Description | This article describes the case where it is not possible to log in to the FortiGate via SSH or the GUI with a local firewall user, while a user that belongs to a remote server (RADIUS, TACACS+) can log in. |
Scope | FortiGate. |
Solution |
For local firewall users, the main cause is that admin-restrict-local is enabled in the global settings.
config system global
set admin-restrict-local {enable | disable} <- Default is set to disable.
end
If it is enabled, the user's credentials are not checked against the local database and the login is blocked. Instead, the FortiGate always queries the remote servers.
To confirm this, run the following commands in the CLI:
diag de reset
diag de application fnbamd -1
diag de application authd -1
diag de enable
Once the output has been captured, disable debugging with 'diag de disable'.
The debug output shows that the request is forwarded only to the remote server and is not checked against the local database.
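An offline complement to the debug above, added here as an example and not Fortinet's own tooling: a Python check that reads a configuration backup, reports the effective admin-restrict-local value and lists the accounts a restriction would lock out. The sample configuration is constructed, and treating `config system admin` entries without `set remote-auth enable` as the local accounts is an assumption.

```python
# Constructed sample of a FortiGate configuration backup (not from the article).
SAMPLE_CONFIG = """\
config system global
    set admin-restrict-local enable
end
config system admin
    edit "admin"
    next
    edit "netops"
        set remote-auth enable
    next
end
config user radius
    edit "RAD1"
        set server "192.0.2.10"
    next
end
"""

def parse_sections(text):
    """Parse top-level config blocks into {name: {"settings": {}, "entries": {}}}."""
    sections, depth, section, entry = {}, 0, None, None
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "config":
            depth += 1
            if depth == 1:
                name = " ".join(words[1:])
                section = sections.setdefault(name, {"settings": {}, "entries": {}})
        elif words[0] == "end":
            depth -= 1
        elif depth == 1 and words[0] == "edit":
            entry = section["entries"].setdefault(" ".join(words[1:]).strip('"'), {})
        elif depth == 1 and words[0] == "next":
            entry = None
        elif depth == 1 and words[0] == "set" and len(words) >= 3:
            target = section["settings"] if entry is None else entry
            target[words[1]] = " ".join(words[2:]).strip('"')
    return sections

def audit(text):
    cfg = parse_sections(text)
    # Assumption: a missing line means the default, which the article gives as disable.
    restrict = cfg.get("system global", {}).get("settings", {}).get("admin-restrict-local", "disable")
    admins = cfg.get("system admin", {}).get("entries", {})
    local = sorted(n for n, e in admins.items() if e.get("remote-auth") != "enable")
    remote = sorted(n for s in ("user radius", "user tacacs+") for n in cfg.get(s, {}).get("entries", {}))
    return {"admin_restrict_local": restrict, "local_accounts": local,
            "remote_servers": remote, "local_login_blocked": restrict == "enable" and bool(local)}
```

Calling `audit()` on a backup before enabling the setting shows which accounts would depend entirely on the remote servers afterwards.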
Perform the initial troubleshooting by following the below article:
|
Copyright 2024 Fortinet, Inc. All Rights Reserved.