Failed Authentication
The Failed Authentication console displays instances in which users attempted to connect to the server but were unsuccessful. Depending on the Time Display setting, the console will display instances from the last 5 minutes, 1 hour, or 24 hours. The results can be sorted by the number of instances a given user attempted to log in.
By double-clicking on any of the entries on the main Failed Authentication console, a drill down view appears, displaying more detailed information on that user’s authentication attempts, including the date and time of each login attempt, the message explaining the reason each authentication failed e.g. a mismatched password, and the source IP address.
This console can be filtered by Destination, Login Type, Result, Source, Type, and User. For more on filters, seeĀ Filtering options.
Only FortiGate models 100D and above support the 24 hour historical data.
Scenario: Investigating a user’s failed authentication attempts
The Failed Authentications console can be used to access information on individual users and their unsuccessful attempts to access the network. In this scenario, an administrator investigates a user’s multiple attempts via the console’s drill down capability.
1. Go to FortiView > Failed Authentication to access the Failed Authentication console.
2. Select the Failed Attempts column header to sort the entries by number of attempts.
3. Double-click the top entry to drill down to more detailed information on attempts made by the user with the highest number of attempts.