Description
System administrator’s are constantly trying to optimize the performance of their networks. Rather than continue to process attempts that are consistently failing, the administrator will block access to devices that repeatedly break the rules. One area this can be done is multiple bad attempts to use a policy that requires user authentication.
It’s a straight forward setting, but there is a potential “gotcha” when using it.
Solution
The syntax of the setting is as follows:
config user setting
set auth-lockout-threshold
end
The integer value in the setting is the number of times in a minute that a user can make an unsuccessful attempt to go through a firewall policy that requires device or user authentication. Once the threshold is passed, the IP address of the device is blocked and the address is blacklisted. All further traffic from the device will be dropped.
The symptom that most people will see that indicates a problem with the setup is that a computer will be denied access through a firewall policy because of too many failed login attempts even though the user has not even tried to go on the Internet. This will frustrate the logical analysis part of the troubleshooting process. If the user has made no attempts, how could they have too many failed logins? The problem is we often make the assumption that the attempts have to be made by a user. It’s right there in the name of the setting. We often forget that software will try to contact the Internet on its own. Most of the time, when the FortiGate doesn’t let software go out on the Internet unsupervised it’s a good thing. It is a security device and that’s one of the FortiGate’s jobs.
The most common cause of the inexplicable blacklisting is due to an automated process on a computer sending traffic to the Internet and there is no option to create an interactive login scenario.
A common example of this is the automated Microsoft Windows update process. Windows determines that it hasn’t been updated in a while and sends a request to one of the Microsoft servers. It tries repeatedly to connect but can’t because it needs to authenticate first to go through the firewall policy. After about 1 minute the computer is blacklisted because it exceeded the number of failed attempts set in the auth-lockout-threshold setting.
To stop this blacklisting behavior, the device or user needs to authenticate before accessing the Internet. Once authenticated, the traffic should flow without issue. A possible work around is to determine what’s causing the failed authentication attempts and add a policy that accepts this traffic. In this policy you can choose to allow or deny the traffic. In the case of Windows updates, you might want to create a policy that allows access to Windows Update servers with no requirement for authentication.
Information on what is needed to configure a firewall for Windows updates can be found in the Microsoft article "How to configure a firewall for software updates".
Other traffic causing this issue would have to be addressed on a case by case basis as the firewall parameters are likely to be different in each situation.
