Description |
This article describes the purpose and functionality of the 'guest' user and 'Guest-group' group that are created in FortiOS by default and after a factory reset. |
Scope | FortiGate. |
Solution |
When configuring a FortiGate for the first time or after performing a factory reset, a user named 'guest' is created as a member of the group 'Guest-group'. By default, the password of the 'guest' user is set to 'guest'. This user and group are not created when adding new VDOMs to a FortiGate; they are only created for the 'root' VDOM.
On FortiWiFis, 'Guest-group' is referenced as the default group that is able to log into the 'GuestWiFi' WiFi SSID that is also created by default.
On non-FortiWiFis, there are no default references to the 'Guest-group' group, and the only reference for the 'guest' user is its membership in 'Guest-group'. This means that by default, neither of them can be used to:
As long as there are no references to either the 'guest' user or the 'Guest-group' group, they can be deleted without affecting the normal operation of the FortiGate.
The reference count can be verified by looking at the 'Ref' column in the GUI, or by following Technical Note: How to Check Referenced Objects.
It is also worth noting that the default 'guest' user is separate from the 'Guest Management' feature within FortiOS, which requires configuring a separate group on the FortiGate with the type set to 'Guest'. Note that the default 'Guest-group' is a Firewall group and cannot be used for Guest Management. |
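The reference check described above can also be run offline against a configuration backup. The following is an added example, not Fortinet code: it walks the `config` / `edit` / `next` / `end` nesting of a backup and lists every `set` line that quotes 'Guest-group' or 'guest', ignoring the user's own membership in 'Guest-group'. The sample configuration is constructed, and the `selected-usergroups` line is an assumed stand-in for the FortiWiFi SSID reference.

```python
import re

# Constructed sample in the style of a FortiOS config backup (not from a real device).
SAMPLE_CONFIG = '''
config user local
    edit "guest"
        set type password
    next
end
config user group
    edit "Guest-group"
        set member "guest"
    next
end
config wireless-controller vap
    edit "guestwifi"
        set selected-usergroups "Guest-group"
    next
end
'''

def find_references(config_text, name):
    """Return (config path, entry, set line) for each 'set' line quoting `name`."""
    refs, path, entries = [], [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            path.append(line[len("config "):])
            entries.append(None)
        elif line.startswith("edit ") and entries:
            entries[-1] = line[len("edit "):].strip('"')
        elif line == "next" and entries:
            entries[-1] = None
        elif line == "end" and path:
            path.pop()
            entries.pop()
        elif line.startswith("set ") and name in re.findall(r'"([^"]*)"', line):
            refs.append((" > ".join(path), entries[-1] if entries else None, line))
    return refs

def safe_to_delete(config_text):
    """Article's rule: deletable when nothing references either object, apart
    from the guest user's own membership in Guest-group."""
    group_refs = find_references(config_text, "Guest-group")
    user_refs = [r for r in find_references(config_text, "guest")
                 if (r[0], r[1]) != ("user group", "Guest-group")]
    return not group_refs and not user_refs, group_refs + user_refs

if __name__ == "__main__":
    print(safe_to_delete(SAMPLE_CONFIG))
```

The 'Ref' column on the device remains the authoritative count; this only flags references visible in the exported text.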