Users and user groups

Users and user groups

FortiGate authentication controls system access by user group. By assigning individual users to the appropriate user groups you can control each user’s access to network resources. The members of user groups are user accounts, of which there are several types. Local users and peer users are defined on the FortiGate unit. User accounts can also be defined on remote authentication servers.

This section describes how to configure local users and peer users and then how to configure user groups. For information about configuration of authentication servers see Authentication servers on page 451.

This section contains the following topics:

  • Users
  • User groups



A user is a user account consisting of username, password, and in some cases other information, configured on the FortiGate unit or on an external authentication server. Users can access resources that require authentication only if they are members of an allowed user group. There are several different types of user accounts with slightly different methods of authentication:

User type                 Authentication

Local user The username and password must match a user account stored on the FortiGate unit.

Authentication by FortiGate security policy.

Remote user

The username must match a user account stored on the FortiGate unit and the user- name and password must match a user account stored on the remote authentication server. FortiOS supports LDAP, RADIUS, and TACACS+ servers.


Authentication server user

A FortiGate user group can include user accounts or groups that exist on a remote authentication server.


FSSO user

With Fortinet Single Sign On (FSSO), users on a Microsoft Windows or Novell network can use their network authentication to access resources through the FortiGate unit. Access is controlled through FSSO user groups which contain Windows or Novell user groups as their members.


PKI or Peer user      A Public Key Infrastructure (PKI) or peer user is a digital certificate holder who authen- ticates using a client certificate. No password is required, unless two-factor authen- tication is enabled.


IM Users

IM users are not authenticated. The FortiGate unit can allow or block each IM user name from accessing the IM protocols. A global policy for each IM protocol governs access to these protocols by unknown users.


Guest Users             Guest user accounts are temporary. The account expires after a selected period of time.


This section includes:

  • Local and remote users
  • PKI or peer users
  • Two-factor authentication
  • FortiToken
  • Monitoring users

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Don't Forget To visit the YouTube Channel for the latest Fortinet Training Videos and Question / Answer sessions!
- FortinetGuru YouTube Channel
- FortiSwitch Training Videos

Cybersecurity Videos and Training Available Via: Office of The CISO Security Training Videos