
Administration Guide

Restricting local administrator logins through the console NEW

FortiOS can now restrict local administrator logins, including logins through the console, while FortiGate can reach the remote authentication server. This enhancement gives administrators finer control over when locally defined administrator accounts may be used, so that remote (centrally managed) authentication is enforced whenever it is available.

config system global
    set admin-restrict-local {all | non-console-only | disable}
end

set admin-restrict-local {all | non-console-only | disable}

Restrict local administrator logins when the remote authentication server is reachable.

  • all: Enable local administrator authentication restriction, including the console.

  • non-console-only: Enable local administrator authentication restriction, excluding the console.

  • disable: Disable local administrator authentication restriction.

Example 1

In this example, the local administrator restriction is set to non-console-only. As a result, local administrators cannot use non-console methods, such as SSH, to log in to FortiGate when the remote authentication server is reachable. However, local administrators can use the console to log in to FortiGate.

To exclude the console from local administrator login restrictions:
  1. In FortiOS, set the administrator restriction to non-console-only:

    config system global
        set admin-restrict-local non-console-only
    end
  2. Using SSH and the local administrator account, log in to FortiOS.

    Login is denied:

    ssh admin@<ip address>
    admin@<ip address>'s password:
    Permission denied, please try again.

    The login failure is captured in the logs:

    1: date=2024-04-01 time=15:42:08 eventtime=1712011328452918375 tz="-0700" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" sn="0" user="admin" ui="ssh(172.16.200.100)" method="ssh" srcip=172.16.200.100 dstip=172.16.200.1 action="login" status="failed" reason="none" msg="Administrator admin login failed from ssh(172.16.200.100)"
  3. Using the FortiGate console and the local administrator account, log in to FortiOS.

    Login is allowed:

    FGT login: admin
    Password:
    Welcome!

    The successful login is captured in the logs:

    1: date=2024-04-01 time=15:43:36 eventtime=1712011415358013250 tz="-0700" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1712011415" user="admin" ui="console" method="console" srcip=0.0.0.0 dstip=0.0.0.0 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from console"

Example 2

In this example, the local administrator restriction is set to all. As a result, local administrators cannot use any method to log in to FortiGate when the remote authentication server is reachable.

To restrict all local administrator logins:
  1. In FortiOS, set the local administrator restriction to all:

    config system global
        set admin-restrict-local all
    end
  2. Using SSH and the local administrator account, log in to FortiOS.

    Login is denied, and the failure is captured in the logs.

  3. Using the FortiGate console and the local administrator account, log in to FortiOS.

    Login is denied, and the failure is captured in the logs:

    2: date=2024-04-01 time=16:26:56 eventtime=1712014017124846849 tz="-0700" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" sn="0" user="admin" ui="console" method="console" srcip=0.0.0.0 dstip=0.0.0.0 action="login" status="failed" reason="none" msg="Administrator admin login failed from console"
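The two examples above are verified by reading the event log. The following script, added here as an illustration and not part of the Fortinet guide, parses FortiOS key=value event lines, picks out the admin login events (logid 0100032001 / 0100032002 as shown above) and reports any successful login by a local administrator that the configured admin-restrict-local mode should have blocked. It assumes the operator supplies the set of local account names and that the remote authentication server was reachable when the events were logged; the first three sample lines are the ones quoted on this page, the fourth is constructed.

```python
import re

# Admin login event IDs as they appear in the page's sample logs.
LOGID_ADMIN_LOGIN_OK = "0100032001"
LOGID_ADMIN_LOGIN_FAILED = "0100032002"

# Assumption: the operator knows which accounts are locally defined; the log
# line itself does not say whether "admin" is a local or a remote account.
LOCAL_ADMINS = {"admin"}

# Sample input: three lines quoted from the page, plus one constructed line
# (a local admin succeeding over SSH) that non-console-only should have blocked.
SAMPLE_LOGS = [
    '1: date=2024-04-01 time=15:42:08 eventtime=1712011328452918375 tz="-0700" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" sn="0" user="admin" ui="ssh(172.16.200.100)" method="ssh" srcip=172.16.200.100 dstip=172.16.200.1 action="login" status="failed" reason="none" msg="Administrator admin login failed from ssh(172.16.200.100)"',
    '1: date=2024-04-01 time=15:43:36 eventtime=1712011415358013250 tz="-0700" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1712011415" user="admin" ui="console" method="console" srcip=0.0.0.0 dstip=0.0.0.0 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from console"',
    '2: date=2024-04-01 time=16:26:56 eventtime=1712014017124846849 tz="-0700" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" sn="0" user="admin" ui="console" method="console" srcip=0.0.0.0 dstip=0.0.0.0 action="login" status="failed" reason="none" msg="Administrator admin login failed from console"',
    # constructed line (not from the page)
    '3: date=2024-04-01 time=16:40:12 eventtime=1712014812000000000 tz="-0700" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1712014812" user="admin" ui="ssh(172.16.200.100)" method="ssh" srcip=172.16.200.100 dstip=172.16.200.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from ssh(172.16.200.100)"',
]

# key=value pairs; quoted values may contain spaces and parentheses.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_fortios_log(line: str) -> dict:
    """Parse one FortiOS event line into a dict, dropping the leading 'N: ' index."""
    line = re.sub(r"^\d+:\s*", "", line)
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in _KV.finditer(line)}


def admin_login_events(lines) -> list:
    """Keep only admin login success/failure events."""
    wanted = {LOGID_ADMIN_LOGIN_OK, LOGID_ADMIN_LOGIN_FAILED}
    return [ev for ev in map(parse_fortios_log, lines) if ev.get("logid") in wanted]


def restriction_violations(lines, mode: str, local_admins=LOCAL_ADMINS) -> list:
    """Successful local-admin logins that admin-restrict-local <mode> should have
    blocked, assuming the remote authentication server was reachable at the time."""
    should_block = {
        "all": lambda method: True,
        "non-console-only": lambda method: method != "console",
        "disable": lambda method: False,
    }[mode]
    return [(ev["date"], ev["time"], ev["user"], ev["method"])
            for ev in admin_login_events(lines)
            if ev.get("status") == "success"
            and ev.get("user") in local_admins
            and should_block(ev.get("method"))]


if __name__ == "__main__":
    for mode in ("disable", "non-console-only", "all"):
        print(mode, restriction_violations(SAMPLE_LOGS, mode))
```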
