nithincs
Staff & Editor
Article Id 387113
Description: This article describes the configuration that restricts an admin user to one active session at a time.
Scope: FortiGate.
Solution

Log in to the device with an admin account that has the super-admin privilege and go to settings.
Search for 'Allow concurrent sessions' and disable the option (it is enabled by default).
Apply the settings.

 


To make the same changes to the configuration via CLI:

 

config system global
    set admin-concurrent disable
end

 

With this configuration, when an admin session is already established and active, the same admin account cannot be used to log in to FortiGate again.

 

For example, user 'admin' has logged in to the FortiGate GUI from 10.32.22.115, and the session is active.

 

FGT1_HO_TLP # get system admin status
path=system, objname=admin, tablename=(null), size=1312
username: admin <---
login local: jsconsole
login device: port1:10.40.19.6:443
login remote: 10.32.22.115:50941
login vdom: root
login access profile: super_admin
login started: 2025-04-10 02:16:29
current time: 2025-04-10 02:16:33

 

Below are the messages FortiGate shows when 'admin' tries to log in to FortiGate again while that session is active.

In the GUI, the message is 'Authentication failure'.

 


In SSH, the message is 'Access denied'.

 

login as: admin
admin@10.40.19.6's password:********
Access denied

 

A log will be generated in FortiGate: 'Administrator admin login failed from https(x.x.x.x) because admin concurrent is disabled'.

 

date=2025-04-10 time=02:20:37 eventtime=1744276837186075837 tz="-0700" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" sn="0" user="admin" ui="ssh(172.26.153.52)" method="ssh" srcip=172.26.153.52 dstip=10.40.19.6 action="login" status="failed" reason="admin_concurrent_disabled" msg="Administrator admin login failed from ssh(172.26.153.52) because admin concurrent is disabled"

 

date=2025-04-10 time=01:56:46 eventtime=1744275407254713715 tz="-0700" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" sn="0" user="admin" ui="https(172.26.153.52)" method="https" srcip=172.26.153.52 dstip=10.40.19.6 action="login" status="failed" reason="admin_concurrent_disabled" msg="Administrator admin login failed from https(172.26.153.52) because admin concurrent is disabled"
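
For monitoring these denials, the following Python is an added example (not part of the original article and not Fortinet tooling). It parses the log lines above, keeps only failures with reason admin_concurrent_disabled, groups them by user and source address, and flags attempts that came from a different address than the active session reported by 'get system admin status'. The function names and the third sample line are assumptions made for the example.

```python
import re
from collections import defaultdict

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare

# Sample input: the two log lines from the article, plus one constructed line
# with a made-up reason value that the filter must ignore.
SAMPLE_LOGS = [
    'date=2025-04-10 time=02:20:37 eventtime=1744276837186075837 tz="-0700" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" sn="0" user="admin" ui="ssh(172.26.153.52)" method="ssh" srcip=172.26.153.52 dstip=10.40.19.6 action="login" status="failed" reason="admin_concurrent_disabled" msg="Administrator admin login failed from ssh(172.26.153.52) because admin concurrent is disabled"',
    'date=2025-04-10 time=01:56:46 eventtime=1744275407254713715 tz="-0700" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" sn="0" user="admin" ui="https(172.26.153.52)" method="https" srcip=172.26.153.52 dstip=10.40.19.6 action="login" status="failed" reason="admin_concurrent_disabled" msg="Administrator admin login failed from https(172.26.153.52) because admin concurrent is disabled"',
    'logid="0100032002" user="admin" method="https" srcip=172.26.153.52 status="failed" reason="constructed_other_reason"',
]
# Excerpt of the 'get system admin status' output shown in the article.
SAMPLE_STATUS = "username: admin\nlogin local: jsconsole\nlogin remote: 10.32.22.115:50941\n"

def parse_line(line):
    """Turn one FortiGate key=value log line into a dict, quotes stripped."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}

def active_session_source(status_text):
    """Return (username, remote_ip) of the session in the status output."""
    user = re.search(r"^username:\s*(\S+)", status_text, re.M)
    remote = re.search(r"^login remote:\s*([\d.]+):\d+", status_text, re.M)
    if not (user and remote):
        raise ValueError("no active admin session in status output")
    return user.group(1), remote.group(1)

def blocked_logins(lines, active_user, active_ip):
    """Group concurrent-session denials by (user, srcip)."""
    hits = defaultdict(lambda: {"count": 0, "methods": set(), "other_source": False})
    for rec in map(parse_line, lines):
        # logid 0100032002 is the "Admin login failed" event; the reason narrows it.
        if rec.get("logid") != "0100032002" or rec.get("reason") != "admin_concurrent_disabled":
            continue
        entry = hits[(rec["user"], rec["srcip"])]
        entry["count"] += 1
        entry["methods"].add(rec["method"])
        # Denied attempt came from a different address than the session holding the slot.
        entry["other_source"] = rec["user"] == active_user and rec["srcip"] != active_ip
    return dict(hits)

if __name__ == "__main__":
    user, ip = active_session_source(SAMPLE_STATUS)
    for (who, src), e in blocked_logins(SAMPLE_LOGS, user, ip).items():
        print(who, src, e["count"], sorted(e["methods"]),
              "other source" if e["other_source"] else "same source")
```

A denial whose source differs from the active session's address is worth reviewing, since it means the same account was used from two places at once.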

 

Note: When an admin session is active through one protocol (such as SSH), no other admin sessions (like HTTPS) can be established until the current session ends. However, 'jsconsole' (GUI CLI Console) sessions, listed under 'exec disconnect-admin-session', are exempt from this restriction and do not count toward the one-session limit.


Related article:

Technical Tip: Restricting multiple admin sessions from the same admin user