Solution
Definition of a Brute Force attack: see What Is A Brute Force Attack?
- On the FortiGate, check Event Logs for Authentication Failures under Log & Report -> Events -> User Events to see authentication-related logs. Look for repeated failed login attempts from the same IP address or user account, or login attempts at unusually high frequencies.
Example log entries indicating brute force:
"Administrator admin login failed from https(192.168.100.20) because of invalid password/username"
"Too many failed login attempts, user admin is locked out."
"Login disabled from IP 172.25.181.177 for 60 seconds because of 3 bad attempts"
- Run the command 'diagnose alertconsole list'; the output displays the source IP where the attempts originated.
- Use FortiView under Threats and filter for login failures or anomalous activity. Look for a spike in failed logins over a short period.
- Check Firewall Policy Hit Count: if the brute force is targeting specific services (e.g., SSH, HTTPS, VPN), analyze the hit counts of the policies that allow those services.
- Monitor IPS and DoS Attack Logs under Log & Report -> Intrusion Prevention and check for triggers on brute-force-related IPS signatures. Check DoS attack logs for repeated access attempts.
Indicators of Brute Force:
- A large number of failed login attempts over a short period.
- Repeated attempts from a single or a few IP addresses.
- Account lockouts due to failed attempts.
- High-volume traffic targeting login services.
Once confirmed, take mitigation steps such as blocking IPs, tightening access policies, and enabling DoS protection.
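As an added example (not part of this Fortinet article), a small Python detector that applies the indicators above to exported event log lines: it parses FortiGate-style key=value lines, matches the failed-login and lockout messages quoted above, and flags any source IP with three or more admin login failures inside a 60-second sliding window. The date/time field layout and the sample lines are constructed for the example.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Message formats quoted in the article above (admin login failure and lockout).
FAILED_RE = re.compile(r"Administrator (?P<user>\S+) login failed from "
                       r"\w+\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)")
LOCKOUT_RE = re.compile(r"Login disabled from IP (?P<ip>\S+) for \d+ seconds")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # FortiGate key=value syslog fields

def parse_line(line):
    """Split a key=value event line into a dict, stripping the quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def detect_brute_force(lines, threshold=3, window_s=60):
    """Flag source IPs with >= threshold failed admin logins inside a sliding window
    of window_s seconds, plus IPs the FortiGate locked out itself.
    Returns {ip: {"failures": total, "users": {...}, "locked": bool}}."""
    recent, total, users, flagged = defaultdict(deque), Counter(), defaultdict(set), {}
    for line in lines:
        f = parse_line(line)
        ts = datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S")
        if m := FAILED_RE.search(f.get("msg", "")):
            ip = m["ip"]
            total[ip] += 1
            users[ip].add(m["user"])
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > timedelta(seconds=window_s):  # drop attempts outside the window
                q.popleft()
            if ip in flagged or len(q) >= threshold:
                locked = flagged.get(ip, {}).get("locked", False)
                flagged[ip] = {"failures": total[ip], "users": set(users[ip]), "locked": locked}
        elif m := LOCKOUT_RE.search(f.get("msg", "")):
            ip = m["ip"]
            flagged.setdefault(ip, {"failures": total[ip], "users": set(users[ip])})["locked"] = True
    return flagged

def ev(time, msg):  # constructed FortiGate-style event line for the sample below
    return f'date=2024-05-01 time={time} msg="{msg}"'

FAIL = "Administrator admin login failed from https({}) because of invalid password/username"
SAMPLE_LOGS = [  # constructed sample: one rapid burst from one IP, two unrelated typos from another
    ev("10:00:01", FAIL.format("192.168.100.20")),
    ev("10:00:05", FAIL.format("192.168.100.20")),
    ev("10:00:09", FAIL.format("192.168.100.20")),
    ev("10:00:12", "Login disabled from IP 192.168.100.20 for 60 seconds because of 3 bad attempts"),
    ev("10:05:00", FAIL.format("10.0.0.5")),
    ev("10:30:00", FAIL.format("10.0.0.5")),
]
```

Only the burst IP is reported with the default threshold; the two isolated failures from 10.0.0.5 fall outside the window and are ignored, so genuine typos do not raise an alert.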
Resource consumption and performance impacts:
- The CPU cores might spike to 99%, making the system sluggish or unresponsive. This occurs because the attack floods the system with login attempts, forcing constant credential validation; the load shows up in user-space processes.
- The httpsd process (verify with 'diagnose system top') can show elevated CPU and memory usage. Multiple instances of httpsd may run simultaneously, with rapidly changing process IDs indicating overload from failed or incomplete login attempts (e.g., HTTP POST requests to '/logincheck'). Debug logs on the daemon will reveal authentication failures with error codes like '-100', often from varied IPs.
- Slow or inaccessible web GUI: high httpsd load can make the FortiGate web interface difficult to access, and the daemon may log repeated crashes.
- Potential high memory usage: Sustained attacks may also increase RAM consumption, especially if combined with other traffic.
Preventive measures:
- Enable multi-factor authentication. Set up 2FA for admin accounts and user VPN logins to mitigate the risk.
- Configure administrator password retries and lockout time following this document: Setting the administrator password retries and lockout time.
- Block IPs after multiple failures. Use this article: Technical Tip: How to check failed admin logins from the GUI and CLI.
- Enable IPS signatures. Ensure IPS signatures for brute-force attacks (for example against SSH, RDP, HTTPS) are enabled.
- Monitor and notify. Configure email alerts following this Technical Tip: How to check failed admin logins from the GUI and CLI, under Email alerts.
- Where administrative access is not necessary, restrict it following this article: Technical Tip: System administrator best practices for FortiGate and FortiProxy.
Related article:
Technical Tip: How to prevent brute force attempts to a FortiGate administrator account login