FortiGate
rmetzger
Staff
Article Id 196813

Description

This article describes how to list, monitor, or de-authenticate users currently authenticated on a FortiGate. This applies when users are authenticated with the following methods:

  • Local (user) authentication (accounts/password stored on the FortiGate).
  • LDAP.
  • RADIUS.
  • TACACS+.
  • SAML.

FSAE and FortiGuard override with authentication are not in the scope of this procedure. Refer to related articles.

Scope

FortiGate.


Solution

CLI commands to list authenticated users:

FortiOS v5.0.3 and later:

FGT# diagnose firewall auth list

10.253.0.100, jsmorth
type: fw, id: 0, duration: 8, idled: 8
server: FAC
packets: in 0 out 15, bytes: in 0 out 1359
group_id: 8
group_name: VPN-RADIUS

----- 1 listed, 0 filtered ------

  • The first line lists the IP address and username.
  • The third line lists the remote authentication source.
  • The fifth and sixth lines refer to the locally configured user group.
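As an added example, not part of the original article: a small Python parser for the 'diagnose firewall auth list' output format shown above, which turns each entry into a record and flags entries idle longer than a threshold so an operator can review them before de-authenticating. The sample text, its second (local) entry and the record field names are constructed assumptions modelled on the article's output.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the article's output; the second entry is made up.
SAMPLE_OUTPUT = """\
10.253.0.100, jsmorth
type: fw, id: 0, duration: 8, idled: 8
server: FAC
packets: in 0 out 15, bytes: in 0 out 1359
group_id: 8
group_name: VPN-RADIUS

10.253.0.101, localuser
type: fw, id: 1, duration: 3600, idled: 1800
packets: in 10 out 20, bytes: in 800 out 2400
group_id: 3
group_name: LOCAL-USERS

----- 2 listed, 0 filtered ------
"""
# First line of an entry: "<IPv4>, <username>"
HEADER_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}),\s*(\S+)$")
# Comma-separated "key: value" pairs; values may contain spaces ("in 0 out 15").
KV_RE = re.compile(r"(\w+):\s*([^,]+?)(?=,\s*\w+:|$)")

@dataclass
class AuthEntry:
    ip: str
    user: str
    fields: dict = field(default_factory=dict)  # type, duration, idled, server, ...

def parse_auth_list(text: str) -> list:
    """Parse 'diagnose firewall auth list' output into AuthEntry records."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-----"):  # blank or summary line
            continue
        m = HEADER_RE.match(line)
        if m:  # new entry starts
            current = AuthEntry(m.group(1), m.group(2))
            entries.append(current)
        elif current is not None:  # detail line belonging to the current entry
            for key, value in KV_RE.findall(line):
                current.fields[key] = value.strip()
    return entries

def idle_entries(entries: list, max_idle_seconds: int) -> list:
    """Entries idle longer than the threshold: candidates to review or clear."""
    return [e for e in entries if int(e.fields.get("idled", 0)) > max_idle_seconds]
```

Entries without a 'server' line are locally authenticated users, so the absence of that key is the local/remote distinction the article's third line describes.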

The related command for IPv6 is 'diagnose firewall auth ipv6'.


FortiOS v5.0.2 and earlier:

FGT# diagnose firewall iprope authuser

username: localuser
(firewall_user_group)
source:   10.160.0.94 - 10.160.0.94

username: user1
(firewall_user_group(ldap_server))
source:   10.160.0.93 - 10.160.0.93


From the output above, two users are listed as currently authenticated, both belonging to the same user group, with the following details:

  • The first entry for a user lists the username itself (i.e., localuser, user1).
  • The second entry indicates the user group (i.e., firewall_user_group).
  • The value in parentheses after the user group (if applicable) indicates the remote authentication service (i.e., ldap_server).
  • The last entry shows the IP address against which the user is authenticated.

CLI commands to clear authenticated users:

FortiOS v5.0.3 and later:

FGT# diagnose firewall auth filter user jsmorth
FGT# diagnose firewall auth clear
----- 1 cleared, 1 filtered ------

To clear all user authentication entries, run the clear command without a filter:

FGT# diagnose firewall auth filter clear
FGT# diagnose firewall auth clear
----- 2 cleared, 0 filtered ------

The clear command removes the authentication entries but does not clear existing firewall sessions, which means that some users may still be able to access resources until their sessions expire.

FortiOS v5.0.2 and earlier:

FGT# diagnose firewall iprope resetauth

Warning: This command will reset all authenticated users. The command does not clear the sessions, which means that some users may still be able to access resources until their sessions expire.

Procedure from the Web-Based Manager (GUI), FortiOS v7.4.x and higher:

The image below shows where authenticated users can be monitored. The 'Firewall user monitor' widget can be added to the FortiView dashboard, from which an individual user can be de-authenticated. This view also shows the duration of each session and the traffic volume it has generated.

[Image: auth user.png, the Firewall user monitor widget on the FortiView dashboard]


Related articles:

Troubleshooting Tip: FSAE Troubleshooting Guide

Technical Tip: Multiple ways to list and disconnect administrators logged in to a FortiGate