Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
CHood
New Contributor

AuthCodes Flooding Email Since Upgrading to 5.6.0

Since upgrading my FortiAnalyzer 200D to v5.6.0, I am being flooded with AuthCode emails. My FortiGates are configured with 2 factor authentication enabled.

6 REPLIES 6
chall_FTNT
Staff
Staff

If the e-mails you are referring to are e-mail alerts sent by the FAZ, then they would be triggered by logs sent by your FortiGates.  Can you provide output of one of the log messages triggering that e-mail alert?

 

The question is then whether that alert message *ought* to be triggered by the logs in question, depending on how you have configured it.  You can increase the threshold for that alert to ensure less frequent e-mails.  But ultimately, you should probably address the reason why the FortiGates were sending the logs.  Ultimately, the only thing your FAZ upgrade might have done is make the event handler more sensitive.

Chris Hall
Fortinet Technical Support
CHood

These are authentication code emails sent from the FortiGates. We use the legacy email-based 2 factor authentication. It appears that the FortiAnalyzer is triggering these emails when it connects to the FortiGates. This is happening about every few seconds.

 

I think I've come up with a workaround by creating a separate user account without 2FA enabled on the FortiGates for the FortiAnalyzer to use. I've restricted login to the address of the FortiAnalyzer.

chall_FTNT

Glad you found a workaround.

 

When you refer to "FortiAnalyzer" (FAZ), perhaps you are referring to a FortiManager (FMG), perhaps which has FortiAnalyzer features enabled.   A FMG will attempt to login to FGT (for configuration management).  A FAZ (logging/reporting) will not.

Chris Hall
Fortinet Technical Support
CHood

No, we have a FortiAnalyzer 200D appliance which we just upgraded to the new v5.6.0 firmware. For each FortiGate device entry in the FortiAnalyzer, it was requesting login credentials. When I provided it with the admin credentials that's when we started getting flooded with the AuthCode emails. Undoubtedly it was trying to log into the FortiGates with the admin account which had 2FA enabled.

chall_FTNT

The one exception that I can think of (new to FAZ 5.6.0) is CSF (Security Fabric).

 

If the FGT added to the FAZ has security fabric enabled, then FAZ *does* need to have credentials for an admin account on the FGT.

 

It may be that a non-2FA admin account is required in that case.  The alternative would be to disable CSF on the FGT.

Chris Hall
Fortinet Technical Support
CHood

Gotcha. And we do have CSF enabled. Seems like the optimal solution is to have a dedicated login account for the FortiAnalyzer without 2FA which is what we did.

 

Thanks for the sanity check :)

Top Kudoed Authors