Description: This article describes how to implement an automation stitch that strengthens protection against unauthorized FortiGate access by blocking remote IP addresses associated with 3 failed login attempts.
Scope: FortiGate.
Solution:
Step 1: Create an address group.
In the GUI:
Navigate to Policy & Objects -> Addresses -> Create New -> Address Group -> Enter a name: Admin_Failed_Login -> Select OK. This automation configuration is compatible with version 7.2 and later.
In the CLI:
config firewall addrgrp
    edit Admin_Failed_Login
    next
end
Step 2: Create an automation stitch.
Navigate to Security Fabric -> Automation -> Create New -> Supply the name 'Admin_Login_Block'.
Select Add Trigger -> Create -> FortiOS Event Log -> Supply the name 'Admin_Login_disabled' -> Open the FortiOS Event Log: Search and add 'Admin login disabled' -> Select OK -> Select Apply.
Select Add Action -> Create -> CLI Script -> Supply the name 'Block_Admin_Failed' -> Enter the script below and select Administrator profile: Super_admin -> Select OK -> Select Apply -> Select OK.

config firewall address
    edit %%log.srcip%%
        set subnet %%log.srcip%%/32
    next
end
config firewall addrgrp
    edit Admin_Failed_Login
        append member %%log.srcip%%
    next
end
In the CLI:
config system automation-trigger
    edit "Admin_Login_disabled"
        set event-type event-log
        set logid 32002
    next
end
config system automation-action
    edit "Block_Admin_Failed"
        set action-type cli-script
        set script "config firewall address
edit %%log.srcip%%
set subnet %%log.srcip%%/32
end
config firewall addrgrp
edit Admin_Failed_Login
append member %%log.srcip%%
end"
        set accprofile "super_admin"
    next
end
config system automation-stitch
    edit "Admin_Login_Block"
        set description "Admin_Login_Block"
        set trigger "Admin_Login_disabled"
        config actions
            edit 1
                set action "Block_Admin_Failed"
                set required enable
            next
        end
    next
end

Step 3: Create a local-in policy.
config firewall local-in-policy
    edit 0
        set intf <WAN_interface>
        set srcaddr "Admin_Failed_Login"
        set dstaddr "all"
        set action deny
        set service "ALL"
        set schedule "always"
        set status enable
    next
end
Note: Starting from FortiOS version 7.6.0, a local-in policy can also be configured in the GUI. Refer to Technical Tip: Creating a Local-In policy (IPv4 and IPv6) on GUI.
Result: When a login is disabled because of 3 bad attempts, the trigger fires and the CLI script creates an address object for the source IP of the failed attempts. That address object is then appended to the 'Admin_Failed_Login' address group referenced by the local-in policy, and the local-in policy denies traffic originating from that source IP.
Debugs to verify that the automation stitch is being triggered:
diagnose deb app autod -1
diagnose deb en
Output:
########## script name: autod.388 ##########
========== #1, 2025-08-04 11:39:43 ==========
__action_cli_script_close()-213: cli script action is done. script: config firewall address edit %%log.srcip%% set subnet %%log.srcip%%/32 end config firewall addrgrp edit Admin_Failed_Login append member %%log.srcip%% end
Disable the debugs by running 'diag debug disable'.
Reference Log:
date=2025-08-04 time=11:32:42 eventtime=1754328762352279340 tz="-0600" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" sn="0" user="admin" ui="https(178.X.X.X)" method="https" srcip=178.X.X.X dstip=191.X.X.X action="login" status="failed" reason="name_invalid" msg="Administrator admin login failed from https(178.X.X.X) because of invalid user name"
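To check what the action script will actually contain before deploying the stitch, it helps to replay a few event-log lines through the same %%log.srcip%% substitution offline. The following is an added example written for this article, not Fortinet code and not part of FortiOS: it parses FortiOS key=value event-log lines in the format of the Reference Log above, keeps only records with the logid the trigger uses (32002, shown in the log as 0100032002), substitutes the macro into the action script, renders each source only once, and skips a source whose srcip is not IPv4, because the script's /32 mask only makes sense for IPv4 addresses. The sample log lines are constructed and use documentation-range IP addresses; everything else (function names, the TRIGGER_LOGID constant) is an assumption of this example.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample log lines modelled on the reference log in this article
# (assumption of this example; IPs are documentation-range placeholders).
SAMPLE_LOGS = [
    'date=2025-08-04 time=11:32:42 logid="0100032002" type="event" subtype="system" '
    'level="alert" vd="root" logdesc="Admin login failed" user="admin" '
    'ui="https(198.51.100.7)" method="https" srcip=198.51.100.7 dstip=203.0.113.1 '
    'action="login" status="failed" reason="name_invalid" '
    'msg="Administrator admin login failed from https(198.51.100.7) because of invalid user name"',
    # Same source again: the stitch would run the script for this IP a second time.
    'date=2025-08-04 time=11:32:50 logid="0100032002" type="event" subtype="system" '
    'level="alert" vd="root" logdesc="Admin login failed" user="admin" '
    'srcip=198.51.100.7 dstip=203.0.113.1 action="login" status="failed" reason="passwd_invalid"',
    # A successful login carries a different logid and must not match the trigger.
    'date=2025-08-04 time=11:33:01 logid="0100032001" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Admin login successful" user="admin" '
    'srcip=192.0.2.10 dstip=203.0.113.1 action="login" status="success"',
    # IPv6 source: "set subnet <ip>/32" is an IPv4 construct, so this is skipped.
    'date=2025-08-04 time=11:33:20 logid="0100032002" type="event" subtype="system" '
    'level="alert" vd="root" logdesc="Admin login failed" user="admin" '
    'srcip=2001:db8::15 dstip=2001:db8::1 action="login" status="failed" reason="passwd_invalid"',
]

# logid 32002 as it appears in the event log (assumed name for this example).
TRIGGER_LOGID = "0100032002"

# The CLI script of the automation action from this article, with the macro left in place.
ACTION_SCRIPT = """config firewall address
    edit %%log.srcip%%
        set subnet %%log.srcip%%/32
    next
end
config firewall addrgrp
    edit Admin_Failed_Login
        append member %%log.srcip%%
    next
end"""

# key=value pairs; values are either a double-quoted string (may contain spaces) or a bare token.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_event_log(line: str) -> Dict[str, str]:
    """Split a FortiOS key=value log line into a dict, stripping surrounding quotes."""
    fields: Dict[str, str] = {}
    for key, value in _KV.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def render_action(log: Dict[str, str]) -> Optional[str]:
    """Substitute %%log.srcip%% the way the stitch does, or return None when the record
    does not qualify: wrong logid, no srcip, or a srcip that is not an IPv4 address."""
    if log.get("logid") != TRIGGER_LOGID:
        return None
    srcip = log.get("srcip")
    if not srcip:
        return None
    try:
        ipaddress.IPv4Address(srcip)  # raises ValueError for IPv6 or garbage
    except ValueError:
        return None
    return ACTION_SCRIPT.replace("%%log.srcip%%", srcip)


def blocked_sources(lines: List[str]) -> List[str]:
    """Distinct IPv4 sources the stitch would add to Admin_Failed_Login, in first-seen order."""
    seen: List[str] = []
    for line in lines:
        log = parse_event_log(line)
        if render_action(log) is None:
            continue
        if log["srcip"] not in seen:
            seen.append(log["srcip"])
    return seen


if __name__ == "__main__":
    for ip in blocked_sources(SAMPLE_LOGS):
        print(render_action({"logid": TRIGGER_LOGID, "srcip": ip}))
        print()
```

Running the block prints one fully substituted script per distinct source. Feeding it a real export of the event log (one record per line) is a quick way to see which addresses the stitch will create before enabling it on a production unit.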
Related article: Technical Tip: Configure an automation stitch to get an email alert for admin login failures
Copyright 2025 Fortinet, Inc. All Rights Reserved.