
Ensure Allow access again after time is set to 300 or more seconds

Details

Allow access again after a user has been locked out (due to failed login attempts). The user is allowed access after the configured time if there have been no login attempts during that time. This setting only takes effect if Deny access after failed login attempts is selected.

Rationale:

Users can accidentally lock themselves out of their accounts if they mistype their password multiple times. To reduce the chance of such accidental lockouts, the Allow access again after time setting determines the number of seconds that must elapse before the counter that tracks failed logon attempts and triggers lockouts is reset to 0.

Solution

Run the following command to set the deny-on-fail allow-after setting.
CLI:

Hostname> set password-controls deny-on-fail allow-after 300

GUI:

Navigate to User Management > Password Policy > Deny Access After Failed Login Attempts:
Set the ‘Allow access again after time’ setting to 300 or more seconds.
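The page gives the remediation but no audit step. The following POSIX shell helper is an added example, not from the CIS benchmark or Check Point: it parses the text of `show password-controls` and reports whether the allow-after value meets the 300-second minimum, and flags the case the Details section warns about, where the timer has no effect because deny-on-fail is off. The field labels in the sample are an assumed layout and the sample output is constructed; adjust the awk matches to the output of your Gaia release.

```shell
#!/bin/sh
# Added audit helper; not from the CIS page or Check Point's own tooling.
# Input: the text of Gaia clish `show password-controls`. The field labels
# matched below are ASSUMED and may differ between releases.

MIN_ALLOW_AFTER=300

# Constructed sample output (assumed layout) used for the stand-alone run.
SAMPLE_OUTPUT='Deny Access After Failed Login Attempts
    Deny Access                     on
    Failed Attempts Allowed         10
    Allow Access Again After        1200 seconds'

# Print on/off from the "Deny Access" line (NF==3 skips the section heading).
deny_access_state() {
    printf '%s\n' "$1" | awk '$1=="Deny" && $2=="Access" && NF==3 {print $3; exit}'
}

# Print the "Allow Access Again After" value in seconds.
allow_after_seconds() {
    printf '%s\n' "$1" | awk '$1=="Allow" && $2=="Access" && $3=="Again" && $4=="After" {print $5; exit}'
}

# Exit codes: 0 compliant, 1 value below minimum, 2 lockout disabled so the
# timer has no effect, 3 field missing or not numeric.
check_allow_after() {
    deny=$(deny_access_state "$1")
    secs=$(allow_after_seconds "$1")
    case $secs in ''|*[!0-9]*) echo "allow-after value not found"; return 3 ;; esac
    if [ "$deny" != "on" ]; then
        echo "deny-on-fail is off: allow-after ($secs s) has no effect"
        return 2
    fi
    if [ "$secs" -lt "$MIN_ALLOW_AFTER" ]; then
        echo "FAIL: allow-after is $secs s, minimum is $MIN_ALLOW_AFTER s"
        return 1
    fi
    echo "PASS: allow-after is $secs s and deny-on-fail is on"
    return 0
}

# Stand-alone run against the constructed sample. On a gateway, capture the
# real output instead, e.g. OUT=$(clish -c "show password-controls"), and
# call check_allow_after "$OUT".
check_allow_after "$SAMPLE_OUTPUT"
```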

Default Value:

1200 (20 minutes)

Notes:

Looking for input regarding a value for this recommendation.

Supportive Information


This security hardening control applies to the following category of controls within NIST 800-53: Access Control. This control applies to the following type of system: CheckPoint.

Updated on July 16, 2022