FortiAuthenticator 4.

0
Release Notes
FortiAuthenticator 4.0 Release Notes
July 30, 2015
Revision 2
Copyright 2015 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, and FortiGuard are
registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks
of Fortinet. All other product or company names may be trademarks of their respective owners.
Performance metrics contained herein were attained in internal lab tests under ideal conditions,
and performance may vary. Network variables, different network environments and other
conditions may affect performance results. Nothing herein represents any binding commitment
by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the
extent Fortinet enters a binding written contract, signed by Fortinets General Counsel, with a
purchaser that expressly warrants that the identified product will perform according to the
performance metrics herein. For absolute clarity, any such warranty will be limited to
performance in the same ideal conditions as in Fortinets internal lab tests. Fortinet disclaims in
full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise
this publication without notice, and the most current version of the publication shall be
applicable.

Technical Documentation http://help.fortinet.com

Knowledge Base http://kb.fortinet.com
Forums https://support.fortinet.com/forums
Customer Service & Support https://support.fortinet.com
Training http://training.fortinet.com
FortiGuard Threat Research & Response http://www.fortiguard.com
License Agreement http://www.fortinet.com/doc/legal/EULA.pdf
Document Feedback Email: [email protected]
Table of contents
Introduction ...................................................................................................... 5
Special Notices ................................................................................................ 6
TFTP boot process ...................................................................................................................6
Monitor settings for web-based manager access .....................................................................6
Before any upgrade ..................................................................................................................6
After any upgrade .....................................................................................................................6
Whats new ....................................................................................................... 7
System features ........................................................................................................................7
Authentication ...........................................................................................................................7
FSSO ........................................................................................................................................9
API ............................................................................................................................................9
Upgrade instructions ..................................................................................... 10
Hardware & VM support ........................................................................................................ 10
Image checksums .................................................................................................................. 10
Upgrading from FortiAuthenticator v3.3 ................................................................................. 11
Upgrading from FortiAuthenticator earlier releases ............................................................... 11
Firmware upgrade process .................................................................................................... 11
Product Integration and Support .................................................................. 13
Web browser support ............................................................................................................. 13
FortiOS support ..................................................................................................................... 13
Fortinet agent support ............................................................................................................ 13
Virtualization software support............................................................................................... 13
Third party RADIUS authentication ....................................................................................... 13
Resolved issues ............................................................................................. 15
System ................................................................................................................................... 15
HA .......................................................................................................................................... 15
Authentication ........................................................................................................................ 15
Agent for MS Windows .......................................................................................................... 16
FSSO ..................................................................................................................................... 16
Certificate Management ......................................................................................................... 17
GUI......................................................................................................................................... 17
Certificate Authority ............................................................................................................... 18
API ......................................................................................................................................... 18

Fortinet 3 FortiAuthenticator 4.0 Release Notes

 Known issues ................................................................................................. 19
Appendix A: FortiAuthenticator VM ............................................................. 20
FortiAuthenticator VM system requirements ......................................................................... 20
FortiAuthenticator VM firmware ............................................................................................. 20
Appendix B: Maximum values ...................................................................... 21
Hardware appliances ............................................................................................................. 21
VM appliances ....................................................................................................................... 22

Fortinet 4 FortiAuthenticator 4.0 Release Notes

Introduction
This document provides a summary of new features, enhancements, support information,
installation instructions and caveats, resolved and known issues for FortiAuthenticator 4.0,
build 0008.

FortiAuthenticator is a User and Identity Management solution enabling including Strong

Authentication, Wireless 802.1X Authentication, Certificate Management and Fortinet Single
Sign-On.
For additional documentation, please visit:
http://docs.fortinet.com/fortiauthenticator/

Fortinet 5 FortiAuthenticator 4.0 Release Notes

Special Notices
TFTP boot process
The TFTP boot process erases all current FortiAuthenticator configuration and replaces it with
the factory default settings.

Monitor settings for web-based manager access

Fortinet recommends setting your monitor to a screen resolution of 1600x1200. This allows for
all the objects in the Web-based Manager to be viewed properly without need for scrolling.

Before any upgrade

Save a copy of your FortiAuthenticator unit configuration prior to upgrading. Go to System >
Maintenance > Config and select Download Backup File to backup the configuration.

After any upgrade

If you are using the Web-based Manager, clear your browser cache prior to login on the
FortiAuthenticator to ensure the Web-based Manager screens are displayed properly

Fortinet 6 FortiAuthenticator 4.0 Release Notes

Whats new
Before upgrading, review the following changes for impact to your unique deployment. Note
that this list is not exhaustive but highlights the major feature enhancements in this release.
For more information about these features, please refer to the Whats New or Administration
Guides.

System features
These are features related to general system operation and not a specific functional area.

SNMP enhancements
Several new statistics have been added to SNMP:
facHaCurrentStatus: The current HA status of the FortiAuthenticator
facRadiusProxyInTotal: The total number of RADIUS accounting proxy packets received
facRadiusProxyOutTotal: The total number of RADIUS accounting proxy packets sent

It also adds a new trap facTrapHAStatusChange that is triggered when there is a change in
the HA status of the FortiAuthenticator.

Add Additional RADIUS VSAs

The Riverbed and Juniper JunOS Space RADIUS dictionaries have been added to the RADIUS
engine.

Role Based Administration

To simplify the configuration of user permissions, the concept of Admin User Profiles has been
implemented to allow a profile to be defined according to administrator role and applied across
multiple users.

Authentication
Authentication covers all of the explicit authentication options within the FortiAuthenticator
including RADIUS, LDAP, Two-Factor, Tokens, EAP, guest management and user self-service
features.

Social and MAC address authentication

Social Wifi authentication allows FortiAuthenticator to utilize third party user identity methods to
authenticate users into a wireless guest network. Supported authentication methods include:
Google +
Facebook
Linkedin
Twitter

Fortinet 7 FortiAuthenticator 4.0 Release Notes

 Form based authentication (similar to existing self-reg feature)
SMS based authentication
MAC Address authentication

Allow expired FTM reactivation

When provisioning FortiTokenMobile, FortiAuthenticator would put the FTM into a locked state
once the timeout expired, but leave the user enabled. The user with a locked FTM would not be
able to login (as expected) but was difficult for an administrator to detect, identify and rectify
increasing administrator overhead.
A new workflow for behavior when the FTM provisioning period expires has been changed to
simplify administration:
Disassociate the FTM from the user
Put the FTM back in the pool of available FTMs
Disable the user (reason = "FTM activation timeout")

RADIUS Sub Auth Client Profiles

FortiAuthenticator previously has differentiated authentication sources based purely on IP
address (NAS or RADIUS Client) and for most use cases, this is sufficient. FortiGate is
somewhat unique however in that it offers multiple services on a single appliance, which may
require specific configuration (groups, users, attributes, 802.1x support) for each e.g.
Management (GUI/SSH)
IPSEC/SSL-VPN
Web Filtering Override
Wireless Authentication
Each of these methods may require a different profile (permitted groups, auth methods,
backend databases), yet all RADIUS authentication requests may originate from the same IP
address and therefore have previously been indistinguishable to the FortiAuthenticator.
FortiAuthenticator 4.0 introduces the concept of RADIUS Client Profiles where the
authentication profile is applied according to a RADIUS attribute in the authentication request.

Bulk purge inactive users

The goal of this feature is to provide a convenient way to identify and manage expired user
accounts.
The Local Users list page currently includes a Status column indicating whether the user is
enabled or disabled. When the user is disabled, a comment is added specifying the reason it
has been disabled (manually, expired or login inactivity).
The Local Users page has been modified to include the ability to perform a bulk disabled user
purge, or re-enablement.

Active Directory password change

FortiAuthenticator 4.0 extends the local user self-service password reset capability to support
Active Directory user password management.
Several different methods of managing the password change process are supported including
RADIUS 802.1x Login and via the GUI.

Fortinet 8 FortiAuthenticator 4.0 Release Notes

 FSSO
Fortinet Single Sign-On (FSSO) is a method used by FortiGate and FortiCache to transparently
identify users on the network.

DC/TS Monitor
A new monitoring page has been added to the GUI under Monitor > SSO to display information
on the Domain Controller (DC) and Terminal Server (TS) agents that are reporting to the
FortiAuthenticator.

SSO filtering enhancements

Multiple changes have been made to the filtering of SSO Users to make the process more
flexible and allow filtering based on User/group/OU/IP.

SSO - include username with '$'

In previous firmware releases, the FortiAuthenticator excludes usernames containing the '$'
character in its SSO feature since this usually indicate Computer accounts on modern versions
of Windows AD servers. However, it is not a hard rule and the '$' character may still be present
in usernames. It is especially more prevalent when user accounts have been migrated from
older Windows NT servers.
If not relying on the '$' character to detect Computer accounts, the FortiAuthenticator must do
an extra LDAP search, thus impacting performance. Therefore, we will make this feature
configurable. The legacy behavior will be the default setting.

Download OWA agent from GUI

The Agent for Microsoft Outlook Web Access is now downloadable via the FortiAuthenticator
GUI as per the Microsoft Windows Agent

Windows FAC agent - group/OU exemptions

In order to accommodate the scenario where only a limited group of users are required to log
into the Microsoft domain with two-factor authentication the ability to exempt users from two-
factor auth using AD container filtering has been added to the FortiAuthenticator Agent for
Microsoft Windows. Users who are members of an exempt groups and the users located under
an exempt AD container are only required to provide a password to authenticate, i.e. no
FortiToken code.

API
The REST API allows programatic access to the FortiAuthenticator for integration with third
party applications and business processes.

REST API - Set user expiration

User account expiration can now be set and modified via the API. See the REST API Guide for
more details. http://docs.fortinet.com/fortiauthenticator/

Fortinet 9 FortiAuthenticator 4.0 Release Notes

Upgrade instructions

Back up your configuration before beginning this procedure. Whilst no data loss should occur
if the procedures below are correctly followed, it is recommended a full backup is made
before proceeding and the user will be prompted to do so as part of the upgrade process.
For information on how to back up the FortiAuthenticator configuration, see the
FortiAuthenticator Administration Guide.

Hardware & VM support

FortiAuthenticator 4.0 supports:
FortiAuthenticator 200D
FortiAuthenticator 400C
FortiAuthenticator 1000C
FortiAuthenticator 1000D
FortiAuthenticator 3000B
FortiAuthenticator 3000D
FortiAuthenticator VM (VMWare & Hyper-V)

Image checksums
To verify the integrity of the firmware file, use a checksum tool to compute the firmware files
MD5 checksum. Compare it with the checksum indicated by Fortinet. If the checksums match,
the file is intact.
MD5 checksums for software releases are available from Fortinet Customer Service & Support:
https://support.fortinet.com
Figure 1: Customer Service & Support image checksum tool

Fortinet 10 FortiAuthenticator 4.0 Release Notes

 After logging in to the web site, in the menus at the top of the page, click Download, then click
Firmware Image Checksums.
Alternatively, near the bottom of the page, click the Firmware Image Checksums button. (The
button appears only if one or more of your devices has a current support contract.) In the File
Name field, enter the firmware image file name including its extension, then click Get Checksum
Code.

Upgrading from FortiAuthenticator v3.3

FortiAuthenticator 4.0 build 0008 officially supports upgrade from FortiAuthenticator v3.3.

Upgrading from FortiAuthenticator earlier releases

FortiAuthenticator 4.0 build 0008 does not support upgrade from releases prior to
FortiAuthenticator 3.3. Please upgrade via FortiAuthenticator 3.3, following instructions shown
in the relevant firmware release notes.

Firmware upgrade process

After backing up your configuration first, follow the following procedure to upgrade the firmware.
Before you can install FortiAuthenticator firmware, you must download the firmware package
from the Customer Service & Support web site, then upload it from your computer to the
FortiAuthenticator unit.
1. Log in to the Customer Service & Support web site at https://support.fortinet.com. In the
Download section of the page, select the Firmware Images link to download the firmware.

Fortinet 11 FortiAuthenticator 4.0 Release Notes

 2. To verify the integrity of the download, go back to the Download section of the login page,
then click the Firmware Image Checksums link.
3. Log in to the FortiAuthenticator units Web-based Manager using the admin administrator
account.
4. Go to System > Dashboard > Status.
5. In the System Information widget, in the Firmware Version row, select Upgrade. The
Firmware Upgrade or Downgrade dialog box opens.
6. In the Firmware section, select Choose File, and locate the upgrade package that you
downloaded.
7. Select OK to upload the file to the FortiAuthenticator.
Your browser uploads the firmware file. The time required varies by the size of the file and the
speed of your network connection. When the file transfer is complete, the following message is
shown:

It is recommended that a system backup is taken at this point. Once complete, click Start
Upgrade.
Wait until the unpacking, upgrade and reboot process completes (usually 3-5 minutes), then
refresh the page.

Fortinet 12 FortiAuthenticator 4.0 Release Notes

Product Integration and Support
Web browser support
The following web browsers are supported by FortiAuthenticator 4.0:
Microsoft Internet Explorer versions 9 to 11
Mozilla Firefox versions 18 to 39
Google Chrome versions 28 to 44
Other web browsers may function correctly, but are not supported by Fortinet.

FortiOS support
FortiAuthenticator 4.0 supports the following FortiOS versions:
FortiOS v5.0 Patch Release 12
FortiOS v5.2 Patch Release 4
Other FortiOS versions may function correctly, but may not be supported by Fortinet.

Fortinet agent support

FortiAuthenticator 4.0 supports the following Fortinet Agents.
FortiClient v.5.2.3 for Microsoft Windows (Single Sign-On Mobility Agent)
FortiAuthenticator Agent for Microsoft Windows 1.5.0
FortiAuthenticator Agent for Outlook Web Access 1.0.0
FSSO DC Agent v.4.3.0159
FSSO TS Agent v.4.3.0159
Other Agent versions may function correctly, but may not be supported by Fortinet.
For details of which Operating Systems are supported by each Agent, please see the Install
Guides provided with the software.

Virtualization software support

FortiAuthenticator 4.0 supports VMware ESXi / ESX 4.0, 4.1, 5.0, 5.1, 5.5 and 6.0.
FortiAuthenticator 4.0 supports Microsoft Hyper-V 2010 and Microsoft Hyper-V 2012 R2.
See Appendix A: FortiAuthenticator VM for more information.

Third party RADIUS authentication

FortiAuthenticator uses standards based RADIUS for authentication and can deliver two-factor
authentication via multiple methods for the greatest compatibility:
RADIUS Challenge Response - Requires support by third party vendor
Token Passcode Appended - Supports any RADIUS compatible system

Fortinet 13 FortiAuthenticator 4.0 Release Notes

 FortiAuthenticator should therefore be compatible with any RADIUS capable authentication
client / network access server (NAS). For more information, see the FortiAuthenticator Two-
Factor Authentication Interoperability Guide http://docs.fortinet.com/fortiauthenticator/admin-
guides

Fortinet 14 FortiAuthenticator 4.0 Release Notes

Resolved issues
The resolved issues listed below may not list every bug that has been corrected with this
release. For inquires about a particular bug, please Fortinet Customer Service & Support:
https://support.fortinet.com.

System
Table 1: Resolved Authentication issues

Bug ID Description

0269645 Graciously recover from unformatted HDD

0272135 Multiple OpenSSL Vulnerabilities

0281537
0284837
0279245
0284858

0265365 Update description of facAuth.facFortiTokenRemaining in MIB

0258394 Cannot send email with Unicode characters.

HA
Table 2: Resolved Authentication issues

Bug ID Description

0281043 HA status always stays as "Cluster not formed" caused by missing HA

0281730 tables on upgrade

0280455 HA is not forming on Cluster Member and Load-balancing slave

0272416 Non-HA configured ports stop working after reboot

0282499 Restoring Config, in HA environment results in table checksums are not

being initiated and sync failing

0282384 Disable changing HA node type when HA is already enabled

0280455 HA is not forming on Cluster Member and Load-balancing slave

Authentication

Fortinet 15 FortiAuthenticator 4.0 Release Notes

 Table 3: Resolved Authentication issues

Bug ID Description

0278779 When machine auth is enabled, RADIUS attributes from specified user
group is not applied

0280176 Agent for MSWindows: Installation inconsistent between GUI and

CMDLine

0269371 Agent for MSWindows: Error while trying to add users to the exempt list
on FAC agent 1.2

0274549 Ability to filter users from FSSO before entity into DB (reducing licensing
overhead)

0278608 Token is Locked after activation window expires

0262454 HTTP/S POST to SMS Gateway encodes credentials in URL not body
0262455

0274627 Match cert bindings against all CNs

0280432 Error on unlock token when no disable reason set

0280991 Agent for MSWindows: Login fails if unable to list group members

Agent for MS Windows

Table 4: Resolved Agent for MS Windows issues

Bug ID Description

0280176 Installation inconsistent between GUI and CMDLine

0269371 Error while trying to add users to the exempt list on FAC agent 1.2

0280991 Login fails if unable to list group members. Change group lookup
method.

FSSO
Table 5: Resolved Authentication issues

Bug ID Description

0265979 RSSO and SSO portal race condition

0282285 FSSO Groups truncated at 2048. Increase to support 8192 groups

Fortinet 16 FortiAuthenticator 4.0 Release Notes

 Certificate Management
Table 6: Resolved Authentication issues

Bug ID Description

0278630 Unable to sign a CSR generated from Exchange Server 2010

0274627 Match cert bindings against all CNs

GUI
Table 7: Resolved GUI issues

Bug ID Description

0258050 Incorrect help URL

0268458 Flush expired auth requests from RADIUS queue

0274942 Random password expiration is not disabled when password is changed

0276734 for a user with 2FA
0276636

0259042 Broken log search when keywords includes special characters

0259044 Misleading connection status message in Monitor

0277728 Requested page does not exist after delete the only EAP entry

0251546 Support upgrade when duplicate user incorrectly exists in user lockout
table

0263047 Add missing tooltip hints

0264229 CLI commands to list and remove HA serial numbers

0266331

0258217 Prevent error if users submits multiple upgrade requests

0258220 GUI reports service unavailable when disabling or enabling Kerberos

keytab

0218995 Authentication activity widget stress cause WebGUI denial of service

0252346 Error while trying to access GUI logs when large volume of logs

0277173 GUI crashes when trying to read some Microsoft certificate extensions

0258539 Account expiry setting doesn't save at first attempt when creating user

Fortinet 17 FortiAuthenticator 4.0 Release Notes

 with random password

Certificate Authority
Table 8: Resolved Certificate Authority issues

Bug ID Description

0278630 Unable to sign a CSR generated from Exchange Server 2010

0265516 Wildcard enrollment with empty subject should allow signing any CSR

API
Table 9: Resolved Authentication issues

Bug ID Description

0281434 Disabled User can still authenticate via API

0279451 Incrementally add users to a group

0276163 Locked tokens selected for provision via API (and fail)

0282549 Cannot change name of group containing users using PUT

0279672 Allow modification of Remote Users vis LDAP

0275086 Exceeding Failed Auth Attempt via API Limit does not lock user

Fortinet 18 FortiAuthenticator 4.0 Release Notes

Known issues
This section lists the known issues of this release, but is not a complete list. For inquires about
a particular bug, please contact Fortinet Customer Service & Support:
https://support.fortinet.com
Table 10: Known issues

Bug ID Description

There are no known issues at this time.

Fortinet 19 FortiAuthenticator 4.0 Release Notes

Appendix A: FortiAuthenticator VM
FortiAuthenticator VM system requirements
The following table provides a detailed summary on FortiAuthenticator VM system
requirements. Installing FortiAuthenticator VM requires that you have already installed a
supported virtual machine (VM) environment. For details, see the Install Guide for
FortiAuthenticator VM available at http://docs.fortinet.com.
Table 11: VM Requirements

Virtual Machine Requirement

Hypervisor Support VMware ESXi / ESX 4.0, 4.1, 5.0, 5.1 and 5.5
Virtual Machine Form Factor Open Virtualization Format (OVF)
Virtual CPUs Supported 1/8
(Minimum / Maximum)

Virtual NICs Supported 1/4

(Minimum / Maximum)

Storage Support 60GB / 2TB

(Minimum / Maximum)

Memory Support 512 MB / 64GB

(Minimum / Maximum)

High Availability Support Yes

FortiAuthenticator VM firmware
Fortinet provides FortiAuthenticator VM firmware images in two formats:
.out: Use this image for new and upgrades to physical appliance installations. Upgrades
to existing virtual machine installations are also distributed in this format.
ovf.zip: Use this image for new VM installations. It contains a deployable Open
Virtualization Format (OVF) virtual machine package for initial VMware ESXi installations.

For more information see the FortiAuthenticator product datasheet available on the Fortinet web
site, http://www.fortinet.com/products/fortiauthenticator/index.html

Fortinet 20 FortiAuthenticator 4.0 Release Notes

Appendix B: Maximum values
This section lists the maximum number of configuration objects per FortiAuthenticator appliance
that can be added to the configuration database for different FortiAuthenticator hardware and
VM configurations.

The maximum values in this document are the maximum configurable values and are not a
commitment of performance.

Hardware appliances
The following table describes the maximum values set for the various hardware models.

T
a Model
b
l
e

FortiAuthenticator

FortiAuthenticator

FortiAuthenticator

FortiAuthenticator

FortiAuthenticator
1 Feature
2
:

3000D
1000C

3000B
200D

400C
M
a
x System
i Network Static Routes 50 50 50 50 50
m
u Messages SMTP Servers 20 20 20 20 20
m SMS Gateways 20 20 20 20 20
SNMP Hosts 20 20 20 20 20
v
a Administration SYSLOG Servers 20 20 20 20 20
l User Uploaded Images 25 100 500 1000 2000
u
e Language Files 50 50 50 50 50
s 5 5
0
- 9

HAuthentication
a General Auth Clients (NAS) 50 200 1000 2000 4000
r
d Local User Users 500 2000 10000 20000 40000
1
wManagement (Local + Remote)
a User Radius Attributes 1500 6000 30000 60000 120000
r User Groups 50 200 1000 2000 4000
e
Group Radius Attributes 150 150 600 6000 120000
.
FortiTokens 1000 4000 20000 40000 80000

Fortinet 21 FortiAuthenticator 4.0 Release Notes

 FortiToken Mobile 200 200 200 200 200
2
Licenses
LDAP Entries 1000 4000 20000 40000 80000
Device (MAC-based 50 200 1000 2000 4000
Auth.)
Remote LDAP Servers 20 80 400 800 1600
Remote LDAP Sync 25 100 500 1000 2000
Rule
Remote LDAP User 1500 6000 30000 60000 120K
Radius Attributes
SSO & Dynamic Policies
3
SSO SSO Users 500 2000 10000 20000 200K
SSO Groups 1000 1000 5000 10000 20000
Domain Controllers 10 20 100 200 4000
RADIUS Accounting 50 200 1000 2000 4000
SSO Clients
FortiGate Services 50 200 1000 2000 4000
FortiGate Group 250 1000 5000 10000 20000
Filtering
FSSO Tier Nodes 5 20 100 200 400
IP Filtering Rules 250 1000 5000 10000 20000
Accounting Proxy Sources 50 200 1000 2000 4000
Destinations 25 100 500 1000 2000
Rulesets 25 100 500 1000 2000
Certificates
User Certificates User Certificates 2500 10000 50000 100K 200K
Server Certificates 50 200 1000 2000 4000
Certificate CA Certificates 10 10 50 50 50
Authorities Trusted CA Certificates 200 200 200 200 200
Certificate Revocation 200 200 200 200 200
Lists
SCEP Enrollment Requests 500 2000 10000 20000 40000
1
Note that there is one metric used for the number of allowed users which is Users. Local
Users and Remote Users share the same limit value. This enables Local Users or Remote
Users to be equal to Users or for there to be a mixture of user types, however, the total number
of Local and Remote Users cannot exceed the Users metric.
2
FortiToken Mobile Licenses refers to the licenses that can be applied to a
FortiAuthenticator, not the number of FortiToken Mobile instances that can be managed. The
total number is limited by the FortiToken metric.
3
For the 3000D, the total number of concurrent SSO Users is set to a higher level to cater
for large deployments.

VM appliances
The FortiAuthenticator-VM Appliance is licensed based on the total number of users and
licensed on a stacking basis. All installations must start with a FortiAuthenticator VM-Base
license and users can be stacked with upgrade licenses in blocks of 100, 1,000, 10,000 and

Fortinet 22 FortiAuthenticator 4.0 Release Notes

 100,000 users. Due to the dynamic nature of this licensing model, most other metrics are set
relative to the number of licensed users. The Calculating Metric column below shows how the
feature size is calculated relative to the number of licensed users for example, on a 100 user
FortiAuthenticator-VM Base License, the number of Auth Clients (NAS Devices) that can
authenticate to the system is:
100
10 = 10
Where this relative system is not used e.g. for static routes, the calculating metric is denoted by
a -. The supported figures are shown for both the base VM and a 5000 user licensed VM
system by way of example.

Table 13: Maximum Values - Virtual Machines.

Model

Base VM (100 Users)

Calculating Metric

licensed User VM
Unlicensed VM

Example 5000
Feature

System
Network Static Routes 2 50 50 50
Messaging SMTP Servers 2 20 20 20
SMS Gateways 2 20 20 20
SNMP Hosts 2 20 20 20
Administration SYSLOG Servers 2 20 20 20
User Uploaded Images 5 Users / 20 5 100
Language Files 5 50 50 50
Authentication
General Auth Clients (NAS) 3 Users / 10 10 500
User Management Users 5 *********** 100 5000
(Local + Remote)*
User Radius Attributes 15 U sers x 3 300 15000
User Groups 3 Users / 10 10 500
Group Radius Attributes 9 Users x 3 300 15000
FortiTokens 10 Users x 2 200 10000
FortiToken Mobile Licenses 3 200 200 200
(Stacked)
LDAP Entries 20 Users x 2 200 10000
Device (MAC-based Auth.) 1 Users / 10 10 500
Remote LDAP Servers 4 Users / 25 4 200
Remote LDAP Sync Rule 1 Users / 20 5 250
Remote LDAP User Radius 15 Users x 3 300 15000
Attributes
SSO & Dynamic Policies
SSO SSO Users 5 Users 100 5000

Fortinet 23 FortiAuthenticator 4.0 Release Notes

 SSO Groups 30 Users / 2 50 2500
Domain Controllers 3 Users / 100 10 50
(min=10)
RADIUS Accounting SSO 3 Users / 10 10 50
Clients (min=10)
FortiGate Services 2 Users / 10 10 500
FortiGate Group Filtering 30 Users / 2 50 2500
FSSO Tier Nodes 3 Users /100 5 50
(min=5)
IP Filtering Rules 30 Users / 2 50 2500
Accounting Proxy Sources 3 Users / 10 10 500
Destinations 3 Users / 20 5 250
Rulesets 3 Users / 20 5 250
Certificates
User Certificates User Certificates 5 Users x 5 500 25000
Server Certificates 2 Users / 10 10 500
Certificate Authorities CA Certificates 3 Users / 20 5 250
Trusted CA Certificates 200 200 200 200
Certificate Revocation Lists 5 200 200 200
SCEP Enrollment Requests 5 Users 100 5000
1
Note that there is one metric used for the number of allowed users which is Users. Local
Users and Remote Users share the same limit value. This enables Local Users or Remote
Users to be equal to Users or for there to be a mixture of user types, however, the total number
of Local and Remote Users cannot exceed the Users metric.
2
FortiToken Mobile Licenses refers to the licenses that can be applied to a
FortiAuthenticator, not the number of FortiToken Mobile instances that can be managed. The
total number is limited by the FortiToken metric.
3
Minimum value overrides Calculating Metric in this case

Fortinet 24 FortiAuthenticator 4.0 Release Notes

Fortinet 25 FortiAuthenticator 4.0 Release Notes