Administrator lockout requirement
PCI DSS requires a user account lockout for administrators to guard against unauthorized access attempts:
Limit repeated access attempts by locking out the user ID after not more than six attempts. (8.1.6)
Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID. (8.1.7)
You can meet these requirements with the following CLI commands:
config system global
  set admin-lockout-threshold 6
  set admin-lockout-duration 1800
end
The threshold can be set lower than 6, and the lockout duration, which is specified in seconds, can be set higher than 1800 (30 minutes).
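To confirm that a saved configuration still meets both limits, the check below reads the config system global block of a backup file and tests the two settings above. It is an added example, not Fortinet code; the sample configuration is constructed and the function names are hypothetical.

```python
import re

MAX_THRESHOLD = 6    # 8.1.6: lock out after not more than six attempts
MIN_DURATION = 1800  # 8.1.7: at least 30 minutes, expressed in seconds

# Constructed sample backup (not from a real device); both values are too weak.
SAMPLE_CONFIG = """\
config system global
    set admin-lockout-threshold 10
    set admin-lockout-duration 600
end
config system interface
    edit "port1"
        set allowaccess ping https
    next
end
"""

CHECKS = {
    "admin-lockout-threshold": lambda v: v <= MAX_THRESHOLD,
    "admin-lockout-duration": lambda v: v >= MIN_DURATION,
}

def global_settings(config_text):
    """Return the 'set' values found directly inside 'config system global'."""
    settings, depth, in_global = {}, 0, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            if depth == 0:  # a new top-level block starts here
                in_global = (line == "config system global")
            depth += 1
        elif line == "end":
            depth -= 1
        elif in_global and depth == 1:
            m = re.match(r"set (\S+) (.+)", line)
            if m:
                settings[m.group(1)] = m.group(2).strip('"')
    return settings

def audit_lockout(config_text):
    """Map each lockout setting to 'pass', 'fail' or 'unset'."""
    found = global_settings(config_text)
    result = {}
    for key, ok in CHECKS.items():
        value = found.get(key, "")
        if not value.isdigit():
            result[key] = "unset"  # absent from the backup: verify on the unit
        else:
            result[key] = "pass" if ok(int(value)) else "fail"
    return result
```

An "unset" result means the setting does not appear in the backup, so the value in effect has to be confirmed on the unit itself.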