FortiGate-200D VPN users and groups operations

Recently we bought a FortiGate-200D VPN box. I have more good things than bad things to say about this device.
Long story short. I had to remove some users and because of some voodoo type of problem I couldn't do it from UI (I will contact their support that's for sure), so I had to do it from CLI. Who worked with Citrix Netscalers will find FortiGate's CLI a piece of sh!t (documentation makes no exception), but that's a different story.

  • To display one or all users

[codesyntax lang="bash"]

fgw # config user local
fgw (local) # get | grep john.doe
fgw (local) # get john.doe
fgw (local) # get


  • To delete a user

[codesyntax lang="bash"]

fgw # config user local
fgw (local) # delete john.doe



Note: When you're receiving an error like the one bellow the user is attached to one or more user groups.
The entry is used by other 1 entries
Command fail. Return code -23

In order to remove the user you have two options:

  1. CLI:
  2. [codesyntax lang="bash"]

    fgw # config user group
    fgw (group) # show
    config user group
        edit "ssl-vpn_office_users"
            set member "user1" "user2" "john.doe" "user4" "user5"
    fgw (group) # edit "group_name"
    fgw (group_name) # set member "user1" "user2" "user3" "user4"
    fgw (group_name) # next 
    fgw (group) # end


  3. UI:
    You will have to login to the FortiGate webinterface, navigate to User & Device > User definition, edit john.doe and uncheck Add this user to groups

Scrie si tu o vorbulita

NOTE - You can use these HTML tags and attributes:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

This site uses Akismet to reduce spam. Learn how your comment data is processed.