FortiGate
krajaa
Staff
Article Id 191581

Description

This article describes how to restrict local administrator authentication while a remote authentication server is up and reachable.

Scope

FortiGate.

Solution

config system global
    set admin-restrict-local {enable | disable} <----- Default is set to disable.
end

Behavior before FortiOS v7.2.0:

If enabled, local administrator authentication is blocked as long as any remote authentication server configured on the FortiGate (TACACS+, LDAP, or RADIUS) is up and reachable. Local administrators are allowed to log in only when no remote authentication server is detected.

 

Behavior from FortiOS v7.2.0:

If enabled, the FortiGate now checks only whether all remote authentication servers referenced by administrator accounts in 'config system admin' are down, instead of all remote servers configured on the FortiGate, before allowing local administrators to log in. A remote server that is configured but not used by any administrator account no longer blocks local logins.

 

NOTE.

In both behaviors above, this setting applies to FortiGate GUI and CLI (SSH/Telnet) access only. Console access to the FortiGate is still available to local administrators even if the remote authentication servers are up.

 

Behavior from FortiOS v7.6.0:

config system global
    set admin-restrict-local {all | non-console-only | disable} <----- Default is set to disable.
end

'all' also restricts local administrator logins through the console. 'non-console-only' keeps the earlier behavior: GUI and CLI (SSH/Telnet) logins of local administrators are restricted while the console remains available.

 

NOTE.

The 'all' setting applies to FortiGate GUI, CLI (SSH/Telnet), and console access. If the remote authentication servers are up, local administrator accounts cannot log in, including through the console. Before selecting 'all', confirm that a remote administrator account can log in, because with the remote servers up there is no local fallback, not even on the console.
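The following is an added example configuration, not from the original article, showing the setting together with the remote administrator account it depends on: from FortiOS v7.2.0 the restriction is evaluated only against the servers referenced from 'config system admin', so the LDAP server must actually be bound to an administrator entry. The server address, LDAP names, group name and account names are placeholders rather than values from the article, and lines beginning with '#' are annotations, not FortiOS CLI. On FortiOS v7.6.0 and later, 'set admin-restrict-local non-console-only' gives the result shown here and 'all' removes the console fallback as well.

```text
# Remote authentication server (placeholder values)
config user ldap
    edit "corp-ldap"
        set server "10.0.0.10"
        set secure ldaps
        set port 636
        set cnid "sAMAccountName"
        set dn "dc=corp,dc=example"
        set type regular
        set username "cn=svc-fgt,ou=service,dc=corp,dc=example"
        set password <service-account-password>
    next
end

# Map an LDAP group to a FortiGate user group
config user group
    edit "fw-admins"
        set member "corp-ldap"
        config match
            edit 1
                set server-name "corp-ldap"
                set group-name "cn=fw-admins,ou=groups,dc=corp,dc=example"
            next
        end
    next
end

# Wildcard remote administrator: this entry is what ties "corp-ldap"
# to admin authentication, so it is the server checked from v7.2.0 onward
config system admin
    edit "ldap-admins"
        set remote-auth enable
        set remote-group "fw-admins"
        set wildcard enable
        set accprofile "super_admin"
        set vdom "root"
    next
end

# Block local administrator logins over GUI/SSH/Telnet while corp-ldap is up
# (console access for local administrators is still allowed)
config system global
    set admin-restrict-local enable
end
```

Before enabling the restriction, test the server binding from the CLI with 'diagnose test authserver ldap corp-ldap <username> <password>' and confirm that a member of the mapped group can log in over SSH. Once the setting is on and 'corp-ldap' is reachable, local accounts are no longer accepted on GUI or SSH/Telnet, so the console is the only recovery path, and with 'all' on FortiOS v7.6.0 there is none.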