Created on 01-19-2020 11:51 PM
Edited on 05-30-2025 06:27 AM
By Anthony_E
Description
This article explains why, under some circumstances, FortiGate can show successful (or failed) logins from 127.0.0.1 when FortiAnalyzer is connecting to it.
Scope
FortiAnalyzer.
Logs similar to the following are observed on the FortiGate:
date=2017-09-27 time=07:23:14 devname=utm01 devid=FGTxxxxx logid="0100032002" type="event" subtype="system" level="alert" vd="root" logtime=1506460994 logdesc="Admin login failed" sn="0" user="admin" ui="http(127.0.0.1)" method="http" srcip=127.0.0.1 dstip=127.0.0.1 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from http(127.0.0.1) because of invalid password"
Solution
When FortiGate is configured to send logs to FortiAnalyzer, under some circumstances, there can be logs regarding admin logins (or failed attempts) from 127.0.0.1.
FortiAnalyzer not only shows information based on FortiGate logs but can also retrieve additional information from FortiGate directly.
This is done by FortiAnalyzer triggering a login via the miglogd daemon running on FortiGate and then querying the FortiGate API.
Because FortiAnalyzer communicates with the miglogd daemon on FortiGate and the login is triggered from there, FortiGate can report an admin login from 127.0.0.1 (the login comes from a local daemon).
If FortiAnalyzer does not have the correct credentials of the FortiGate, and the FortiAnalyzer OFTP certificate and serial number cannot be verified by the FortiGate, then the API login call may fail and a log message like the one in the above example is recorded.
Note:
Login credentials to be used by FortiAnalyzer can be set from the FortiAnalyzer GUI under Device Manager; select 'FortiGate' and then 'Edit'.
If the FortiAnalyzer is managed by FortiManager, the changes need to be made in FortiManager. From the FortiManager GUI under Device Manager, select 'FortiGate' and then 'Edit' and change the admin login credentials to match those used on the FortiGate.
To change the login credentials or create a new administrator account on FortiGate, see this KB article: Technical Tip: Change password for FortiGate from FortiManager
Additionally, logs may show the following authentication failure errors:
Target Host: 127.0.0.1
Target System: Fortinet/Fortigate
Target Username(s): netadmin
The number of authentication failures: At least 100 times in 97 Hour(s).
Failure Reason: timeout
Message: Administrator netadmin timed out on http(127.0.0.1)
If this occurs, re-enter the password between FortiGate and FortiAnalyzer/FortiManager on both sides.
Note:
To exclude the notification from the logs, use the following commands:
config log disk filter
    config free-style
        edit 0
            set type event
            set filter "(logid 0100032002)"
            set filter-type exclude
        next
    end
end
Related article:
Technical Tip: How to exclude specific logs to be sent to FortiAnalyzer
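The exclude filter above matches on logid 0100032002 alone, so it drops every "Admin login failed" event from the disk log, not only the loopback ones. The following Python is an added example (not from the original article or from Fortinet) that splits those events into the 127.0.0.1 pattern described above and failures from any other source, so both can be reviewed before the filter is applied. The sample log lines, the ssh/https ui values and the non-loopback addresses are constructed.

```python
import re
from collections import Counter

ADMIN_LOGIN_FAILED = "0100032002"  # logid taken from the article's sample log
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample events in the key=value format shown in the article.
SAMPLE_LOGS = [
    'date=2017-09-27 time=07:23:14 logid="0100032002" type="event" user="admin" '
    'ui="http(127.0.0.1)" srcip=127.0.0.1 dstip=127.0.0.1 status="failed" '
    'reason="passwd_invalid" msg="Administrator admin login failed"',
    'date=2017-09-27 time=07:28:14 logid="0100032002" type="event" user="admin" '
    'ui="http(127.0.0.1)" srcip=127.0.0.1 dstip=127.0.0.1 status="failed" '
    'reason="passwd_invalid" msg="Administrator admin login failed"',
    'date=2017-09-27 time=07:30:02 logid="0100032002" type="event" user="admin" '
    'ui="ssh(203.0.113.7)" srcip=203.0.113.7 dstip=192.0.2.1 status="failed" '
    'reason="passwd_invalid" msg="Administrator admin login failed"',
    'date=2017-09-27 time=07:31:00 logid="0100032001" type="event" user="admin" '
    'ui="https(192.0.2.50)" srcip=192.0.2.50 dstip=192.0.2.1 status="success"',
]

def parse_kv(line):
    """Parse one key=value log line; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}

def triage(lines):
    """Split 'Admin login failed' events into loopback and other sources."""
    loopback, other = Counter(), []
    for line in lines:
        ev = parse_kv(line)
        if ev.get("logid") != ADMIN_LOGIN_FAILED:
            continue  # not the event type the exclude filter targets
        if ev.get("srcip") == "127.0.0.1" and ev.get("ui", "").endswith("(127.0.0.1)"):
            # Local-daemon login as described in the article: count per user/reason.
            loopback[(ev.get("user"), ev.get("reason"))] += 1
        else:
            # Same logid from a non-loopback source: the filter would hide this too.
            other.append((ev.get("srcip"), ev.get("user"), ev.get("ui")))
    return loopback, other

if __name__ == "__main__":
    loopback, other = triage(SAMPLE_LOGS)
    for (user, reason), count in loopback.items():
        print(f"loopback failures: user={user} reason={reason} count={count}")
    for srcip, user, ui in other:
        print(f"non-loopback failure: srcip={srcip} user={user} ui={ui}")
```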