Administration Guide

Lockouts

For various security reasons, you may want to lock a user’s account. For example, repeated unsuccessful attempts to log in might indicate an attempt at unauthorized access.

Information on locked-out users can be viewed in the Top User Lockouts widget; see Top user lockouts widget.

Currently locked-out users can be viewed in Monitor > Authentication > Locked-out Users.

To configure the user lockout policy:
  1. Go to Authentication > User Account Policies > Lockouts.
  2. Configure the following settings, then select Save to apply any changes:
    Enable user account lockout policy

    Enable user account lockout for failed login attempts and enter the maximum number of allowed failed attempts in the Maximum failed login attempts field.

    Specify lockout period

    Enable to specify the length of the lockout period, from 60 to 86400 seconds (or one minute to one day). After the lockout period expires, the Maximum failed login attempts number applies again.

    When disabled, locked-out users remain disabled until an administrator manually re-enables them.

    Enable inactive user lockout

    Select to disable a local user account if there is no login activity for a given number of days. Inactive user lockout applies to local users only. In the Lock out inactive users after field, enter the number of days, from 1 to 1825 (or one day to five years), after which a local user is locked out.

    Enable IP lockout policy

    Enable to block login attempts by source IP addresses after repeated failed attempts.

    Maximum failed login attempts

    Enter the maximum number of login attempts after which the source IP address is blocked from gaining access for the configured IP Lockout period (default = 3).

    Note: The failed login attempts are counted by the source IP address.

    Specify IP lockout period

    Enable to specify the IP address lockout period.

    When disabled, locked-out IP addresses remain blocked until an administrator manually re-enables them.

    IP Lockout period

    Enter the period of time, in seconds, for which logins from the locked source IP address are blocked (60 - 86400, or one minute to one day, default = 60).

    Enable captcha on SAML IdP login

    Enable to use CAPTCHA on the SAML IdP login. In Display captcha after, set the number of failed login attempts from the same source IP address after which the CAPTCHA challenge must be completed to log in (default = 0).

    Note: Set to 0 to require users to complete the CAPTCHA challenge on every login.

    The value entered in Display captcha after must be smaller than the one in Maximum failed login attempts.
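
The IP lockout and CAPTCHA settings above both act on the failure count kept per source IP address. The following added example (not FortiAuthenticator code; class, field and function names are hypothetical) models that interaction and checks the value ranges stated on this page. It assumes the counter restarts when the IP lockout period expires and that attempts made while blocked are not counted.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class IpLockoutPolicy:
    max_failed: int = 3                # Maximum failed login attempts (default = 3)
    period: Optional[int] = 60         # IP Lockout period, seconds; None = no period set
    captcha_after: Optional[int] = 0   # Display captcha after; None = CAPTCHA off

    def validate(self):
        """Return a list of violations of the ranges stated on this page."""
        errors = []
        if self.period is not None and not 60 <= self.period <= 86400:
            errors.append("IP Lockout period must be 60-86400 seconds")
        if self.captcha_after is not None and not 0 <= self.captcha_after < self.max_failed:
            errors.append("Display captcha after must be smaller than Maximum failed login attempts")
        return errors

class IpLockoutTracker:
    def __init__(self, policy):
        self.policy = policy
        self.failures = {}    # source IP -> failed attempts counted so far
        self.locked_at = {}   # source IP -> time the block started

    def state(self, ip, now):
        """Return 'blocked', 'captcha' or 'allow' for an attempt from ip at time now."""
        if ip in self.locked_at:
            period = self.policy.period
            if period is None or now - self.locked_at[ip] < period:
                return "blocked"       # no period set: blocked until an admin clears it
            del self.locked_at[ip]     # period expired: counter starts over (assumption)
            self.failures[ip] = 0
        after = self.policy.captcha_after
        if after is not None and self.failures.get(ip, 0) >= after:
            return "captcha"
        return "allow"

    def record_failure(self, ip, now):
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= self.policy.max_failed:
            self.locked_at[ip] = now

def replay(policy, events):
    """events: (time, source_ip) failed logins; returns the state met by each."""
    tracker, seen = IpLockoutTracker(policy), []
    for now, ip in events:
        seen.append(tracker.state(ip, now))
        if seen[-1] != "blocked":      # assumption: blocked attempts are not counted
            tracker.record_failure(ip, now)
    return seen

# Constructed sample: seven failed logins from one documentation-range address.
SAMPLE = [(t, "192.0.2.10") for t in (0, 1, 2, 3, 30, 62, 63)]
```

Replaying `SAMPLE` with `captcha_after=1` shows the CAPTCHA stage starting after the first failure, the block at the third, and the cycle restarting once 60 seconds have passed.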
