MohamedYousri
New Contributor

FortiGate 60F || How can I import/create users in bulk?!

Hello All,  We got FortiGate 60F V6.2.4, and need to import all users (O365 is our source list for users) to the VPN.  I managed to create users manually at Users & Device/User Definition and it worked normally, but I have to add more than 200 other users.  Can't find the settings to import from a CSV file at once.  Any help please?  Regards,  Mohamed

emnoc
Esteemed Contributor III

If you have O365 you have MS-AD services. Just define a user-group that matches the MS group and avoid adding users. Adding users manually creates overhead for adds/changes/deletions. If you tie a user group to a users group in FortiOS you have less overhead and VPN is controlled centrally at MS AD (i.e. remove the user from the group, lock the account, etc.).

 

If you do not want to do MS-AD LDAP, RADIUS (NPS) would be the next best great thing.

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

MohamedYousri

emnoc wrote:

If you have O365 you have MS-AD services. Just define a user-group that matches the MS group and avoid adding users. Adding users manually creates overhead for adds/changes/deletions. If you tie a user group to a users group in FortiOS you have less overhead and VPN is controlled centrally at MS AD (i.e. remove the user from the group, lock the account, etc.).

 

If you do not want to do MS-AD LDAP, RADIUS (NPS) would be the next best great thing.

 

Ken Felix

 

Thanks for your feedback, but we don't want integration with MS AD.  Is there any way to just import users via a CSV file?

sw2090
Honored Contributor

Well if you have o365 I'd also suggest using AD integration for that's the easiest and most elegant solution for this.

Importing users to the FGT would require you to write some converter script or app to generate the corresponding FortiOS CLI script output to import into the FGT. Also, if a user changes their password or is deleted, you have to perform this in your AD and on your FGT...

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

xsilver_FTNT

Hi,

there is NO import option for local users on FortiGate (from any format, not just from CSV).

Such an option exists only on FortiAuthenticator, but that's a different product and 'league'.

 

However, as mentioned here:

1. First, via direct integration you will save a lot of headache as your users will have separate passwords on O365 and on FortiGate. Plus you will have to manually set all those up and maintain their group membership. So maybe integration is not that bad an idea and is a quite used solution, as it lets you drive all the permissions from AD.

 

2. The CLI config of 'config user local' is pretty simple, and even a simple bash/MS-cmd script might be enough to generate that config section; then copy and paste that into a config backup from your unit, and restore such an enhanced config back.

Groups can be handled as well. That's the simplest way.

 

3. As you mentioned O365, maybe you do not have Domain Services in Azure to make the LDAP integration. But even without that you might consider SAML integration. It's again a bit more complicated than plain users in local storage on FortiGate, but similarly flexible to point 1. If you want to learn more about that, check https://docs.fortinet.com and FortiGate integration with SAML.

 

4. Not mentioned before, but I can't keep that out: how about upgrading 6.2.4 (released a year ago) to something more recent, or do you have some serious reason for keeping that old version?

 

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
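
The converter script suggested in the replies above, as an added example (not code from any poster or from Fortinet): it turns a CSV user list into `config user local` and `config user group` CLI text. The CSV column names, the group name `SSLVPN-Users` and the username allow-list are assumptions; the sample rows are constructed.

```python
import csv, io, re, secrets

# Constructed sample standing in for an O365 user export (column names assumed).
# The third row carries a quote and a newline to show why fields must be validated.
SAMPLE_CSV = '''UserPrincipalName,DisplayName
alice@example.com,Alice Example
bob@example.com,Bob Example
"mallory""
end",Bad Row
'''

# Conservative allow-list for user names (an assumption, tighten as needed).
SAFE_NAME = re.compile(r"[A-Za-z0-9._@-]{1,64}")

def build_config(csv_text, group="SSLVPN-Users"):
    """Return (cli_text, credentials, rejected) for the rows in csv_text."""
    creds, rejected = {}, []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = (row.get("UserPrincipalName") or "").strip()
        # Reject duplicates and anything that could escape the quoted CLI argument.
        if not SAFE_NAME.fullmatch(name) or name in creds:
            rejected.append(name)
            continue
        creds[name] = secrets.token_urlsafe(12)  # unique random initial password
    if not creds:
        raise ValueError("no valid users in CSV")
    lines = ["config user local"]
    for name, pw in creds.items():
        lines += [f'    edit "{name}"',
                  "        set type password",
                  f'        set passwd "{pw}"',
                  "    next"]
    members = " ".join(f'"{n}"' for n in creds)
    lines += ["end", "config user group", f'    edit "{group}"',
              f"        set member {members}", "    next", "end"]
    return "\n".join(lines) + "\n", creds, rejected

if __name__ == "__main__":
    cli, creds, rejected = build_config(SAMPLE_CSV)
    print(cli)
    print("rejected rows:", rejected)
```

The generated text contains cleartext initial passwords, so handle the output file as a secret and delete it after the import.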

emnoc
Esteemed Contributor III

To Mohamed, any reason that you do not want to integrate? And have you thought of how you want to manage passwords for X amount of users?

 

SAML, as pointed out, is a great alternative; it is quite simple, you just need to define the saml-user, place it in a group and your authentication rules.

 

Diagnostic and troubleshooting would be slightly more complex, fwiw.

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

Yurisk
Valued Contributor

Additionally, when I needed to do a one time conversion job not worth writing a script, I did such conversions (From VDOM to VDOM, from model to model of Fortigate) in Notepad++ with its Find&Replace command, was quite easy and productive. 

 

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.