Hi all,I would like to clarify a best practice regarding the management of local users on FortiGate when the device is managed by FortiManager.Scenario:FortiManager 7.6.xFortiGate clusters running FortiOS 7.4.xDevices are fully managed by FortiManager (policy packages and device settings)Multiple VDOMs in useQuestion:Local users are configured under:config user localThese users are used for:SSL VPN authenticationExplicit proxy authenticationFrom my understanding:Local users are defined directly on the FortiGateFortiManager does not natively manage them as part of policy packagesWhat is the recommended approach in production environments?Specifically:Is it considered best practice to manage local users directly on the FortiGate even when the device is managed by FortiManager?Is there any supported/reliable way to manage local users from FortiManager without risking inconsistencies or purge during install?How do you handle scenarios where local users are actively used (e.g. proxy or VPN) and FortiManager is used for centralized management?Any official guidance or real-world best practices would be appreciated.Thanks in advance!

luca1994

Explorer III

Solved

FortiManager best practice for managing local users (config user local) on FortiGate

Forum|Forum|2 months ago
March 31, 2026
2 replies
166 views

Hi all,

I would like to clarify a best practice regarding the management of local users on FortiGate when the device is managed by FortiManager.

Scenario:

FortiManager 7.6.x
FortiGate clusters running FortiOS 7.4.x
Devices are fully managed by FortiManager (policy packages and device settings)
Multiple VDOMs in use

Question:
Local users are configured under:

config user local

These users are used for:

SSL VPN authentication
Explicit proxy authentication

From my understanding:

Local users are defined directly on the FortiGate
FortiManager does not natively manage them as part of policy packages

What is the recommended approach in production environments?

Specifically:

Is it considered best practice to manage local users directly on the FortiGate even when the device is managed by FortiManager?
Is there any supported/reliable way to manage local users from FortiManager without risking inconsistencies or purge during install?
How do you handle scenarios where local users are actively used (e.g. proxy or VPN) and FortiManager is used for centralized management?

Any official guidance or real-world best practices would be appreciated.

Thanks in advance!

Best answer by farhanahmed

I am not able to find any exact doc for this, but:

--- If you are not using the local users in policies, then you do not them in ADOM DB. Can manage either directly on FGT or in FMG > Device Manager > Select the FGT > System > Administrators.

-- If users are used in policies then doing Import Config should bring them in to the FMG ADOM DB (P&O > User & Auth.)

--- If you are NOT using the FMG > VPN-Manager then the local users DO NOT need to be in ADOM DB. You can manage the users from Device Manager.

farhanahmedAnswer

Staff

I am not able to find any exact doc for this, but:

--- If you are not using the local users in policies, then you do not them in ADOM DB. Can manage either directly on FGT or in FMG > Device Manager > Select the FGT > System > Administrators.

-- If users are used in policies then doing Import Config should bring them in to the FMG ADOM DB (P&O > User & Auth.)

--- If you are NOT using the FMG > VPN-Manager then the local users DO NOT need to be in ADOM DB. You can manage the users from Device Manager.

Toshi_Esumi

SuperUser

If you need to have specific local users defined at FMG then push them, you can use a CLI template then sync with FGTs.

Toshi

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded