Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    6.4.0
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.16
    6.2.15
    6.2.14
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.0.0
    5.6.0
    5.4.0
    5.2.0
    5.0.0

    user setting

    Configure user authentication setting.

      config user setting
      Description: Configure user authentication setting.
      set auth-type {option1}, {option2}, ...
      set auth-cert {string}
      set auth-ca-cert {string}
      set auth-secure-http [enable|disable]
      set auth-http-basic [enable|disable]
      set auth-ssl-allow-renegotiation [enable|disable]
      set auth-src-mac [enable|disable]
      set auth-on-demand [always|implicitly]
      set auth-timeout {integer}
      set auth-timeout-type [idle-timeout|hard-timeout|...]
      set auth-portal-timeout {integer}
      set radius-ses-timeout-act [hard-timeout|ignore-timeout]
      set auth-blackout-time {integer}
      set auth-invalid-max {integer}
      set auth-lockout-threshold {integer}
      set auth-lockout-duration {integer}
      set per-policy-disclaimer [enable|disable]
      config auth-ports
          Description: Set up non-standard ports for authentication with HTTP, HTTPS, FTP, and TELNET.
          edit <id>
              set type [http|https|...]
              set port {integer}
          next
      end
      set auth-ssl-min-proto-version [default|SSLv3|...]
  end

    config user setting

    Parameter Name Description Type Size
    auth-type Supported firewall policy authentication protocols/methods.
    http: Allow HTTP authentication.
    https: Allow HTTPS authentication.
    ftp: Allow FTP authentication.
    telnet: Allow TELNET authentication.
    		 option -
    auth-cert HTTPS server certificate for policy authentication. string Maximum length: 35
    auth-ca-cert HTTPS CA certificate for policy authentication. string Maximum length: 35
    auth-secure-http Enable/disable redirecting HTTP user authentication to more secure HTTPS.
    enable: Enable setting.
    disable: Disable setting.
    		 option -
    auth-http-basic Enable/disable use of HTTP basic authentication for identity-based firewall policies.
    enable: Enable setting.
    disable: Disable setting.
    		 option -
    auth-ssl-allow-renegotiation Allow/forbid SSL re-negotiation for HTTPS authentication.
    enable: Allow SSL re-negotiation.
    disable: Forbid SSL re-negotiation.
    		 option -
    auth-src-mac Enable/disable source MAC for user identity.
    enable: Enable source MAC for user identity.
    disable: Disable source MAC for user identity.
    		 option -
    auth-on-demand Always/implicitly trigger firewall authentication on demand.
    always: Always trigger firewall authentication on demand.
    implicitly: Implicitly trigger firewall authentication on demand.
    		 option -
    auth-timeout Time in minutes before the firewall user authentication timeout requires the user to re-authenticate. integer Minimum value: 1 Maximum value: 1440
    auth-timeout-type Control if authenticated users have to login again after a hard timeout, after an idle timeout, or after a session timeout.
    idle-timeout: Idle timeout.
    hard-timeout: Hard timeout.
    new-session: New session timeout.
    		 option -
    auth-portal-timeout Time in minutes before captive portal user have to re-authenticate (1 - 30 min, default 3 min). integer Minimum value: 1 Maximum value: 30
    radius-ses-timeout-act Set the RADIUS session timeout to a hard timeout or to ignore RADIUS server session timeouts.
    hard-timeout: Use session timeout from RADIUS as hard-timeout.
    ignore-timeout: Ignore session timeout from RADIUS.
    		 option -
    auth-blackout-time Time in seconds an IP address is denied access after failing to authenticate five times within one minute. integer Minimum value: 0 Maximum value: 3600
    auth-invalid-max Maximum number of failed authentication attempts before the user is blocked. integer Minimum value: 1 Maximum value: 100
    auth-lockout-threshold Maximum number of failed login attempts before login lockout is triggered. integer Minimum value: 1 Maximum value: 10
    auth-lockout-duration Lockout period in seconds after too many login failures. integer Minimum value: 0 Maximum value: 4294967295
    per-policy-disclaimer Enable/disable per policy disclaimer.
    enable: Enable per policy disclaimer.
    disable: Disable per policy disclaimer.
    		 option -
    auth-ssl-min-proto-version Minimum supported protocol version for SSL/TLS connections (default is to follow system global setting).
    default: Follow system global setting.
    SSLv3: SSLv3.
    TLSv1: TLSv1.
    TLSv1-1: TLSv1.1.
    TLSv1-2: TLSv1.2.
    		 option -

    config auth-ports

    Parameter Name Description Type Size
    type Service type.
    http: HTTP service.
    https: HTTPS service.
    ftp: FTP service.
    telnet: TELNET service.
    		 option -
    port Non-standard port for firewall user authentication. integer Minimum value: 1 Maximum value: 65535
    Previous
    Next

    user setting

    Configure user authentication setting.

      config user setting
      Description: Configure user authentication setting.
      set auth-type {option1}, {option2}, ...
      set auth-cert {string}
      set auth-ca-cert {string}
      set auth-secure-http [enable|disable]
      set auth-http-basic [enable|disable]
      set auth-ssl-allow-renegotiation [enable|disable]
      set auth-src-mac [enable|disable]
      set auth-on-demand [always|implicitly]
      set auth-timeout {integer}
      set auth-timeout-type [idle-timeout|hard-timeout|...]
      set auth-portal-timeout {integer}
      set radius-ses-timeout-act [hard-timeout|ignore-timeout]
      set auth-blackout-time {integer}
      set auth-invalid-max {integer}
      set auth-lockout-threshold {integer}
      set auth-lockout-duration {integer}
      set per-policy-disclaimer [enable|disable]
      config auth-ports
          Description: Set up non-standard ports for authentication with HTTP, HTTPS, FTP, and TELNET.
          edit <id>
              set type [http|https|...]
              set port {integer}
          next
      end
      set auth-ssl-min-proto-version [default|SSLv3|...]
  end

    config user setting

    Parameter Name Description Type Size
    auth-type Supported firewall policy authentication protocols/methods.
    http: Allow HTTP authentication.
    https: Allow HTTPS authentication.
    ftp: Allow FTP authentication.
    telnet: Allow TELNET authentication.
    		 option -
    auth-cert HTTPS server certificate for policy authentication. string Maximum length: 35
    auth-ca-cert HTTPS CA certificate for policy authentication. string Maximum length: 35
    auth-secure-http Enable/disable redirecting HTTP user authentication to more secure HTTPS.
    enable: Enable setting.
    disable: Disable setting.
    		 option -
    auth-http-basic Enable/disable use of HTTP basic authentication for identity-based firewall policies.
    enable: Enable setting.
    disable: Disable setting.
    		 option -
    auth-ssl-allow-renegotiation Allow/forbid SSL re-negotiation for HTTPS authentication.
    enable: Allow SSL re-negotiation.
    disable: Forbid SSL re-negotiation.
    		 option -
    auth-src-mac Enable/disable source MAC for user identity.
    enable: Enable source MAC for user identity.
    disable: Disable source MAC for user identity.
    		 option -
    auth-on-demand Always/implicitly trigger firewall authentication on demand.
    always: Always trigger firewall authentication on demand.
    implicitly: Implicitly trigger firewall authentication on demand.
    		 option -
    auth-timeout Time in minutes before the firewall user authentication timeout requires the user to re-authenticate. integer Minimum value: 1 Maximum value: 1440
    auth-timeout-type Control if authenticated users have to login again after a hard timeout, after an idle timeout, or after a session timeout.
    idle-timeout: Idle timeout.
    hard-timeout: Hard timeout.
    new-session: New session timeout.
    		 option -
    auth-portal-timeout Time in minutes before captive portal user have to re-authenticate (1 - 30 min, default 3 min). integer Minimum value: 1 Maximum value: 30
    radius-ses-timeout-act Set the RADIUS session timeout to a hard timeout or to ignore RADIUS server session timeouts.
    hard-timeout: Use session timeout from RADIUS as hard-timeout.
    ignore-timeout: Ignore session timeout from RADIUS.
    		 option -
    auth-blackout-time Time in seconds an IP address is denied access after failing to authenticate five times within one minute. integer Minimum value: 0 Maximum value: 3600
    auth-invalid-max Maximum number of failed authentication attempts before the user is blocked. integer Minimum value: 1 Maximum value: 100
    auth-lockout-threshold Maximum number of failed login attempts before login lockout is triggered. integer Minimum value: 1 Maximum value: 10
    auth-lockout-duration Lockout period in seconds after too many login failures. integer Minimum value: 0 Maximum value: 4294967295
    per-policy-disclaimer Enable/disable per policy disclaimer.
    enable: Enable per policy disclaimer.
    disable: Disable per policy disclaimer.
    		 option -
    auth-ssl-min-proto-version Minimum supported protocol version for SSL/TLS connections (default is to follow system global setting).
    default: Follow system global setting.
    SSLv3: SSLv3.
    TLSv1: TLSv1.
    TLSv1-1: TLSv1.1.
    TLSv1-2: TLSv1.2.
    		 option -

    config auth-ports

    Parameter Name Description Type Size
    type Service type.
    http: HTTP service.
    https: HTTPS service.
    ftp: FTP service.
    telnet: TELNET service.
    		 option -
    port Non-standard port for firewall user authentication. integer Minimum value: 1 Maximum value: 65535
    Previous
    Next