Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Tutek
Contributor

Created on ‎05-08-2023 02:34 AM

Forticlient SSL VPN failed login limit

Hello,

how could I set limit for failed logins using Forticlient in SSL Mode.

Now I have such settings:

FGT (settings) # show full-configuration 
config vpn ssl settings
    set login-attempt-limit 2
    set login-block-time 60

but no matter of that I can login how many time I like in forticlient and every time it return me that password is incorrect, then on the 10th time I use correct password and can login - so blocking is not working.

Labels:
5955
0 Kudos
7 REPLIES 7
srajeswaran
Staff
Staff

Created on ‎05-08-2023 02:45 AM

Can you please confirm if you are trying to login from same client IP and login attempts are made within 30 seconds?

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-SSL-VPN-timers-explanation-and-SSL-VPN-Log...

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
5952
0 Kudos
chauhans
Staff
Staff
In response to srajeswaran

Created on ‎05-08-2023 02:57 AM Edited on ‎05-08-2023 02:58 AM

Hi @Tutek 

You may also look into the below doc. Hope it will help you out.
Limit the count of failed login attempts until the user is banned:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-limit-SSL-VPN-login-attempts-and-bl...

>>Restrict the source IP address area
If your users only need access to the SSL VPN portal from a specific source address or range, you can limit the allowed source addresses to those addresses.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-block-by-country-or-geolocation/ta-...

Also, please run the below commands in the CLI and then try to connect to VPN, post that logs will be generated, please share me those logs.

diag debug reset 

diagnose vpn ssl debug-filter src-addr4

diag debug appl sslvpn -1

diag debug enable

 





5950
0 Kudos
Tutek
Contributor
In response to chauhans

Created on ‎05-08-2023 03:24 AM Edited on ‎05-08-2023 03:25 AM

where I could check on CLI or GUI if user is blocked or not?

5940
0 Kudos
Tutek
Contributor
In response to srajeswaran

Created on ‎05-08-2023 03:26 AM

Yes logins attemps are made in seconds, but I have multiple autoentication methods looks like local account get blocked (don't know how to verify this) and the domain users (radius authentication) are not getting blocked at all.

5939
0 Kudos
srajeswaran
Staff
Staff
In response to Tutek

Created on ‎05-08-2023 03:39 AM

On GUI under "User and Authentication" > "User Definition"

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
5932
0 Kudos
Tutek
Contributor
In response to srajeswaran

Created on ‎05-08-2023 03:45 AM

I have here only status column if this column shows if the user is locked out because of failed logins?

5929
0 Kudos
Tutek
Contributor
In response to srajeswaran

Created on ‎05-08-2023 03:56 AM Edited on ‎05-08-2023 03:57 AM

so I can do for local user even five wrong logins from the same laptop the same IP, status for this user on the "User and Authentication" have status "Enabled - so blocking is not working for local users. For domain (radius) users situation is the same.

5924
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.