Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Tutek
Contributor

Forticlient SSL VPN failed login limit

Hello,

how could I set limit for failed logins using Forticlient in SSL Mode.

Now I have such settings:

FGT (settings) # show full-configuration 
config vpn ssl settings
    set login-attempt-limit 2
    set login-block-time 60

but no matter of that I can login how many time I like in forticlient and every time it return me that password is incorrect, then on the 10th time I use correct password and can login - so blocking is not working.

7 REPLIES 7
srajeswaran
Staff
Staff

Can you please confirm if you are trying to login from same client IP and login attempts are made within 30 seconds?

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-SSL-VPN-timers-explanation-and-SSL-VPN-Log...

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
chauhans

Hi @Tutek 

You may also look into the below doc. Hope it will help you out.
Limit the count of failed login attempts until the user is banned:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-limit-SSL-VPN-login-attempts-and-bl...

>>Restrict the source IP address area
If your users only need access to the SSL VPN portal from a specific source address or range, you can limit the allowed source addresses to those addresses.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-block-by-country-or-geolocation/ta-...

Also, please run the below commands in the CLI and then try to connect to VPN, post that logs will be generated, please share me those logs.

diag debug reset 

diagnose vpn ssl debug-filter src-addr4

diag debug appl sslvpn -1

diag debug enable

 





Tutek

where I could check on CLI or GUI if user is blocked or not?

Tutek

Yes logins attemps are made in seconds, but I have multiple autoentication methods looks like local account get blocked (don't know how to verify this) and the domain users (radius authentication) are not getting blocked at all.

srajeswaran

On GUI under "User and Authentication" > "User Definition"

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
Tutek

I have here only status column if this column shows if the user is locked out because of failed logins?

Tutek

so I can do for local user even five wrong logins from the same laptop the same IP, status for this user on the "User and Authentication" have status "Enabled - so blocking is not working for local users. For domain (radius) users situation is the same.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors