FortiAnalyzer
Debbie_FTNT
Staff & Editor
Article Id 191892

Description


This article explains why, under some circumstances, FortiGate can show successful (or failed) logins from 127.0.0.1 when FortiAnalyzer is connecting to it.

Scope

FortiAnalyzer.

Logs similar to the following are observed on the FortiGate:
date=2017-09-27 time=07:23:14 devname=utm01 devid=FGTxxxxx logid="0100032002" type="event" subtype="system" level="alert" vd="root" logtime=1506460994 logdesc="Admin login failed" sn="0" user="admin" ui="http(127.0.0.1)" method="http" srcip=127.0.0.1 dstip=127.0.0.1 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from http(127.0.0.1) because of invalid password"

Or:

date="2025-08-05" time="14:01:05" id=7535101228385042582 bid=9660244 dvid=1060 itime=1754402469 euid=3 epid=3 dsteuid=3 dstepid=3 logver=702091688 logid="0100032021" type="event" subtype="system" level="alert" action="login" msg="Login disabled from IP 127.0.0.1 for 60 seconds because of 3 bad attempts" logdesc="Admin login disabled" ui="127.0.0.1" status="failed" reason="exceed_limit" eventtime=1754402465694062946 tz="+0000" devid="FGxxxxxxxxxxxxx" vd="root" devname="FGxxxxxxxxxxxxx"

Solution

When FortiGate is configured to send logs to FortiAnalyzer, under some circumstances there can be logs of admin logins (or failed login attempts) from 127.0.0.1.

FortiAnalyzer not only displays information based on the logs FortiGate sends but can also retrieve additional information from FortiGate directly. It does this by triggering a login through the miglogd daemon running on the FortiGate and then querying the FortiGate API.

Because FortiAnalyzer communicates with the miglogd daemon on the FortiGate and the login is triggered from there, FortiGate reports the admin login as coming from 127.0.0.1 (the login originates from a local daemon).

If FortiAnalyzer does not have the correct credentials for the FortiGate, and the FortiAnalyzer OFTP certificate and serial number cannot be verified by the FortiGate, the API login call may fail, and a log message like those in the examples above is recorded.

Note:
The login credentials used by FortiAnalyzer can be set from the FortiAnalyzer GUI under Device Manager: select the FortiGate and then 'Edit'.

If the FortiAnalyzer is managed by FortiManager, the change must be made in FortiManager instead. From the FortiManager GUI under Device Manager, select the FortiGate, then 'Edit', and change the admin login credentials to match those used on the FortiGate.

To change the login credentials or create a new administrator account on FortiGate, see the KB article: Technical Tip: Change password for FortiGate from FortiManager.

Additionally, logs may show the following authentication failure errors:
Target Host: 127.0.0.1
Target System: Fortinet/Fortigate

Target Username(s): netadmin

The number of authentication failures: At least 100 times in 97 Hour(s).
Failure Reason: timeout
Message: Administrator netadmin timed out on http(127.0.0.1)

If this occurs, re-enter the password between FortiGate and FortiAnalyzer/FortiManager on both sides, and also confirm that the FortiAnalyzer/FortiManager serial number is present and correct on the FortiGate.

Note:

To exclude these notifications from the disk logs, use the following commands (the free-style entry must be closed with 'next' and the nested tables with 'end'):

config log disk filter
    config free-style
        edit 0
            set type event
            set filter "(logid 0100032002)"
            set filter-type exclude
        next
    end
end

This filter drops every event with logid 0100032002, including genuine failed admin logins from remote addresses, so weigh that loss of visibility before applying it.

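As an added example that is not part of the original article, the following Python parses FortiGate key=value event lines and separates admin-login failures that originate on the FortiGate itself (127.0.0.1, the FortiAnalyzer-triggered miglogd login described above) from failures that arrive from remote addresses, which is a way to keep the remote ones visible rather than excluding the log ID altogether. The sample log lines are constructed, trimmed versions of the examples on this page; the remote addresses and timestamps are made up.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample FortiGate event logs, trimmed from the examples above
# (the remote IPs 203.0.113.50 / 198.51.100.7 and the timestamps are made up).
SAMPLE_LOGS = [
    'date=2017-09-27 time=07:23:14 devname=utm01 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="http(127.0.0.1)" srcip=127.0.0.1 dstip=127.0.0.1 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from http(127.0.0.1) because of invalid password"',
    'date=2017-09-27 time=07:25:41 devname=utm01 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(203.0.113.50)" srcip=203.0.113.50 dstip=198.51.100.7 action="login" status="failed" reason="passwd_invalid"',
    'date=2025-08-05 time=14:01:05 logid="0100032021" type="event" subtype="system" level="alert" action="login" msg="Login disabled from IP 127.0.0.1 for 60 seconds because of 3 bad attempts" logdesc="Admin login disabled" ui="127.0.0.1" status="failed" reason="exceed_limit"',
]

# key=value pairs; quoted values may contain spaces, unquoted ones run to the next space.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Log IDs from this article: admin login failed / admin login disabled.
ADMIN_LOGIN_FAILURE_IDS = {"0100032002", "0100032021"}


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate key=value log line into a dict of field -> value."""
    fields: Dict[str, str] = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def ui_address(ui: str) -> str:
    """Extract the address from a ui field: 'http(127.0.0.1)' -> '127.0.0.1'; a bare address is returned unchanged."""
    m = re.fullmatch(r"\w+\(([^)]*)\)", ui)
    return m.group(1) if m else ui


def is_local_daemon_login(fields: Dict[str, str]) -> bool:
    """True when an admin-login failure came from the FortiGate itself (127.0.0.1),
    the signature of the FortiAnalyzer-triggered login via miglogd."""
    if fields.get("logid") not in ADMIN_LOGIN_FAILURE_IDS:
        return False
    src = fields.get("srcip", "")
    ui = ui_address(fields.get("ui", ""))
    return src == "127.0.0.1" or ui == "127.0.0.1"


def triage(lines: List[str]) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Split admin-login failures into (local, remote): local ones usually mean a
    FortiAnalyzer credential or serial-number mismatch, remote ones need investigation."""
    local: List[Dict[str, str]] = []
    remote: List[Dict[str, str]] = []
    for line in lines:
        fields = parse_fortigate_log(line)
        if fields.get("logid") not in ADMIN_LOGIN_FAILURE_IDS:
            continue  # not an admin-login failure event
        (local if is_local_daemon_login(fields) else remote).append(fields)
    return local, remote


if __name__ == "__main__":
    local_events, remote_events = triage(SAMPLE_LOGS)
    print(f"local (FortiAnalyzer-style) failures: {len(local_events)}, remote failures: {len(remote_events)}")
    for ev in remote_events:
        print("investigate:", ev.get("user", "?"), "from", ev.get("srcip", ui_address(ev.get("ui", ""))))
```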
Related articles:

Technical Tip: How to exclude specific logs to be sent to FortiAnalyzer

Technical Tip: Logs regarding Source and Destination IP 127.0.0.1 with UDP port 12121