Administrator admin logged in successfully from https(127.0.0.1)
FortiGate 60D (v6.0.13) and FortiAnalyzer (v7.2.5)
I'm having a strange issue: the FortiGate dashboard shows two admins logged in - Admin (with my workstation IP) and Admin (127.0.0.1).
FortiAnalyzer system events for FGT60D show the following. Every hour there is a successful login.
14:57:45 Administrator admin timed out on https(127.0.0.1)
14:47:46 Administrator admin logged in successfully from https(127.0.0.1)
13:57:22 Administrator admin timed out on https(127.0.0.1)
13:48:19 Administrator admin logged in successfully from https(127.0.0.1)
I have other devices with older and newer firmware and am not seeing this issue on them, including a 60D with older firmware.
Any idea what is causing this and how to resolve it?
Thanks.
- Labels: FortiAnalyzer, FortiGate
Hello,
Please refer to the document regarding 127.0.0.1 Admin login
https://community.fortinet.com/t5/FortiAnalyzer/Technical-tip-Admin-login-from-127-0-0-1/ta-p/191892
Hello,
On FAZ, the correct username and password are configured.
On FGT, the following is configured:
config log fortianalyzer setting
    set status enable
    set server <FAZ_IP>
    set enc-algorithm high-medium
    set certificate "Fortinet_Factory"
    set upload-option 1-minute
    set reliable enable
end
There is no "set serial" command available on FGT as per the document shared by you.
Hello,
Please run the following command:
config log fortianalyzer setting
    sh full
end
This sh full configuration will show the set serial command.
Unfortunately, the "set serial" command is not available on this firmware.
config log fortianalyzer setting
    set status enable
    set ips-archive enable
    set server <FAZ_IP>
    set enc-algorithm high-medium
    set ssl-min-proto-version default
    set conn-timeout 10
    set monitor-keepalive-period 5
    set monitor-failure-retry-period 5
    set certificate "Fortinet_Factory"
    set source-ip ''
    set upload-option 1-minute
    set reliable enable
end
Output of set options:
# set ?
status                          Enable/disable logging to FortiAnalyzer.
ips-archive                     Enable/disable IPS packet archive logging.
*server                         The remote FortiAnalyzer.
enc-algorithm                   Enable/disable sending FortiAnalyzer log data with SSL encryption.
ssl-min-proto-version           Minimum supported protocol version for SSL/TLS connections (default is to follow system global setting).
conn-timeout                    FortiAnalyzer connection time-out in seconds (for status and log buffer).
monitor-keepalive-period        Time between OFTP keepalives in seconds (for status and log buffer).
monitor-failure-retry-period    Time between FortiAnalyzer connection retries in seconds (for status and log buffer).
certificate                     Certificate used to communicate with FortiAnalyzer.
source-ip                       Source IPv4 or IPv6 address used to communicate with FortiAnalyzer.
upload-option                   Enable/disable logging to hard disk and then uploading to FortiAnalyzer.
reliable                        Enable/disable reliable logging to FortiAnalyzer.
#
Technically it's not a problem to solve. It's normal behavior when FAZ polls information from that firewall. In some (older) versions it is shown in the logs, in others it is not. In the newer FortiOS this log was removed. The only concern you should have is when you see failed attempts from FAZ IP and admin account.
How to remove these logs? Try to filter them in FortiGate or FAZ by log ID and exclude them. Make sure you don't exclude valid logs too with this filter.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-exclude-a-specific-set-of-logs-that...
- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
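
An added example, not part of any post in this thread: a triage pass over admin events in the format quoted in the question. It hides only the loopback polling pair and keeps failed attempts and workstation logins visible, which is the over-exclusion the last reply warns about. The "login failed from" wording, the `FAZ_IP` placeholder, the label names and the constructed sample lines are assumptions.

```python
import re
from collections import Counter

# The first two message shapes are copied from the thread; "login failed from"
# is an assumed wording for a failed attempt.
EVENT = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) Administrator (?P<user>\S+) "
    r"(?P<action>logged in successfully from|timed out on|login failed from) "
    r"(?P<method>\w+)\((?P<src>[^)]+)\)$"
)
LOOPBACK = "127.0.0.1"
FAZ_IP = "192.0.2.10"  # documentation-range placeholder for <FAZ_IP>

def classify(line, faz_ip=FAZ_IP):
    """Label one admin event line; only 'expected-polling' is safe to hide."""
    m = EVENT.match(line.strip())
    if m is None:
        return "unparsed"          # never suppress what we cannot parse
    if m["action"].startswith("login failed"):
        return "failed-from-faz" if m["src"] == faz_ip else "failed-other"
    if m["src"] == LOOPBACK and m["user"] == "admin":
        return "expected-polling"  # the hourly login/timeout pair in the thread
    return "interactive"           # a person at a workstation: keep visible

def triage(lines, faz_ip=FAZ_IP):
    """Return (counts per label, events that must stay visible)."""
    counts, keep = Counter(), []
    for line in lines:
        label = classify(line, faz_ip)
        counts[label] += 1
        if label != "expected-polling":
            keep.append((label, line))
    return counts, keep

SAMPLE = [
    # Copied from the original post:
    "14:57:45 Administrator admin timed out on https(127.0.0.1)",
    "14:47:46 Administrator admin logged in successfully from https(127.0.0.1)",
    # Constructed for this example:
    "15:02:10 Administrator admin logged in successfully from https(198.51.100.23)",
    "15:10:44 Administrator admin login failed from https(192.0.2.10)",
    "15:11:02 Administrator admin login failed from https(127.0.0.1)",
]

if __name__ == "__main__":
    counts, keep = triage(SAMPLE)
    print(dict(counts))
    for label, line in keep:
        print(f"{label:16} {line}")
```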
