Firewall User Groups - Fortinet FortiGate Series Administration Manual


User

Firewall user groups

FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20090903
http://docs.fortinet.com/
For a Directory Service user group, the Directory Service server authenticates users when
they log in to the network. The FortiGate unit receives the user's name and IP address
from the FSAE collector agent. For more information about FSAE, see the FSAE Technical
Note.

You can configure user groups to provide authenticated access to:

- Firewall policies that require authentication
  See "Adding authentication to firewall policies".
  You can choose the user groups that are allowed to authenticate with these policies.
- SSL VPNs on the FortiGate unit
  See "Configuring SSL VPN identity-based firewall policies".
- IPSec VPN Phase 1 configurations for dialup users
  See "Creating a new phase 1 configuration".
  Only users in the selected user group can authenticate to use the VPN tunnel.
- XAuth for IPSec VPN Phase 1 configurations
  See XAUTH in "Defining phase 1 advanced settings".
  Only user groups in the selected user group can be authenticated using XAuth.
- FortiGate PPTP configuration
  See "PPTP configuration using FortiGate web-based manager".
  Only users in the selected user group can use PPTP.
- FortiGate L2TP configuration
  You can configure this only by using the config vpn l2tp CLI command. See the
  FortiGate CLI Reference.
  Only users in the selected user group can use L2TP.
- Administrator login with RADIUS authentication
  See "Configuring RADIUS authentication for administrators".
  Only administrators with an account on the RADIUS server can log in.
- FortiGuard Web Filtering override groups
  See "FortiGuard - Web Filter".
  When FortiGuard Web Filtering blocks a web page, authorized users can authenticate
  to access the web page or to allow members of another group to access it.

For each resource that requires authentication, you specify which user groups are
permitted access. You need to determine the number and membership of user groups
appropriate to your authentication needs.

A firewall user group provides access to a firewall policy that requires authentication and
lists the user group as one of the allowed groups. The FortiGate unit requests the group
member's user name and password when the user attempts to access the resource that
the policy protects.

You can also authenticate a user by certificate if you have selected this method. For more
information, see "Adding authentication to firewall policies".
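
The following Python audit is an added example, not part of the Fortinet guide. It reads a constructed FortiOS-style excerpt, resolves which users each L2TP or PPTP configuration admits through its user group, and flags groups that are named but undefined or defined but not named there. The keyword layout (config user group with set member, and set usrgrp) and all names are assumptions to check against the CLI Reference for your release; nested config blocks are not handled.

```python
import shlex

# Constructed excerpt in FortiOS CLI style; every group and user name is made up.
SAMPLE_CONFIG = """
config user group
    edit "vpn-dialup"
        set member "alice" "bob"
    next
    edit "staff-web"
        set member "carol"
    next
end
config vpn l2tp
    set usrgrp "vpn-dialup"
end
config vpn pptp
    set usrgrp "contractors"
end
"""

def parse(text):
    """Return (group -> members, config section -> user groups it names)."""
    members, grants = {}, {}
    section = entry = None
    for line in text.splitlines():
        tok = shlex.split(line) or [None]  # blank lines match no keyword
        if tok[0] == "config":
            section, entry = " ".join(tok[1:]), None
        elif tok[0] == "edit" and section == "user group":
            entry = tok[1]
            members[entry] = set()
        elif tok[0] in ("next", "end"):
            entry = None
            section = None if tok[0] == "end" else section
        elif tok[:2] == ["set", "member"] and entry:
            members[entry].update(tok[2:])
        elif tok[:2] == ["set", "usrgrp"] and section:
            grants.setdefault(section, set()).update(tok[2:])
    return members, grants

def audit(text):
    """Resolve who can use each resource; flag unreferenced and undefined groups."""
    members, grants = parse(text)
    named = set().union(*grants.values())
    return {
        "access": {res: sorted(set().union(*(members.get(g, set()) for g in grps)))
                   for res, grps in grants.items()},
        "unreferenced": sorted(set(members) - named),
        "undefined": sorted(named - set(members)),
    }
```

Here "unreferenced" means only that no L2TP or PPTP section in the excerpt names the group; firewall policies and other features that reference groups are outside what this sketch reads.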
