New Contributor III

"Too many login failures." by administrator - how to reset lockout?

Hi Fortigurus,

If an administrator has entered the "Too many login failures. Please try again in a few minutes..." lockout state, using a CLI command, how can I see which administrator is locked out, and what's the CLI command to unlock (before expiry)?

R's, Alex


New Contributor III

emnoc wrote:
What is your lock-out time? 1, 2, 3 mins or what?

Ideally, if ADMINISTRATOR can't authenticate, lockout is indefinite. Unlocked only by another administrator.




Invalid SSL VPN logins are not the same as invalid admin logins (what your question was about). Not all situations which appear to be 'similar' need to be handled in a similar fashion in FortiOS.

SSLVPN is IMHO just a user login, and I would have expected to see violators in the quarantine. But the threshold is def. not set in 'admin-lockout-threshold'.



config vpn ssl settings

set login-attempt-limit {integer} SSL VPN maximum login attempt times before block (0 - 10, default = 2, 0 = no limit). range[0-4294967295]

set login-block-time {integer} Time for which a user is blocked from logging in after too many failed login attempts (0 - 86400 sec, default = 60). range[0-4294967295]


and I would expect failed login IPs in User > Quarantine.


Ede
"Kernel panic: Aiee, killing interrupt handler!"
Esteemed Contributor III

 Ideally, if ADMINISTRATOR can't authenticate, lockout is indefinite. Unlocked only by another administrator.


Not correct by any means. Also, when your address is locked out you can use another address and the same admin account to log in. If what you stated was correct, a hacker could conduct a denial of service attack and lock out any "admin" account.


Btw, I never use the default "admin" for the system in a fortigate.



Ken Felix




PCNSE NSE StrongSwan
New Contributor III

Perhaps you scrutinise every alertemail or log message - you’ll notice consistently wrong credentials indicative of brute force. I don’t/can’t, so, to have this indelibly flagged I want indefinite lockout, requiring human intervention (not just to unlock but to determine context). (Our admin trustedhost addresses include a variety of address spaces, including a static VPN address.)
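
Added example, not part of any post in this thread and not Fortinet code: one way to get a persistent brute-force flag without indefinite lockout is to count failed admin logins per source address over a sliding window in exported logs and hand the result to a human for review. The log lines are constructed, and the field names (logdesc, user, srcip, status) and the function names are assumptions to be matched to your own log export.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in key=value form. Field names are assumptions
# for illustration; adjust them to what your device actually logs.
SAMPLE_LOG = '''\
date=2024-05-01 time=10:00:01 logdesc="Admin login failed" user="admin" srcip=198.51.100.7 status="failed"
date=2024-05-01 time=10:00:09 logdesc="Admin login failed" user="root" srcip=198.51.100.7 status="failed"
date=2024-05-01 time=10:00:20 logdesc="Admin login failed" user="admin" srcip=198.51.100.7 status="failed"
date=2024-05-01 time=10:01:30 logdesc="Admin login failed" user="alex" srcip=192.0.2.10 status="failed"
date=2024-05-01 time=10:02:00 logdesc="Admin login successful" user="alex" srcip=192.0.2.10 status="success"
date=2024-05-01 time=10:30:00 logdesc="Admin login failed" user="alex" srcip=192.0.2.10 status="failed"
'''

KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: (q if raw.startswith('"') else raw) for k, raw, q in KV.findall(line)}

def flag_sources(log_text, threshold=3, window_s=300):
    """Return {srcip: sorted usernames tried} for every source address that
    produced >= threshold failed admin logins within window_s seconds.
    Lines are assumed to be in chronological order."""
    recent = defaultdict(deque)   # srcip -> timestamps of failures still in window
    users = defaultdict(set)      # srcip -> every username seen failing from it
    flagged = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("status") != "failed" or "Admin login" not in ev.get("logdesc", ""):
            continue
        ts = datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S")
        q = recent[ev["srcip"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()           # drop failures that fell out of the window
        users[ev["srcip"]].add(ev.get("user", "?"))
        if len(q) >= threshold:   # the flag persists once set, for human review
            flagged[ev["srcip"]] = sorted(users[ev["srcip"]])
    return flagged

if __name__ == "__main__":
    for ip, names in flag_sources(SAMPLE_LOG).items():
        print(f"review {ip}: failed admin logins for {', '.join(names)}")
```

Keying on the source address rather than the account means a single mistyped password from a trusted host is not flagged, while several account names tried from one address are reported together.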
New Contributor


diagnose user banned-ip [option]


list List banned IPs.
add Add banned IP address.
delete Delete banned IP address.
clear Clear all banned IP addresses.
stat stat


Hello @AlexFeren  ,


Thank you for contacting the Fortinet Forum portal.

Please refer to the article below.



Best regards,



If you feel the above steps helped to resolve the issue mark the reply as solved so that other customers can get it easily while searching on similar scenarios.


