
Administration Guide

Creating or editing a user

Use the Users/Groups Creation Wizard to create user accounts. From the User Definition page, select Create New or select a user and click Edit to start the wizard.

To create a local user:
  1. In the User Type page, select Local User and then select Next.

  2. In the Login Credentials page, enter a user name and password for the new user and then select Next.

  3. In the Contact Info page, enter an email address for the user and then select Next. Alternatively, you can supply the user's SMS contact information. To assign a FortiToken to the user, enable Two-factor Authentication and select a token from the drop-down menu provided. The Contact Info page is optional.

    FortiProxy supports the following 2FA options:

    • FortiToken—You can use hard tokens or mobile tokens.

      • Hard tokens must be registered and activated first before they appear in the dropdown list. See Registering and activating a hard token.

      • FortiProxy provides two trial mobile tokens ready for use from the dropdown list. You cannot add or import any other mobile tokens.

    • FortiToken Cloud—A Fortinet Identity and Access Management as a Service (IDaaS) cloud service that enables FortiProxy and FortiAuthenticator customers to add 2FA for their users using mobile or hard tokens.

      You can activate a free one-month FortiToken Cloud trial subscription for registered FortiCare accounts using the link in the GUI option or the execute fortitoken-cloud trial command in the CLI.

      To verify the activation status, run exe fortitoken-cloud show. To view the user list, run diagnose fortitoken-cloud show users.

      Note

      The FortiToken Cloud free trial can only be activated once. The option will not be available if another FortiToken Cloud trial subscription has been activated on the FortiProxy or with the registered FortiCare accounts.

    • Email—Enter an email address to send a 2FA code to that address.

    • SMS—Select the Country Dial Code and enter the Phone Number (sms-phone in the CLI) to send a 2FA code to. SMS messages can also be sent to the FortiGuard SMS server or a custom server.

  4. In the Extra Info page, select Enabled to make the new user active. To place the user into a group, enable User Group and then select a group from the drop-down menu. For information on user groups, see Create or edit a user group.

  5. Select Submit to create the new local user.

To create a remote RADIUS user:
  1. In the User Type page, select Remote RADIUS User and then select Next.

  2. In the RADIUS Server page, enter a user name, select a RADIUS server from the drop-down menu, and then select Next. For information on RADIUS servers, see Create or edit a RADIUS server.

  3. In the Contact Info page, enter an email address for the user and then select Next. Alternatively, you can supply the user's SMS contact information. To assign a FortiToken to the user, enable Two-factor Authentication and select a token from the drop-down menu provided. The Contact Info page is optional.

    FortiProxy supports the following 2FA options:

      • FortiToken—You can use hard tokens or mobile tokens.

        • Hard tokens must be registered and activated first before they appear in the dropdown list. See Registering and activating a hard token.

        • FortiProxy provides two trial mobile tokens ready for use from the dropdown list. You cannot add or import any other mobile tokens.

      • FortiToken Cloud—A Fortinet Identity and Access Management as a Service (IDaaS) cloud service that enables FortiProxy and FortiAuthenticator customers to add 2FA for their users using mobile or hard tokens.

        You can activate a free one-month FortiToken Cloud trial subscription for registered FortiCare accounts using the link in the GUI option or the execute fortitoken-cloud trial command in the CLI.

        To verify the activation status, run exe fortitoken-cloud show. To view the user list, run diagnose fortitoken-cloud show users.

        Note

        The FortiToken Cloud free trial can only be activated once. The option will not be available if another FortiToken Cloud trial subscription has been activated on the FortiProxy or with the registered FortiCare accounts.

      • Email—Enter an email address to send a 2FA code to that address.

      • SMS—Select the Country Dial Code and enter the Phone Number (sms-phone in the CLI) to send a 2FA code to. SMS messages can also be sent to the FortiGuard SMS server or a custom server.

  4. In the Extra Info page, select Enabled to enable the new user. To place the user into a group, enable User Group and then select a group from the drop-down menu. For information on user groups, see Create or edit a user group.

  5. Select Submit to create the new RADIUS user.

To create a remote TACACS+ user:

By default, the TACACS+ Servers option under User & Device is not visible unless you add a server using the following CLI command:

config user tacacs+
    edit <name>
        set server <IP_address>
    next
end

  1. In the User Type page, select Remote TACACS+ User and then select Next.

  2. In the TACACS+ Server page, enter a user name, select a TACACS+ server from the drop-down menu, and then select Next. For information on TACACS+ servers, see Create or edit a TACACS server.

  3. In the Contact Info page, enter an email address for the user and then select Next. Alternatively, you can supply the user's SMS contact information. To assign a FortiToken to the user, enable Two-factor Authentication and select a token from the drop-down menu provided. The Contact Info page is optional.

    FortiProxy supports the following 2FA options:

      • FortiToken—You can use hard tokens or mobile tokens.

        • Hard tokens must be registered and activated first before they appear in the dropdown list. See Registering and activating a hard token.

        • FortiProxy provides two trial mobile tokens ready for use from the dropdown list. You cannot add or import any other mobile tokens.

      • FortiToken Cloud—A Fortinet Identity and Access Management as a Service (IDaaS) cloud service that enables FortiProxy and FortiAuthenticator customers to add 2FA for their users using mobile or hard tokens.

        You can activate a free one-month FortiToken Cloud trial subscription for registered FortiCare accounts using the link in the GUI option or the execute fortitoken-cloud trial command in the CLI.

        To verify the activation status, run exe fortitoken-cloud show. To view the user list, run diagnose fortitoken-cloud show users.

        Note

        The FortiToken Cloud free trial can only be activated once. The option will not be available if another FortiToken Cloud trial subscription has been activated on the FortiProxy or with the registered FortiCare accounts.

      • Email—Enter an email address to send a 2FA code to that address.

      • SMS—Select the Country Dial Code and enter the Phone Number (sms-phone in the CLI) to send a 2FA code to. SMS messages can also be sent to the FortiGuard SMS server or a custom server.

  4. In the Extra Info page, select Enabled to enable the new user. To place the user into a group, enable User Group and then select a group from the drop-down menu. For information on user groups, see Create or edit a user group.

  5. Select Submit to create the new TACACS+ user.

To create a remote LDAP user:
  1. In the User Type page, select Remote LDAP User and then select Next.

  2. In the LDAP Server page, select an existing LDAP server from the drop-down menu or create an LDAP server and then select Next. To create an LDAP server, select the Create New icon in the drop-down menu, enter the required information, and then click OK. For information on LDAP servers, see Create or edit an LDAP server.

  3. In the Remote Users page, enter and apply the LDAP filter, enter a search term to search the server, and select a user from the results.

  4. Select Submit to create the remote LDAP user.

To use Fortinet Single Sign-On (FSSO):
  1. In the User Type page, select FSSO and then select Next.

  2. In the Remote Groups page, select the FSSO agent, select an AD group, and then select Next.

    To create an AD group, see To create an AD group.

  3. In the Local Group page, select Choose Existing or Create New.

    If you select Choose Existing, select the FSSO group name from the drop-down menu.

    If you select Create New, enter the name of the FSSO group in the field.

  4. Select Submit to use FSSO.

  5. Click OK in the confirmation dialog box.

To create an AD group:

config user adgrp
    edit <AD_group_name>
        set server-name <FSSO_agent_name>
    next
end

For example:

config user adgrp
    edit adgroup1
        set server-name NewFSSOserver
    next
end

To enable DNS service lookup:

config user domain-controller
    edit "win2016"
        set ad-mode ds
        set dns-srv-lookup enable
        set hostname "win2016"
        set username "replicate"
        set password **********
        set domain-name "SMB2016.LAB"
    next
end

To specify the source IP and port for the fetching domain controller:

config user domain-controller
    edit "win2016"
        set ad-mode ds
        set hostname "win2016"
        set username "replicate"
        set password **********
        set ip-address 172.18.52.188
        set source-ip-address 172.16.100.1
        set source-port 2000
        set domain-name "SMB2016.LAB"
    next
end

To use an LDAP server as a credential store:
  1. Configure the LDAP server:

    config user ldap
        edit "openldap"
            set server "172.18.60.214"
            set cnid "cn"
            set dn "dc=qafsso,dc=com"
            set type regular
            set username "cn=Manager,dc=qafsso,dc=com"
            set password **********
            set antiphish enable
            set password-attr "userPassword"
        next
    end
    
  2. Configure the web filter profile:

    config webfilter profile
        edit "webfilter"
            config ftgd-wf
                unset options
                config filters
                    edit 1
                        set action block
                    next
                end
            end
            config antiphish
                set status enable
                config inspection-entries
                    edit "cat34"
                        set fortiguard-category 34
                        set action block
                    next
                end
                set authentication ldap
                set ldap "openldap"
            end
            set log-all-url enable
        next
    end
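
The credential-store procedure above ties two separately configured objects together: the anti-phishing block of the web filter profile names an LDAP server with set ldap, and that server must itself be prepared with set antiphish enable and a password-attr so that harvested credentials can be compared against the directory. The following script is an added example and is not Fortinet code: it parses the config/edit/set/next/end grammar shown on this page into nested dictionaries and flags profiles whose LDAP reference is undefined or whose referenced server lacks those two settings. The nested-dict layout and the treatment of antiphish enable plus password-attr as required are this example's own assumptions, drawn from the sample configuration rather than from a documented rule; the sample text is constructed from the two blocks above.

```python
"""Parse FortiProxy-style CLI configuration and check the anti-phishing
credential-store wiring. Example code, not Fortinet's own tooling."""
import shlex

# Constructed sample: the two blocks from the credential-store procedure,
# joined into one dump. The password is masked exactly as the guide shows it.
SAMPLE_CONFIG = """
config user ldap
    edit "openldap"
        set server "172.18.60.214"
        set cnid "cn"
        set dn "dc=qafsso,dc=com"
        set type regular
        set username "cn=Manager,dc=qafsso,dc=com"
        set password **********
        set antiphish enable
        set password-attr "userPassword"
    next
end
config webfilter profile
    edit "webfilter"
        config ftgd-wf
            unset options
            config filters
                edit 1
                    set action block
                next
            end
        end
        config antiphish
            set status enable
            config inspection-entries
                edit "cat34"
                    set fortiguard-category 34
                    set action block
                next
            end
            set authentication ldap
            set ldap "openldap"
        end
        set log-all-url enable
    next
end
"""


def parse_config(text):
    """Turn the config/edit/set/next/end grammar into nested dicts (assumed layout).

    `config <table>` and `edit <entry>` each open a nested dict keyed by the
    table path or entry name; `set k v` stores v (a list when several values
    follow); `unset k` stores None; `next` and `end` close the innermost block.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        words = shlex.split(line)  # honours the double-quoted values
        verb, args = words[0], words[1:]
        if verb in ("config", "edit"):
            child = stack[-1].setdefault(" ".join(args), {})
            stack.append(child)
        elif verb == "set":
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif verb == "unset":
            stack[-1][args[0]] = None
        elif verb in ("next", "end"):
            if len(stack) == 1:
                raise ValueError(f"unbalanced {verb!r}: {raw!r}")
            stack.pop()
        else:
            raise ValueError(f"unknown keyword: {raw!r}")
    if len(stack) != 1:
        raise ValueError("configuration ended with unclosed blocks")
    return root


def check_antiphish_store(cfg):
    """Return findings for profiles whose LDAP credential store is not usable.

    Policy (this example's assumption): a profile with antiphish enabled and
    LDAP authentication must point at a defined `config user ldap` entry that
    has `set antiphish enable` and a `password-attr`.
    """
    findings = []
    ldap_servers = cfg.get("user ldap", {})
    for name, profile in cfg.get("webfilter profile", {}).items():
        ap = profile.get("antiphish", {})
        if ap.get("status") != "enable" or ap.get("authentication") != "ldap":
            continue
        store = ap.get("ldap")
        if store not in ldap_servers:
            findings.append(f"{name}: antiphish references undefined LDAP server {store!r}")
            continue
        srv = ldap_servers[store]
        if srv.get("antiphish") != "enable":
            findings.append(f"{name}: LDAP server {store!r} lacks 'set antiphish enable'")
        if not srv.get("password-attr"):
            findings.append(f"{name}: LDAP server {store!r} lacks 'set password-attr'")
    return findings


if __name__ == "__main__":
    parsed = parse_config(SAMPLE_CONFIG)
    print("findings:", check_antiphish_store(parsed) or "none")
```

Run against the page's own two blocks the check reports nothing; change the profile's set ldap value to a name with no matching config user ldap entry and it reports the dangling reference, which is the misconfiguration most likely to survive a GUI-only review because the profile page itself still saves.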

To configure Active Directory in LDS mode:

config user domain-controller
    edit "win2016adlds"
        set ad-mode lds
        set hostname "win2016adlds"
        set username "foo"
        set password **********
        set ip-address 192.168.10.9
        set domain-name "adlds.local"
        set adlds-dn "CN=adlds1part1,DC=ADLDS,DC=COM"
        set adlds-ip-address 192.168.10.9
        set adlds-port 3890
    next
end