Fortinet black logo

CLI Reference

user setting

Configure user authentication setting.

  config user setting
      Description: Configure user authentication setting.
      set auth-type {option1}, {option2}, ...
      set auth-cert {string}
      set auth-ca-cert {string}
      set auth-secure-http [enable|disable]
      set auth-http-basic [enable|disable]
      set auth-ssl-allow-renegotiation [enable|disable]
      set auth-src-mac [enable|disable]
      set auth-on-demand [always|implicitly]
      set auth-timeout {integer}
      set auth-timeout-type [idle-timeout|hard-timeout|...]
      set auth-portal-timeout {integer}
      set radius-ses-timeout-act [hard-timeout|ignore-timeout]
      set auth-blackout-time {integer}
      set auth-invalid-max {integer}
      set auth-lockout-threshold {integer}
      set auth-lockout-duration {integer}
      set per-policy-disclaimer [enable|disable]
      config auth-ports
          Description: Set up non-standard ports for authentication with HTTP, HTTPS, FTP, and TELNET.
          edit <id>
              set type [http|https|...]
              set port {integer}
          next
      end
      set auth-ssl-min-proto-version [default|SSLv3|...]
  end

config user setting

Parameter Name Description Type Size
auth-type Supported firewall policy authentication protocols/methods.
http: Allow HTTP authentication.
https: Allow HTTPS authentication.
ftp: Allow FTP authentication.
telnet: Allow TELNET authentication.
option -
auth-cert HTTPS server certificate for policy authentication. string Maximum length: 35
auth-ca-cert HTTPS CA certificate for policy authentication. string Maximum length: 35
auth-secure-http Enable/disable redirecting HTTP user authentication to more secure HTTPS.
enable: Enable setting.
disable: Disable setting.
option -
auth-http-basic Enable/disable use of HTTP basic authentication for identity-based firewall policies.
enable: Enable setting.
disable: Disable setting.
option -
auth-ssl-allow-renegotiation Allow/forbid SSL re-negotiation for HTTPS authentication.
enable: Allow SSL re-negotiation.
disable: Forbid SSL re-negotiation.
option -
auth-src-mac Enable/disable source MAC for user identity.
enable: Enable source MAC for user identity.
disable: Disable source MAC for user identity.
option -
auth-on-demand Always/implicitly trigger firewall authentication on demand.
always: Always trigger firewall authentication on demand.
implicitly: Implicitly trigger firewall authentication on demand.
option -
auth-timeout Time in minutes before the firewall user authentication timeout requires the user to re-authenticate. integer Minimum value: 1 Maximum value: 1440
auth-timeout-type Control if authenticated users have to login again after a hard timeout, after an idle timeout, or after a session timeout.
idle-timeout: Idle timeout.
hard-timeout: Hard timeout.
new-session: New session timeout.
option -
auth-portal-timeout Time in minutes before captive portal user have to re-authenticate (1 - 30 min, default 3 min). integer Minimum value: 1 Maximum value: 30
radius-ses-timeout-act Set the RADIUS session timeout to a hard timeout or to ignore RADIUS server session timeouts.
hard-timeout: Use session timeout from RADIUS as hard-timeout.
ignore-timeout: Ignore session timeout from RADIUS.
option -
auth-blackout-time Time in seconds an IP address is denied access after failing to authenticate five times within one minute. integer Minimum value: 0 Maximum value: 3600
auth-invalid-max Maximum number of failed authentication attempts before the user is blocked. integer Minimum value: 1 Maximum value: 100
auth-lockout-threshold Maximum number of failed login attempts before login lockout is triggered. integer Minimum value: 1 Maximum value: 10
auth-lockout-duration Lockout period in seconds after too many login failures. integer Minimum value: 0 Maximum value: 4294967295
per-policy-disclaimer Enable/disable per policy disclaimer.
enable: Enable per policy disclaimer.
disable: Disable per policy disclaimer.
option -
auth-ssl-min-proto-version Minimum supported protocol version for SSL/TLS connections (default is to follow system global setting).
default: Follow system global setting.
SSLv3: SSLv3.
TLSv1: TLSv1.
TLSv1-1: TLSv1.1.
TLSv1-2: TLSv1.2.
option -
Parameter Name Description Type Size
type Service type.
http: HTTP service.
https: HTTPS service.
ftp: FTP service.
telnet: TELNET service.
option -
port Non-standard port for firewall user authentication. integer Minimum value: 1 Maximum value: 65535

Configure user authentication setting.

  config user setting
      Description: Configure user authentication setting.
      set auth-type {option1}, {option2}, ...
      set auth-cert {string}
      set auth-ca-cert {string}
      set auth-secure-http [enable|disable]
      set auth-http-basic [enable|disable]
      set auth-ssl-allow-renegotiation [enable|disable]
      set auth-src-mac [enable|disable]
      set auth-on-demand [always|implicitly]
      set auth-timeout {integer}
      set auth-timeout-type [idle-timeout|hard-timeout|...]
      set auth-portal-timeout {integer}
      set radius-ses-timeout-act [hard-timeout|ignore-timeout]
      set auth-blackout-time {integer}
      set auth-invalid-max {integer}
      set auth-lockout-threshold {integer}
      set auth-lockout-duration {integer}
      set per-policy-disclaimer [enable|disable]
      config auth-ports
          Description: Set up non-standard ports for authentication with HTTP, HTTPS, FTP, and TELNET.
          edit <id>
              set type [http|https|...]
              set port {integer}
          next
      end
      set auth-ssl-min-proto-version [default|SSLv3|...]
  end

config user setting

Parameter Name Description Type Size
auth-type Supported firewall policy authentication protocols/methods.
http: Allow HTTP authentication.
https: Allow HTTPS authentication.
ftp: Allow FTP authentication.
telnet: Allow TELNET authentication.
option -
auth-cert HTTPS server certificate for policy authentication. string Maximum length: 35
auth-ca-cert HTTPS CA certificate for policy authentication. string Maximum length: 35
auth-secure-http Enable/disable redirecting HTTP user authentication to more secure HTTPS.
enable: Enable setting.
disable: Disable setting.
option -
auth-http-basic Enable/disable use of HTTP basic authentication for identity-based firewall policies.
enable: Enable setting.
disable: Disable setting.
option -
auth-ssl-allow-renegotiation Allow/forbid SSL re-negotiation for HTTPS authentication.
enable: Allow SSL re-negotiation.
disable: Forbid SSL re-negotiation.
option -
auth-src-mac Enable/disable source MAC for user identity.
enable: Enable source MAC for user identity.
disable: Disable source MAC for user identity.
option -
auth-on-demand Always/implicitly trigger firewall authentication on demand.
always: Always trigger firewall authentication on demand.
implicitly: Implicitly trigger firewall authentication on demand.
option -
auth-timeout Time in minutes before the firewall user authentication timeout requires the user to re-authenticate. integer Minimum value: 1 Maximum value: 1440
auth-timeout-type Control if authenticated users have to login again after a hard timeout, after an idle timeout, or after a session timeout.
idle-timeout: Idle timeout.
hard-timeout: Hard timeout.
new-session: New session timeout.
option -
auth-portal-timeout Time in minutes before captive portal user have to re-authenticate (1 - 30 min, default 3 min). integer Minimum value: 1 Maximum value: 30
radius-ses-timeout-act Set the RADIUS session timeout to a hard timeout or to ignore RADIUS server session timeouts.
hard-timeout: Use session timeout from RADIUS as hard-timeout.
ignore-timeout: Ignore session timeout from RADIUS.
option -
auth-blackout-time Time in seconds an IP address is denied access after failing to authenticate five times within one minute. integer Minimum value: 0 Maximum value: 3600
auth-invalid-max Maximum number of failed authentication attempts before the user is blocked. integer Minimum value: 1 Maximum value: 100
auth-lockout-threshold Maximum number of failed login attempts before login lockout is triggered. integer Minimum value: 1 Maximum value: 10
auth-lockout-duration Lockout period in seconds after too many login failures. integer Minimum value: 0 Maximum value: 4294967295
per-policy-disclaimer Enable/disable per policy disclaimer.
enable: Enable per policy disclaimer.
disable: Disable per policy disclaimer.
option -
auth-ssl-min-proto-version Minimum supported protocol version for SSL/TLS connections (default is to follow system global setting).
default: Follow system global setting.
SSLv3: SSLv3.
TLSv1: TLSv1.
TLSv1-1: TLSv1.1.
TLSv1-2: TLSv1.2.
option -
Parameter Name Description Type Size
type Service type.
http: HTTP service.
https: HTTPS service.
ftp: FTP service.
telnet: TELNET service.
option -
port Non-standard port for firewall user authentication. integer Minimum value: 1 Maximum value: 65535