Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Adonist
New Contributor

Mass create or bulk import users

Hi,

 

We are switching our firewall to Fortigate and will be using SSLVPN with local users.

Is there a way to mass create users or import it from a csv ?

 

Thanks

2 Solutions
xsilver_FTNT
Staff
Staff

Sure, every user is just a record in 'config user local'.

Have a look into the CLI or the CLI guide on http://docs.fortinet.com for more details.

So you can prepare those configs in advance and then drop them to console.

Preparation can range from utilizing any text processing tool to make a template and fill in those variables such as usernames, to programming languages like Perl or Python to gather user data from LDAP, reformat them into text output written directly to FortiGate's command line via an SSH session opened by your small coded tool.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff


ede_pfau
Esteemed Contributor III

Two hints:

 

1- if you have a long user list, don't directly paste it to the CLI. Chances are high that you will get a timing error, and that not all of the input is actually 'taken'. Rather, submit the same file (which is a partial config file) via 'Advanced > Batch command'. This will upload all data first, and then import into the running config.

 

2- if you have a long user list, consider adding your LDAP (or MS-AD) as a 'remote user'. User management (who is granted SSLVPN access, who is removed from SSLVPN etc.) is then done via LDAP management. For instance, if you connect the FGT to your MS-AD, and create a user group in the MS-AD like 'SSLVPN users', you grant VPN access by dropping a user into this group. User management is completely independent of the Fortigate, and the config on your FGT is not touched in the future.

 

Of course, this only pays out if you already manage users by LDAP or MS-AD.

 

BTW, you can also grant admin access via LDAP, using a 'remote admin wildcard account'. Sounds difficult but isn't.

 

These methods are well documented in the Cookbook or KB.


Ede

"Kernel panic: Aiee, killing interrupt handler!"

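Tomas suggests a template filled from a CSV or LDAP export, and Ede adds that the result should be uploaded through Advanced > Batch command rather than pasted into the CLI. The script below is an added example (editor's code, not from either poster or from Fortinet) that does the generation step in Python: it reads a two-column `username,group` CSV, emits a partial config with a `config user local` section and a matching `config user group` section, and reports the generated initial passwords separately so they never have to be read back out of the config file. The CLI keywords used (`set type password`, `set passwd`, `set member`) are standard FortiOS syntax, but check them against the CLI reference for your firmware; the sample CSV is constructed for the example. Two defensive choices worth noting: usernames and group names are checked against a strict allowlist before they are templated, so a crafted CSV value cannot break out of the quoted string and smuggle extra commands into the batch file, and passwords come from the OS CSPRNG, one per user.

```python
import csv
import io
import re
import secrets
import string
import sys

# Constructed sample input: a two-column export like the one the thread assumes.
SAMPLE_CSV = """username,group
alice,SSLVPN users
bob,SSLVPN users
carol,Contractors
"""

# Conservative allowlists (an assumption for this example). FortiOS tolerates
# more characters than this, but a name that cannot contain quotes, newlines or
# semicolons cannot break out of the quoted CLI string and append commands of
# its own to the batch file.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,35}$")
SAFE_GROUP = re.compile(r"^[A-Za-z0-9._ -]{1,35}$")


def random_password(length=16):
    """Initial password from the OS CSPRNG, one per user, never reused."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def parse_users(csv_text):
    """Read (username, group) pairs and reject anything outside the allowlist."""
    users = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = (row.get("username") or "").strip()
        group = (row.get("group") or "").strip()
        if not SAFE_NAME.match(name):
            raise ValueError(f"rejected username: {name!r}")
        if not SAFE_GROUP.match(group):
            raise ValueError(f"rejected group: {group!r}")
        users.append((name, group))
    return users


def render_batch(users, password_for=None):
    """Return (cli_text, passwords): the partial config to upload via
    Advanced > Batch command, plus the initial password assigned to each
    user, kept out of band so the config file is not the password store."""
    if password_for is None:
        password_for = lambda _name: random_password()
    passwords = {}
    lines = ["config user local"]
    for name, _group in users:
        passwords[name] = password_for(name)
        lines += [
            f'    edit "{name}"',
            "        set type password",
            f'        set passwd "{passwords[name]}"',
            "    next",
        ]
    lines.append("end")

    members = {}  # group -> [usernames], keeps CSV order
    for name, group in users:
        members.setdefault(group, []).append(name)
    lines.append("config user group")
    for group, names in members.items():
        quoted = " ".join(f'"{n}"' for n in names)
        lines += [f'    edit "{group}"', f"        set member {quoted}", "    next"]
    lines.append("end")
    return "\n".join(lines) + "\n", passwords


if __name__ == "__main__":
    # Usage: python make_users.py users.csv > users_batch.txt
    # Batch text goes to stdout; initial passwords go to stderr so they are
    # not captured in the file you upload to the firewall.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CSV
    text, pws = render_batch(parse_users(source))
    sys.stdout.write(text)
    for user, pw in pws.items():
        sys.stderr.write(f"{user}: {pw}\n")
```

Redirect stdout to a file and upload that file as the batch; hand the stderr list to whoever distributes initial credentials, and expect users to change them on first login. If you later move to the LDAP approach Ede describes, only the `config user group` section changes shape (the group becomes a remote group instead of a member list).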
9 REPLIES

Adonist

Thank you for the reply Tomas!

If i can prepare like a template with them and drop in the cli that would be great.

Thank you again for that!

rwpatterson
Valued Contributor III

+1 to Ede_phau

 

Managing from Active directory means that any non Fortigate admin can add and remove users easily to your SSL VPN group without your intervention. That's how I always set it up.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Adonist

Thanks Bob! Unfortunately we don't want to integrate with Active Directory (which would make my life a lot easier).

Adonist

Thank you for that.

I had to do with a bunch each time not to have the issues you mentioned. Unfortunately we don't want to integrate with LDAP which would make my life a lot easier. I managed to do it with a template and some scripting to populate the users.

Adonist

I used a template and replicated it a hundred times as suggested. I used some scripting to populate it with the right names and it worked perfectly.

gilbertthor

Hi,

 

I need to create local users with groups, the same as your scenario, and I am looking for any template/method that can accomplish this on a Fortigate firewall. Would you mind sharing some information on this? Thanks a lot.

xsilver_FTNT

+5 Ede well done. It's way beyond the original question but good point. Just in case someone uses FAC (FortiAuthenticator), that can even sync users and automatically sort them to groups based on LDAP filters or provision FortiTokens to those users.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
