The Admin Logins console provides information on administrator interactions with the network, including the number of login instances, number of failed logins, and the length of time logged in. This console can be filtered by User Name.
Scenario: Scrutinizing Administrator Security
Admin Logins can be used in conjunction with System Events to see who was on during a system change that impacted performance and allowed a threat to persist/pass through the firewall:
- Go to System > FortiView > System Events, to see what and how many network events have taken place, as well as how severe they are in terms of the threat they pose to the network.
- You see that a particular event has warranted a severe rating, and has allowed traffic to bypass the firewall. Double-click on the event to drill down.
- Once drilled down, you can see the date and time that the system change took place.
- Go to System > FortiView > Admin Logins, to see who has been logged in, how long they have been logged in, and what configuration changes they have made. Using the time graph, you can correlate the information from System Events with who was logged in at the time the threat was allowed.
|Only FortiGate models 100D and above support the 24 hour historical data.|