How to unblock a banned IP on SSL-VPN?
Hi, we have a FortiGate v6.4.2 build1723 (GA) where we use SSL-VPN. Sometimes users enter the password wrong (many times) and the Forti blocks the users' public IP, and they have to wait a long time to be automatically unblocked (unbanned). How can I unblock that IP from the Forti console to allow the user to try the login again?
Labels: FortiClient
Created on ‎04-26-2022 02:40 AM Edited on ‎04-26-2022 02:40 AM
Unfortunately this is incorrect.
SSL-VPN lockout is controlled in "config vpn ssl settings":
login-attempt-limit - how many attempts are allowed <0~10; 0 = no limit, default=2>
login-block-time - how long to block an IP if the limit is reached <0~86400 seconds; default=60>
@nubi :
As for manually clearing the lockouts: As far as I am aware, there is no native mechanism to clear someone's block. You have to wait for it to expire.
If I had to guess, you might be able to reset it if you restart the sslvpnd process, but that would also drop other SSL-VPN tunnels, so it would be unfeasible in production even if it worked.
There is an existing NFR asking for this feature, so if you're interested, let your Fortinet sales contact know that you'd like to see this in a future version.
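Added example, not code from the thread or from Fortinet: a small Python model of the per-source-IP lockout that the two settings above describe, so you can see how `login-attempt-limit` and `login-block-time` interact (and why a locked-out user sees the block even with the correct password) before changing them. The semantics implemented here (consecutive failures counted per source IP, block when the count reaches the limit, counter cleared on success or when the block expires, limit 0 = no blocking) are my reading of the option descriptions, not verified FortiOS behaviour; the IP addresses and timestamps are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class SslVpnLockout:
    """Model of the lockout behind 'config vpn ssl settings'.

    Assumed semantics (from the option descriptions in the thread):
      - consecutive failed logins are counted per source IP
      - when the count reaches login_attempt_limit the IP is blocked
        for login_block_time seconds
      - a successful login clears the failure counter
      - login_attempt_limit == 0 means no blocking at all
    Time is passed in explicitly (seconds) so the model is deterministic.
    """
    login_attempt_limit: int = 2      # FortiOS default per the thread
    login_block_time: int = 60        # FortiOS default per the thread
    failures: dict = field(default_factory=dict)       # ip -> count
    blocked_until: dict = field(default_factory=dict)  # ip -> epoch seconds

    def is_blocked(self, ip: str, now: float) -> bool:
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            # Block expired: the IP is unbanned and starts with a clean counter.
            del self.blocked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def seconds_until_unblock(self, ip: str, now: float) -> float:
        """How long the user still has to wait; 0 if not blocked."""
        return max(0.0, self.blocked_until.get(ip, now) - now)

    def attempt(self, ip: str, password_ok: bool, now: float) -> str:
        """Process one login attempt and return what the user experiences.

        'blocked' - rejected before the password is even checked
        'ok'      - login succeeded, counter cleared
        'fail'    - wrong password, still below the limit
        'locked'  - wrong password that triggered the block
        """
        if self.is_blocked(ip, now):
            return "blocked"
        if password_ok:
            self.failures.pop(ip, None)
            return "ok"
        count = self.failures.get(ip, 0) + 1
        self.failures[ip] = count
        if self.login_attempt_limit and count >= self.login_attempt_limit:
            self.blocked_until[ip] = now + self.login_block_time
            return "locked"
        return "fail"


def replay(limit: int, block_time: int, events) -> list:
    """Run a sequence of (time, ip, password_ok) events through one model."""
    lock = SslVpnLockout(login_attempt_limit=limit, login_block_time=block_time)
    return [lock.attempt(ip, ok, t) for t, ip, ok in events]


# Constructed event stream: one user mistypes three times, then gets it
# right while still blocked, a second user fails once, and the first user
# comes back after the block window.
CONSTRUCTED_EVENTS = [
    (0,   "203.0.113.10", False),
    (5,   "203.0.113.10", False),
    (10,  "203.0.113.10", False),
    (20,  "203.0.113.10", True),   # correct password, but is the IP blocked?
    (30,  "198.51.100.7", False),  # unrelated source, own counter
    (200, "203.0.113.10", True),   # after both 60 s and 180 s windows
]

if __name__ == "__main__":
    print("default 2/60   :", replay(2, 60, CONSTRUCTED_EVENTS))
    print("thread's 3/180 :", replay(3, 180, CONSTRUCTED_EVENTS))
    print("limit 0 (off)  :", replay(0, 60, CONSTRUCTED_EVENTS))
```

With the defaults, the second wrong password already locks the IP, and the correct password at t=20 is rejected as "blocked"; with the 3/180 values the original poster ended up using, the user gets a third try but then waits three times longer. Raising `login-attempt-limit` therefore helps typo-prone users, while `login-block-time` is the knob that decides how long a locked-out user (and everyone else behind the same NAT address) is stuck.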
Hi Nubi,
You can set the auth lockout duration to the minimum you want, or even increase the number of attempts a user gets to enter their password correctly.
```
#config user setting
#set auth-lockout?
auth-lockout-threshold -> Maximum number of failed login attempts before login lockout is triggered.
auth-lockout-duration -> Lockout period in seconds after too many login failures.
#end
```
Best regards,
Jin
Thank you so much! I applied that solution and it's working as expected.
I did:
```
config vpn ssl settings
set login-attempt-limit 3
set login-block-time 180
end
```