jdlanuza
New Contributor

The following critical firewall event was detected: Admin login failed

date=2023-12-13 9 time=11:56:25 devname=FGT200xxxxxxxxx=FG200xxxxxxxxx eventtime=1885229385635990681 tz="+0100" logid="0122032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" sn="0" user="admin" ui="https(89.248.192.55)" method="https" srcip=xxx.xxx.xxx.xxx. dstip=xxx.xxx.xxx.xxx action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from https(xxx.xxx.xxx.xxx) because of invalid password"

 

 

How can I block that IP on FortiGate?

1 Solution
hbac
Staff

 Hi @jdlanuza

 

You can block that IP address by configuring local-in-policy. Please refer to https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/363127/local-in-policy

 

As per the best practices, you shouldn't have HTTP/HTTPS access enabled on the public facing interfaces. You can also configure trusted hosts. Please refer to https://community.fortinet.com/t5/FortiGate/Technical-Tip-System-administrator-best-practices/ta-p/1... 

 

Regards, 
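
The configuration the answer above describes, written out as an added example (it is not part of the original post or of Fortinet's documentation). The interface name `wan1`, the address-object name, the policy ID and the addresses 203.0.113.45 and 192.0.2.0/24 are placeholder assumptions; substitute the source address from the log's `ui`/`srcip` field and your own management subnet.

```fortios
# Constructed placeholders: 203.0.113.45 (source to block), 192.0.2.0/24
# (management subnet), "wan1" (public-facing interface).

# 1. Address object for the source seen in the failed-login event.
config firewall address
    edit "blocked-admin-src"
        set subnet 203.0.113.45 255.255.255.255
    next
end

# 2. Local-in policy: drop HTTPS from that source to the FortiGate itself.
#    Use a policy ID that is not already taken. The predefined "HTTPS"
#    service matches TCP/443; a custom admin port needs a custom service.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "blocked-admin-src"
        set dstaddr "all"
        set service "HTTPS"
        set schedule "always"
        set action deny
        set status enable
    next
end

# 3. Trusted hosts: only the management subnet may log in as "admin".
config system admin
    edit "admin"
        set trusthost1 192.0.2.0 255.255.255.0
    next
end

# 4. Best practice from the answer: no HTTP/HTTPS on the public interface.
#    "set allowaccess" replaces the whole list, so list what must remain.
config system interface
    edit "wan1"
        set allowaccess ping
    next
end
```

Step 2 blocks a single source, while steps 3 and 4 remove the exposure that allowed the login attempt. Trusted hosts only restrict administrative access when every administrator account has at least one configured.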
