Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
kpatio
New Contributor

Created on ‎05-14-2024 02:49 PM

How can I automatically block the source IPs attempting to log in as admin on my FortiGate after sev

Hi everyone,

I'm looking to enhance the security of my FortiGate device. I want to set up a rule or policy that automatically blocks the source IPs trying to log in as admin and failing multiple times. For instance, if someone tries to log in with the wrong password 3 times(or more), the source IP should be automatically banned for a certain period of time.

Could someone guide me on how to configure this on my FortiGate? Is it possible to do this directly from the admin interface, or do I need to configure any additional security profiles? Detailed instructions or any advice would be greatly appreciated.

Thanks in advance.

Labels:
418
0 Kudos
6 REPLIES 6
AEK
SuperUser
SuperUser

Created on ‎05-14-2024 03:13 PM

Hello

You can increase the lockout duration (default is 60 seconds).

config system global
 set admin-lockout-duration 60

 

AEK
AEK
403
hhasny
Staff
Staff

Created on ‎05-14-2024 05:31 PM

Hi,

If I am not mistaken it should block the IP address for the duration set in the 'admin-lockout-duration'.

 

regards,

354
raureada
Staff
Staff

Created on ‎05-14-2024 10:55 PM

Hi 

 

Below is the sample configuration:

config system global
set admin-lockout-threshold X 
set admin-lockout-duration XX 
end

 

X = Number of failed login attempts before an administrator account is locked out for the admin-lockout-duration.
XX = Amount of time in seconds that an administrator account is locked out after reaching the admin-lockout-threshold for repeated failed login attempts.

 

You can also refer on the below link for other system admin best practices:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-System-administrator-best-practices/ta-p/1...

321
kpatio
New Contributor

Created on ‎05-15-2024 03:09 AM

Hi, thanks, but if it happens where can i find later the banned ip ?

290
0 Kudos
hbac
Staff
Staff
In response to kpatio

Created on ‎05-15-2024 06:45 AM

Hi @kpatio,

 

You can configure automation stitch. The article below is for SSLVPN failed login but it should be similar procedure for admin failed login. 

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Block-SSL-VPN-failed-logins-with-an-automa...

 

Regards,

272
0 Kudos
raureada
Staff
Staff

Created on ‎05-15-2024 09:06 AM

Hi @kpatio,

 

Please go to the Log & Report > System Events, Click Logs, Then click the "+" sign to add a filter choose Log Description then find the keyword "Admin login failed"

 

For the automation stitch below is the link for the exact guide for your reference:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-an-automation-stitch-to-get-an-e...

233
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.