user : setting
 
Use this command to change per-VDOM user settings, such as the firewall user authentication timeout and the protocols that support firewall policy authentication.
user settings differ from system global settings in that system global settings apply to the entire FortiGate unit, whereas user settings apply only to the current VDOM.
Syntax
config user setting
    set auth-blackout-time <blackout_time_int>
    set auth-ca-cert <cert_name>
    set auth-cert <cert_name>
    set auth-http-basic {enable | disable}
    set auth-invalid-max <int>
    set auth-lockout-duration <seconds>
    set auth-lockout-threshold <int>
    set auth-multi-group {enable | disable}
    set auth-secure-http {enable | disable}
    set auth-type {ftp | http | https | telnet}
    set auth-timeout <auth_timeout_minutes>
    set auth-timeout-type {idle-timeout | hard-timeout | new-session}
    set radius-ses-timeout-act {hard-timeout | ignore-timeout}
    config auth-ports
        edit <auth-table-entry-id>
            set port <port_int>
            set type {ftp | http | https | telnet}
        end
end
Variables, descriptions and defaults

auth-blackout-time <blackout_time_int>
    When a firewall authentication attempt fails 5 times within one minute, the IP address that is the source of the authentication attempts is denied access for the <blackout_time_int> period in seconds. Range: 0 to 3600 seconds.
    Default: 0

auth-ca-cert <cert_name>
    If the built-in certificate is not used, specify the CA certificate to use instead.
    Default: null

auth-cert <cert_name>
    HTTPS server certificate for policy authentication. Fortinet_Factory, Fortinet_Firmware (if applicable to your FortiGate unit) and self-sign are built-in certificates; others are listed as you add them.
    Default: self-sign

auth-http-basic {enable | disable}
    Enable or disable support for HTTP basic authentication for identity-based firewall policies. HTTP basic authentication usually causes a browser to display a pop-up authentication window instead of an authentication web page. Some basic web browsers, for example web browsers on mobile devices, may only support HTTP basic authentication.
    Default: disable

auth-invalid-max <int>
    Enter the maximum number of failed authentication attempts to allow before the client is blocked. Range: 1 to 100.
    Default: 5

auth-lockout-duration <seconds>
    Enter the login lockout period in seconds. The lockout is imposed after too many failed login attempts, as set by auth-lockout-threshold.
    Default: 0

auth-lockout-threshold <int>
    Enter the number of failed login attempts that trigger a login lockout. Range: 1 to 10.
    Default: 3

auth-multi-group {enable | disable}
    Disable this option if the Active Directory structure is set up so that each user belongs to only one group for the purpose of firewall authentication.
    Default: enable

auth-secure-http {enable | disable}
    Enable to redirect HTTP user authentication to a secure channel (HTTPS).
    Default: disable

auth-type {ftp | http | https | telnet}
    Set the user authentication protocols supported for firewall policy authentication. This setting controls which protocols present the authentication challenge.

auth-timeout <auth_timeout_minutes>
    Set the number of minutes before the firewall user authentication times out and the user must authenticate again. The maximum auth-timeout interval is 1440 minutes (24 hours). To improve security, keep the authentication timeout at the default value of 5 minutes.
    Default: 5

auth-timeout-type {idle-timeout | hard-timeout | new-session}
    Set the type of authentication timeout:
    idle-timeout: applies only to idle sessions
    hard-timeout: applies to all sessions
    new-session: applies only to new sessions
    Default: idle-timeout

radius-ses-timeout-act {hard-timeout | ignore-timeout}
    Select how to use the RADIUS session timeout:
    hard-timeout: use the RADIUS timeout
    ignore-timeout: ignore the RADIUS timeout
    Default: hard-timeout
config auth-ports variables

<auth-table-entry-id>
    Create an entry in the authentication port table if you are using non-standard ports.

port <port_int>
    Specify the authentication port. Range: 1 to 65535.
    Default: 1024

type {ftp | http | https | telnet}
    Specify the protocol to which the port applies.
    Default: http
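As an added example (not Fortinet code and not part of this reference), the following Python script parses the config user setting block from a FortiGate CLI export and audits it for the weak choices this page warns about: cleartext authentication protocols in auth-type, auth-secure-http left disabled, auth-lockout-duration and auth-blackout-time left at their default of 0, auth-timeout raised above the 5-minute default, and auth-ports entries that serve a cleartext protocol on a non-standard port. The two configuration samples are constructed for the example; they use the export form in which each edit entry is closed with next, and the parser also accepts the abbreviated form shown in the syntax above, where a single end closes both the entry and the auth-ports table.

```python
"""Audit the per-VDOM `config user setting` block of a FortiGate CLI export.

Added example, not Fortinet code. It understands only the config / edit /
set / next / end structure used by this command and applies checks taken
from the setting descriptions on this page.
"""
import re

# Constructed sample: a weak configuration (not taken from a real device).
WEAK_CONFIG = """\
config user setting
    set auth-secure-http disable
    set auth-type ftp http https telnet
    set auth-lockout-threshold 3
    set auth-lockout-duration 0
    set auth-timeout 120
    set auth-timeout-type idle-timeout
    config auth-ports
        edit 1
            set port 8080
            set type http
        next
    end
end
"""

# Constructed sample: the same block with the weak choices corrected.
HARDENED_CONFIG = """\
config user setting
    set auth-secure-http enable
    set auth-type https
    set auth-lockout-threshold 3
    set auth-lockout-duration 300
    set auth-blackout-time 300
    set auth-timeout 5
    set auth-timeout-type hard-timeout
    config auth-ports
        edit 1
            set port 8443
            set type https
        next
    end
end
"""

# Challenge protocols that carry credentials unencrypted.
CLEARTEXT_PROTOCOLS = {"ftp", "http", "telnet"}


def parse_user_setting(text):
    """Return {"settings": {key: [values]}, "auth_ports": [{"id", "port", "type"}]}
    for the first `config user setting` block found in the export text."""
    result = {"settings": {}, "auth_ports": []}
    in_block = in_ports = False
    entry = None
    for ln in (raw.strip() for raw in text.splitlines()):
        if not in_block:
            in_block = ln == "config user setting"
            continue
        if ln == "config auth-ports":
            in_ports = True
            continue
        if in_ports and ln.startswith("edit "):
            entry = {"id": ln.split(None, 1)[1]}
            continue
        if ln == "next" and entry is not None:
            result["auth_ports"].append(entry)
            entry = None
            continue
        if ln == "end":
            if entry is not None:  # abbreviated form: end closes the entry too
                result["auth_ports"].append(entry)
                entry = None
            if in_ports:
                in_ports = False
                continue
            break  # end of config user setting
        m = re.match(r"set (\S+)\s+(.+)", ln)
        if m:
            key, values = m.group(1), m.group(2).split()
            if entry is not None:
                entry[key] = values[0]
            else:
                result["settings"][key] = values
    return result


def audit(parsed):
    """Return a list of findings; an empty list means every check passed.
    Missing keys are treated as the defaults documented on this page."""
    s = parsed["settings"]
    findings = []
    if s.get("auth-secure-http", ["disable"])[0] != "enable":
        findings.append("auth-secure-http disabled: HTTP authentication is not redirected to HTTPS")
    weak = CLEARTEXT_PROTOCOLS & set(s.get("auth-type", []))
    if weak:
        findings.append("auth-type allows cleartext challenge protocols: " + ", ".join(sorted(weak)))
    if int(s.get("auth-lockout-duration", ["0"])[0]) == 0:
        findings.append("auth-lockout-duration is 0: failed logins never trigger a lockout")
    if int(s.get("auth-blackout-time", ["0"])[0]) == 0:
        findings.append("auth-blackout-time is 0: repeated failures never deny the source address")
    if int(s.get("auth-timeout", ["5"])[0]) > 5:
        findings.append("auth-timeout above the recommended default of 5 minutes")
    for p in parsed["auth_ports"]:
        if p.get("type") in CLEARTEXT_PROTOCOLS:
            findings.append(f"auth-ports entry {p['id']}: port {p.get('port')} serves cleartext {p['type']}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_user_setting(cfg)) or "no findings")
```

Run the file directly to audit both samples, or import parse_user_setting and audit and feed them the text of a real configuration backup. The audit reports a setting only when its value is weaker than what this page describes, so a block that omits a key is judged by the documented default for that key.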