answer by Yurisk

2 replies

Yurisk
SuperUser
April 10, 2022

Yes, it is doable.

See how to here: https://community.fortinet.com/t5/FortiGate/Technical-Note-How-to-set-a-maximum-number-of-logged-in/ta-p/195629

If you limit the number of admin sessions to 1, then the next admin, after authentication, will be asked what to do with the currently logged-in admin, including the option to disconnect him and go on with the session.

The opposite of this would be to limit admins to just 1 session, but to DENY any other admin sessions without the option to disconnect the current one:

FortiGate-VM64 # config sys global
FortiGate-VM64 (global) # set admin-concurrent
enable     Enable admin concurrent login.
disable    Disable admin concurrent login.
FortiGate-VM64 (global) # set admin-concurrent disable
FortiGate-VM64 (global) # end

Then any additional admin login will be rejected with a wrong username/password error until the current admin session ends:

The client has disconnected from the server.  Reason: Unable to authenticate using any of the configured authentication methods.

HTH

Yuri

mhdganji (Author)
Explorer III
April 10, 2022

Thanks, but I see problems:

- Firstly, we are two admins, say Jack and Jill, and we work simultaneously many times, so there is a need for two concurrent admin sessions. But we need to limit Jack's sessions to 1, so that if any other session with the same username gets connected from another device, the current one will be disconnected and you'll find out there is some malicious activity. I'd like these behaviours and settings to be controlled per admin username, not per any admin defined.

- In the option provided in the link, you have to SSH to the device and disconnect the current session. Is there no option to do this just in the GUI and go on with the login?

[attached screenshot: Capture.JPG]

Yurisk (Answer)
SuperUser
April 14, 2022
  • Nope, this setting is global, either for all admins or none. You cannot restrict the number of local admin logins per user.
  • Yes, as the message says, you have to run this command over SSH.
  • Security-wise, I'd suggest switching your admin authentication to a remote one - RADIUS + AD. Or even easier - every hardware FGT comes with 2 FortiToken licenses, which you can use for 2 admin accounts as MFA. Also, you can set an automation trigger to get an email alert on each successful admin login. Frankly, I don't see much value in knowing that the admin password was compromised because someone logs in with it - in fact, it is a bit too late and too little, as you most probably already have bigger problems with the compromise than a malicious user trying to log in to the FGT, and what if it happens at night? Malicious actors, once in the LAN, will usually go after AD/storage/backups/infrastructure, not the firewall.
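Since FortiOS cannot enforce the per-username limit the original poster asked for, the closest defender-side substitute is detection on the admin login events the answer above suggests alerting on. The script below is an added example, not code from the thread or from Fortinet: it parses FortiGate-style key=value event-log lines and flags a successful admin login from a second source IP while the same username still has an open session from a different one. The log lines are constructed sample data; the user/ui/action/status field names are assumed to match FortiGate's event-log format, and the logic keys on those fields rather than on log IDs.

```python
import re
from typing import Dict, List, Tuple

# Constructed FortiGate-style event-log lines (sample data, not from the thread);
# the type/subtype/user/ui/action/status keys follow FortiGate's key=value format.
SAMPLE_LOGS = [
    'date=2022-04-10 time=09:00:00 type="event" subtype="system" logdesc="Admin login successful" user="jack" ui="https(192.0.2.10)" action="login" status="success"',
    'date=2022-04-10 time=09:05:00 type="event" subtype="system" logdesc="Admin login successful" user="jill" ui="https(192.0.2.11)" action="login" status="success"',
    'date=2022-04-10 time=09:06:00 type="event" subtype="system" logdesc="Admin login successful" user="jill" ui="https(192.0.2.11)" action="login" status="success"',
    'date=2022-04-10 time=09:10:00 type="event" subtype="system" logdesc="Admin login successful" user="jack" ui="ssh(198.51.100.7)" action="login" status="success"',
    'date=2022-04-10 time=09:20:00 type="event" subtype="system" logdesc="Admin logout successful" user="jack" ui="https(192.0.2.10)" action="logout" status="success"',
    'date=2022-04-10 time=09:21:00 type="event" subtype="system" logdesc="Admin logout successful" user="jack" ui="ssh(198.51.100.7)" action="logout" status="success"',
    'date=2022-04-10 time=09:25:00 type="event" subtype="system" logdesc="Admin login successful" user="jack" ui="https(192.0.2.10)" action="login" status="success"',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare
UI_RE = re.compile(r'^(\w+)\(([\d.]+)\)$')         # e.g. https(192.0.2.10)

def parse_kv(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict (quoted or bare values)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def source_of(ui: str) -> Tuple[str, str]:
    """Split the ui field into (protocol, source IP); unknown forms are kept whole."""
    m = UI_RE.match(ui or "")
    return (m.group(1), m.group(2)) if m else (ui or "", "")

def concurrent_logins(lines: List[str]) -> List[Tuple[str, str, str, List[str]]]:
    """(time, user, new_ip, other_active_ips) for each login that overlaps another device."""
    active: Dict[str, Dict[str, str]] = {}  # user -> {source_ip: protocol}
    alerts = []
    for line in lines:
        f = parse_kv(line)
        if f.get("type") != "event" or f.get("subtype") != "system":
            continue
        user, (proto, ip) = f.get("user", ""), source_of(f.get("ui", ""))
        if f.get("action") == "login" and f.get("status") == "success":
            others = sorted(s for s in active.get(user, {}) if s != ip)
            if others:  # same admin name, second device: the case the poster wants to see
                alerts.append((f.get("time", ""), user, ip, others))
            active.setdefault(user, {})[ip] = proto
        elif f.get("action") == "logout":
            active.get(user, {}).pop(ip, None)  # session ended; failed logins change nothing
    return alerts

if __name__ == "__main__":
    for t, user, ip, others in concurrent_logins(SAMPLE_LOGS):
        print(f"{t} ALERT admin '{user}' logged in from {ip} while active from {', '.join(others)}")
```

A reconnect from the same source IP (jill at 09:06) is not flagged, so a browser refresh does not raise noise; only a genuinely different origin for an already-active username does.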