Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
dwarr1993
New Contributor

Automation Stitch:Failed Admin Login is triggered

Hello,

I get this error every time I restart a specific Windows Server:
FG.PNG

I have look in the Event Viewer of the Server but can't find anything related to this failed login.

Is there a way that the FortiGate can tell me what application is being used by the server to try and login?

It's a relatively new server, as well as the FortiGate, and I'm pretty certain I haven't setup anything on this server to try and connect to my gateway.

Stumped. 

2 REPLIES 2
pminarik
Staff
Staff

The short answer is "no". In general it is not possible for the receiving end to learn which process generated the traffic on the other side That fact is not advertised over the network.

 

Here's a suggestion: 

1, Start and keep running a packet capture on the FortiGate (filter for hosts 192.168.0.16 + 192.168.0.1, and for your SSH port) -> This will tell you which source-port was used.

1.a, Alternatively, if you are logging local-in traffic, find these sessions in the Local Traffic log.

 

2, With this info, you might be able to trace which process generated this traffic on the Windows server end, assuming there's a way to log which processes used which source ports. (I don't know)

 

Another alternative: Perhaps you have some firewall application installed on the Windows server? If yes, check if you can set it up to block this traffic and log it. Then maybe this log will tell you which process tried to initiate that connection.

 

one addition: Since this is SSH, the initial communication is a "Protocol version exchange", which tends to include the version of the client/server. You can try looking at that in the packet capture, maybe that will give a hint as to which process is the client on the Windows server.

 

https://datatracker.ietf.org/doc/html/rfc4253#section-4.2

[ corrections always welcome ]
dwarr1993

Thank you for replying! I have setup a Packet Capture, just need to start it. Which I'll do before I restart the server. Need to wait until the weekend though :(

Labels
Top Kudoed Authors