Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
AlexFeren
New Contributor III

"Too many login failures." by administrator - how to reset lockout?

Hi Fortigurus,

if an administrator has entered "Too many login failures. Please try again in a few minutes..." lockout state, using CLI command, how can I see which administrator is locked-out and what's the CLI command to unlock (before expiry)?

R's, Alex

 

15 REPLIES 15
AlexFeren
New Contributor III

emnoc wrote:
what is your lock-out time?  1 2 3  mins or what ?

Ideally, if ADMINISTRATOR can't authenticate, lockout is indefinite. Unlocked only by another administrator.

ede_pfau
Esteemed Contributor III

Alex,

 

invalid SSL VPN logins is not the same as invalid admin logins (what your question was about). Not all situations which appear to be 'similar' need to be handled in a similar fashion in FortiOS.

SSLVPN is IMHO just a user login, and I would have expected to see violators in the quarantine. But the threshold is def. not set in 'admin-lockout-threshold'.

 

edit:

config vpn ssl settings

set login-attempt-limit {integer} SSL VPN maximum login attempt times before block (0 - 10, default = 2, 0 = no
limit). range[0-4294967295]

set login-block-time {integer} Time for which a user is blocked from logging in after too many failed login attempts
(0 - 86400 sec, default = 60). range[0-4294967295]

 

and I would expect failed login IPs in User > Quarantine.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
emnoc
Esteemed Contributor III

 Ideally, if ADMINISTRATOR can't authenticate, lockout is indefinite. Unlocked only by another administrator.

 

Not correct by any means, also when your address is locked out you can use another address and the same admin account to login in. If what you stated was correct, a hacker could conduct a denial of service attack and lock out any "admin" account.

 

Btw, I never use the default "admin" for the system in a fortigate.

 

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
AlexFeren
New Contributor III

Perhaps you scrutinise every alertemail or log messages - you’ll notice consistently wrong credentials indicative of brute force. I don’t/can’t, so, to have this indelibly flagged I want indefinite lockout, requiring human intervention (not just to unlock but to determine context). (Our admin trustedhost addresses include a variety of address spaces, including is a static VPN address.)
djp
New Contributor

7.2.6

diagnose user banned-ip [option]

 


list List banned IPs.
add Add banned IP address.
delete Delete banned IP address.
clear Clear all banned IP addresses.
stat stat

mpeddalla
Staff
Staff

Hello @AlexFeren  ,

 

Thank you for contacting the Fortinet Forum portal.

Please refer to below article

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-clear-disabled-admin-lockout/ta-p/2...

 

 

Best regards,

Manasa.

 

If you feel the above steps helped to resolve the issue mark the reply as solved so that other customers can get it easily while searching on similar scenarios.

 

 

Top Kudoed Authors