Support Forum
kpatio
New Contributor II

How can I automatically block the source IPs attempting to log in as admin on my FortiGate after sev

Hi everyone,

I'm looking to enhance the security of my FortiGate device. I want to set up a rule or policy that automatically blocks the source IPs trying to log in as admin and failing multiple times. For instance, if someone tries to log in with the wrong password 3 times(or more), the source IP should be automatically banned for a certain period of time.

Could someone guide me on how to configure this on my FortiGate? Is it possible to do this directly from the admin interface, or do I need to configure any additional security profiles? Detailed instructions or any advice would be greatly appreciated.

Thanks in advance.

1 Solution
raureada
Staff

Hi @kpatio,

Please go to Log & Report > System Events, click Logs, then click the "+" sign to add a filter, choose Log Description, then find the keyword "Admin login failed".

For the automation stitch below is the link for the exact guide for your reference:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-an-automation-stitch-to-get-an-e...


6 REPLIES
AEK
SuperUser

Hello

You can increase the lockout duration (default is 60 seconds).

config system global
    set admin-lockout-duration 60
end

AEK
hhasny
Staff

Hi,

If I am not mistaken it should block the IP address for the duration set in the 'admin-lockout-duration'.

Regards,

raureada
Staff

Hi,

Below is the sample configuration:

config system global
    set admin-lockout-threshold X
    set admin-lockout-duration XX
end

X = Number of failed login attempts before an administrator account is locked out for the admin-lockout-duration.
XX = Amount of time in seconds that an administrator account is locked out after reaching the admin-lockout-threshold for repeated failed login attempts.

You can also refer to the link below for other system administrator best practices:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-System-administrator-best-practices/ta-p/1...
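
As an added example (not from this thread or from Fortinet), the Python script below replays constructed FortiGate-style "Admin login failed" event lines with the admin-lockout-threshold / admin-lockout-duration semantics described above, so you can see which source IPs would have been locked out and when; the sample log lines and their field layout are simplified assumptions, not output captured from a device.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample event-log lines in FortiGate key=value style (simplified, not from a real device).
SAMPLE_LOGS = """\
date=2024-05-01 time=10:00:01 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=203.0.113.10 status="failed"
date=2024-05-01 time=10:00:05 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=203.0.113.10 status="failed"
date=2024-05-01 time=10:00:09 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=203.0.113.10 status="failed"
date=2024-05-01 time=10:00:12 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=203.0.113.10 status="failed"
date=2024-05-01 time=10:00:30 type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=198.51.100.7 status="success"
date=2024-05-01 time=10:02:00 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=198.51.100.7 status="failed"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes from quoted values."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}

def find_lockouts(log_text, threshold=3, duration=60):
    """Replay 'Admin login failed' events per source IP the way admin-lockout-threshold (X)
    and admin-lockout-duration (XX seconds) behave: once an IP reaches `threshold` failures
    it is locked out for `duration` seconds, attempts during the lockout are reported
    separately, and the failure counter restarts once the lockout has expired."""
    failures = defaultdict(int)      # consecutive failures per srcip
    locked_until = {}                # srcip -> time the lockout expires
    lockouts, blocked_attempts = [], []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev.get("logdesc") != "Admin login failed":
            continue                 # the filter keyword from the accepted answer
        ts = datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S")
        ip = ev["srcip"]
        if ip in locked_until and ts < locked_until[ip]:
            blocked_attempts.append((ip, ts))   # this is what "where is the banned IP" looks like in the log
            continue
        failures[ip] += 1
        if failures[ip] >= threshold:
            locked_until[ip] = ts + timedelta(seconds=duration)
            lockouts.append((ip, ts, locked_until[ip]))
            failures[ip] = 0
    return lockouts, blocked_attempts

if __name__ == "__main__":
    for ip, start, end in find_lockouts(SAMPLE_LOGS)[0]:
        print(f"{ip} locked out from {start:%H:%M:%S} until {end:%H:%M:%S}")
```

Feed it a real export of the System Events log (after applying the "Admin login failed" filter) to list the source IPs that hit the threshold and the window during which further attempts were rejected.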

kpatio
New Contributor II

Hi, thanks, but if it happens, where can I find the banned IP later?

hbac

Hi @kpatio,

You can configure an automation stitch. The article below is for SSL VPN failed logins, but the procedure should be similar for admin failed logins.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Block-SSL-VPN-failed-logins-with-an-automa...

Regards,
