Hi Fortigurus,
If an administrator has entered the "Too many login failures. Please try again in a few minutes..." lockout state, how can I see, using a CLI command, which administrator is locked out, and what's the CLI command to unlock (before expiry)?
R's, Alex
Wait for the time to expire, and change the thresholds for the lockout.
If you have individual accounts, have another admin log in and look at the logs. Or maybe syslog?
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
My issue isn't knowing about the lockout but resetting it.
I think some issues are not clear: when you get the reject, it's not for a user but for an IP address. So the FGT has no clue, nor cares, what the user account is that keeps failing.
The command to see current login users is "get sys admin list".
If you need to look for log messages, they are in the event category.
Ken Felix
PCNSE
NSE
StrongSwan
Received alert emails:

Message meets Alert condition
The following critical firewall event was detected: Admin login disabled.
date=2020-01-25 time=18:06:10 devname=FWF61EXXXXXXX devid=FWF61EXXXXXXX logid="0100032021" type="event" subtype="system" level="alert" vd="root" eventtime=1579935970 logdesc="Admin login disabled" ui="192.168.1.21" action="login" status="failed" reason="exceed_limit" msg="Login disabled from IP 192.168.1.21 for 60 seconds because of 3 bad attempts"

Message meets Alert condition
The following critical firewall event was detected: Admin login failed.
date=2020-01-25 time=18:06:10 devname=FWF61EXXXXXXX devid=FWF61EXXXXXXX logid="0100032002" type="event" subtype="system" level="alert" vd="root" eventtime=1579935970 logdesc="Admin login failed" sn="0" user="alex_admin" ui="https(192.168.1.21)" method="https" srcip=192.168.1.21 dstip=192.168.1.2 action="login" status="failed" reason="passwd_invalid" msg="Administrator alex_admin login failed from https(192.168.1.21) because of invalid password"

Message meets Alert condition
The following critical firewall event was detected: Admin login failed.
date=2020-01-25 time=18:06:05 devname=FWF61EXXXXXXX devid=FWF61EXXXXXXX logid="0100032002" type="event" subtype="system" level="alert" vd="root" eventtime=1579935965 logdesc="Admin login failed" sn="0" user="alex_admin" ui="https(192.168.1.21)" method="https" srcip=192.168.1.21 dstip=192.168.1.2 action="login" status="failed" reason="passwd_invalid" msg="Administrator alex_admin login failed from https(192.168.1.21) because of invalid password"

You're correct, I assumed wrong - the login failures are username/IP-specific, but the lockout (topmost) is per IP.
The gist of the question still remains: is it possible to undo a lockout (now from an IP, instead of an administrator username)? And does the same apply to the SSL VPN lockout?
Have you tried
diag user quarantine list
diag user quarantine delete src4 x.x.x.x?
It's meant for user quarantine by IPS/AppCtrl, but it might apply to admin lockout as well... surprisingly hard to test without a helping hand. If it applies, you would see the quarantined IP with the 'list' command.
Tried. Entered wrong SSL VPN credentials more than 3 times; the browser showed "Too many bad login attempts. Please try again in a few minutes." and I received 3 email alerts, of this type:

Message meets Alert condition
The following critical firewall event was detected: SSL VPN login fail.
date=2020-01-27 time=13:13:32 devname=FWF61EXXXXXXX devid=FWF61EXXXXXXX logid="0101039426" type="event" subtype="vpn" level="alert" vd="root" eventtime=1580091212 logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" tunnelid=0 remip=45.125.247.196 user="alex" group="N/A" dst_host="N/A" reason="sslvpn_login_unknown_user" msg="SSL user failed to logged in"

Interestingly, no alert about lockout! On CLI:

FWF61E4Q16001082 # diagnose user quarantine list
src-ip-addr created expires cause
FWF61E4Q16001082 #

I can't think of anything that would let you unlock a user/IP, but what is your lock-out time? 1, 2, 3 mins or what?
Ken Felix
PCNSE
NSE
StrongSwan
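As an added example (not code from this thread or from Fortinet), the following Python parses the key=value event-log lines quoted above (admin login failed, admin login disabled, and SSL VPN login fail), counts failures per user and source IP, and works out from each "Admin login disabled" event whether its lockout window is still open at a given time. It answers the question from the log side: the lockout is keyed to the IP, and its expiry is eventtime plus the duration stated in msg. The sample lines are constructed after the thread's format, with the serial masked as in the thread and the SSL VPN source replaced by a documentation address; the logid values are the ones the thread shows.

```python
"""Triage FortiGate admin / SSL VPN login failures from event-log lines.

Added example, not from the thread or from Fortinet. SAMPLE_LOGS are constructed
after the alert emails quoted in the thread (log portion only).
"""
import re
from collections import Counter

# Constructed sample lines (serial masked; SSL VPN source is a documentation IP).
SAMPLE_LOGS = [
    'date=2020-01-25 time=18:06:05 devname=FWF61EXXXXXXX devid=FWF61EXXXXXXX '
    'logid="0100032002" type="event" subtype="system" level="alert" vd="root" '
    'eventtime=1579935965 logdesc="Admin login failed" sn="0" user="alex_admin" '
    'ui="https(192.168.1.21)" method="https" srcip=192.168.1.21 dstip=192.168.1.2 '
    'action="login" status="failed" reason="passwd_invalid" '
    'msg="Administrator alex_admin login failed from https(192.168.1.21) because of invalid password"',
    'date=2020-01-25 time=18:06:10 devname=FWF61EXXXXXXX devid=FWF61EXXXXXXX '
    'logid="0100032002" type="event" subtype="system" level="alert" vd="root" '
    'eventtime=1579935970 logdesc="Admin login failed" sn="0" user="alex_admin" '
    'ui="https(192.168.1.21)" method="https" srcip=192.168.1.21 dstip=192.168.1.2 '
    'action="login" status="failed" reason="passwd_invalid" '
    'msg="Administrator alex_admin login failed from https(192.168.1.21) because of invalid password"',
    'date=2020-01-25 time=18:06:10 devname=FWF61EXXXXXXX devid=FWF61EXXXXXXX '
    'logid="0100032021" type="event" subtype="system" level="alert" vd="root" '
    'eventtime=1579935970 logdesc="Admin login disabled" ui="192.168.1.21" '
    'action="login" status="failed" reason="exceed_limit" '
    'msg="Login disabled from IP 192.168.1.21 for 60 seconds because of 3 bad attempts"',
    'date=2020-01-27 time=13:13:32 devname=FWF61EXXXXXXX devid=FWF61EXXXXXXX '
    'logid="0101039426" type="event" subtype="vpn" level="alert" vd="root" '
    'eventtime=1580091212 logdesc="SSL VPN login fail" action="ssl-login-fail" '
    'tunneltype="ssl-web" tunnelid=0 remip=203.0.113.5 user="alex" group="N/A" '
    'dst_host="N/A" reason="sslvpn_login_unknown_user" msg="SSL user failed to logged in"',
]

# key=value pairs; values are either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# The msg text FortiOS writes on an admin lockout, as quoted in the thread.
LOCKOUT_MSG_RE = re.compile(
    r"Login disabled from IP (\S+) for (\d+) seconds because of (\d+) bad attempts")

ADMIN_LOGIN_FAILED = "0100032002"    # logid values as shown in the thread
ADMIN_LOGIN_DISABLED = "0100032021"
SSLVPN_LOGIN_FAIL = "0101039426"


def parse_fortigate_log(line):
    """Split one FortiGate key=value log line into a dict, stripping quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def summarize(lines):
    """Count failures per (user, source IP) and extract admin lockout windows."""
    admin_failures, sslvpn_failures, lockouts = Counter(), Counter(), []
    for line in lines:
        ev = parse_fortigate_log(line)
        logid = ev.get("logid")
        if logid == ADMIN_LOGIN_FAILED:
            admin_failures[(ev.get("user"), ev.get("srcip"))] += 1
        elif logid == SSLVPN_LOGIN_FAIL:
            sslvpn_failures[(ev.get("user"), ev.get("remip"))] += 1
        elif logid == ADMIN_LOGIN_DISABLED:
            m = LOCKOUT_MSG_RE.search(ev.get("msg", ""))
            if not m or "eventtime" not in ev:
                continue  # unexpected message text: skip rather than guess
            start, seconds = int(ev["eventtime"]), int(m.group(2))
            lockouts.append({"ip": m.group(1), "attempts": int(m.group(3)),
                             "seconds": seconds, "start": start,
                             "expires": start + seconds})
    return {"admin_failures": admin_failures,
            "sslvpn_failures": sslvpn_failures, "lockouts": lockouts}


def is_locked_out(lockout, now):
    """True while the lockout window for this IP has not yet expired."""
    return lockout["start"] <= now < lockout["expires"]


def locked_out_ips(summary, now):
    """IPs still inside an admin lockout window at epoch time `now`."""
    return sorted({lo["ip"] for lo in summary["lockouts"] if is_locked_out(lo, now)})


if __name__ == "__main__":
    s = summarize(SAMPLE_LOGS)
    for (user, ip), n in s["admin_failures"].items():
        print(f"admin login failures: user={user} src={ip} count={n}")
    for lo in s["lockouts"]:
        print(f"lockout: ip={lo['ip']} {lo['seconds']}s after {lo['attempts']} "
              f"attempts, expires at eventtime {lo['expires']}")
    print("locked out at 1579935990:", locked_out_ips(s, 1579935990))
```

Run it against lines exported from the event log (or the body of the alert emails) instead of SAMPLE_LOGS to see which source IPs are still inside a lockout window, which is the information the quarantine list above did not show. The thread reports no lockout alert for the SSL VPN case, so only admin lockouts are derived here; SSL VPN failures are counted but no window is computed for them.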