Description
This article describes the 'Match all users on remote server' administrator setting on FortiManager and FortiAnalyzer, and shows in which order a remote (RADIUS/LDAP) user is matched to an administrator entry.
Solution
1) Given local users a.admin, b.admin and c.admin with RADIUS enabled on FortiAuthenticator.

2) On FortiAnalyzer, an 'FAC' remote authentication server is created and a new administrator 'FAC' is created with 'Match all users on remote server' selected.

3) Notice that 'a.admin' and 'b.admin' are able to log in to FortiAnalyzer and are assigned to the 'FAC' admin template:

FAZVM64 # diagnose system admin-session list
*** entry 0 ***
session_id: 35411 (seq: 0)
username: a.admin
admin template: FAC
from: GUI(192.168.244.169) (type 0)
profile: Super_User (type 3)
adom: root
session length: 170 (seconds)
*** entry 1 ***
session_id: 10077 (seq: 0)
username: b.admin
admin template: FAC
from: GUI(192.168.244.169) (type 1)
profile: Super_User (type 3)
adom: root
session length: 19 (seconds)
idle: 5 (seconds)

4) A new administrator 'a.admin' is created with the Standard_User profile and access to 'a_adom' only. 'Match all users on remote server' is selected on this entry as well.

5) When logging in as 'a.admin', the admin profile is still 'Super_User' and the session can access all ADOMs, because the user is still matched by the 'FAC' entry:

*** entry 1 ***
session_id: 541 (seq: 0)
username: a.admin
admin template: FAC
from: GUI(192.168.244.169) (type 1)
profile: Super_User (type 3)
adom: root
session length: 152 (seconds)
idle: 39 (seconds)

6) Once 'Match all users on remote server' is unchecked for 'a.admin', 'a.admin' is assigned to the 'a.admin' admin template and is only able to access 'a_adom':

*** entry 1 ***
session_id: 17948 (seq: 0)
username: a.admin
admin template: a.admin
from: GUI(192.168.244.169) (type 1)
profile: Standard_User (type 2)
adom: a_adom
session length: 86 (seconds)
idle: 62 (seconds)

7) 'b.admin' and 'c.admin' can still log in and are assigned the 'Super_User' profile through the 'FAC' entry:

*** entry 2 ***
session_id: 29427 (seq: 0)
username: b.admin
admin template: FAC
from: GUI(192.168.244.169) (type 1)
profile: Super_User (type 3)
adom: root
session length: 59 (seconds)
idle: 37 (seconds)
*** entry 3 ***
session_id: 47111 (seq: 0)
username: c.admin
admin template: FAC
from: GUI(192.168.244.169) (type 1)
profile: Super_User (type 3)
adom: root
session length: 15 (seconds)
idle: 6 (seconds)

8) Now, create a new administrator 'FAC_restricted' with the admin profile 'Restricted_User', access to the 'root' ADOM only, and 'Match all users on remote server' selected. It is created below 'FAC' in the administrator list.

9) Notice that 'b.admin' and 'c.admin' are still assigned to the 'FAC' admin template, because 'FAC' is the first matching entry from the top:

*** entry 1 ***
session_id: 13225 (seq: 0)
username: b.admin
admin template: FAC
from: GUI(192.168.244.169) (type 1)
profile: Super_User (type 3)
adom: root
session length: 48 (seconds)
idle: 36 (seconds)
*** entry 2 ***
session_id: 47175 (seq: 0)
username: c.admin
admin template: FAC
from: GUI(192.168.244.169) (type 1)
profile: Super_User (type 3)
adom: root
session length: 34 (seconds)
idle: 20 (seconds)

10) 'FAC_restricted' is moved above 'FAC' in the administrator list.

11) Notice that 'b.admin' and 'c.admin' are now assigned to the 'FAC_restricted' admin template and can only access the 'root' ADOM. 'a.admin' is still assigned to the 'a.admin' template, since an exact username match takes precedence over the 'Match all users' entries:

*** entry 1 ***
session_id: 755 (seq: 0)
username: a.admin
admin template: a.admin
from: GUI(192.168.244.169) (type 1)
profile: Standard_User (type 2)
adom: a_adom
session length: 77 (seconds)
idle: 63 (seconds)
*** entry 2 ***
session_id: 1727 (seq: 0)
username: b.admin
admin template: FAC_restricted
from: GUI(192.168.244.169) (type 1)
profile: Restricted_User (type 1)
adom: root
session length: 63 (seconds)
idle: 4 (seconds)
*** entry 3 ***
session_id: 16953 (seq: 0)
username: c.admin
admin template: FAC_restricted
from: GUI(192.168.244.169) (type 1)
profile: Restricted_User (type 1)
adom: root
session length: 47 (seconds)
idle: 4 (seconds)

12) Conclusion: FortiManager / FortiAnalyzer first matches the exact username as it exists on the remote server against an administrator entry that does not have 'Match all users on remote server' selected. Only if no such entry exists does it walk the administrator list from top to bottom and assign the user to the first entry that has 'Match all users on remote server' selected (for LDAP, all users under the configured Distinguished Name). The order of the administrator list therefore decides which profile a remote user receives: a 'Match all users' entry with the Super_User profile placed at the top grants full access to every user the remote server can authenticate, so keep such entries as restrictive as possible, place the most restrictive entry first, and verify the result with 'diagnose system admin-session list'.
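The matching order described in the conclusion, modelled in Python as an added example (this is not Fortinet code; the `Admin` class, `resolve_template` and the heuristic in `wildcard_super_users` are assumptions made for illustration). The first part replays steps 5 to 11 of the article against a simulated administrator list; the second part parses `diagnose system admin-session list` output and flags remote users that were given Super_User through a 'Match all users' entry, the misconfiguration the article's first scenario produces. The session text in the block is constructed to resemble the article's output, not captured from a device.

```python
"""Added example: models the FortiManager/FortiAnalyzer remote-admin matching
order described in this article and audits 'diagnose system admin-session list'
output for users that landed on a broad 'Match all users' template.

The data structures, function names and the sample session text are
constructed for illustration; they are not Fortinet code or real device output.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Admin:
    name: str
    profile: str
    adoms: tuple
    match_all: bool = False  # 'Match all users on remote server'


def resolve_template(username: str, admins: List[Admin]) -> Optional[Admin]:
    """Return the administrator entry a remote user is assigned to.

    Order inferred from the article's observations (assumption: the device
    behaves the same for cases the article's steps do not cover):
      1. an entry named exactly like the user with the flag NOT set;
      2. otherwise the first entry, top to bottom, with the flag set;
      3. otherwise no match (the login is refused).
    """
    for entry in admins:
        if entry.name == username and not entry.match_all:
            return entry
    for entry in admins:
        if entry.match_all:
            return entry
    return None


def article_scenarios() -> dict:
    """Replay steps 5-11 of the article; lists are in GUI top-to-bottom order."""
    fac = Admin("FAC", "Super_User", ("all",), match_all=True)
    a_wild = Admin("a.admin", "Standard_User", ("a_adom",), match_all=True)
    a_exact = Admin("a.admin", "Standard_User", ("a_adom",), match_all=False)
    fac_r = Admin("FAC_restricted", "Restricted_User", ("root",), match_all=True)
    out = {}
    out["step5"] = resolve_template("a.admin", [fac, a_wild]).name            # FAC
    out["step6"] = resolve_template("a.admin", [fac, a_exact]).name           # a.admin
    out["step9"] = resolve_template("b.admin", [fac, a_exact, fac_r]).name    # FAC
    out["step11_b"] = resolve_template("b.admin", [fac_r, fac, a_exact]).name # FAC_restricted
    out["step11_a"] = resolve_template("a.admin", [fac_r, fac, a_exact]).name # a.admin
    out["unknown"] = resolve_template("z.admin", [a_exact])                   # None
    return out


# Constructed sample in the shape of 'diagnose system admin-session list'.
SAMPLE_SESSIONS = """\
*** entry 0 ***
session_id: 35411 (seq: 0)
username: a.admin
admin template: FAC
from: GUI(192.168.244.169) (type 0)
profile: Super_User (type 3)
adom: root
session length: 170 (seconds)
*** entry 1 ***
session_id: 17948 (seq: 0)
username: b.admin
admin template: b.admin
from: GUI(192.168.244.169) (type 1)
profile: Standard_User (type 2)
adom: a_adom
session length: 86 (seconds)
idle: 62 (seconds)
"""

_FIELD = re.compile(r"^(session_id|username|admin template|profile|adom):\s*(\S+)")


def parse_sessions(text: str) -> List[dict]:
    """Split admin-session output into one dict per '*** entry N ***' block."""
    sessions, current = [], None
    for line in text.splitlines():
        if line.startswith("*** entry"):
            current = {}
            sessions.append(current)
            continue
        m = _FIELD.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return sessions


def wildcard_super_users(text: str) -> List[str]:
    """Heuristic audit: users whose admin template is not their own username
    (so they were matched by a 'Match all users' entry) and who got Super_User."""
    return [s["username"] for s in parse_sessions(text)
            if s.get("admin template") != s.get("username")
            and s.get("profile") == "Super_User"]


if __name__ == "__main__":
    print(article_scenarios())
    print(wildcard_super_users(SAMPLE_SESSIONS))
```

Run the audit against the real output of `diagnose system admin-session list` after any change to the administrator list order; a non-empty result means a wildcard entry is still handing out Super_User.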