Automatically Quarantine IPs that Attempt to Telnet etc. from Wan?
Hi All,
Fortigate 300D v5.4.1, seeing lots of attempts to telnet, ssh, etc. into wan facing interfaces.
Can anybody recommend a good way to automatically quarantine IPs that attempt telnet, ssh, or similar to our wan facing interfaces?
I'd like to both quiet the logs and make any brute force attempts less likely - there is no admin access on these interfaces, but even so.
In a similar vein, is there a good way to blackhole these connections? Not sure how to do that for a particular service like telnet to wan interface.
Labels: 5.4
I would not waste my time with that; you need to trust your firewall. If you have no admin services enabled on the untrusted Internet WAN interface, why care if someone is wasting their time with a telnet or ssh probe?
PCNSE
NSE
StrongSwan
Good point. I'm not worried about the telnet attempts getting in, really.
I would like to figure out how to quiet or consolidate the thousands of logs generated, though.
For now I'm just adding -service=TELNET,SSH,PING,HTTPS to most of my FortiAnalyzer log views of (external) policy violations.
Hi tanr,
Can you post a pic of your logs? Are those logs in the Anomaly log?
You could write a custom IPS signature for failed login attempts, and have it block the source IP address if triggered. In v5.2 (?) rate limited IPS signatures even can be written in the GUI.
Has been treated (with examples) several times around here, search for 'rate limit' or such.
@ede,
Thanks for the tip, I've found a couple examples and will try them out.
@Mehdi,
Logs are visible in Log & Report > Forward Traffic Log, also in Fortiview > Threats > Blocked by Firewall Policy.
I also look at them from a few custom FortiAnalyzer views.
Great question! I shut down admin access on the WAN ports to quiet the logs, which had the unintended consequence of shutting down pings to those ports as well. If you find a signature that works well please share it.
If it's failed telnet/ssh to the FGT, an IPS custom signature would not work.
PCNSE
NSE
StrongSwan
I use local-in policies to control access to administrative services. This thread may be of interest:
https://forum.fortinet.com/tm.aspx?m=126290
(In case the link doesn't work now or in the future, the subject is "Unauthorized user attempt" started July 27, 2015.)
It looks like services denied explicitly by local-in-policy are passed directly to the implicit deny and logged there, while administrative access services that are only implicitly not available on a port (for example, when allowaccess doesn't include telnet or ssh) must go through the set of security policies until they find a match.
I want to have the Implicit Deny logging everything that falls to it, but filter out the telnet, ssh, etc. attempts.
So, it seems I can clean up my logs by
I can then either have that security policy not log anything (not good, really), or adjust my FortiAnalyzer views to normally filter out logs from that service policy.
Does this seem reasonable?
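As an added illustration of the local-in-policy approach suggested two posts up and of the cleanup plan in the post above (this is example configuration written for this page, not something posted in the thread or taken from Fortinet documentation): the WAN interface keeps only ping in allowaccess, an explicit local-in policy denies TELNET and SSH arriving on that interface, and the local-in deny log toggles under config log setting are turned off so those drops stop generating log lines. The interface name wan1, the policy ID, the comment text and the exact availability of the local-in-* log options on a 300D running 5.4.1 are assumptions; check them against your own build before pasting.

```fortios
config system interface
    edit "wan1"
        set allowaccess ping
    next
end

config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "TELNET" "SSH"
        set schedule "always"
        set comments "Drop WAN-side telnet/ssh probes without logging (example, assumed ID 1)"
    next
end

config log setting
    set local-in-allow enable
    set local-in-deny-unicast disable
    set local-in-deny-broadcast disable
end
```

Two caveats a practitioner would want. First, the local-in-deny-unicast switch is global, so it silences every local-in deny, not just the telnet/ssh one; if you need the other local-in drops logged, leave it enabled and filter in FortiAnalyzer instead, as the earlier post with the -service=TELNET,SSH,PING,HTTPS filter does. Second, a local-in policy only drops packets; it does not quarantine the source, so this answers the log-noise half of the original question and not the automatic-quarantine half. Verify the effect the way the post above describes: watch the Forward Traffic log and the implicit deny entries after applying it to see which path the denied sessions actually take on your firmware.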