FortiGate
pavankr5
Staff
Article Id 366701
Description: This article describes how to confirm a brute-force attack on a FortiGate.
Scope: FortiGate.
Solution

Definition of brute-force attack: see the Fortinet article 'What Is A Brute Force Attack?'.

  1. On the FortiGate, check the event logs for authentication failures under Log & Report -> Events -> User Events. Look for repeated failed login attempts from the same IP address or user account, and for login attempts at an unusually high frequency.

Example log entries indicating brute force:

"Administrator admin login failed from https(192.168.100.20) because of invalid password/username"
"Too many failed login attempts, user admin is locked out."
"Login disabled from IP 172.25.181.177 for 60 seconds because of 3 bad attempts"

[Screenshot: login-disabled event log entry]


  2. Use FortiView under Threats and filter for login failures or anomalous activity. Look for a spike in failed logins over a short period.
  3. Check the firewall policy hit count: if the brute force is targeting specific services (for example SSH, HTTPS, VPN), analyze the hit counts of the policies that allow them.
  4. Monitor the IPS and DoS attack logs under Log & Report -> Intrusion Prevention and check for triggers on brute-force-related IPS signatures. Check the DoS attack logs for repeated access attempts.

 

Indicators of brute force:
A large number of failed login attempts over a short period.
Repeated attempts from a single IP address or a few IP addresses.
Account lockouts caused by failed attempts.
High-volume traffic targeting login services.
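The first indicator above (many failures from one source in a short window) is easy to check automatically once the event logs have been exported, for example from a syslog collector. The following script is an added example, not part of this article or of FortiOS: it parses FortiGate-style key=value event log lines, counts login failures per source IP inside a sliding time window, and separately lists lockout messages. The sample lines are constructed for the example and keep only a few fields (real event logs carry many more, such as logid, devname and logdesc); the msg strings are the ones shown above. The threshold of 3 failures in 5 minutes is an assumption chosen to match the "3 bad attempts" lockout message, and should be tuned to the environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample event log lines in FortiGate key=value style (subset of fields).
SAMPLE_LOGS = """\
date=2025-01-10 time=09:00:01 type="event" subtype="system" user="admin" srcip=192.168.100.20 msg="Administrator admin login failed from https(192.168.100.20) because of invalid password/username"
date=2025-01-10 time=09:00:07 type="event" subtype="system" user="admin" srcip=192.168.100.20 msg="Administrator admin login failed from https(192.168.100.20) because of invalid password/username"
date=2025-01-10 time=09:00:12 type="event" subtype="system" user="admin" srcip=192.168.100.20 msg="Administrator admin login failed from https(192.168.100.20) because of invalid password/username"
date=2025-01-10 time=09:00:13 type="event" subtype="system" user="admin" srcip=192.168.100.20 msg="Too many failed login attempts, user admin is locked out."
date=2025-01-10 time=09:30:00 type="event" subtype="system" user="admin" srcip=10.0.0.5 msg="Administrator admin login failed from ssh(10.0.0.5) because of invalid password/username"
date=2025-01-10 time=09:31:00 type="event" subtype="system" user="admin" srcip=10.0.0.5 msg="Administrator admin login successful from ssh(10.0.0.5)"
date=2025-01-10 time=10:15:42 type="event" subtype="system" user="admin" srcip=172.25.181.177 msg="Login disabled from IP 172.25.181.177 for 60 seconds because of 3 bad attempts"
"""

# key=value pairs; values containing spaces are double-quoted in FortiGate logs.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one log line into a dict and add a datetime built from date + time."""
    rec = {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(line)}
    rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
    return rec


def classify(rec):
    """Return 'failure', 'lockout' or None based on the msg text."""
    msg = rec.get("msg", "")
    if "login failed" in msg:
        return "failure"
    if "locked out" in msg or "Login disabled from IP" in msg:
        return "lockout"
    return None


def find_bruteforce(log_text, threshold=3, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold login failures inside any `window`.

    Returns (suspects, lockouts): suspects maps srcip -> summary of the densest
    window seen; lockouts is a list of (ts, srcip, msg) for lockout messages.
    """
    failures = defaultdict(list)  # srcip -> [(ts, user), ...]
    lockouts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        kind = classify(rec)
        if kind == "failure":
            failures[rec["srcip"]].append((rec["ts"], rec.get("user", "?")))
        elif kind == "lockout":
            lockouts.append((rec["ts"], rec["srcip"], rec["msg"]))

    suspects = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits within `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > suspects.get(ip, {}).get("failures_in_window", 0):
                suspects[ip] = {
                    "failures_in_window": count,
                    "users": sorted({u for _, u in events[start:end + 1]}),
                    "first": events[start][0],
                    "last": events[end][0],
                }
    return suspects, lockouts


if __name__ == "__main__":
    suspects, lockouts = find_bruteforce(SAMPLE_LOGS)
    for ip, info in suspects.items():
        print(f"suspect {ip}: {info['failures_in_window']} failures for {info['users']} "
              f"between {info['first']} and {info['last']}")
    for ts, ip, msg in lockouts:
        print(f"lockout {ts} {ip}: {msg}")
```

Run against the constructed sample, the script flags 192.168.100.20 (three failures within eleven seconds) and ignores 10.0.0.5, whose single failure followed by a successful login is ordinary user behaviour; the two lockout messages are listed separately because they are confirmation that the FortiGate's own lockout threshold has already fired.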


Once confirmed, take mitigation steps such as blocking IPs, tightening access policies, and enabling DoS protection.

 

Preventive Measures:

  1. Enable Two-Factor Authentication (2FA). Set up 2FA for admin accounts and user VPN logins to mitigate the risk.
  2. Configure 'Login Attempt Limits' and 'Failed login attempt lockout' for admin accounts.
  3. Block IPs After Multiple Failures. Use local-in policies to block repeated failed login attempts.
  4. Enable IPS Signatures. Ensure IPS signatures for brute-force attacks (for example: SSH, RDP, HTTPS) are enabled.
  5. Monitor and Notify. Configure alerts to notify administrators of failed login attempts under System -> Settings -> Email Service.
  6. If not required, disable administrative access on public-facing interfaces and/or restrict login to Trusted Ho...