Since upgrading my FortiAnalyzer 200D to v5.6.0, I am being flooded with AuthCode emails. My FortiGates are configured with 2 factor authentication enabled.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
If the e-mails you are referring to are e-mail alerts sent by the FAZ, then they would be triggered by logs sent by your FortiGates. Can you provide output of one of the log messages triggering that e-mail alert?
The question is then whether that alert message *ought* to be triggered by the logs in question, depending on how you have configured it. You can increase the threshold for that alert to ensure less frequent e-mails. But ultimately, you should probably address the reason why the FortiGates were sending the logs. Ultimately, the only thing your FAZ upgrade might have done is make the event handler more sensitive.
These are authentication code emails sent from the FortiGates. We use the legacy email-based 2 factor authentication. It appears that the FortiAnalyzer is triggering these emails when it connects to the FortiGates. This is happening about every few seconds.
I think I've come up with a workaround by creating a separate user account without 2FA enabled on the FortiGates for the FortiAnalyzer to use. I've restricted login to the address of the FortiAnalyzer.
Glad you found a workaround.
When you refer to "FortiAnalyzer" (FAZ), perhaps you are referring to a FortiManager (FMG), perhaps which has FortiAnalyzer features enabled. A FMG will attempt to login to FGT (for configuration management). A FAZ (logging/reporting) will not.
No, we have a FortiAnalyzer 200D appliance which we just upgraded to the new v5.6.0 firmware. For each FortiGate device entry in the FortiAnalyzer, it was requesting login credentials. When I provided it with the admin credentials that's when we started getting flooded with the AuthCode emails. Undoubtedly it was trying to log into the FortiGates with the admin account which had 2FA enabled.
The one exception that I can think of (new to FAZ 5.6.0) is CSF (Security Fabric).
If the FGT added to the FAZ has security fabric enabled, then FAZ *does* need to have credentials for an admin account on the FGT.
It may be that a non-2FA admin account is required in that case. The alternative would be to disable CSF on the FGT.
Gotcha. And we do have CSF enabled. Seems like the optimal solution is to have a dedicated login account for the FortiAnalyzer without 2FA which is what we did.
Thanks for the sanity check :)
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.