AlexFeren
New Contributor III

"Too many login failures." by administrator - how to reset lockout?

Hi Fortigurus,

If an administrator has entered the "Too many login failures. Please try again in a few minutes..." lockout state, how can I see, using a CLI command, which administrator is locked out, and what's the CLI command to unlock (before expiry)?

R's, Alex

ShawnZA
Contributor II

Wait for the time to expire and change the thresholds for the lockout

AlexFeren
New Contributor III

I was hoping for something more immediate than waiting for the timeout. Does the same answer apply to SSL VPN users?
rwpatterson
Valued Contributor III

If you have individual accounts, have another admin log in and look at the logs. Or maybe syslog?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

AlexFeren

My issue isn't knowing about the lockout but resetting it.

emnoc
Esteemed Contributor III

I think some issues are not clear: when you get the reject, it's not for a user but for an IP address. So the FGT has no clue, nor cares, what the user account is that keeps failing.

The command to see currently logged-in users is "get sys admin list".

If you need to look for log messages, they are in the events category.

Ken Felix

PCNSE
NSE
StrongSwan
AlexFeren
New Contributor III

Received alert emails:

Message meets Alert condition The following critical firewall event was detected: Admin login disabled.
date=2020-01-25 time=18:06:10 devname=FWF61EXXXXXXX devid=FWF61EXXXXXXX logid="0100032021" type="event" subtype="system" level="alert" vd="root" eventtime=1579935970 logdesc="Admin login disabled" ui="192.168.1.21" action="login" status="failed" reason="exceed_limit" msg="Login disabled from IP 192.168.1.21 for 60 seconds because of 3 bad attempts"

Message meets Alert condition The following critical firewall event was detected: Admin login failed.
date=2020-01-25 time=18:06:10 devname=FWF61EXXXXXXX devid=FWF61EXXXXXXX logid="0100032002" type="event" subtype="system" level="alert" vd="root" eventtime=1579935970 logdesc="Admin login failed" sn="0" user="alex_admin" ui="https(192.168.1.21)" method="https" srcip=192.168.1.21 dstip=192.168.1.2 action="login" status="failed" reason="passwd_invalid" msg="Administrator alex_admin login failed from https(192.168.1.21) because of invalid password"

Message meets Alert condition The following critical firewall event was detected: Admin login failed.
date=2020-01-25 time=18:06:05 devname=FWF61EXXXXXXX devid=FWF61EXXXXXXX logid="0100032002" type="event" subtype="system" level="alert" vd="root" eventtime=1579935965 logdesc="Admin login failed" sn="0" user="alex_admin" ui="https(192.168.1.21)" method="https" srcip=192.168.1.21 dstip=192.168.1.2 action="login" status="failed" reason="passwd_invalid" msg="Administrator alex_admin login failed from https(192.168.1.21) because of invalid password"

You're correct, I assumed wrong: the login failures are username/IP-specific, but the lockout (topmost) is by IP.

The gist of the question still remains: is it possible to undo a lockout (now from an IP, instead of an administrator username)? And does the same apply to SSL VPN lockout?

ede_pfau
Esteemed Contributor III

Have you tried the following?

diag user quarantine list
diag user quarantine delete src4 x.x.x.x

It's meant for user quarantine by IPS/AppCtrl, but it might apply to admin lockout as well... surprisingly hard to test without a helping hand. If it applies, you would see the quarantined IP with the 'list' command.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
AlexFeren
New Contributor III

Tried. Entered wrong SSL VPN credentials more than 3 times; the browser shows "Too many bad login attempts. Please try again in a few minutes." and I received 3 email alerts of this type:

Message meets Alert condition The following critical firewall event was detected: SSL VPN login fail.
date=2020-01-27 time=13:13:32 devname=FWF61EXXXXXXX devid=FWF61EXXXXXXX logid="0101039426" type="event" subtype="vpn" level="alert" vd="root" eventtime=1580091212 logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" tunnelid=0 remip=45.125.247.196 user="alex" group="N/A" dst_host="N/A" reason="sslvpn_login_unknown_user" msg="SSL user failed to logged in"

Interestingly, no alert about lockout! On CLI:

FWF61E4Q16001082 # diagnose user quarantine list
src-ip-addr       created                  expires                  cause
FWF61E4Q16001082 #
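The alert e-mails quoted in this thread (the admin lockout/failure events above and the SSL VPN failure event here) are FortiGate key=value event logs. As an added example, not code from the thread or from Fortinet, the following Python parser pulls the locked-out source IP and lockout duration out of the logid 0100032021 message and tallies failed admin and SSL VPN logins per user/IP, so the locked-out address can be read straight from exported logs or syslog. The sample lines are constructed from the formats shown in the thread (same logids and reason codes; device names and the SSL VPN remote IP are placeholders).

```python
import re
from collections import Counter

# Constructed sample lines modelled on the alert e-mails quoted in the thread
# (same logids and reason codes; placeholder device name and remote IP).
SAMPLE_LOGS = [
    'date=2020-01-25 time=18:06:05 devname=FWF61EXXXXXXX logid="0100032002" type="event" subtype="system" '
    'level="alert" vd="root" logdesc="Admin login failed" user="alex_admin" ui="https(192.168.1.21)" srcip=192.168.1.21 '
    'action="login" status="failed" reason="passwd_invalid" msg="Administrator alex_admin login failed from https(192.168.1.21) because of invalid password"',
    'date=2020-01-25 time=18:06:10 devname=FWF61EXXXXXXX logid="0100032002" type="event" subtype="system" '
    'level="alert" vd="root" logdesc="Admin login failed" user="alex_admin" ui="https(192.168.1.21)" srcip=192.168.1.21 '
    'action="login" status="failed" reason="passwd_invalid" msg="Administrator alex_admin login failed from https(192.168.1.21) because of invalid password"',
    'date=2020-01-25 time=18:06:10 devname=FWF61EXXXXXXX logid="0100032021" type="event" subtype="system" '
    'level="alert" vd="root" logdesc="Admin login disabled" ui="192.168.1.21" action="login" status="failed" '
    'reason="exceed_limit" msg="Login disabled from IP 192.168.1.21 for 60 seconds because of 3 bad attempts"',
    'date=2020-01-27 time=13:13:32 devname=FWF61EXXXXXXX logid="0101039426" type="event" subtype="vpn" '
    'level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" tunnelid=0 '
    'remip=203.0.113.9 user="alex" group="N/A" dst_host="N/A" reason="sslvpn_login_unknown_user" msg="SSL user failed to logged in"',
]

# key=value pairs; quoted values may contain spaces and parentheses, unquoted ones may not
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# the msg text FortiGate emits for an admin lockout (logid 0100032021)
LOCKOUT_RE = re.compile(r"Login disabled from IP (\S+) for (\d+) seconds because of (\d+) bad attempts")


def parse_fortigate_log(line):
    """Split one FortiGate event line into a dict of field -> value."""
    return {key: quoted or unquoted for key, quoted, unquoted in KV_RE.findall(line)}


def summarize(lines):
    """Return lockouts as (ip, seconds, attempts) plus failure counters keyed by (user, ip)."""
    lockouts, admin_fail, sslvpn_fail = [], Counter(), Counter()
    for line in lines:
        ev = parse_fortigate_log(line)
        logid = ev.get("logid")
        if logid == "0100032021":                      # Admin login disabled: lockout is per source IP
            m = LOCKOUT_RE.search(ev.get("msg", ""))
            if m:
                lockouts.append((m.group(1), int(m.group(2)), int(m.group(3))))
        elif logid == "0100032002":                    # Admin login failed: per user and source IP
            admin_fail[(ev.get("user"), ev.get("srcip"))] += 1
        elif logid == "0101039426":                    # SSL VPN login fail: per user and remote IP
            sslvpn_fail[(ev.get("user"), ev.get("remip"))] += 1
    return {"lockouts": lockouts, "admin_failures": admin_fail, "sslvpn_failures": sslvpn_fail}


if __name__ == "__main__":
    for name, value in summarize(SAMPLE_LOGS).items():
        print(name, dict(value) if isinstance(value, Counter) else value)
```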
emnoc
Esteemed Contributor III

I can't think of anything that would let you unlock a user/IP, but what is your lock-out time? 1, 2, 3 mins, or what?

Ken Felix

PCNSE
NSE
StrongSwan