FortiGate
AmmaIsha
Staff
Article Id 378605
Description

This article describes the reason for System Event logs that report failed login attempts to the backplane management IP address (10.101.10.X).

 

date=2024-02-18 time=14:40:56 devname=7K_labFGT devid=FG73ES3E1XXXXXX slot=1 eventtime=1739911256673233782 tz="-0600" logid="0100032002" type="event" subtype="system" level="alert" vd="mgmt-vdom" logdesc="Admin login failed" sn="0" user="admin" ui="https(92.X.Y.Z)" method="https" srcip=92.255.85.45 dstip=10.101.10.1 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from https(92.255.85.45) because of invalid password"

 

Accessing the GUI via 'https://<mgmt ip>:<special management port>' routes the session to one particular FIM/FPM/FPC of the chassis. The flow starts as client IP to management_IP:port and is eventually NATed so that it becomes client IP to the base-mgmt IP 10.101.10.X:port (by default the port is 443). This is why the failed-login event shows the backplane address in dstip.

For example, if the source IP a.b.c.d connects to the FortiGate using HTTPS on port 44301 ('https://<management IP>:44301'), the following packets can be observed in the sniffer output after the connection is made:

 

[FIM01] 2024-02-18 13:41:44.890219 havdlink1 out a.b.c.d.55931 -> 10.101.10.1.443: syn 2762137813
[FIM01] 2024-02-18 13:41:44.890272 havdlink1 in 10.101.10.1.443 -> a.b.c.d.55931: syn 2582827963 ack 2762137814
[FIM01] 2024-02-18 13:41:45.048003 havdlink1 out a.b.c.d.55931 -> 10.101.10.1.443: ack 2582827964
[FIM01] 2024-02-18 13:41:45.048049 havdlink1 out a.b.c.d.55931 -> 10.101.10.1.443: psh 2762137814 ack 2582827964
[FIM01] 2024-02-18 13:41:45.048054 havdlink1 in 10.101.10.1.443 -> a.b.c.d.55931: ack 2762138044
[FIM01] 2024-02-18 13:41:45.050148 havdlink1 in 10.101.10.1.443 -> a.b.c.d.55931: psh 2582827964 ack 2762138044
[FIM01] 2024-02-18 13:41:45.208347 havdlink1 out a.b.c.d.55931 -> 10.101.10.1.443: psh 2762138044 ack 2582829288

Scope

FortiGate-6K/7K chassis.
Solution

Use one of the two solutions below to restrict access to the special management IP addresses.

  1. Configure a local-in policy to block access to the special management ports from public IP addresses.
  2. Add trusted hosts under the admin account settings to allow access only from trusted IP addresses.

 

A list of special management IP addresses can be found in: Special management port numbers
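
To measure the exposure before and after applying either restriction, the failed-login events described above can be counted from exported logs. The following is an added example, not Fortinet code: it parses FortiOS key=value log lines and reports failed admin logins (logid 0100032002) whose dstip is in the backplane range and whose srcip is a public address. The /24 mask, the function names and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Backplane (base-mgmt) range from the article, 10.101.10.X; the /24 mask is an assumption.
BACKPLANE_NET = ipaddress.ip_network("10.101.10.0/24")
LOGID_ADMIN_LOGIN_FAILED = "0100032002"  # logid of the event quoted in the article
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value or key="quoted value"

def parse_log(line):
    """Split one FortiOS key=value log line into a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}

def exposed_failed_logins(lines):
    """Count failed admin logins that reached a backplane IP from a public source."""
    hits = Counter()
    for line in lines:
        f = parse_log(line)
        if f.get("logid") != LOGID_ADMIN_LOGIN_FAILED or f.get("status") != "failed":
            continue
        try:
            src = ipaddress.ip_address(f.get("srcip", ""))
            dst = ipaddress.ip_address(f.get("dstip", ""))
        except ValueError:
            continue  # masked or missing address (e.g. a.b.c.d)
        if dst in BACKPLANE_NET and src.is_global:
            hits[(str(src), f.get("user", "?"), str(dst))] += 1
    return hits

def make_sample(time, user, src, dst):
    """Build a constructed log line in the shape of the article's event."""
    return (f'date=2024-02-18 time={time} logid="0100032002" type="event" '
            f'subtype="system" level="alert" user="{user}" ui="https({src})" '
            f'srcip={src} dstip={dst} action="login" status="failed" '
            f'reason="passwd_invalid" msg="Administrator {user} login failed '
            f'from https({src}) because of invalid password"')

# Constructed sample input; 92.255.85.45 is the source address in the article's log.
SAMPLE_LOGS = [
    make_sample("14:40:56", "admin", "92.255.85.45", "10.101.10.1"),
    make_sample("14:40:59", "admin", "92.255.85.45", "10.101.10.1"),
    make_sample("14:41:03", "root", "92.255.85.45", "10.101.10.2"),
    make_sample("14:45:10", "admin", "10.20.30.40", "10.101.10.1"),    # internal source
    make_sample("14:46:00", "admin", "92.255.85.45", "192.168.1.99"),  # not backplane
    make_sample("14:47:00", "admin", "a.b.c.d", "10.101.10.1"),        # masked source
]

if __name__ == "__main__":
    for (src, user, dst), n in exposed_failed_logins(SAMPLE_LOGS).most_common():
        print(f"{n} failed login(s) as {user} from {src} -> {dst}")
```

A non-empty result for logs collected after the local-in policy or trusted hosts are in place means a special management port is still answering logins from a public address.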

 
