Users and user groups

FortiGate authentication controls system access by user group. By assigning individual users to the appropriate user groups you can control each user’s access to network resources. The members of user groups are user accounts, of which there are several types. Local users and peer users are defined on the FortiGate unit. User accounts can also be defined on remote authentication servers.

This section describes how to configure local users and peer users and then how to configure user groups. For information about configuration of authentication servers see Authentication servers on page 451.

This section contains the following topics:

  • Users
  • User groups

Users

A user is a user account consisting of username, password, and in some cases other information, configured on the FortiGate unit or on an external authentication server. Users can access resources that require authentication only if they are members of an allowed user group. There are several different types of user accounts with slightly different methods of authentication:

User type                   Authentication

Local user                  The username and password must match a user account stored on the FortiGate unit. Authentication is by FortiGate security policy.

Remote user                 The username must match a user account stored on the FortiGate unit, and the username and password must match a user account stored on the remote authentication server. FortiOS supports LDAP, RADIUS, and TACACS+ servers.

Authentication server user  A FortiGate user group can include user accounts or groups that exist on a remote authentication server.

FSSO user                   With Fortinet Single Sign On (FSSO), users on a Microsoft Windows or Novell network can use their network authentication to access resources through the FortiGate unit. Access is controlled through FSSO user groups, which contain Windows or Novell user groups as their members.

PKI or peer user            A Public Key Infrastructure (PKI) or peer user is a digital certificate holder who authenticates using a client certificate. No password is required, unless two-factor authentication is enabled.

IM user                     IM users are not authenticated. The FortiGate unit can allow or block each IM user name from accessing the IM protocols. A global policy for each IM protocol governs access to these protocols by unknown users.

Guest user                  Guest user accounts are temporary. The account expires after a selected period of time.
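As an added illustration that is not part of the handbook text, the FortiOS CLI configuration below defines a local user, a remote (RADIUS-checked) user and a user group holding both, then a second group whose membership comes from an LDAP server group (the "authentication server user" type). The server names, the address, the account names, the LDAP DN and the secret/password placeholders are assumed values chosen for this example.

```fortios
# Remote authentication server that remote users are checked against.
# "rad-srv", 192.0.2.10 and the secret placeholder are assumed values.
config user radius
    edit "rad-srv"
        set server "192.0.2.10"
        set secret <RADIUS-SHARED-SECRET>
    next
end
config user local
    # Local user: username and password are both stored on the FortiGate unit.
    edit "alice"
        set type password
        set passwd <ALICE-PASSWORD>
    next
    # Remote user: the username exists on the FortiGate unit, but the
    # password is verified by the RADIUS server defined above.
    edit "bob"
        set type radius
        set radius-server "rad-srv"
    next
end
# Group of named accounts. Security policies reference the group,
# never the individual users, which is what controls resource access.
config user group
    edit "vpn-users"
        set member "alice" "bob"
    next
end
# Authentication server user: no per-user entry on the FortiGate unit.
# Any account the LDAP server places in the named LDAP group is a member.
# "ldap-srv" is an assumed "config user ldap" entry; the DN is assumed too.
config user group
    edit "ldap-admins"
        set member "ldap-srv"
        config match
            edit 1
                set server-name "ldap-srv"
                set group-name "CN=admins,DC=example,DC=com"
            next
        end
    next
end
```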


This section includes:

  • Local and remote users
  • PKI or peer users
  • Two-factor authentication
  • FortiToken
  • Monitoring users
This entry was posted in FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
