com2irq5
New Member
August 2, 2017
Question

Guest User


I've noticed that there is a Guest user by default on the Fortigates.  Under User & Device and then User Definition there is a user called guest that is a member of the Guest-group.  Attached is a screenshot of the Guest user I am talking about.

 

Can the guest user authenticate to the SSL VPN?  Should the guest user be disabled or deleted?  If you look at the configuration in a text editor you can see that the guest user has a password assigned to it.  The password is encrypted so I am not sure what that password is.

 

I did some Googling before posting this message and couldn't find any information regarding the guest user.

 

Thanks for the help. 

    1 reply

    xsilver_FTNT
    Staff
    August 3, 2017

    Hi com2irq5,

    Note that the guest user is a member of Guest-group.

    Firewall policies mainly work with user groups.

    Therefore, if you check the Ref. counter for references, you should see that Guest-group is not used in SSL, so the user cannot authenticate to SSL VPN until you set that explicitly.

    This also answers the question 'Should the guest user be disabled or deleted?'. It's not used anywhere further in the config, so it's harmless, and I do not see a need to delete it. Some default parts cannot even be deleted, but this one can. Feel free to do so if you are suspicious.

    The default guest mechanism should accept the guest user with any password.

    Best regards,

    Tomas

    emnoc
    New Member
    August 3, 2017

    The short answer:

    Yes, delete it and the group.

    (cmds to check references via CLI)

     

    diag sys checkused   user.local.name guest

    diag sys checkused   user.group.name Guest-group
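
An offline approximation of the reference check discussed in this thread, added here as an example (not posted by any participant and not Fortinet tooling): it scans a configuration backup for `set` lines that name a given user or group. The sample config is constructed, and `SSLVPN-Users` is a hypothetical group name.

```python
import shlex

# Constructed sample in FortiOS backup syntax; SSLVPN-Users is a made-up group.
SAMPLE_CONFIG = '''
config user local
    edit "guest"
        set type password
    next
end
config user group
    edit "Guest-group"
        set member "guest"
    next
end
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "SSLVPN-Users"
        next
    end
end
config firewall policy
    edit 7
        set groups "SSLVPN-Users"
    next
end
'''

def find_references(config_text, name):
    """Return (section path, setting) for each 'set' line whose values include name."""
    stack, hits = [], []
    for raw in config_text.splitlines():
        try:
            tokens = shlex.split(raw)
        except ValueError:  # unbalanced quote, e.g. a multi-line value; skip the line
            continue
        if not tokens:
            continue
        if tokens[0] == "config":
            stack.append(" ".join(tokens[1:]))      # enter a config section
        elif tokens[0] == "edit" and len(tokens) > 1:
            stack.append(tokens[1])                 # enter a table entry
        elif tokens[0] in ("next", "end") and stack:
            stack.pop()                             # leave entry or section
        elif tokens[0] == "set" and name in tokens[2:]:
            hits.append((" > ".join(stack), tokens[1]))
    return hits
```

On the sample, `find_references(SAMPLE_CONFIG, "Guest-group")` returns an empty list, meaning no policy or SSL VPN rule names the group. This is a text match on a backup file, so treat the device's own reference count as authoritative.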