Firewall Authentication

Authentication Methods

• Local password 

• RADIUS 

• TACACS+ 

• POP3 (requires an email address) 

• LDAP 

• 2FA is supported 

To create a local user account

• User & Authentication > User Definition 

• To use a remote server, select Remote Groups > Add. 

Configuring an LDAP server to work with FortiGate

• User & Authentication > LDAP Servers 

• CLI command for testing user credentials to the LDAP server, # diagnose test authserver ldap <server> <username> <password> 

Configuring RADIUS Server

• User & Authentication > RADIUS Servers 

• CLI command for testing user credentials to the RADIUS server, # diagnose test authserver radius <server> <username> <password> 

Setting up FortiToken to a User

• User & Authentication > FortiTokens 

• 2 free mobile tokens per FortiGate, purchase additional activation if more tokens are needed. 

• Ensure 2FA for a user, select FortiToken > select the actual token to assign to the user.Token > select the actual token to assign to 

Types of user groups

• Firewall 

• Guest 

• Fortinet Single sign-on (FSSO) 

• RADIUS SSO (RSSO) 

• Create a user group, User & Authentication > User Groups > New | Members = users, Remote Groups = pre-config remote servers to the group.  

Firewall Policy 

• Include the following: 

  • Name 

  • Incoming interface – Ingress interface for incoming traffic 

  • Outgoing interface  - Egress interface for outgoing traffic 

  • Source – The sender of the traffic 

  • Destination – The intended destination of the traffic 

  • Schedule 

  • Service – Type of service or protocol 

  • Action – Accept or Deny 

• Monitor authenticated users, Dashboard > User & Devices > Firewall Users. This view enables you de-authenticate a user at any time. 

• The firewall policy must allow the HTTP, HTTPS, FTP and/or Telnet protocols in order for the user to be prompted for credentials.