Firewall user groups

Firewall user groups are used locally as part of authentication. When a security policy allows access only to specified user groups, users must authenticate. If the user authenticates successfully and is a member of one of the permitted groups, the session is allowed to proceed.

This section includes:

  • SSL VPN access
  • IPsec VPN access
  • Configuring a firewall user group
  • Multiple group enforcement support
  • User group timeouts


SSL VPN access

SSL VPN settings include a list of the firewall user groups that can access the SSL VPN and the SSL VPN portal that each group will use. When the user connects to the FortiGate unit via HTTPS on the SSL VPN port (default 10443), the FortiGate unit requests a username and password.

SSL VPN access also requires a security policy where the destination is the SSL interface. For more information, see the FortiOS Handbook SSL VPN guide.


IPsec VPN access

A firewall user group can provide access for dialup users of an IPsec VPN. In this case, the IPsec VPN phase 1 configuration uses the Accept peer ID in dialup group peer option. The user’s VPN client is configured with the username as peer ID and the password as pre-shared key. The user can connect successfully to the IPsec VPN only if the username is a member of the allowed user group and the password matches the one stored on the FortiGate unit.

A user group cannot be used as a dialup group if any member of the group is authenticated using an external authentication server.

For more information, see the FortiOS Handbook IPsec VPN guide.


Configuring a firewall user group

A user group can contain:

  • local users, whether authenticated by the FortiGate unit or an authentication server
  • PKI users
  • authentication servers, optionally specifying particular user groups on the server

To create a Firewall user group – web-based manager:

1. Go to User & Device > User > User Groups and select Create New.

2. Enter a name for the user group.

3. In Type, select Firewall.

4. Add user names to the Members list.

5. Add authentication servers to the Remote groups list.

By default all user accounts on the authentication server are members of this FortiGate user group. To include only specific user groups from the authentication server, deselect Any and enter the group name in the appropriate format for the type of server. For example, an LDAP server requires LDAP format, such as: cn=users,dn=office,dn=example,dn=com

Remote servers must already be configured in User & Device > Authentication.

6. Select OK.
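The same objects can be created from the FortiOS CLI. The following is an added example, not configuration taken from the Handbook: it defines a local user, an LDAP server, and two firewall user groups, then binds one of them to an IPsec dialup phase 1 as described under "IPsec VPN access". All names, addresses, DNs and secrets are constructed placeholders. The group used as the dialup group contains only locally authenticated users, in line with the restriction above; the second group shows the remote-server match that corresponds to step 5.

```fortios
# Local user authenticated by the FortiGate unit (constructed name and password).
config user local
    edit "alice"
        set type password
        set passwd "REPLACE-WITH-REAL-PASSWORD"
    next
end

# Remote LDAP server; must exist before it can be referenced from a group.
# Address, base DN and bind credentials are placeholders.
config user ldap
    edit "ldap-hq"
        set server "192.0.2.10"
        set cnid "cn"
        set dn "dc=example,dc=com"
        set type regular
        set username "cn=fgt-bind,dc=example,dc=com"
        set password "REPLACE-WITH-BIND-PASSWORD"
    next
end

config user group
    # Group 1: local members only, so it may be used as an IPsec dialup group.
    edit "vpn-dialup"
        set group-type firewall
        set member "alice"
    next
    # Group 2: members come from the LDAP server, restricted to one LDAP group
    # (the equivalent of deselecting "Any" in step 5). A group like this cannot
    # be a dialup group because its members are externally authenticated.
    edit "sslvpn-users"
        set group-type firewall
        set member "ldap-hq"
        config match
            edit 1
                set server-name "ldap-hq"
                set group-name "cn=vpn-users,ou=groups,dc=example,dc=com"
            next
        end
    next
end

# IPsec dialup phase 1 that accepts a peer ID only if it is a member of
# "vpn-dialup" (peertype dialup = "Accept peer ID in dialup group").
# The client sends its username as peer ID and its password as pre-shared key.
config vpn ipsec phase1-interface
    edit "dialup-p1"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype dialup
        set usrgrp "vpn-dialup"
        set proposal aes256-sha256
        set psksecret "REPLACE-WITH-PHASE1-PSK"
    next
end
```

After loading this, `show user group` lists both groups; adding "ldap-hq" as a member of "vpn-dialup" would make it unusable as the `usrgrp` of the dialup phase 1, which is the quickest way to see the restriction enforced.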
