Hi everyone,
I'm looking to enhance the security of my FortiGate device. I want to set up a rule or policy that automatically blocks the source IPs trying to log in as admin and failing multiple times. For instance, if someone tries to log in with the wrong password 3 times(or more), the source IP should be automatically banned for a certain period of time.
Could someone guide me on how to configure this on my FortiGate? Is it possible to do this directly from the admin interface, or do I need to configure any additional security profiles? Detailed instructions or any advice would be greatly appreciated.
Thanks in advance.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi @kpatio,
Please go to the Log & Report > System Events, Click Logs, Then click the "+" sign to add a filter choose Log Description then find the keyword "Admin login failed"
For the automation stitch below is the link for the exact guide for your reference:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-an-automation-stitch-to-get-an-e...
Hello
You can increase the lockout duration (default is 60 seconds).
config system global
set admin-lockout-duration 60
Hi,
If I am not mistaken it should block the IP address for the duration set in the 'admin-lockout-duration'.
regards,
Hi
Below is the sample configuration:
config system global
set admin-lockout-threshold X
set admin-lockout-duration XX
end
X = Number of failed login attempts before an administrator account is locked out for the admin-lockout-duration.
XX = Amount of time in seconds that an administrator account is locked out after reaching the admin-lockout-threshold for repeated failed login attempts.
You can also refer on the below link for other system admin best practices:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-System-administrator-best-practices/ta-p/1...
Hi, thanks, but if it happens where can i find later the banned ip ?
Hi @kpatio,
You can configure automation stitch. The article below is for SSLVPN failed login but it should be similar procedure for admin failed login.
Regards,
Hi @kpatio,
Please go to the Log & Report > System Events, Click Logs, Then click the "+" sign to add a filter choose Log Description then find the keyword "Admin login failed"
For the automation stitch below is the link for the exact guide for your reference:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-an-automation-stitch-to-get-an-e...
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.