FortiGate Users and user groups

Firewall user groups

Firewall user groups are used locally as part of authentication. When a security policy allows access only to specified user groups, users must authenticate. If the user authenticates successfully and is a member of one of the permitted groups, the session is allowed to proceed.

This section includes:

  • SSL VPN access
  • IPsec VPN access
  • Configuring a firewall user group
  • Multiple group enforcement support
  • User group timeouts

SSL VPN access

SSL VPN settings include a list of the firewall user groups that can access the SSL VPN and the SSL VPN portal that each group will use. When the user connects to the FortiGate unit via HTTPS on the SSL VPN port (default 10443), the FortiGate unit requests a username and password.

SSL VPN access also requires a security policy where the destination is the SSL interface. For more information, see the FortiOS Handbook SSL VPN guide.

IPsec VPN access

A firewall user group can provide access for dialup users of an IPsec VPN. In this case, the IPsec VPN phase 1 configuration uses the Accept peer ID in dialup group peer option. The user’s VPN client is configured with the username as peer ID and the password as pre-shared key. The user can connect successfully to the IPsec VPN only if the username is a member of the allowed user group and the password matches the one stored on the FortiGate unit.

For more information, see the FortiOS Handbook IPsec VPN guide.

Configuring a firewall user group

A user group can contain:

  • local users, whether authenticated by the FortiGate unit or an authentication server
  • PKI users
  • authentication servers, optionally specifying particular user groups on the server

To create a Firewall user group – web-based manager:

  1. Go to User & Device > User Groups and select Create New.
  2. Enter a name for the user group.
  3. In Type, select Firewall.
  4. Add user names to the Members.
  5. Add authentication servers to the Remote groups.

By default all user accounts on the authentication server are members of this FortiGate user group. To include only specific user groups from the authentication server, deselect Any and enter the group name in the appropriate format for the type of server. For example, an LDAP server requires LDAP format, such as: cn=users,dn=office,dn=example,dn=com

Remote servers must already be configured in User & Device.

  6. Select OK.

To create a firewall user group – CLI example:

In this example, the members of accounting_group are User1 and all of the members of rad_accounting_group on the myRADIUS external RADIUS server.

    config user group
        edit accounting_group
            set group-type firewall
            set member User1 myRADIUS
            config match
                edit 0
                    set server-name myRADIUS
                    set group-name rad_accounting_group
            end
    end

Matching user group names from an external authentication server might not work if the list of group memberships for the user is longer than 8000 bytes. Group names beyond this limit are ignored.

server_name is the name of the RADIUS, LDAP, or TACACS+ server, but it must be a member of this group first and must also be a configured remote server on the FortiGate unit.

group_name is the name of the group on the RADIUS, LDAP, or TACACS+ server such as “engineering” or “cn=users,dc=test,dc=com”.

Before using group matching with TACACS+, you must first enable authorization on the server entry. For example, if you have a configured TACACS+ server called myTACS, use the following CLI commands:

    config user tacacs+
        edit myTACS
            set authorization enable
        next
    end

For more information about user group CLI commands, see the Fortinet CLI Guide.

Multiple group enforcement support

Previously, when a user belonged to multiple user groups, this user could only access the group services that were within one group. With multiple group enforcement, a user can access the services within the groups that the user is part of.

For example, userA belongs to user_group1, user_group2, user_group3, and user_group4; previously userA could only access services within one of those four groups, typically the group that matches the first security policy. This can be annoying if HTTP access is in user_group1, FTP access is in user_group2, and email access is in user_group3. Now userA can access services within user_group1, user_group2, user_group3, and user_group4.

This feature is available only in the CLI and is enabled by default. It applies to RADIUS, LDAP, and TACACS+ servers. The new command for this feature is auth-multi-group found in config user settings and checks all groups a user belongs to for authentication.
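The userA scenario above, as an added Python model (not Fortinet code) of how policy matching differs with auth-multi-group disabled and enabled; the group and service names are constructed from the example, and the "first matching policy binds the user to one group" rule is the legacy behaviour the text describes:

```python
# Constructed sample modelled on the userA example in the text
USER_GROUPS = ["user_group1", "user_group2", "user_group3", "user_group4"]

# Security policies in evaluation order: (service, user group the policy allows)
POLICIES = [
    ("HTTP", "user_group1"),
    ("FTP", "user_group2"),
    ("email", "user_group3"),
    ("SSH", "admins"),          # userA is not a member; never allowed
]


def allowed_services(user_groups, policies, auth_multi_group):
    """Return the set of services a user can reach after one authentication.

    auth-multi-group enable (the default): every group the user belongs to
    is checked against every policy.
    auth-multi-group disable (legacy): the user is bound to the single group
    matched by the first policy they hit, and later policies are evaluated
    against that group only.
    """
    if auth_multi_group:
        return {svc for svc, grp in policies if grp in user_groups}
    bound = next((grp for _, grp in policies if grp in user_groups), None)
    if bound is None:
        return set()
    return {svc for svc, grp in policies if grp == bound}


if __name__ == "__main__":
    print("disable:", sorted(allowed_services(USER_GROUPS, POLICIES, False)))
    print("enable: ", sorted(allowed_services(USER_GROUPS, POLICIES, True)))
```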

User group timeouts

User groups can have timeout values per group in addition to FortiGate-wide timeouts. There are essentially three different types of timeouts that are configurable for user authentication on the FortiGate unit — idle timeout, hard timeout, and session timeout. These are in addition to any external timeouts such as those associated with RADIUS servers.

If VDOMs are enabled, the global level user setting authtimeout is the default all VDOMs inherit. If VDOMs are not enabled, user settings authtimeout is the default. The default timeout value is used when the authtimeout keyword for a user group is set to zero.

Each type of timeout will be demonstrated using the existing user group example_group. Timeout units are minutes. A value of zero indicates the global timeout is used.

Membership in multiple groups

When a user belongs to multiple groups in RADIUS groups, the group auth-timeout values are ignored. Instead the global timeout value is used. The default value is 5 minutes, but it can be set from 1 to 43200 minutes (30 days).

    config user setting
        set auth-timeout-type idle-timeout
        set auth-timeout 300
    end

Idle timeout

The default type of timeout is idle timeout. When a user initiates a session, it starts a timer. As long as data is transferred in this session, the timer continually resets. If data flow stops, the timer is allowed to advance until it reaches its limit. At that time the user has been idle for too long, and the user is forced to re-authenticate before traffic is allowed to continue in that session.

To configure user group authentication idle timeout – CLI:

    config user setting
        set auth-timeout-type idle-timeout
    end
    config user group
        edit example_group
            set authtimeout 5    // range is 0-43200 minutes (0 = use global authtimeout value)
        next
    end

Hard timeout

Where the idle timeout is reset with traffic, the hard timeout is absolute. From the time the first session a user establishes starts, the hard timeout counter starts. When the timeout is reached, all the sessions for that user must be re-authenticated. This timeout is not affected by any event.

To configure user group authentication hard timeout – CLI:

    config user setting
        set auth-timeout-type hard-timeout
    end
    config user group
        edit example_group
            set authtimeout 43200    // range is 0-43200 minutes (0 = use global authtimeout value)
        next
    end

Session timeout

The session timeout works much like the hard timeout in that it is an absolute timer that cannot be affected by events. However, when the timeout is reached, existing sessions may continue but new sessions are not allowed until re-authentication takes place.

To configure a user group authentication new-session timeout – CLI:

    config user setting
        set auth-timeout-type new-session
    end
    config user group
        edit example_group
            set authtimeout 30    // range is 0-43200 minutes (0 = use global authtimeout value)
        next
    end
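The three timeout types and the rules for resolving which value applies (authtimeout 0 falls back to the global value; membership in several RADIUS groups ignores the group value), as an added Python model that is not part of the FortiOS Handbook. Times are in minutes, the idle timer is tracked per session, and AuthState is a constructed helper:

```python
from dataclasses import dataclass

# Values from the text: the global auth-timeout defaults to 5 minutes and
# both authtimeout and auth-timeout accept at most 43200 minutes (30 days).
GLOBAL_AUTH_TIMEOUT = 5
MAX_AUTH_TIMEOUT = 43200


def effective_timeout(group_authtimeout, global_timeout=GLOBAL_AUTH_TIMEOUT,
                      radius_group_count=1):
    """Resolve the timeout (minutes) that applies to a user.

    authtimeout 0 on the group means "use the global value", and a user who
    belongs to several RADIUS groups also gets the global value because the
    per-group values are ignored in that case.
    """
    if not 0 <= group_authtimeout <= MAX_AUTH_TIMEOUT:
        raise ValueError("authtimeout must be in the range 0-43200 minutes")
    if group_authtimeout == 0 or radius_group_count > 1:
        return global_timeout
    return group_authtimeout


@dataclass
class AuthState:
    auth_at: int       # minute at which the user first authenticated
    last_traffic: int  # minute of the most recent packet in the session


def decision(timeout_type, state, now, timeout):
    """Return (existing_session_ok, new_session_ok) at minute `now`.

    idle-timeout: timer restarts on traffic; on expiry the user must
                  re-authenticate before the session carries on.
    hard-timeout: absolute from first authentication; on expiry every
                  session of the user needs re-authentication.
    new-session:  absolute like hard-timeout, but existing sessions may
                  continue and only new sessions are refused.
    """
    if timeout_type == "idle-timeout":
        alive = now - state.last_traffic < timeout
        return (alive, alive)
    if timeout_type == "hard-timeout":
        alive = now - state.auth_at < timeout
        return (alive, alive)
    if timeout_type == "new-session":
        return (True, now - state.auth_at < timeout)
    raise ValueError(f"unknown auth-timeout-type: {timeout_type}")
```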

SSO user groups

SSO user groups are part of FSSO authentication and contain only Windows or Novell network users. No other user types are permitted as members. Information about the Windows or Novell user groups and the logon activities of their members is provided by the Fortinet Single Sign-On (FSSO) agent, which is installed on the network domain controllers.

You can specify FSSO user groups in security policies in the same way as you specify firewall user groups. FSSO user groups cannot have SSL VPN or dialup IPsec VPN access.

Configuring peer user groups

Peer user groups can only be configured using the CLI. Peers are digital certificate holders defined using the config user peer command. The peer groups you define here are used in dialup IPsec VPN configurations that accept RSA certificate authentication from members of a peer certificate group.

To create a peer group – CLI

    config user peergrp
        edit vpn_peergrp1
            set member pki_user1 pki_user2 pki_user3
    end

Viewing, editing, and deleting user groups

To view the list of FortiGate user groups, go to User & Device > User Groups.

Editing a user group

When editing a user group in the CLI you must set the type of group this will be — either a firewall group, a Fortinet Single Sign-On Service group (FSSO), a RADIUS-based Single Sign-On Service group (RSSO), or a guest group. Once the type of group is set and members are added, you cannot change the group type without removing the members.

In the web-based manager, if you change the type of the group any members will be removed automatically.

To edit a user group – web-based manager

  1. Go to User & Device > User Groups.
  2. Select the user group that you want to edit.
  3. Select the Edit
  4. Modify the user group as needed.
  5. Select OK.

To edit a user group – CLI

This example adds user3 to Group1. Note that you must re-specify the full list of users:

    config user group
        edit Group1
            set group-type firewall
            set member user2 user4 user3
    end

Deleting a user group

Before you delete a user group, you must ensure there are no objects referring to it, such as security policies. If there are, you must remove those references before you are able to delete the user group.

To remove a user group – web-based manager

  1. Go to User & Device > User Groups.
  2. Select the user group that you want to remove.
  3. Select the Delete
  4. Select OK.

To remove a user group – CLI

    config user group
        delete Group2
    end

SSL renegotiation in firewall authentication

The auth-ssl-allow-renegotiation option is available under config user setting to allow/forbid SSL renegotiation in firewall authentication. The default value is disable, where a session would be terminated by authd once renegotiation is detected and this login would be recorded as a failure. Other behavior follows regular authentication settings.

To enable SSL renegotiation – CLI

    config user setting
        set auth-ssl-allow-renegotiation enable
    end


This entry was posted in Administration Guides, FortiGate, FortiOS 6.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
