FortiGate
salmas
Staff
Article Id 329141
Description This article describes how to check failed admin logins on FortiGate via either the GUI or the CLI, and how to create an automation stitch that sends an email alert whenever an admin login fails.
Scope FortiGate.
Solution

To check failed admin logins in the GUI, go to Log & Report -> System Events -> General System Events and apply the filter Log Description = Admin login failed (log ID 32002).

To check failed admin logins from the CLI, list the alert console messages:

    diag alertconsole list

Or narrow the output to login events only:

    diag alertconsole list | grep login

It is also possible to create an automation stitch that sends an alert on each failed admin login. Go to Security Fabric -> Automation -> Create New and create an Automation Trigger of type FortiOS Event Log with the 'Admin login failed' event.

Then create an Automation Action of type Email and set the recipient address and subject.

The resulting automation stitch pairs the 'Admin login failed' trigger with the email action.

The same configuration from the CLI:

1. Automation Trigger:

config system automation-trigger
    edit "Login_Failed"
        set event-type event-log
        set logid 32002
    next
end

2. Automation Action:

config system automation-action
    edit "Login-Failed_Email"
        set action-type email
        set email-to "myemail@example.com"
        set email-subject "FortiGate Admin Login Failed"
    next
end

3. Automation Stitch:

config system automation-stitch
    edit "Admin_Login_Failed"
        set trigger "Login_Failed"
        config actions
            edit 1
                set action "Login-Failed_Email"
                set required enable
            next
        end
    next
end

Once a failed admin login occurs, the stitch fires and sends the alert email. The email body contains the raw log of the triggering event, for example:

date=2024-07-30 time=09:12:22 eventtime=1722345142416647315 tz="-0400" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" sn="0" user="testlogin" ui="https(172.25.181.118)" method="https" srcip=172.25.181.118 dstip=10.9.11.34 action="login" status="failed" reason="name_invalid" msg="Administrator testlogin login failed from https(172.25.181.118) because of invalid user name"

date=2024-07-30 time=09:10:19 eventtime=1722345019384149693 tz="-0400" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" sn="0" user="testlogin" ui="ssh(172.25.181.118)" method="ssh" srcip=172.25.181.118 dstip=10.9.11.34 action="login" status="failed" reason="name_invalid" msg="Administrator testlogin login failed from ssh(172.25.181.118) because of invalid user name"

Note that the trigger's logid 32002 is the 5-digit message ID, while the raw log carries the full 10-digit logid 0100032002. The fields to look at are srcip (where the attempt came from), ui and method (which management interface was targeted, here HTTPS and SSH), user (the name tried) and reason (why it failed, here name_invalid for an unknown user name). The trigger fires once per event, so a brute-force attempt against the admin interface produces one email per attempt; repeated failures from a single srcip are the pattern to watch for.
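As an added example (not part of this article and not FortiOS code), the following Python script parses FortiOS key=value event logs like the ones above, picks out 'Admin login failed' events by their full logid 0100032002, groups them by source IP, and flags any source with several failures inside a short sliding window, the pattern behind a brute-force attempt. The first two input lines are the ones shown in this article; the remaining lines, the 192.0.2.10 address, the user names tried, the reason value passwd_invalid, the logid 0100032001 success line, and the threshold and window values are constructed for the example and are assumptions, not taken from the article.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# FortiOS event logs are space-separated key=value pairs; a value is either
# double-quoted (and may contain spaces, e.g. msg="...") or bare (e.g. srcip=10.0.0.1).
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Full 10-digit log ID of "Admin login failed" (0100 prefix + message ID 32002),
# as seen in the raw logs in the article.
ADMIN_LOGIN_FAILED = "0100032002"

# Constructed sample input. The first two lines are the ones shown in the article;
# the rest are made up for this example (192.0.2.10 is a documentation address,
# and the 0100032001 "Admin login successful" line is assumed, not from the article).
SAMPLE_LOGS = [
    'date=2024-07-30 time=09:12:22 eventtime=1722345142416647315 tz="-0400" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" sn="0" user="testlogin" ui="https(172.25.181.118)" method="https" srcip=172.25.181.118 dstip=10.9.11.34 action="login" status="failed" reason="name_invalid" msg="Administrator testlogin login failed from https(172.25.181.118) because of invalid user name"',
    'date=2024-07-30 time=09:10:19 eventtime=1722345019384149693 tz="-0400" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" sn="0" user="testlogin" ui="ssh(172.25.181.118)" method="ssh" srcip=172.25.181.118 dstip=10.9.11.34 action="login" status="failed" reason="name_invalid" msg="Administrator testlogin login failed from ssh(172.25.181.118) because of invalid user name"',
    # constructed: two more guesses from the same source
    'date=2024-07-30 time=09:11:05 tz="-0400" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" user="root" ui="ssh(172.25.181.118)" method="ssh" srcip=172.25.181.118 dstip=10.9.11.34 action="login" status="failed" reason="name_invalid" msg="Administrator root login failed from ssh(172.25.181.118) because of invalid user name"',
    'date=2024-07-30 time=09:11:40 tz="-0400" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" user="fortinet" ui="ssh(172.25.181.118)" method="ssh" srcip=172.25.181.118 dstip=10.9.11.34 action="login" status="failed" reason="name_invalid" msg="Administrator fortinet login failed from ssh(172.25.181.118) because of invalid user name"',
    # constructed: a single typo by a legitimate admin, followed by a successful login
    'date=2024-07-30 time=09:13:02 tz="-0400" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" user="admin" ui="https(192.0.2.10)" method="https" srcip=192.0.2.10 dstip=10.9.11.34 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from https(192.0.2.10) because of invalid password"',
    'date=2024-07-30 time=09:13:30 tz="-0400" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(192.0.2.10)" method="https" srcip=192.0.2.10 dstip=10.9.11.34 action="login" status="success" reason="none" msg="Administrator admin logged in successfully from https(192.0.2.10)"',
]


def parse_fortios_log(line):
    """Split one FortiOS log line into a dict, stripping the quotes from quoted values."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(line)}


def is_admin_login_failure(event):
    """True for the event the article's automation trigger fires on."""
    return event.get("logid") == ADMIN_LOGIN_FAILED and event.get("status") == "failed"


def event_time(event):
    """Combine the date and time fields into a datetime (in the device's local tz)."""
    return datetime.strptime(f'{event["date"]} {event["time"]}', "%Y-%m-%d %H:%M:%S")


def failed_logins_by_source(lines):
    """Group failed admin logins by srcip: {srcip: [(time, user, method, reason), ...]}, oldest first."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_fortios_log(line)
        if is_admin_login_failure(ev):
            by_src[ev["srcip"]].append((event_time(ev), ev.get("user"), ev.get("method"), ev.get("reason")))
    return {src: sorted(evs) for src, evs in by_src.items()}


def brute_force_sources(lines, threshold=3, window=timedelta(minutes=5)):
    """Sources with at least `threshold` failures inside any sliding `window`.
    Returns {srcip: most failures seen in one window} for the flagged sources only."""
    flagged = {}
    for src, events in failed_logins_by_source(lines).items():
        times = [t for t, *_ in events]
        # for each event as the window start, count events up to `window` later; keep the peak
        peak = max(sum(1 for t in times[i:] if t - start <= window) for i, start in enumerate(times))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, evs in failed_logins_by_source(SAMPLE_LOGS).items():
        users = sorted({u for _, u, _, _ in evs})
        print(f"{src}: {len(evs)} failed admin login(s), user names tried: {', '.join(users)}")
    for src, n in brute_force_sources(SAMPLE_LOGS).items():
        print(f"ALERT {src}: {n} failed admin logins within 5 minutes")
```

Run it with python3 on a file of exported event logs (replace SAMPLE_LOGS with the file's lines). Unlike the stitch, which emails once per failed attempt, this groups by source, so a burst of guesses from one address is reported once with the count and the user names tried, while a single mistyped password from a legitimate admin stays below the threshold.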