I was hoping for something more immediate than waiting for timeout. Does same answer apply to SSL VPN users?

If you have individual accounts, have another admin log in and look at the logs. Or maybe syslog?

My issue isn't knowing of lockout but resetting it.

I think some issues are not clear, when you get the reject it's not for a user but a IP-addr. So the FGT has no clue nor care what the user account is that keeps failing.

 

The command to see current login users "get sys admin list"

 

If you need to look for log messages; in the category of events

 

Ken Felix

 

 

 

Received alertemails: Message meets Alert condition The following critical firewall event was detected: Admin login disabled. date=2020-01-25 time=18:06:10 devname=FWF61EXXXXXXX devid=FWF61EXXXXXXX logid="0100032021" type="event" subtype="system" level="alert" vd="root" eventtime=1579935970 logdesc="Admin login disabled" ui="192.168.1.21" action="login" status="failed" reason="exceed_limit" msg="Login disabled from IP 192.168.1.21 for 60 seconds because of 3 bad attempts" Message meets Alert condition The following critical firewall event was detected: Admin login failed. date=2020-01-25 time=18:06:10 devname=FWF61EXXXXXXX devid=FWF61EXXXXXXX logid="0100032002" type="event" subtype="system" level="alert" vd="root" eventtime=1579935970 logdesc="Admin login failed" sn="0" user="alex_admin" ui="https(192.168.1.21)" method="https" srcip=192.168.1.21 dstip=192.168.1.2 action="login" status="failed" reason="passwd_invalid" msg="Administrator alex_admin login failed from https(192.168.1.21) because of invalid password" Message meets Alert condition The following critical firewall event was detected: Admin login failed. date=2020-01-25 time=18:06:05 devname=FWF61EXXXXXXX devid=FWF61EXXXXXXX logid="0100032002" type="event" subtype="system" level="alert" vd="root" eventtime=1579935965 logdesc="Admin login failed" sn="0" user="alex_admin" ui="https(192.168.1.21)" method="https" srcip=192.168.1.21 dstip=192.168.1.2 action="login" status="failed" reason="passwd_invalid" msg="Administrator alex_admin login failed from https(192.168.1.21) because of invalid password"   You're correct, I assumed wrong - the login failures are username/IP-specific, but the lockout (topmost) is IP.

 

The gist of question still remains, is it possible to undo a lockout (now, from IP, instead of administrator username)? And, does the same apply to SSL VPN lockout?

Have you tried

diag user quarantine list

diag user quarantine delete src4 x.x.x.x?

 

It's meant for user quarantine by IPS/AppCtrl but it might apply to admin lockout as well...surprisingly hard to test without a helping hand. If it applies you would see the q'ed IP with the 'list' command.

Tried.. Entered wrong SSL VPN credentials more than 3 times, browser showing "Too many bad login attempts. Please try again in a few minutes." and received 3 emailalerts, of type:

Message meets Alert condition The following critical firewall event was detected: SSL VPN login fail. [size="2"] date=2020-01-27 time=13:13:32 devname=FWF61EXXXXXXX devid=FWF61EXXXXXXX logid="0101039426" type="event" subtype="vpn" level="alert" vd="root" eventtime=1580091212 logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" tunnelid=0 remip=45.125.247.196 user="alex" group="N/A" dst_host="N/A" reason="sslvpn_login_unknown_user" msg="SSL user failed to logged in"[/size]

Interestingly, no alert about lockout! On CLI: FWF61E4Q16001082 # diagnose user quarantine list src-ip-addr       created                  expires                  cause             FWF61E4Q16001082 #  

I can't think of anything that would let you unlock and user/ip but what is your lock-out time?  1 2 3  mins or what ?

 

Ken Felix