Auto-Ban IPs After Failed Admin Login Attempts
Brute force attacks targeting FortiGate admin accounts are common. Hackers attempt to guess passwords, often trying multiple usernames and passwords from the same IP address. Each failed login attempt is logged, for example:
FGT[] Automation Stitch:E-Mail_Admin login failed is triggered.
log: date=2025-11-19 time=22:40:40 logid="0100032002" type="event" subtype="system" level="alert" vd="root" eventtime=1763588440 logdesc="Admin login failed" sn="0" user="ameier" ui="https(xxx.xxx.xxx.xxx)" method="https" srcip=xxx.xxx.xxx.xxx dstip=192.168.1.253 action="login" status="failed" reason="name_invalid" msg="Administrator ameier login failed from https(xxx.xxx.xxx.xxx) because of invalid user name"
In my case, I received an automatic email alert from my FortiGate firewall notifying me that someone was attempting to log in to the admin account. This kind of alert is part of FortiGate’s automation features and is critical for timely response.
Even though I use a complex and strong password, there is always a risk that an attacker could eventually crack it using brute-force techniques. Each additional safeguard, such as limiting failed login attempts and automatically banning IPs, significantly reduces this risk and adds a critical layer of protection to your network.
Even a single compromised account can be dangerous, and repeated login attempts increase the risk of breach.
Solution: SHAPER-BAN for Admin Login (CLI)
FortiGate provides a built-in mechanism to automatically block IP addresses after a configurable number of failed admin login attempts. Here’s how to configure it:
config system global
set admin-lockout-threshold 2
set admin-lockout-duration 86400
end
Explanation:
- admin-lockout-threshold = Number of failed login attempts before the IP is blocked (2 in this case)
- admin-lockout-duration = Duration of the ban in seconds (86400 seconds = 24 hours)
Check currently blocked IPs:
diagnose sys lockout list
Clear all bans manually (if needed):
diagnose sys lockout clear
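To make the two things this post relies on concrete, the key=value format of the "Admin login failed" event shown at the top and the threshold/duration lockout behaviour configured above, here is an added Python example. It is not part of the original post and not FortiOS code: it parses constructed log lines modelled on the one above (TEST-NET addresses, fields trimmed), then replays them through a simplified lockout model using threshold 2 and duration 86400 seconds. The model, the sample lines and the function names are assumptions for illustration, not FortiOS's actual implementation.

```python
import re
from collections import defaultdict

# Constructed sample events using TEST-NET addresses, modelled on the
# "Admin login failed" line shown earlier in this post. The final
# "Admin login successful" line is likewise constructed; only the
# logdesc/status/srcip/eventtime fields matter to the model below.
SAMPLE_LOGS = [
    'date=2025-11-19 time=22:40:40 logid="0100032002" type="event" subtype="system" level="alert" vd="root" eventtime=1763588440 logdesc="Admin login failed" user="ameier" ui="https(203.0.113.10)" method="https" srcip=203.0.113.10 dstip=192.168.1.253 action="login" status="failed" reason="name_invalid" msg="Administrator ameier login failed from https(203.0.113.10) because of invalid user name"',
    'date=2025-11-19 time=22:40:41 logid="0100032002" type="event" subtype="system" level="alert" vd="root" eventtime=1763588441 logdesc="Admin login failed" user="admin" ui="https(203.0.113.10)" method="https" srcip=203.0.113.10 dstip=192.168.1.253 action="login" status="failed"',
    'date=2025-11-19 time=22:40:42 logid="0100032002" type="event" subtype="system" level="alert" vd="root" eventtime=1763588442 logdesc="Admin login failed" user="root" ui="https(203.0.113.10)" method="https" srcip=203.0.113.10 dstip=192.168.1.253 action="login" status="failed"',
    'date=2025-11-19 time=22:45:00 logid="0100032002" type="event" subtype="system" level="alert" vd="root" eventtime=1763588700 logdesc="Admin login failed" user="admin" ui="https(192.0.2.50)" method="https" srcip=192.0.2.50 dstip=192.168.1.253 action="login" status="failed"',
    'date=2025-11-19 time=22:45:10 type="event" subtype="system" level="information" vd="root" eventtime=1763588710 logdesc="Admin login successful" user="admin" ui="https(192.0.2.50)" method="https" srcip=192.0.2.50 dstip=192.168.1.253 action="login" status="success"',
]

# key=value pairs: the value is either double-quoted (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_event(line):
    """Split one FortiGate key=value log line into a dict of string fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


class AdminLockoutModel:
    """Simplified model of admin-lockout-threshold / admin-lockout-duration.

    Assumption for illustration, not FortiOS's own implementation: a source IP
    accumulates failed admin logins and, once the count reaches the threshold,
    is locked for `duration` seconds; the counter restarts when a lock expires.
    """

    def __init__(self, threshold=2, duration=86400):
        self.threshold = threshold
        self.duration = duration
        self.failures = defaultdict(int)   # srcip -> failures since last lock/reset
        self.locked_until = {}             # srcip -> epoch second when the lock expires

    def is_locked(self, ip, now):
        return self.locked_until.get(ip, 0) > now

    def observe(self, event):
        """Feed one parsed event; return what the model did with it."""
        if event.get("logdesc") != "Admin login failed" or event.get("status") != "failed":
            return "ignored"
        ip, now = event["srcip"], int(event["eventtime"])
        if self.is_locked(ip, now):
            return "already_locked"
        if ip in self.locked_until:        # a previous lock has expired: start over
            del self.locked_until[ip]
            self.failures[ip] = 0
        self.failures[ip] += 1
        if self.failures[ip] >= self.threshold:
            self.locked_until[ip] = now + self.duration
            self.failures[ip] = 0
            return "locked"
        return "failed"

    def lockout_list(self, now):
        """Active locks at time `now`, in the spirit of `diagnose sys lockout list`."""
        return {ip: until for ip, until in self.locked_until.items() if until > now}


def replay(lines, threshold=2, duration=86400):
    """Replay raw log lines through the model; return per-line outcomes and the model."""
    model = AdminLockoutModel(threshold, duration)
    outcomes = [(ev.get("srcip"), model.observe(ev))
                for ev in map(parse_fortigate_event, lines)]
    return outcomes, model


if __name__ == "__main__":
    outcomes, model = replay(SAMPLE_LOGS)
    for ip, what in outcomes:
        print(f"{ip:15} {what}")
    print("locked:", model.lockout_list(now=1763588710))
```

Replaying the sample, the scanning host 203.0.113.10 is locked on its second failure and its third attempt lands on an existing lock, while the single mistyped password from 192.0.2.50 only counts as one failure. With a threshold of 2, one more typo from that address would lock it out for 24 hours too, which is exactly the self-lockout risk discussed in the next section.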
Risks / Considerations
- Locking yourself out: If you mistype your admin password twice, your IP will be blocked. Always test from a secondary management IP or VPN.
- DoS risk: A malicious actor could intentionally trigger failed logins from another IP to “blacklist” your admin access. Consider combining SHAPER-BAN with VPN-only admin access.
- Monitoring: Keep logs and alerts active to track lockouts and detect suspicious behavior.
Conclusion
Using SHAPER-BAN on FortiGate is an effective way to immediately block brute-force attempts, protecting your firewall and network from unauthorized access. Combined with VPN-only admin access and strong passwords, it dramatically reduces the attack surface for hackers targeting your admin accounts.
For even stronger security, it is highly recommended to disable direct admin access via SSH or HTTPS from the internet. Instead, access the FortiGate admin interface only through a secure VPN. This ensures that even if attackers try brute-force attacks, they cannot reach your firewall directly from the public internet.