Description: This article discusses FortiOS behavior when applying an administrative lockout after multiple invalid API keys are seen from the same IP address. In particular, it notes how the failed-attempt count grows with repeated invalid API attempts until the lockout is triggered.
Scope: FortiGate.
Solution:
Authentication attempts for firewall administrators and REST API users are subject to lockouts according to the admin-lockout settings in 'config system global'.
API_TEST # config system global
API_TEST (global) # set admin-lockout ?
admin-lockout-threshold    <----- Number of failed login attempts before an administrator account is locked out for the admin-lockout-duration.
API_TEST (global) # set admin-lockout-duration ?
admin-lockout-duration    <----- Enter an integer value from <1> to <2147483647> (default = <60>).
API_TEST (global) # set admin-lockout-threshold ?
admin-lockout-threshold    <----- Enter an integer value from <1> to <10> (default = <3>).
Administrative lockouts prevent a blocked source IP from authenticating until the admin-lockout-duration passes or the device is rebooted.
A single successful authentication resets the failure count completely. During a lockout, however, the FortiGate rejects the API call without checking the API user's token, so calls made during the lockout count neither as successes nor as failures.
Example lockout diagnostics from an SSH session:
diagnose debug application httpsd -1
diagnose debug enable

2024-12-06 12:45:47 [httpsd 516 - 1733445947  info] fweb_debug_init[531] -- New GET request for "/api/v2/monitor/system/current-admins" from "10.255.254.200:50578"
...
2024-12-06 12:45:51 [httpsd 516 - 1733445951  warning] _lock_out_check_and_lock_out[416] -- Failed api-key login attempt from 10.255.254.200. (2/3 attempts within 60s).
Later, after the lockout had cleared, the administrator sent more test API calls, again with the wrong token:
2024-12-06 12:58:10 [httpsd 588 - 1733446690 info] fweb_debug_init[531] -- New GET request for "/api/v2/monitor/system/current-admins" from "10.255.254.200:58664"
While the source IP of the API user is locked out, the FortiGate returns HTTP error 429 'Too Many Requests' to every API call from that address, whether or not the key is correct.
Example output from a test API call while the user is locked out:
curl -k -v "https://10.255.255.100/api/v2/monitor/system/current-admins" --header "Authorization: Bearer 86zk**********************8s58"    <----- key is entered in the request header.
*   Trying 10.255.255.100:443...
* Connected to 10.255.255.100 (10.255.255.100) port 443 (#0)
* schannel: disabled automatic use of client certificate
* schannel: using IP address, SNI is not supported by OS.
* ALPN: offers http/1.1
* ALPN: server accepted http/1.1
* using HTTP/1.1
> GET /api/v2/monitor/system/current-admins HTTP/1.1
> Host: 10.255.255.100
> User-Agent: curl/8.0.1
> Accept: */*
> Authorization: Bearer 86zk**********************8s58
>
< HTTP/1.1 429 Too Many Requests    <----- FortiGate returns HTTP error 429 during lockout regardless of whether the key is correct.
< X-Frame-Options: SAMEORIGIN
< Content-Security-Policy: frame-ancestors 'self'
< Strict-Transport-Security: max-age=63072000
< date: Thu, 05 Dec 2024 23:06:22 GMT
< content-length: 354
< content-type: text/html; charset=iso-8859-1
< Connection: keep-alive
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>429 Too Many Requests</title>
</head><body>
<h1>Too Many Requests</h1>
<p>The user has sent too many requests in a given amount of time.</p>
<p>Additionally, a 429 Too Many Requests error was encountered while trying to use an ErrorDocument to handle the request.</p>
</body></html>
* Connection #0 to host 10.255.255.100 left intact
The remaining lockout time for a failing API call can be verified in the FortiGate httpsd debug output. If waiting out the remaining lockout time is not possible, send the API call from a different source IP address.
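The following is an added example, not code from this article or from FortiOS. It models the lockout behavior described above (failed api-key logins counted per source IP against admin-lockout-threshold, one success resetting the count, and HTTP 429 returned without checking the token during the lockout) so that an automation author can see why a client must stop retrying a rejected key and why a correct key is still refused from a locked-out address. Everything in it is constructed: the IP addresses and keys are placeholders, a wrong key outside a lockout is assumed to be answered with HTTP 401 (the article only shows the httpsd log line for that case), the failure window is assumed to equal admin-lockout-duration (matching the "n/3 attempts within 60s" debug output), and the counter is assumed to restart from zero once a lockout expires.

```python
# Added example, not code from the Fortinet article or from FortiOS.
# Models the admin-lockout behaviour the article describes.
#
# Constructed assumptions (not stated in the article):
#   - a wrong API key outside a lockout is answered with HTTP 401;
#   - the failure window equals admin-lockout-duration ("n/3 attempts
#     within 60s" in the httpsd output);
#   - once a lockout is triggered the failure counter starts from zero
#     when the lockout expires.
from dataclasses import dataclass, field

THRESHOLD = 3  # admin-lockout-threshold default
DURATION = 60  # admin-lockout-duration default, seconds


@dataclass
class SourceState:
    failures: int = 0          # failed api-key logins in the current window
    window_start: float = 0.0  # time of the first failure in that window
    locked_until: float = 0.0  # lockout end, 0 when not locked


@dataclass
class FortiGateModel:
    """Per-source-IP lockout state machine modelled on the article."""
    valid_key: str
    threshold: int = THRESHOLD
    duration: int = DURATION
    sources: dict = field(default_factory=dict)

    def request(self, src_ip: str, key: str, now: float) -> int:
        st = self.sources.setdefault(src_ip, SourceState())
        # Locked out: the token is not checked and nothing is counted.
        if now < st.locked_until:
            return 429
        # A window that has aged out no longer contributes failures.
        if st.failures and now - st.window_start >= self.duration:
            st.failures = 0
        if key == self.valid_key:
            st.failures = 0  # one success resets the count completely
            return 200
        if st.failures == 0:
            st.window_start = now
        st.failures += 1
        if st.failures >= self.threshold:
            st.locked_until = now + self.duration
            st.failures = 0
        return 401


def classify(status: int) -> str:
    """What an API client should do with each status from the model."""
    if status == 200:
        return "ok"
    if status == 401:
        return "bad_key: fix the key before retrying; every retry counts toward the threshold"
    if status == 429:
        return "locked_out: the key was not checked; wait admin-lockout-duration or use another source IP"
    return f"unexpected HTTP {status}"


def scenario() -> list:
    """Constructed sequence: three wrong keys from 10.255.254.200, then
    the correct key from the locked IP, from another IP, and again after
    the lockout has expired."""
    fgt = FortiGateModel(valid_key="correct-key")
    locked_ip, other_ip = "10.255.254.200", "10.255.254.201"
    calls = [
        (locked_ip, "wrong-key", 0.0),
        (locked_ip, "wrong-key", 1.0),
        (locked_ip, "wrong-key", 2.0),     # third failure -> lockout
        (locked_ip, fgt.valid_key, 5.0),   # correct key, still 429
        (other_ip, fgt.valid_key, 5.0),    # lockout is per source IP
        (locked_ip, fgt.valid_key, 62.0),  # 2.0 + 60s has passed
    ]
    return [fgt.request(ip, key, t) for ip, key, t in calls]


if __name__ == "__main__":
    for status in scenario():
        print(status, classify(status))
```

Against a real FortiGate the request is the curl call shown above; the practical lesson carried by classify() is that a 401 must not be retried with the same key (each retry moves the source IP toward the threshold), and a 429 means the key was never evaluated, so rotating keys does not help and only waiting or changing source IP does.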
In some previous FortiOS versions, it was possible to work around a system administrator lockout by logging in from a different source IP and manipulating the configured lockout time. This was never possible for REST API users and has been removed for system administrators in current FortiOS versions, see this KB article: How to clear disabled admin lockout.
Note: It may sometimes be necessary to generate a new API key in order to resolve a 403 error code.
Copyright 2025 Fortinet, Inc. All Rights Reserved.