Global Lockout Rules

You can set the global lockout rules apply to the entire system in the Global Lockout Rules section.

The following figure shows the Global Lockout Rules section:

To set any of the fields in the Login Failure Attempts section, a lock action in the Lock Action section must be enabled. You can set either one or both lock actions to Yes.

To enable the Send Alert Email lock action, you must set the Alert Email Address field in the Global Settings section on this page.

The failure retention period set for a user account is reset upon a successful login of that user account. For example, if the number of login failure attempts for a user is set to 3 and a user fails to log in twice but logs in successfully on the third attempt, the number of login failure attempts is reset to zero. This also occurs when the lock duration expires. This means if a user is locked out of the system and the lock duration expires, the number of login failure attempts is reset to zero. However, this does not occur for the failure retention period of a system or IP. To clear the attempts for these actions requires a lockout release for the system or IP address by a super administration account that is configured with a restricted IP address to log in. These user accounts are never locked out of the system. For more details about releasing lockouts, see Lockout Management.

When setting the number of login failure attempts for the system, an acceptable number should be based on the amount of users that can access the system. The value is reached by the accumulation of the number of login failure attempts of users and that of the IP that are being retained. A very simple example of a system lockout occurring is if the number of login failure attempts for users is set to 3 and that for system is set to 7, the entire system is locked when the seventh failed attempt occurs (the default failure retention period for users is 120 minutes). Based on the above settings all it takes is three users to fail to access the system in a 120 minute time frame because of attempting to log in with incorrect passwords causing the number of failed login attempts being retained to reach the count of 7 and the system is locked.

You can define the lock action to be taken when the login failure attempts thresholds are reached within the failure retention period. An alert email is sent to the email address defined in the Alert Email Address field of the Global Settings section. The Lockout field defines whether the lockout processing is to be performed.
Note: The Lockout field must be set to Yes when any one value in the Login Failure Attempts section is set to a non-zero value.
The amount of time that a user, IP address, or system is locked out depends on the Lock Duration settings. You can also define whether to propagate lockout between MFT instances and also define the server instances where lockouts are propagated.