FortiAP devices are thin wireless access points (AP) supporting the latest Wi-Fi technologies (multi-user MIMO 802.11ac Wave 1 and Wave 2, 4x4), as well as 802.11n, 802.11AX , and the demand for plug and play deployment.
This article describes an issue that may be seen with FortiAP-U 'universal' Access Points whereby the system event logs may display failed login attempts but without the source IP address.
If administrative access is enabled in the Access Point Operation Profile and an attempt is made to access to the HTTP interface of an AP using an invalid user name, the FortiGate acting as a Wireless Controller may not record the source IP address of the device that attempted to access the administrative interface.
Instead, the FortiGate may simply record an IP of 0.0.0.0 and an event ID of '0100032002'
Below is an example of the log entry that may be seen in this scenario:
date=2024-09-07 time=05:24:29 eventtime=1725642469337932624 logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" sn="0" user="FortiAP:PU431FXX12345678" ui="https(0.0.0.0)" method="https" action="login" status="failed" srcip=0.0.0.0 dstip=1.2.3.4 reason="name_invalid" msg="Administrator test login failed from https(0.0.0.0) because of invalid user name"
The behavior seen here has been confirmed as a bug, with the fix available in FortiAP v7.0.5.
