CLI Reference

user peer

Use this command to add or edit peer (digital certificate holder) information. Peers that you define can be used in the vpn ipsec phase1 command if peertype is set to peer. These peers can also be added to peer groups in the user peergrp command. This command refers to certificates imported into the FortiGate unit. You can import CA certificates using the vpn certificate ca command and local certificates using the vpn certificate local command.

config user peer
    edit {name}
    # Configure peer users.
        set name {string}   Peer name. size[35]
        set mandatory-ca-verify {enable | disable}   Determine what happens to the peer if the CA certificate is not installed. Disable to automatically consider the peer certificate as valid.
        set ca {string}   Name of the CA certificate as returned by the execute vpn certificate ca list command. size[127] - datasource(s): vpn.certificate.ca.name
        set subject {string}   Peer certificate name constraints. size[255]
        set cn {string}   Peer certificate common name. size[255]
        set cn-type {option}   Peer certificate common name type.
                string  Normal string.
                email   Email address.
                FQDN    Fully Qualified Domain Name.
                ipv4    IPv4 address.
                ipv6    IPv6 address.
        set ldap-server {string}   Name of an LDAP server defined under the user ldap command. Performs client access rights check. size[35] - datasource(s): user.ldap.name
        set ldap-username {string}   Username for LDAP server bind. size[35]
        set ldap-password {password_string}   Password for LDAP server bind. size[128]
        set ldap-mode {password | principal-name}   Mode for LDAP peer authentication.
                password        Username/password.
                principal-name  Principal name.
        set ocsp-override-server {string}   Online Certificate Status Protocol (OCSP) server for certificate retrieval. size[35] - datasource(s): vpn.certificate.ocsp-server.name
        set two-factor {enable | disable}   Enable/disable two-factor authentication, applying certificate and password-based authentication.
        set passwd {password_string}   Peer's password used for two-factor authentication. size[128]
    next
end

Additional information

The following section is for those options that require additional explanation.

ca <cert-ca>

Name of the CA certificate, as returned by the execute vpn certificate ca list command.

cn <cert-common-name>

Name of the peer certificate common name.

cn-type {string | email | FQDN | ipv4 | ipv6}

Peer certificate common name type.

  • string: Normal string. This is set by default.
  • email: User's email address.
  • FQDN: Fully qualified domain name.
  • ipv4: User's IPv4 address.
  • ipv6: User's IPv6 address.

ldap-mode {password | principal-name}

Mode for LDAP authentication.

  • password: Authenticate through user name and password. This is set by default.
  • principal-name: Authenticate through LDAP userPrincipalName attribute.

ldap-password <password>

Login password for the LDAP server.

ldap-server <server>

Name of an LDAP server defined under the user ldap command. Performs client access rights check for the defined peer.

ldap-username <name>

Login name for the LDAP server.

mandatory-ca-verify {enable | disable}

The peer certificate is validated against the CA certificates installed on the FortiGate unit. This setting, enabled by default, determines what happens if the issuing CA certificate is not installed:

  • enable: the peer is not authenticated.
  • disable: the peer certificate is automatically considered valid and the peer is authenticated.

ocsp-override-server <server>

Online Certificate Status Protocol (OCSP) server used to retrieve certificates. This applies if OCSP is enabled in the vpn certificate setting command.

passwd <password>

This peer's password for two-factor authentication. Note: this entry is only available when two-factor is set to enable.

subject [constraints]

Optionally, enter any peer certificate name constraints; the name defined here must match the certificate name for successful authentication.

two-factor {enable | disable}

Enable or disable (the default) two-factor authentication, which applies certificate-based and password-based authentication together. Once enabled, specify the password in the passwd entry.
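As an added example (not from the Fortinet reference), the weak setting beside the hardened one: the first peer is accepted even when its issuing CA is absent, while the second requires the CA, pins the certificate common name, names the OCSP server and is then referenced from phase1. The peer, CA and OCSP server names are assumptions, and the phase1 fragment assumes the remaining phase1 settings (authmethod, certificate, interface) are configured elsewhere.

```fortios
# Weak: mandatory-ca-verify disable means the peer certificate is considered
# valid even if its issuing CA is not installed on the FortiGate, and with no
# cn or subject constraint any certificate that parses is accepted.
config user peer
    edit "branch-peer-weak"
        set mandatory-ca-verify disable
    next
end

# Hardened: keep the default mandatory-ca-verify enable, bind the peer to a
# CA already imported (name as shown by "execute vpn certificate ca list"),
# pin the expected common name as an FQDN, and point at an OCSP server defined
# under vpn certificate ocsp-server (used only if OCSP is enabled under
# vpn certificate setting). "Example-Root-CA" and "ocsp-internal" are assumed.
config user peer
    edit "branch-peer"
        set mandatory-ca-verify enable
        set ca "Example-Root-CA"
        set cn "branch1.vpn.example.com"
        set cn-type FQDN
        set ocsp-override-server "ocsp-internal"
        set two-factor enable
        set passwd "<second-factor-secret>"
    next
end

# Reference the hardened peer from an IPsec phase1 with peertype set to peer.
config vpn ipsec phase1
    edit "to-branch1"
        set peertype peer
        set peer "branch-peer"
    next
end
```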
