Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ciaica
New Contributor

Remove max login attempts by interface?

Hello,

So I have a question I cannot find if there is an answer to.

We have a FortiGate 201E that contains a dedicated management interface. We do NOT have that interface connected normally to any network. We use it as a "Something has gone wrong, and I need direct access to the firewall"...

The problem we had (literally this morning), was that we locked ourselves out, because most of our accounts are LDAP based, and suddenly the firewall couldn't connect to the internal network. We have a local admin account, but for some reason, we had 5 different passwords saved for that account. This locked us out, and delayed us getting services back online because of this simple problem.

I would like to have the max login attempts either disabled, or at least changed for that single interface only. Can this be done?

1 Solution
sharmaj
Staff

Hello,

There are no interface-specific settings.

But below are the settings to increase the lockout threshold, ranging from 0-10:

# config user setting
    set auth-lockout-threshold <number from 0-10>
    set auth-lockout-duration 100
end

Jay sharma
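Added example (not from either reply): a small Python checker that pulls the lockout values out of a saved FortiOS CLI dump, so the thresholds can be audited before an outage rather than discovered during one. It reads the `config user setting` pair quoted above and also the administrator pair FortiOS keeps under `config system global` (`admin-lockout-threshold`, `admin-lockout-duration`); the sample dump is constructed, not taken from the poster's 201E.

```python
# Constructed sample in the style of "show full-configuration"; not from the poster's unit.
SAMPLE_CONFIG = """\
config system global
    set admin-lockout-threshold 3
    set admin-lockout-duration 60
end
config system interface
    edit "mgmt"
        set dedicated-to management
    next
end
config user setting
    set auth-lockout-threshold 5
    set auth-lockout-duration 100
end
"""

# Section path -> (threshold key, duration key). The user-setting pair is the
# one quoted in the reply; the system-global pair governs administrator logins.
LOCKOUT_KEYS = {
    "system global": ("admin-lockout-threshold", "admin-lockout-duration"),
    "user setting": ("auth-lockout-threshold", "auth-lockout-duration"),
}

def parse_fortios_config(text):
    """Flatten a FortiOS CLI dump into {"section path": {key: value}}.
    'config'/'edit' push a level on a stack, 'next'/'end' pop one, so each
    'set' line is filed under the full path it sits in."""
    stack, result = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("config ", "edit ")):
            stack.append(line.split(" ", 1)[1].strip('"'))
        elif line in ("end", "next") and stack:
            stack.pop()
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            result.setdefault(" ".join(stack), {})[key] = value.strip('"')
    return result

def lockout_settings(text):
    """Return {section: {key: int or None}} for both lockout pairs. None means
    the key is absent from the dump: 'show full-configuration' prints defaults
    but plain 'show' omits them, so None means "check the unit", not a finding."""
    cfg = parse_fortios_config(text)
    out = {}
    for section, keys in LOCKOUT_KEYS.items():
        vals = cfg.get(section, {})
        out[section] = {k: int(vals[k]) if k in vals else None for k in keys}
    return out
```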

View solution in original post

2 REPLIES 2
sharmaj
Staff
Staff

Hello,

 

There are no interface-specific settings.

 

But below are the settings to  increase the lockout threshold ranging from 0-10 :

 

# config user setting
    set auth-lockout-threshold <number from 0-10>
    set auth-lockout-duration 100
end

Jay sharma
ede_pfau
Esteemed Contributor III

Yes, there is a way.

If you had tried to log in on the console port you would have noticed that there is no lockout threshold. Physical security is an important part of network security, as you see.


Ede

"Kernel panic: Aiee, killing interrupt handler!"