CLI Reference

user setting

Use this command to configure per VDOM user settings such as the firewall user authentication time out and protocol support for firewall policy authentication.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.2.

Command: set auth-src-mac {enable | disable}

Description: Enable (by default) or disable source MAC user identity check for firewall authentication.

config user setting
    set auth-type {http | https | ftp | telnet}   Supported firewall policy authentication protocols/methods.
            http    Allow HTTP authentication.
            https   Allow HTTPS authentication.
            ftp     Allow FTP authentication.
            telnet  Allow TELNET authentication.
    set auth-cert {string}   HTTPS server certificate for policy authentication. size[35] - datasource(s): vpn.certificate.local.name
    set auth-ca-cert {string}   HTTPS CA certificate for policy authentication. size[35] - datasource(s): vpn.certificate.local.name
    set auth-secure-http {enable | disable}   Enable/disable redirecting HTTP user authentication to more secure HTTPS.
    set auth-http-basic {enable | disable}   Enable/disable use of HTTP basic authentication for identity-based firewall policies.
    set auth-ssl-allow-renegotiation {enable | disable}   Allow/forbid SSL re-negotiation for HTTPS authentication.
    set auth-src-mac {enable | disable}   Enable/disable source MAC for user identity.
    set auth-timeout {integer}   Time in minutes before the firewall user authentication timeout requires the user to re-authenticate. range[1-1440]
    set auth-timeout-type {idle-timeout | hard-timeout | new-session}   Control if authenticated users have to login again after a hard timeout, after an idle timeout, or after a session timeout.
            idle-timeout  Idle timeout.
            hard-timeout  Hard timeout.
            new-session   New session timeout.
    set auth-portal-timeout {integer}   Time in minutes before captive portal users have to re-authenticate (1 - 30 min, default 3 min). range[1-30]
    set radius-ses-timeout-act {hard-timeout | ignore-timeout}   Set the RADIUS session timeout to a hard timeout or to ignore RADIUS server session timeouts.
            hard-timeout    Use session timeout from RADIUS as hard-timeout.
            ignore-timeout  Ignore session timeout from RADIUS.
    set auth-blackout-time {integer}   Time in seconds an IP address is denied access after failing to authenticate five times within one minute. range[0-3600]
    set auth-invalid-max {integer}   Maximum number of failed authentication attempts before the user is blocked. range[1-100]
    set auth-lockout-threshold {integer}   Maximum number of failed login attempts before login lockout is triggered. range[1-10]
    set auth-lockout-duration {integer}   Lockout period in seconds after too many login failures. range[0-4294967295]
    config auth-ports
        edit {id}
        # Set up non-standard ports for authentication with HTTP, HTTPS, FTP, and TELNET.
            set id {integer}   ID. range[0-4294967295]
            set type {http | https | ftp | telnet}   Service type.
                    http    HTTP service.
                    https   HTTPS service.
                    ftp     FTP service.
                    telnet  TELNET service.
            set port {integer}   Non-standard port for firewall user authentication. range[1-65535]
        next
end
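The following script is an added example, not code from the Fortinet CLI Reference: it parses a `config user setting` block in the config/edit/set/next/end syntax shown above and reports the values that weaken firewall policy authentication, using the defaults documented on this page (auth-secure-http disabled, auth-timeout 5 minutes, auth-blackout-time 0, auth-ports type http and port 1024). Both configurations embedded in it are constructed samples, one permissive and one hardened, so the audit can be run offline against a `show user setting` style dump.

```python
"""Audit a FortiOS `config user setting` block for weak authentication choices.

Added example, not code from the Fortinet CLI Reference.  The parser follows
the config/edit/set/next/end syntax of the reference; the thresholds use the
defaults documented on this page.  Both configurations are constructed samples.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample: a permissive configuration.
WEAK_CONFIG = """\
config user setting
    set auth-type http https ftp telnet
    set auth-secure-http disable
    set auth-ssl-allow-renegotiation enable
    set auth-timeout 60
    set auth-blackout-time 0
    set auth-lockout-duration 0
    config auth-ports
        edit 1
            set type telnet
            set port 2323
        next
    end
end
"""

# Constructed sample: the same block with hardened choices.
HARDENED_CONFIG = """\
config user setting
    set auth-type https
    set auth-secure-http enable
    set auth-ssl-allow-renegotiation disable
    set auth-timeout 5
    set auth-blackout-time 300
    set auth-lockout-threshold 3
    set auth-lockout-duration 600
    config auth-ports
        edit 1
            set type https
            set port 8443
        next
    end
end
"""


@dataclass
class Block:
    """One config or edit scope: its `set` values and its nested scopes."""
    name: str
    settings: dict[str, list[str]] = field(default_factory=dict)
    children: list[Block] = field(default_factory=list)


def parse_fortios(text: str) -> Block:
    """Build a tree of Blocks from FortiOS config/edit/set/next/end lines."""
    root = Block("root")
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments
        if line.startswith(("config ", "edit ")):
            block = Block(line.replace('"', ""))
            stack[-1].children.append(block)
            stack.append(block)
        elif line in ("next", "end"):
            if len(stack) > 1:
                stack.pop()
        elif line.startswith("set "):
            key, _, rest = line[4:].partition(" ")
            # Multi-valued options (auth-type) become a list; quotes are dropped.
            stack[-1].settings[key] = [v.strip('"') for v in rest.split()]
    return root


def audit_user_setting(text: str) -> list[str]:
    """Return one finding per setting that weakens policy authentication."""
    us = next(b for b in parse_fortios(text).children if b.name == "config user setting")
    s = us.settings
    findings: list[str] = []
    if s.get("auth-secure-http", ["disable"]) == ["disable"]:
        findings.append("auth-secure-http disabled: HTTP logins are not redirected to HTTPS")
    cleartext = sorted(set(s.get("auth-type", ["http", "https", "ftp", "telnet"])) - {"https"})
    if cleartext:
        findings.append("auth-type allows cleartext methods: " + " ".join(cleartext))
    if s.get("auth-ssl-allow-renegotiation") == ["enable"]:
        findings.append("auth-ssl-allow-renegotiation enabled for HTTPS authentication")
    timeout = int(s.get("auth-timeout", ["5"])[0])
    if timeout > 5:
        findings.append(f"auth-timeout {timeout} min is above the recommended default of 5")
    if int(s.get("auth-blackout-time", ["0"])[0]) == 0:
        findings.append("auth-blackout-time 0: five failures in a minute never deny the source IP")
    if "auth-lockout-duration" in s and int(s["auth-lockout-duration"][0]) == 0:
        findings.append("auth-lockout-duration 0: login lockout is disabled")
    for cfg in us.children:
        if cfg.name != "config auth-ports":
            continue
        for entry in cfg.children:
            kind = entry.settings.get("type", ["http"])[0]
            port = entry.settings.get("port", ["1024"])[0]
            if kind != "https":
                findings.append(f"auth-ports {entry.name}: {kind} on port {port} sends credentials in cleartext")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_user_setting(cfg))
```

Options the dump does not mention are treated as being at the documented default, which is how `show` output behaves; auth-lockout-duration is only checked when it is set explicitly, because this page does not state its default.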

Additional information

The following section is for those options that require additional explanation.

auth-blackout-time <seconds>

When a firewall authentication attempt fails five times within one minute, the IP address (that is the source of the authentication attempts) is denied access for this period of time in seconds. Set the value between 0-3600 (or no denial to one hour). The default is set to 0.

auth-ca-cert <ca-cert>

If the built-in certificate is not used here, specify the CA certificate to use instead.

auth-cert <cert>

HTTPS server certificate for policy authentication. Select from built-in defaults or custom certificates. The built-in Fortinet_Factory certificate is set by default.

auth-http-basic {enable | disable}

Enable or disable (by default) support for HTTP basic authentication for identity-based firewall policies. HTTP basic authentication usually causes a browser to display a pop-up authentication window instead of an authentication web page. An example to use this would be for web browsers on mobile devices, as some may only support HTTP basic authentication.

auth-invalid-max <failed-attempts>

Maximum number of failed authentication attempts before the client is blocked. Set the value between 1-100. The default is set to 5.

auth-lockout-duration <seconds>

Period of time in seconds that login lockout lasts for. Set the value between 1-4294967295 (or one second to 136+ years), or 0 for no lockout.

auth-lockout-threshold <login-attempts>

Number of login attempts before a login lockout is triggered. Set the value between 1-10. The default is set to 3.
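To make the interaction of auth-blackout-time, auth-invalid-max, auth-lockout-threshold and auth-lockout-duration visible, the following added example (not Fortinet code, and not a description of FortiOS's real counters) replays a constructed trace of authentication attempts under the page's defaults and under a hardened policy. The model assumes that the IP blackout counts failures in a sliding 60-second window (the "five times within one minute" rule), that the account lockout counts consecutive failures and resets on success, and that attempts made while blacked out or locked out are rejected without being counted.

```python
"""Simplified model of the blackout and lockout timers in `config user setting`.

Added example, not Fortinet code.  Model assumptions: the IP blackout counts
failures in a sliding 60-second window; the account lockout counts consecutive
failures and resets on success; attempts made while blacked out or locked out
are rejected without being counted.  The attempt trace is constructed.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class AuthPolicy:
    auth_blackout_time: int = 0      # seconds; 0 = never deny an IP (page default)
    auth_lockout_threshold: int = 3  # failures before lockout (page default)
    auth_lockout_duration: int = 0   # seconds; 0 = no lockout


class AuthGuard:
    BLACKOUT_FAILURES = 5   # "five times within one minute"
    BLACKOUT_WINDOW = 60    # seconds

    def __init__(self, policy: AuthPolicy) -> None:
        self.policy = policy
        self.ip_failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.ip_denied_until = {}               # ip -> end of blackout
        self.user_failures = defaultdict(int)   # user -> consecutive failures
        self.user_locked_until = {}             # user -> end of lockout

    def attempt(self, t: int, ip: str, user: str, password_ok: bool) -> str:
        """Return 'allowed', 'failed', 'blackout' or 'lockout' for one attempt."""
        if self.ip_denied_until.get(ip, -1) > t:
            return "blackout"
        if self.user_locked_until.get(user, -1) > t:
            return "lockout"
        if password_ok:
            self.user_failures[user] = 0
            return "allowed"
        # Count the failure against the source IP within the sliding window.
        recent = self.ip_failures[ip]
        recent.append(t)
        while recent and recent[0] <= t - self.BLACKOUT_WINDOW:
            recent.popleft()
        if len(recent) >= self.BLACKOUT_FAILURES and self.policy.auth_blackout_time > 0:
            self.ip_denied_until[ip] = t + self.policy.auth_blackout_time
            recent.clear()
        # Count the failure against the account.
        self.user_failures[user] += 1
        if (self.user_failures[user] >= self.policy.auth_lockout_threshold
                and self.policy.auth_lockout_duration > 0):
            self.user_locked_until[user] = t + self.policy.auth_lockout_duration
            self.user_failures[user] = 0
        return "failed"


# Constructed trace: (seconds, source IP, account, correct password?).
# 10.0.0.9 sprays several accounts; 10.0.0.50 is bob's own workstation.
ATTEMPTS = [
    (0, "10.0.0.9", "alice", False),
    (5, "10.0.0.9", "bob", False),
    (10, "10.0.0.9", "bob", False),
    (15, "10.0.0.9", "bob", False),
    (20, "10.0.0.9", "bob", False),
    (25, "10.0.0.9", "carol", False),
    (30, "10.0.0.9", "dave", False),
    (40, "10.0.0.50", "bob", True),
    (340, "10.0.0.9", "alice", False),
    (700, "10.0.0.50", "bob", True),
]

DEFAULT_POLICY = AuthPolicy()
HARDENED_POLICY = AuthPolicy(auth_blackout_time=300, auth_lockout_threshold=3,
                             auth_lockout_duration=600)


def run_trace(policy: AuthPolicy) -> list[str]:
    """Replay the constructed trace and return the outcome of each attempt."""
    guard = AuthGuard(policy)
    return [guard.attempt(*a) for a in ATTEMPTS]


if __name__ == "__main__":
    for name, policy in (("defaults", DEFAULT_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, run_trace(policy))
```

Under the defaults (blackout 0, lockout duration 0) nothing slows the trace down. Under the hardened policy the third failure on bob locks the account at t=15 and the fifth failure from 10.0.0.9 blacks out the IP at t=25; the trace also shows the cost of account lockout, since bob's legitimate login from his own workstation at t=40 is rejected until the lockout expires, which is why the blackout (per source IP) and the lockout (per account) are worth tuning together.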

auth-portal-timeout <minutes>

Period of time in minutes before the firewall Captive Portal authentication timeout requires the user to authenticate again. Set the value between 1-30 (or one minute to half an hour). The default is set to 3.

auth-secure-http {enable | disable}

Enable or disable (by default) redirecting HTTP user authentication to more secure HTTPS.

auth-timeout <minutes>

Period of time in minutes before the firewall user authentication timeout requires the user to authenticate again. Set the value between 1-1440 (or one minute to one day). To improve security, it's recommended to keep the authentication timeout at the default value of 5.

auth-timeout-type {idle-timeout | hard-timeout | new-session}

Type of authentication timeout.

  • idle-timeout: Applies only to idle sessions. This is set by default.
  • hard-timeout: Uses RADIUS timeout.
  • new-session: Applies only to new sessions.

auth-type {http | https | ftp | telnet}

Select the protocols that can be used for firewall policy authentication. Default is http https ftp telnet, which means firewall policy authentication can be done using HTTP, HTTPS, FTP or Telnet. You can remove protocols to limit the authentication options.

config auth-ports

A configuration table that maps authentication ports to their authentication types. Use edit to create a new entry and configure the settings described below.

port <port>

Authentication port number. Set the value between 1-65535. The default is set to 1024.

radius-ses-timeout-act {hard-timeout | ignore-timeout}

RADIUS session timeout action.

  • hard-timeout: Uses RADIUS timeout. This is set by default.
  • ignore-timeout: Ignores RADIUS timeout.

type {http | https | ftp | telnet}

The authentication protocol supported on this port for firewall policy authentication. Select which protocols (HTTP, HTTPS, FTP, and/or TELNET) should carry the authentication challenge on this port. The default is set to http.
