Administration Guide

Lockouts

For various security reasons, you may want to lock a user’s account. For example, repeated unsuccessful attempts to log in might indicate an attempt at unauthorized access.

Information on locked-out users can be viewed in the Top User Lockouts widget (see Top user lockouts widget).

Currently locked-out users can be viewed in Monitor > Authentication > Locked-out Users.

To configure the user lockout policy:
  1. Go to Authentication > User Account Policies > Lockouts.
  2. Configure the following settings, then select OK to apply any changes:
    Enable user account lockout policy

    Enable user account lockout for failed login attempts and enter the maximum number of allowed failed attempts in the Maximum failed login attempts field.

    Specify lockout period

    Enable to specify the length of the lockout period, from 60 to 86400 seconds (or one minute to one day). After the lockout period expires, the Maximum failed login attempts number applies again.

    When disabled, locked-out users remain disabled indefinitely, until an administrator manually re-enables them.

    Enable inactive user lockout

    Select to disable a local user account if there is no login activity for a given number of days. Inactive user lockout applies to local users only. In the Lock out inactive users after field, enter the number of days, from 1 to 1825 (or one day to five years), after which a local user is locked out.

    Enable IP lockout policy

    Enable to block login attempts by source IP addresses after repeated failed attempts.

    Maximum failed login attempts

    Enter the maximum number of login attempts after which the source IP address is blocked from gaining access for the configured IP Lockout period (default = 3).

    Note: The failed login attempts are counted by the source IP address.

    Specify IP lockout period

    Enable to specify the IP address lockout period.

    When disabled, locked-out IP addresses remain blocked indefinitely, until an administrator manually re-enables them.

    IP Lockout period

    Enter the period of time for which the logins from the locked source IP address are blocked, in seconds (60 - 86400, or one minute to one day; default = 60).
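
As an added example (not Fortinet code), the following Python model of the IP lockout settings above counts how many failed logins from one source IP are actually evaluated in a given window, which is a quick way to compare candidate values. It assumes the lockout triggers when the failure count reaches the maximum, that attempts made during a lockout are rejected without being counted, and that the counter restarts when the lockout expires; all class and function names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional

PERIOD_RANGE = (60, 86400)  # seconds, the range this page gives for the lockout period


@dataclass
class IpLockoutModel:  # hypothetical name; a model of the settings, not product code
    max_failed: int = 3           # "Maximum failed login attempts" (default = 3)
    period: Optional[int] = 60    # "IP Lockout period"; None = period not specified
    fails: dict = field(default_factory=dict)      # ip -> failures since last unlock
    locked_at: dict = field(default_factory=dict)  # ip -> time the lockout began

    def __post_init__(self):
        lo, hi = PERIOD_RANGE
        if self.max_failed < 1:
            raise ValueError("max_failed must be at least 1")
        if self.period is not None and not lo <= self.period <= hi:
            raise ValueError(f"period must be {lo}-{hi} seconds")

    def unlock(self, ip):
        """Administrator re-enable, or automatic expiry of the lockout period."""
        self.locked_at.pop(ip, None)
        self.fails.pop(ip, None)

    def is_locked(self, ip, now):
        if ip not in self.locked_at:
            return False
        if self.period is not None and now - self.locked_at[ip] >= self.period:
            self.unlock(ip)  # assumption: the failure counter restarts after expiry
            return False
        return True  # with period=None this holds until unlock() is called

    def failed_login(self, ip, now):
        """Record a failed login; return True if it was evaluated, False if blocked."""
        if self.is_locked(ip, now):
            return False  # assumption: blocked attempts are not counted
        self.fails[ip] = self.fails.get(ip, 0) + 1
        if self.fails[ip] >= self.max_failed:  # assumption: lock on reaching the max
            self.locked_at[ip] = now
        return True


def evaluated_failures(model, ip, seconds):
    """Failed logins evaluated when one source IP retries once per second."""
    return sum(model.failed_login(ip, t) for t in range(seconds))


if __name__ == "__main__":
    ip = "192.0.2.10"  # constructed sample address (documentation range)
    print(evaluated_failures(IpLockoutModel(), ip, 3600))             # defaults
    print(evaluated_failures(IpLockoutModel(period=None), ip, 3600))  # no period
```

Under these assumptions the default values (3 attempts, 60 seconds) still allow 177 evaluated failures per hour from a single source IP, while leaving the period unspecified caps it at 3 until an administrator re-enables the address.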
