FortiSIEM Discussions
Ernie
New Contributor III

FortiSIEM account locked due to excessive login failures

Hi Community,

Recently our FortiSIEM is flooded every 2 seconds with "System user account locked due to excessive login failures" by user SYSTEM(su), which generates an Incident that locks out the user...

The Short Process Name is AppServer, but the remarkable thing is that the request comes from its own IP address (192.168.1.1):

[root@FortiSIEM logs]# tail -f /var/log/httpd/ssl_request_log | grep 192.168.1.1
192.168.1.1 - - [28/Feb/2025:15:07:17 +0100] "GET /phoenix HTTP/1.1" 301 180 "-" "-"
192.168.1.1 - - [28/Feb/2025:15:07:17 +0100] "GET /phoenix/ HTTP/1.1" 302 190 "-" "-"
192.168.1.1 - - [28/Feb/2025:15:07:17 +0100] "GET /phoenix/login.html HTTP/1.1" 200 2025 "-" "-"
192.168.1.1 - - [28/Feb/2025:15:07:18 +0100] "GET /phoenix/rest/sync/task?custId=1&agentId=1&time=1740751638&phProcessName=phMonitorSupervisor HTTP/1.1" 200 112 "-" "-"
192.168.1.1 - - [28/Feb/2025:15:07:19 +0100] "GET /phoenix HTTP/1.1" 301 180 "-" "-"
192.168.1.1 - - [28/Feb/2025:15:07:19 +0100] "GET /phoenix/ HTTP/1.1" 302 190 "-" "-"
192.168.1.1 - - [28/Feb/2025:15:07:19 +0100] "GET /phoenix/login.html HTTP/1.1" 200 2025 "-" "-"
192.168.1.1 - - [28/Feb/2025:15:07:21 +0100] "GET /phoenix HTTP/1.1" 301 180 "-" "-"
192.168.1.1 - - [28/Feb/2025:15:07:21 +0100] "GET /phoenix/ HTTP/1.1" 302 190 "-" "-"
192.168.1.1 - - [28/Feb/2025:15:07:21 +0100] "GET /phoenix/login.html HTTP/1.1" 200 2025 "-" "-"

I can't seem to find out or block the IP, for example with an .htaccess file.

Has anyone got a clue on how to solve this?
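As an added example (not part of the original post and not Fortinet tooling), the Python below parses lines in the ssl_request_log format shown in the excerpt, counts hits on /phoenix/login.html per source address inside a sliding window, reports the mean interval between those hits, and checks whether the hammering source is the appliance's own address. It also pulls the phProcessName parameter that internal FortiSIEM callers attach to their requests, which is the quickest hint as to which internal process is talking to the AppServer. The sample lines are constructed to mirror the excerpt; the 10.0.0.5 line, the window size and the threshold are assumptions chosen for illustration.

```python
# Added example: find who is hammering the FortiSIEM login page from
# ssl_request_log lines. Not from the original post or from Fortinet.
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs

# Constructed sample modelled on the excerpt in the post; the 10.0.0.5 line is
# a made-up external client added for contrast.
SAMPLE_LOG = """\
192.168.1.1 - - [28/Feb/2025:15:07:17 +0100] "GET /phoenix HTTP/1.1" 301 180 "-" "-"
192.168.1.1 - - [28/Feb/2025:15:07:17 +0100] "GET /phoenix/ HTTP/1.1" 302 190 "-" "-"
192.168.1.1 - - [28/Feb/2025:15:07:17 +0100] "GET /phoenix/login.html HTTP/1.1" 200 2025 "-" "-"
192.168.1.1 - - [28/Feb/2025:15:07:18 +0100] "GET /phoenix/rest/sync/task?custId=1&agentId=1&time=1740751638&phProcessName=phMonitorSupervisor HTTP/1.1" 200 112 "-" "-"
192.168.1.1 - - [28/Feb/2025:15:07:19 +0100] "GET /phoenix/login.html HTTP/1.1" 200 2025 "-" "-"
192.168.1.1 - - [28/Feb/2025:15:07:21 +0100] "GET /phoenix/login.html HTTP/1.1" 200 2025 "-" "-"
10.0.0.5 - - [28/Feb/2025:15:07:20 +0100] "GET /phoenix/login.html HTTP/1.1" 200 2025 "-" "-"
"""

# httpd common-log prefix: ip ident user [timestamp] "METHOD target PROTO" status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    # Internal FortiSIEM callers tag their requests with phProcessName=<name>
    proc = parse_qs(query).get("phProcessName", [None])[0]
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": path,
        "status": int(m.group("status")),
        "proc": proc,
    }


def login_page_hits(log_text, login_path="/phoenix/login.html"):
    """Map source IP -> list of timestamps of requests for the login page."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] == login_path:
            hits[rec["ip"]].append(rec["ts"])
    return hits


def mean_interval(stamps):
    """Mean seconds between consecutive hits, or None with fewer than 2 hits."""
    stamps = sorted(stamps)
    if len(stamps) < 2:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return sum(gaps) / len(gaps)


def flag_hammering(hits, self_ips, window_s=10, threshold=3):
    """Flag sources with >= threshold login-page hits in any window_s window.

    Returns [(ip, max_hits_in_window, is_own_address)], busiest first.
    window_s and threshold are illustrative values, not FortiSIEM defaults.
    """
    flagged = []
    for ip, stamps in hits.items():
        stamps.sort()
        best, j = 0, 0
        for i in range(len(stamps)):          # two-pointer sliding window
            while (stamps[i] - stamps[j]).total_seconds() > window_s:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            flagged.append((ip, best, ip in self_ips))
    return sorted(flagged, key=lambda t: -t[1])


def internal_processes(log_text, self_ips):
    """Set of phProcessName values seen in requests from the appliance's own IPs."""
    procs = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["ip"] in self_ips and rec["proc"]:
            procs.add(rec["proc"])
    return procs


if __name__ == "__main__":
    own = {"192.168.1.1"}                    # assumption: supervisor's address
    hits = login_page_hits(SAMPLE_LOG)
    for ip, count, is_self in flag_hammering(hits, own):
        print(f"{ip}: {count} login hits in window, mean gap "
              f"{mean_interval(hits[ip])}s, own address={is_self}")
    print("internal callers seen:", internal_processes(SAMPLE_LOG, own))
```

Run it against a real capture with `tail -n 5000 /var/log/httpd/ssl_request_log` piped into `login_page_hits` instead of SAMPLE_LOG. A source that is flagged and whose address is the appliance's own, with a steady mean gap, points at an internal process rather than an outside brute-force attempt, which is why blocking the address with .htaccess is the wrong lever: it would also cut off the legitimate internal sync traffic visible on the same IP.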

2 REPLIES
Secucard
New Contributor III

Hi, we had it with 7.3.0 and now, with 7.4.0, it got even worse. Same problem.

Can anyone from Fortinet help us?

Secusaurus
Contributor III

Hi @Ernie and @Secucard,

I see this issue usually in the context of upgrades. The internal cluster passwords get changed/reset on cluster upgrades, so the workers trying to access the supervisor, or even internal processes, might not be able to connect to each other during an upgrade or after issues with the upgrade. There will be a mismatch if you run "phLicenseTool --showRedisPassword".

If this is not your issue, can you share more details/logs about the issue and your deployment scenario?

Best,

Christian

FCX #003451 | Fortinet Advanced Partner