FortiGate-200D VPN users and groups operations

Recently we bought a FortiGate-200D VPN box. I have more good things than bad things to say about this device.
Long story short. I had to remove some users and because of some voodoo type of problem I couldn't do it from UI (I will contact their support that's for sure), so I had to do it from CLI. Who worked with Citrix Netscalers will find FortiGate's CLI a piece of sh!t (documentation makes no exception), but that's a different story.

  • To display one or all users
fgw # config user local
fgw (local) # get | grep john.doe
fgw (local) # get john.doe
fgw (local) # get
  • To delete a user
fgw # config user local
fgw (local) # delete john.doe

 

Note: When you're receiving an error like the one bellow the user is attached to one or more user groups.
The entry is used by other 1 entries
Command fail. Return code -23

In order to remove the user you have two options:

  1. CLI:
  2. fgw # config user group
    fgw (group) # show
    config user group
        edit "ssl-vpn_office_users"
            set member "user1" "user2" "john.doe" "user4" "user5"
        next
    end
    fgw (group) # edit "group_name"
    fgw (group_name) # set member "user1" "user2" "user3" "user4"
    fgw (group_name) # next 
    fgw (group) # end
  3. UI:
    You will have to login to the FortiGate webinterface, navigate to User & Device > User definition, edit john.doe and uncheck Add this user to groups

Leave a Reply

Your email address will not be published. Required fields are marked *