hvardhang (Staff)
Article Id 194229

Description

This article describes how to alter the default login-attempt-limit and login-block-time for SSL VPN users.

 

Scope

FortiGate.


Solution

The default login-attempt-limit for SSL VPN users is 2 and the default login-block-time is 60 seconds.
This means that if a user enters an incorrect username/password combination twice in a row, the firewall blocks further attempts and shows the message 'Too many bad attempts. Please try again in few minutes'.
The user then has to wait 60 seconds before trying to log in again.

[screenshot: 'Too many bad attempts' message shown to the SSL VPN user]


To increase or otherwise change these values, configure them from the CLI as below:

config vpn ssl settings
    set login-attempt-limit x         <----- Insert the number of failed attempts to allow in place of x.
    set login-block-time y            <----- Insert the number of seconds to block attempts in place of y.
    set login-attempt-window z        <----- Insert the number of seconds for which failed logins are considered consecutive and counted against the login-attempt-limit (x) in place of z.
end

Note: Setting the login-block-time value to 0 does not block the connection permanently. The block lasts 0 seconds, so the user is allowed to try again immediately.

 

In newer FortiOS versions the login-attempt-window command has been renamed to login-timeout, but it still refers to the window of time within which failed logins are considered consecutive and counted against the login-attempt-limit.
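How the three settings interact, as an added illustrative model written for this article (it is not FortiOS code and does not reproduce the firewall's implementation): it assumes a sliding window of z seconds for counting consecutive failures, and the window value of 30 seconds used below is a constructed example value, not a documented default.

```python
class SslVpnLockout:
    """Illustrative model of SSL VPN login-attempt-limit, login-block-time and login-attempt-window."""

    def __init__(self, login_attempt_limit=2, login_block_time=60, login_attempt_window=30):
        self.login_attempt_limit = login_attempt_limit    # failed attempts allowed before blocking
        self.login_block_time = login_block_time          # seconds the source stays blocked (0 = retry at once)
        self.login_attempt_window = login_attempt_window  # seconds within which failures count as consecutive (assumed)
        self._fails = {}          # addr -> timestamps of recent failed attempts
        self._blocked_until = {}  # addr -> time at which the block expires

    def status(self, addr, now):
        """Mirror the blocklist states described in the article: locked, pending, or clear."""
        if self._blocked_until.get(addr, 0) > now:
            return "locked"
        return "pending" if self._fails.get(addr) else "clear"

    def attempt(self, addr, now, ok):
        """Record one login attempt at time `now`; returns 'ok', 'failed' or 'blocked'."""
        if self._blocked_until.get(addr, 0) > now:
            return "blocked"              # still inside login-block-time
        if ok:
            self._fails.pop(addr, None)   # a successful login clears the failure history
            return "ok"
        # keep only failures inside login-attempt-window, then add this one
        recent = [t for t in self._fails.get(addr, []) if now - t <= self.login_attempt_window]
        recent.append(now)
        self._fails[addr] = recent
        if len(recent) >= self.login_attempt_limit:
            self._fails.pop(addr)
            self._blocked_until[addr] = now + self.login_block_time  # block_time 0 expires immediately
            return "blocked"
        return "failed"


if __name__ == "__main__":
    m = SslVpnLockout()  # defaults from the article: limit 2, block 60 s
    for t in (0, 5, 30):
        print(t, m.attempt("192.0.2.10", t, ok=False), m.status("192.0.2.10", t))
```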

 

The configuration above helps to limit brute-force attacks against SSL VPN logins.

 

To view the block listed IP address, use the CLI command:


diagnose vpn ssl blocklist list

 

Note: The command is available starting FortiOS versions 7.2.6 and above, 7.4.1 and above.

 

Sample output:

[screenshot: output of 'diagnose vpn ssl blocklist list']

Status values in the output:

locked – the user has reached the maximum number of failed login attempts (login-attempt-limit).

pending – the user's failed login attempts are still below the configured login-attempt-limit.


To delete an entry from the SSL VPN blocklist, use the CLI command:


diagnose vpn ssl blocklist del <all|vfid|addr>

 

Sample output:

[screenshots: blocklist entry deletion with 'diagnose vpn ssl blocklist del']

 

To view the total number of users with failed login attempts, use the CLI command:


diagnose vpn ssl blocklist count

 

This method does not apply to SAML user groups. SAML user groups authenticate against an Azure application, FortiAuthenticator, or another IdP rather than the FortiGate itself, so the FortiGate cannot count each incorrect username/password entry.

 

Related articles:
Technical Tip: How to unblock IP addresses from the SSL VPN blocklist

Technical Tip: SSL VPN timers explanation and SSL VPN Login Attempt Limit (aka 'Lockout')