crp0499-onsite
New Contributor II

SSL VPN issues on my E61

So, I have an E61 firewall and it's got a nice SSL VPN on it for my 10 or so users who are in other countries. These users connect and we are using an LDAP integration for authentication.

Today, I found out that people are trying to access the SSL VPN using real usernames from the org, and when they enter the wrong password three times, the user is locked out of Active Directory.

For now, the SSL VPN is disabled.

I need a solution for this.

My first thought is to get some tokens and enable 2FA.

Can some of you experts make some suggestions about how to best mitigate this?

Thanks

1 Solution
crp0499-onsite
New Contributor II

I opened a ticket with FG and they recommended the dialup SSL VPN using a preshared key.

I opted for 40 tokens and turning on 2FA.

3 REPLIES
Toshi_Esumi
SuperUser

This is Google's answer when I searched with "windows AD lockout after three failed attempts". You can get the same yourself.

AI Overview

In a Windows Active Directory (AD) environment, a user account will typically be locked out after three failed login attempts, meaning if someone enters the wrong password three times in a row, their account will be temporarily blocked from accessing the system; this is considered a standard setting to prevent brute-force password attacks.

Key points about AD account lockouts:

Threshold setting: The number of failed attempts before lockout is customizable through Group Policy and is often set to "3" as a default.

Security measure: Account lockouts are a crucial security feature to prevent unauthorized access by automatically blocking accounts after multiple incorrect password attempts.

How to manage account lockout settings:

Access Group Policy: Navigate to "Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy" to modify the lockout threshold and duration.

Considerations: Setting the threshold too low can lead to accidental lockouts due to typos, while setting it too high might allow attackers more attempts to guess the password.

Toshi
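
The threshold trade-off described in the reply above, as an added example that is not part of the original thread: a Python replay of VPN login events through an AD-style bad-password counter, showing which accounts a given lockout threshold and reset window would lock and from which source addresses. The log lines are constructed, and the key=value layout, the field names (`action`, `user`, `srcip`) and the 30-minute window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not taken from the thread. The key=value layout
# and the field names (action, user, srcip) are assumptions for illustration.
SAMPLE_LOG = """\
date=2024-05-01 time=09:00:05 action=login-fail user=asmith srcip=198.51.100.7
date=2024-05-01 time=09:00:40 action=login-fail user=asmith srcip=203.0.113.21
date=2024-05-01 time=09:01:10 action=login-fail user=bjones srcip=192.0.2.44
date=2024-05-01 time=09:01:30 action=login-ok user=bjones srcip=192.0.2.44
date=2024-05-01 time=09:01:55 action=login-fail user=asmith srcip=198.51.100.9
date=2024-05-01 time=09:02:00 action=login-fail user=cwu srcip=203.0.113.21
date=2024-05-01 time=09:02:30 action=login-fail user=cwu srcip=203.0.113.21
date=2024-05-01 time=10:00:00 action=login-fail user=cwu srcip=203.0.113.21
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    ev = dict(KV.findall(line))
    ev["ts"] = datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")
    return ev

def simulate_lockouts(lines, threshold=3, window=timedelta(minutes=30)):
    """Replay VPN logins through an AD-style bad-password counter.

    The counter resets on a successful login or when the previous failure is
    older than `window`; the account locks when it reaches `threshold`.
    Returns {user: {"at": datetime, "sources": [ip, ...]}}.
    """
    count, last_fail, sources, locked = defaultdict(int), {}, defaultdict(set), {}
    events = sorted((parse(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    for ev in events:
        user = ev["user"]
        stale = user in last_fail and ev["ts"] - last_fail[user] > window
        if ev["action"] != "login-fail" or stale:
            count[user] = 0          # success or expired window clears the streak
            sources[user].clear()
        if ev["action"] != "login-fail":
            continue
        count[user] += 1
        last_fail[user] = ev["ts"]
        sources[user].add(ev["srcip"])
        if count[user] >= threshold and user not in locked:
            locked[user] = {"at": ev["ts"], "sources": sorted(sources[user])}
    return locked

if __name__ == "__main__":
    for t in (3, 10):
        print(t, simulate_lockouts(SAMPLE_LOG.splitlines(), threshold=t))
```

Several distinct source addresses behind one account's lockout point to outside guessing rather than a user typo, which a single-address failure followed by a success suggests.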

crp0499-onsite
New Contributor II

Thank you Toshi. 
