Managed Sentinel – Alert 159

Alert ID: MS-A159
Alert Name: Admin authentication failure detected on firewall - Fortinet
Description: This alert is triggered whenever x login failures are detected within y minutes for the admin/root user account on any single Fortinet firewall.
Severity Level: Low
Threat Indicator: Root Access
MITRE ATT&CK Tactics: Credential Access, Lateral Movement
Log sources: Firewalls
False Positives: Penetration Tests
Recommendations:
1. Change the admin/root/administrator account password
2. Log in to the firewall console and review the change history
3. Block the IP address from which the console access was requested
4. Consider disabling management access from untrusted zones (best practice)
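The threshold logic in the description (x failures within y minutes, per firewall, for the admin/root account), worked through as an added example; this is not Managed Sentinel's or Fortinet's code. It assumes FortiOS-style key=value syslog lines with the fields devname, type, subtype, user, srcip, action and status, and the sample lines below are constructed for the example rather than taken from a real device. The counter uses a sliding window and fires once when the count first reaches the threshold, so a burst of failures produces one alert rather than one per extra failure.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the FortiOS key=value syslog style (assumed field names,
# not copied from a real firewall). Lines are in chronological order.
SAMPLE_LOGS = [
    'date=2024-03-01 time=10:00:05 devname="FGT-EDGE-01" type="event" subtype="system" user="admin" srcip=203.0.113.7 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed"',
    'date=2024-03-01 time=10:00:40 devname="FGT-EDGE-01" type="event" subtype="system" user="admin" srcip=203.0.113.7 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed"',
    'date=2024-03-01 time=10:01:10 devname="FGT-DC-02" type="event" subtype="system" user="admin" srcip=198.51.100.9 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed"',
    'date=2024-03-01 time=10:01:15 devname="FGT-EDGE-01" type="event" subtype="system" user="jdoe" srcip=203.0.113.7 action="login" status="failed" reason="name_invalid" msg="Administrator jdoe login failed"',
    'date=2024-03-01 time=10:01:30 devname="FGT-EDGE-01" type="event" subtype="system" user="admin" srcip=203.0.113.7 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed"',
    'date=2024-03-01 time=10:02:00 devname="FGT-EDGE-01" type="event" subtype="system" user="admin" srcip=203.0.113.7 action="login" status="success" msg="Administrator admin logged in successfully"',
    'date=2024-03-01 time=10:02:20 devname="FGT-EDGE-01" type="event" subtype="system" user="admin" srcip=203.0.113.44 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed"',
    'date=2024-03-01 time=10:03:00 devname="FGT-EDGE-01" type="event" subtype="system" user="admin" srcip=203.0.113.7 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed"',
    'date=2024-03-01 time=10:25:00 devname="FGT-DC-02" type="event" subtype="system" user="admin" srcip=198.51.100.9 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Privileged accounts the alert covers (admin/root/administrator from the recommendations).
ADMIN_USERS = {"admin", "root", "administrator"}


def parse_line(line):
    """Turn one FortiOS-style log line into a dict of field -> value (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_admin_login_failure(fields):
    """True for a failed management login by one of the privileged accounts."""
    return (
        fields.get("type") == "event"
        and fields.get("subtype") == "system"
        and fields.get("action") == "login"
        and fields.get("status") == "failed"
        and fields.get("user", "").lower() in ADMIN_USERS
    )


def detect(lines, threshold, window_minutes):
    """Sliding-window count of admin login failures per (firewall, account).

    Returns one alert dict each time a (firewall, account) pair first reaches
    `threshold` failures inside the last `window_minutes` minutes.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # (devname, user) -> deque of (timestamp, srcip)
    alerts = []
    for line in lines:
        f = parse_line(line)
        if not is_admin_login_failure(f):
            continue
        ts = datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S")
        key = (f.get("devname", "unknown"), f["user"].lower())
        q = recent[key]
        q.append((ts, f.get("srcip", "unknown")))
        # Drop failures that fell out of the window relative to the newest event.
        while q and ts - q[0][0] > window:
            q.popleft()
        # Fire exactly when the count crosses the threshold (no repeat per extra failure).
        if len(q) == threshold:
            alerts.append({
                "device": key[0],
                "user": key[1],
                "count": len(q),
                "first_failure": q[0][0],
                "last_failure": ts,
                "src_ips": sorted({ip for _, ip in q}),
            })
    return alerts


if __name__ == "__main__":
    # Example thresholds for x and y; the page leaves the real values unspecified.
    for alert in detect(SAMPLE_LOGS, threshold=5, window_minutes=5):
        print(alert)
```

The source IPs collected in each alert are what recommendation 3 acts on, and the non-admin user and the successful login in the sample are deliberately ignored so the count only reflects the privileged-account failures the alert is defined on.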