Fortinet Forum
mhdganji
New Contributor III

Restricting admin session to a single session

Hi,

On FortiGate FortiOS 6.4, this is what I'd like to do:

Limit an admin login to a single session, so that if another login happens with the same admin user from another system (another PC), the current session is logged off.

Is that possible?

Regards,

Yurisk
Valued Contributor

Yes, it is doable.

See the how-to here: https://community.fortinet.com/t5/FortiGate/Technical-Note-How-to-set-a-maximum-number-of-logged-in/...

If you limit the number of admin sessions to 1, then the next admin, after authentication, will be asked what to do with the currently logged-in admin, including the option to disconnect them and go on with the session.

The opposite of this would be to limit admins to just 1 session, but to DENY any other admin sessions without the option to disconnect the current one:

FortiGate-VM64 # config sys global
FortiGate-VM64 (global) # set admin-concurrent
enable     Enable admin concurrent login.
disable    Disable admin concurrent login.
FortiGate-VM64 (global) # set admin-concurrent disable
FortiGate-VM64 (global) # end

Then any additional admin login will be prevented, with a wrong username/password error, until the current admin session ends:

The client has disconnected from the server.  Reason:
Unable to authenticate using any of the configured authentication methods.

HTH

Yuri
https://yurisk.info/ blog: All things Fortinet, no ads.


All opinions are mine only.
mhdganji
New Contributor III

Thanks, but I see problems:

- Firstly, we are two admins, say Jack and Jill, and we often work simultaneously, so there is a need for two concurrent admin sessions; but we need to limit Jack's sessions to 1, so that if any other session with the same username connects from another device, the current one is disconnected and you find out there is some malicious activity. I'd like these behaviours and settings to be controlled per admin username, not for every admin defined.

- In the option provided in the link, you have to SSH to the device and disconnect the current session. Is there no option to do this from the GUI and go on with the login?


mhdganji
New Contributor III

Sorry to bump this discussion, but as I want to wrap it up, and as I asked: are these settings applicable per admin user (for instance, limiting Jack to two sessions but Jimmy to just one), together with the other elaboration and conditions I explained?

 

Regards,

Yurisk
Valued Contributor

  • Nope, this setting is global, either for all admins or none. You cannot restrict the number of local admin logins per user.
  • Yes, as the message says, you have to run this command via SSH.
  • Security-wise, I'd suggest switching your admin authentication to a remote one - RADIUS + AD. Or even easier - every hardware FGT comes with 2 FortiToken licenses, which you can use for 2 admin accounts as MFA. Also, you can set an automation trigger to get an email alert on each successful admin login. Frankly, I don't see much value in knowing that an admin password was compromised because someone logs in with it - in fact, it is a bit too late and too little, as you most probably already have bigger problems with the compromise than a malicious user trying to log in to the FGT, and what if it happens at night? Malicious actors, once in the LAN, will usually go after AD/storage/backups/infrastructure, not the firewall.

Yuri
https://yurisk.info/ blog: All things Fortinet, no ads.


All opinions are mine only.
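As an added example, not taken from any of the posts above, here are the settings discussed in this thread collected into one FortiOS 6.4 CLI fragment: the two global concurrent-login controls, and the automation stitch that emails on every successful admin login. Some assumptions: `admin-login-max` is, to my knowledge, the `config system global` option the linked technical note is about, but it is not quoted in the thread, so verify it with `set admin-login-max ?` on your own unit; log ID 32001 ("Admin login successful") is assumed; the e-mail address and object names are constructed. As the accepted answer says, none of this is per admin account: every setting below applies to all administrators on the box.

```text
# Option A (soft limit, assumed to be what the linked technical note covers):
# at most one admin logged in at a time. A second admin who authenticates is
# offered the choice to disconnect the existing session (CLI/SSH only).
config system global
    set admin-login-max 1
end

# Option B (hard deny, the setting shown in the thread): no concurrent admin
# logins at all. A second login attempt fails with an authentication error
# until the current session ends. Like option A this is global, not per user.
config system global
    set admin-concurrent disable
end

# Back to defaults if the lockout proves too disruptive for two working admins.
config system global
    set admin-concurrent enable
    set admin-login-max 100
end

# Alert on every successful admin login, as suggested in the answer.
# Trigger: event log ID 32001 = "Admin login successful" (assumed).
config system automation-trigger
    edit "admin-login-ok"
        set event-type event-log
        set logid 32001
    next
end

# Action: e-mail the SOC mailbox (address constructed for this example).
config system automation-action
    edit "mail-secops"
        set action-type email
        set email-to "secops@example.com"
        set email-subject "FortiGate admin login"
    next
end

# Stitch: bind trigger to action (6.4 uses the "config actions" sub-table).
config system automation-stitch
    edit "alert-admin-login"
        set trigger "admin-login-ok"
        config actions
            edit 1
                set action "mail-secops"
            next
        end
    next
end
```

Option A and option B are alternatives, not a pair: with `admin-concurrent disable` there is no "disconnect the other admin" prompt, so for the two-admins-working-together scenario in the question only option A plus the login alert is workable. Pair the alert with `source-ip`/trusted-host restrictions on each `config system admin` entry so that a login from an unexpected PC is blocked outright rather than merely reported.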