Release Notes

FortiAuthenticator 6.6.2
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO LIBRARY

https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT

https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM

https://www.fortinet.com/training-certification

FORTINET TRAINING INSTITUTE

https://training.fortinet.com

FORTIGUARD LABS
https://www.fortiguard.com

END USER LICENSE AGREEMENT

https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: [email protected]

August 6, 2024
FortiAuthenticator 6.6.2 Release Notes
23-662-1055024-20240806
 TABLE OF CONTENTS

Change log 4
FortiAuthenticator 6.6.2 release 5
Special notices 6
TFTP boot firmware upgrade process 6
Monitor settings for GUI access 6
Before any firmware upgrade 6
After any firmware upgrade 6
FortiAuthenticator does not support PEAP-MAB 6
SHA-1 cryptographic operations are no longer supported 6
Reconfigure LinkedIn social login 7
What's new 8
Upgrade instructions 9
Hardware and VM support 9
Image checksums 9
Upgrading from 4.x/5.x/6.x 10
Product integration and support 13
Web browser support 13
FortiOS support 13
Fortinet agent support 13
Virtualization software support 14
Third-party RADIUS authentication 14
FortiAuthenticator-VM 15
Resolved issues 16
Common Vulnerabilities and Exposures 17
Known issues 18
Maximum values for hardware appliances 19
Maximum values for VM 23

FortiAuthenticator 6.6.2 Release Notes 3

Fortinet Inc.
Change log

Date Change Description

2024-08-06 Initial release.

FortiAuthenticator 6.6.2 Release Notes 4

Fortinet Inc.
FortiAuthenticator 6.6.2 release

FortiAuthenticator 6.6.2 release

This document provides a summary of new features, enhancements, support information, installation instructions,
caveats, and resolved and known issues for FortiAuthenticator 6.6.2, build 1669.
FortiAuthenticator is a user and identity management solution that provides strong authentication, wireless 802.1X
authentication, certificate management, RADIUS AAA (authentication, authorization, and accounting), and Fortinet
Single Sign-On (FSSO).
For additional documentation, please visit: https://docs.fortinet.com/product/fortiauthenticator/

FortiAuthenticator 6.6.2 Release Notes 5

Fortinet Inc.
Special notices

Special notices

TFTP boot firmware upgrade process

Upgrading FortiAuthenticator firmware by interrupting the FortiAuthenticator boot process and installing a firmware
image from a TFTP server erases the current FortiAuthenticator configuration and replaces it with factory default
settings.

Monitor settings for GUI access

Fortinet recommends setting your monitor to a screen resolution of 1600x1200. This allows for all the objects in the GUI
to be viewed properly without the need for scrolling.

Before any firmware upgrade

Save a copy of your FortiAuthenticator configuration before upgrading the firmware. From the administrator dropdown
menu in the toolbar, go to Restore/Backup, and click Download Backup File to backup the configuration.

After any firmware upgrade

Clear your browser cache before logging in to the FortiAuthenticator GUI to ensure the pages display properly.

FortiAuthenticator does not support PEAP-MAB

FortiAuthenticator only supports MAB in clear-text and not the encapsulated MAB.

SHA-1 cryptographic operations are no longer supported

FortiAuthenticator does not support SHA-1 as the SHA-1 cryptographic algorithm is no longer considered secure.
Update SHA-1 certificate signing to use SHA-2 or above for enhanced security. If this is not possible, downgrade to
FortiAuthenticator version 6.5.3 for SHA-1 support.

FortiAuthenticator 6.6.2 Release Notes 6

Fortinet Inc.
Special notices

Reconfigure LinkedIn social login

LinkedIn has changed their OAuth app API.

If you are using LinkedIn social login, you will need to reconfigure your application on LinkedIn and update your remote
OAuth server for LinkedIn with the new Key and Secret after upgrading to the FortiAuthenticator 6.6.1 GA firmware.

FortiAuthenticator 6.6.2 Release Notes 7

Fortinet Inc.
What's new

What's new

FortiAuthenticator version 6.6.2 is a patch release. There are no new features. See Resolved issues on page 16 and
Known issues on page 18 for more information.

FortiAuthenticator 6.6.2 Release Notes 8

Fortinet Inc.
Upgrade instructions

Back up your configuration before beginning this procedure. While no data loss should occur if
the procedures below are correctly followed, it is recommended a full backup is made before
proceeding and the user will be prompted to do so as part of the upgrade process.
For information on how to back up the FortiAuthenticator configuration, see the
FortiAuthenticator Administration Guide.

FortiAuthenticator 6.6.2 requires at least 4GB of RAM.

l Hardware and VM support on page 9

l Image checksums on page 9
l Upgrading from 4.x/5.x/6.x on page 10

Hardware and VM support

FortiAuthenticator 6.6.2 supports:

l FortiAuthenticator 200E
l FortiAuthenticator 300F
l FortiAuthenticator 400E
l FortiAuthenticator 800F
l FortiAuthenticator 1000D
l FortiAuthenticator 2000E
l FortiAuthenticator 3000E
l FortiAuthenticator 3000F
l FortiAuthenticator VM (VMWare, Hyper-V, KVM, Xen, Azure, AWS, Oracle OCI, and Alibaba Cloud)

Image checksums

To verify the integrity of the firmware file, use a checksum tool to compute the firmware file’s MD5 checksum. Compare it
with the checksum indicated by Fortinet. If the checksums match, the file is intact.
MD5 checksums for software releases are available on FortiCloud.

FortiAuthenticator 6.6.2 Release Notes 9

Fortinet Inc.
Upgrade instructions

FortiCloud image checksum tool

After logging in to FortiCloud, in the menus at the top of the page, click Support, then click Firmware Image
Checksum.
In the Image File Name field, enter the firmware image file name including its extension, then click Get Checksum
Code to get the checksum code.

Upgrading from 4.x/5.x/6.x

FortiAuthenticator 6.6.2 build 1669 officially supports upgrades from previous versions by following these supported
FortiAuthenticator upgrade paths:
l If currently running FortiAuthenticator 6.0.5 or older, first upgrade to 6.0.7, then upgrade to 6.6.2, else the following
message will be displayed: Image validation failed: The firmware image model number is
different from the appliance's.
l If currently running FortiAuthenticator 6.0.7, then upgrade to 6.6.2 directly.
l If currently running FortiAuthenticator between 6.1.0 and 6.2.0, first upgrade to 6.3.3, then upgrade to 6.6.2.
l If currently running FortiAuthenticator 6.2.1 or later, then upgrade to 6.6.2 directly.

When upgrading existing KVM and Xen virtual machines to FortiAuthenticator 6.6.2 from
FortiAuthenticator 6.0.7, you must first increase the size of the virtual hard disk drive
containing the operating system image (not applicable for AWS & OCI Cloud Marketplace
upgrades). See Upgrading KVM / Xen virtual machines on page 11.

Upgrade to and from FortiAuthenticator 6.0.6 is not recommended.

FortiAuthenticator 6.6.2 Release Notes 10

Fortinet Inc.
Upgrade instructions

Ensure the hypervisor provides at least 4GB of memory to the FortiAuthenticator-VM.

Firmware upgrade process

First, back up your configuration, then follow the procedure below to upgrade the firmware.
Before you can install FortiAuthenticator firmware, you must download the firmware image from the FortiCloud, then
upload it from your computer to the FortiAuthenticator unit.
1. Log in to the FortiCloud. In the Support > Download section of the page, select the Firmware Download link to
download the firmware.
2. To verify the integrity of the download, go back to the Download section of the login page and click the Firmware
Image Checksum link.
3. Log in to the FortiAuthenticator unit’s web-based manager using the admin administrator account.
4. Upload the firmware and begin the upgrade.
When upgrading from FortiAuthenticator 6.0.4 and earlier:
a. Go to System > Dashboard > Status.
b. In the System Information widget, in the Firmware Version row, select Upgrade. The Firmware Upgrade or
Downgrade dialog box opens.
c. In the Firmware section, select Choose File, and locate the upgrade package that you downloaded.
When upgrading from FortiAuthenticator 6.1.0 or later.
a. Click on the administrator name in the upper-right corner of the GUI to display the dropdown menu, and click
Upgrade.
b. In the Firmware Upgrade or Downgrade section, select Upload a file, and locate the upgrade package that
you downloaded.
5. Select OK to upload the file to the FortiAuthenticator.
Your browser uploads the firmware file. The time required varies by the size of the file and the speed of your network
connection. When the file transfer is complete, the following message is shown:
Fortinet recommends to save a copy of the current configuration before proceeding
with firmware upgrade.
It is recommended that a system backup is taken at this point. Once complete, click Start Upgrade.
Wait until the unpacking, upgrade, and reboot process completes (usually 3-5 minutes), then refresh the page.

Due to a known issue in 6.0.x and earlier releases, the port5 and port6 fiber ports are inverted
in the GUI for FAC-3000E models (i.e. port5 in the GUI corresponds to the physical port6 and
vice-versa).
This is resolved in 6.1.0 and later, however, the upgrade process does not swap these
configurations automatically. If these ports are used in your configuration during the upgrade
from 6.0.x to 6.1.0 and later, you will need to physically swap the port5 and port6 fibers to
avoid inverting your connections following the upgrade.

Upgrading KVM / Xen virtual machines

When upgrading existing KVM and Xen virtual machines from FortiAuthenticator 6.0.7 to 6.6.2, it is necessary to
manually increase the size of the virtual hard disk drive which contains the operating system image before starting the

FortiAuthenticator 6.6.2 Release Notes 11

Fortinet Inc.
Upgrade instructions

upgrade. This requires file system write-access to the virtual machine disk drives, and must be performed while the
virtual machines are in an offline state, fully powered down.

If your virtual machine has snapshots, the resize commands detailed below will exit with an
error. You must delete the snapshots in order to perform this resize operation. Please make a
separate copy of the virtual disk drives before deleting snapshots to ensure you have the
ability to rollback.

Use the following command to run the resize on KVM:

qemu-img resize /path/to/fackvm.qcow2 1G

Use the following command to run the resize on Xen:

qemu-img resize /path/to/facxen.qcow2 1G

After this command has been completed, you may proceed with the upgrade from 6.0.7 to 6.6.2

Recovering improperly upgraded KVM / Xen virtual machines

If the upgrade was performed without completing the resize operation above, the virtual machine will fail to properly boot,
instead displaying many initd error messages. If no snapshots are available, manual recovery is necessary.
To recover your virtual machine, you will need to replace the operating system disk with a good copy, which also requires
write-access to the virtual hard disks in the file system while the virtual machines are in an offline state, fully powered
down.

To recover an improperly upgraded KVM virtual machine:

1. Download the 6.0.7 GA ZIP archive for KVM, FAC_VM_KVM-v6-build0059-FORTINET.out.kvm.zip.

2. Extract the archive, then replace your virtual machine's fackvm.qcow2 with the one from the archive.
3. Execute the following command:
qemu-img resize /path/to/fackvm.qcow2 1G

To recover an improperly upgraded Xen virtual machine:

1. Download the 6.0.7 GA ZIP archive for Xen, FAC_VM_XEN-v6-build0059-FORTINET.out.xen.zip.

2. Extract the archive, then replace your virtual machine's facxen.qcow2 with the one from the archive.
3. Execute the following command:
qemu-img resize /path/to/facxen.qcow2 1G

FortiAuthenticator 6.6.2 Release Notes 12

Fortinet Inc.
Product integration and support

FortiAuthenticator supports the following:

l Web browser support on page 13
l FortiOS support on page 13
l Fortinet agent support on page 13
l Virtualization software support on page 14
l Third-party RADIUS authentication on page 14

Web browser support

The following web browsers are supported by FortiAuthenticator 6.6.2:

l Microsoft Edge version 127
l Mozilla Firefox version 128
l Google Chrome version 127
Other web browsers may function correctly, but are not supported by Fortinet.

FortiOS support

FortiAuthenticator 6.6.2 supports the following FortiOS versions:

l FortiOS v7.4.x
l FortiOS v7.2.x
l FortiOS v7.0.x
l FortiOS v6.4.x
l FortiOS v6.2.x
l FortiOS v6.0.x

Fortinet agent support

FortiAuthenticator 6.6.2 supports the following Fortinet Agents:

l FortiClient v.6.x , v.7.x for Microsoft Windows and macOS (Single Sign-On Mobility Agent)
l For FortiAuthenticator Agents for Microsoft Windows and Outlook Web Access compatibility with FortiAuthenticator,
see the Agents Compatibility Matrix on the Fortinet Docs Library.

FortiAuthenticator 6.6.2 Release Notes 13

Fortinet Inc.
Product integration and support

Note that the FortiAuthenticator Agents for Microsoft Windows and OWA download files are now available in the
FortiTrustID_Agents folder in Support > Firmware Download on FortiCloud.
l FSSO DC Agent v.5.x
l FSSO TS Agent v.5.x
Other Agent versions may function correctly, but are not supported by Fortinet.
For details of which operating systems are supported by each agent, please see the install guides provided with the
software.
Note: FortiAuthenticator Agent for Microsoft Windows 4.0 and above required to support emergency offline access.
Also, FortiAuthenticator Agent for Microsoft Windows below 4.0 compatible for all other features.

Virtualization software support

FortiAuthenticator 6.6.2 supports:

l VMware ESXi / ESX 6/7/8
l Microsoft Hyper-V 2010, Hyper-V 2016, and Hyper-V 2019
l Linux Kernel-based Virtual Machine (KVM) on Virtual Machine Manager and QEMU 2.5.0
l Xen Virtual Machine (for Xen HVM)
l Nutanix
l Amazon AWS
l Microsoft Azure
l Oracle OCI
l Alibaba Cloud
l Saudi Cloud Computing Company (SCCC) and alibabacloud.sa domain (a standalone cloud backed by AliCloud)

Support for HA in Active-Passive and Active-Active modes has not been confirmed on the
FortiAuthenticator for Xen VM at the time of the release.

See FortiAuthenticator-VM on page 15 for more information.

Third-party RADIUS authentication

FortiAuthenticator uses standards based RADIUS for authentication and can deliver two-factor authentication via
multiple methods for the greatest compatibility:
l RADIUS Challenge Response - Requires support by third party vendor.
l Token Passcode Appended - Supports any RADIUS compatible system.
FortiAuthenticator should therefore be compatible with any RADIUS capable authentication client / network access
server (NAS).

FortiAuthenticator 6.6.2 Release Notes 14

Fortinet Inc.
FortiAuthenticator-VM

FortiAuthenticator-VM

For information about FortiAuthenticator-VM deployments and system requirements, see the VM installation guide on
the Fortinet Docs Library.

FortiAuthenticator 6.6.2 Release Notes 15

Fortinet Inc.
Resolved issues

Resolved issues

The resolved issues listed below may not list every bug that has been corrected with this release. For inquiries about a
particular bug, please contact Technical Support within the FortiCare portal.

Bug ID Description

1052867 Upgrade to jinja2-3.1.4 + gunicorn 22.0.0.

1052881 Upgrade to apache 2.4.61.

1052954 Update to newer kernel.

1054867 Upgrade to krb5-1.21.3.

1057001 Upgrade to OpenVPN 2.6.12.

1060660 Upgrade to libxml2-2.12.9.

FortiAuthenticator 6.6.2 Release Notes 16

Fortinet Inc.
Resolved issues

Common Vulnerabilities and Exposures

Bug ID CVE references

1051910 FortiAuthenticator 6.6.2 is no longer vulnerable to the following CVE-Reference

(s):
l CVE-2024-6387

1054794 FortiAuthenticator6.6.2 is no longer vulnerable to the following CVE-Reference

(s):
l CVE-2024-3596

FortiAuthenticator 6.6.2 Release Notes 17

Fortinet Inc.
Known issues

Known issues

This section lists the known issues of this release, but is not a complete list. For inquiries about a particular bug, please
contact Technical Support within the FortiCare portal.

Bug ID Description

1024455 EAP-TLS computer authentication failure - Reason: Error in error - certificate verify failed.

1026080 RDP FSSO overwrites original FSSO session information.

1026189 EAP with NTLMv2 to Windows AD fails in 6.6.1 but works well in FortiAuthenticator 6.5.4.

1027363 SAML sync rule removes manually-provisioned Hardware FortiToken.

1030796 Fortinet Single Sign-On Filtering Objects do not save after POST in REST API.

1032068 FortiAuthenticator is very slow to auto-delete logs. The gateway Timeout/ HTTP 504 error still occurs.

1033428 Trusted Endpoint SSO does not prompt for FIDO when 'Enforce MFA' option is selected.

1035728 Failed OCSP rsp verification.

1036821 After importing new users via import CSV file on FortiAuthenticator v6.6.1, the existing users on the
User group are removed.

1037883 Updated SMTP password does not take effect (old password still in use).

1037946 FortiAuthenticator does not send a random 64 character value but the placeholder itself.

1039024 FortiToken Mobile push notifications fails for units without a firmware certificate signed by FTNT CA2.

1041406 Token verification error when trying to send push to a token device without push registration ID.

1048329 FortiAuthenticator not logging SSH (CLI) access in the regular logs.

1050958 FortiAuthenticator does not allow creating new group objects to LDAP Service Directory Tree.

1053775 SmartConnect not launching for Android devices.

1060487 Unable to expand large list of LDAP users when using Google LDAP.

1061416 REST API command to create a user fails with 'Invalid time format. Time should be formatted using ISO-
8601.'

1062342 When importing CRL larger than 500 000 bytes, the FortiAuthenticator GUI shows error "CRL file
'test.crl' size is too large."

FortiAuthenticator 6.6.2 Release Notes 18

Fortinet Inc.
Maximum values for hardware appliances

Maximum values for hardware appliances

The following table lists the maximum number of configuration objects per FortiAuthenticator appliance that can be
added to the configuration database for different FortiAuthenticator hardware models.

Similar to the FortiAuthenticator-VM, the FortiAuthenticator hardware appliances permit

stacking licenses.

The maximum values in this document are the maximum configurable values and are not a
commitment of performance.

Feature Model

200 300F 400E 800F 1000 2000 3000E 3000F

E D E

System

Network Static 50 50 50 50 50 50 50 50
Routes

Messages SMTP 20 20 20 20 20 20 20 20
Servers

SMS 20 20 20 20 20 20 20 20
Gateways

SNMP 20 20 20 20 20 20 20 20
Hosts

Administrat Syslog 20 20 20 20 20 20 20 20
ion Servers

User 40 90 115 415 515 1015 2015 2015

Uploaded
Images

Language 50 50 50 50 50 50 50 50
Files

Realms 20 60 80 320 400 800 1600 1600

Authentication

General Auth 166 500 666 2666 3333 6666 13333 13333
Clients
(NAS)

FortiAuthenticator 6.6.2 Release Notes 19

Fortinet Inc.
Maximum values for hardware appliances

Feature Model

200 300F 400E 800F 1000 2000 3000E 3000F

E D E

Users 500 1500/350 2000 8000/180 10000 20000 40000/1400 40000/1400

(Local + 0* 00* 00* 00*
Remote)1

User 1500 4500 6000 24000 30000 60000 120000 120000

RADIUS
Attributes

User 50 150 200 800 1000 2000 4000 4000

Groups

Group 150 450 150 2400 600 6000 12000 12000

RADIUS
Attributes

FortiToke 1000 3000 4000 16000 20000 40000 80000 80000

ns

FortiToke 200 200 200 200 200 200 200 200

n Mobile
Licenses2

LDAP 1000 3000 4000 16000 20000 40000 80000 80000

Entries

Device 2500 7500 1000 40000 50000 10000 200000 200000

(MAC- 0 0
based
Auth.)

RADIUS 500 1500 2000 8000 10000 20000 40000 40000

Client
Profiles

Remote 50 150 200 800 1000 2000 4000 4000

LDAP
Users
Sync Rule

Remote 1500 4500 6000 24000 30000 60000 120000 120000

LDAP
User
Radius
Attributes

FortiAuthenticator 6.6.2 Release Notes 20

Fortinet Inc.
Maximum values for hardware appliances

Feature Model

200 300F 400E 800F 1000 2000 3000E 3000F

E D E

Remote Remote 20 60 80 320 400 800 1600 1600

authenticat LDAP
ion servers Servers

Remote 20 60 80 320 400 800 1600 1600

RADIUS
Servers

Remote 20 60 80 320 400 800 1600 1600

SAML
Servers

Remote 20 60 80 320 400 800 1600 1600

OAuth
Servers

Remote 20 60 80 320 400 800 1600 1600

TACACS
+ Servers

FSSO & Dynamic Policies

FSSO FSSO 500 1500 2000 8000 10000 20000 2000003 200000
Users

FSSO 250 750 1000 4000 5000 10000 20000 20000

Groups

Domain 10 15 20 80 100 200 400 400

Controller
s

RADIUS 166 500 666 2666 3333 6666 13333 13333

Accountin
g SSO
Clients

FortiGate 250 750 1000 4000 5000 10000 20000 20000

Group
Filtering

FSSO 5 15 20 80 100 200 400 400

Tier
Nodes

IP 250 750 1000 4000 5000 10000 20000 20000

Filtering
Rules

FortiAuthenticator 6.6.2 Release Notes 21

Fortinet Inc.
Maximum values for hardware appliances

Feature Model

200 300F 400E 800F 1000 2000 3000E 3000F

E D E

Accounting Sources 500 1500 2000 8000 10000 20000 40000 40000
Proxy
Destinati 25 75 100 400 500 1000 2000 2000
ons

Rulesets 25 75 100 400 500 1000 2000 2000

Certificates

User User 2500 7500 1000 40000 50000 10000 200000 200000
Certificates Certificat 0 0
es

Server 50 150 200 800 1000 2000 4000 40000

Certificat
es

Certificate CA 10 10 10 50 50 50 50 50
Authorities Certificat
es

Trusted 200 200 200 200 200 200 200 200

CA
Certificat
es

Certificate 200 200 200 200 200 200 200 200

Revocati
on Lists

SCEP Enrollme 2500 7500 1000 40000 50000 10000 200000 200000
nt 0 0
Requests

Services

FortiGate 50 150 200 800 1000 2000 4000 4000

Services

TACACS 50 150 200 800 1000 2000 4000 4000

+
Services

1 Users includes both local and remote users.

2 FortiToken Mobile Licenses refers to the licenses that can be applied to a FortiAuthenticator, not the number of
FortiToken Mobile instances that can be managed. The total number is limited by the FortiToken metric.
3 For the 3000E model, the total number of concurrent SSO users is set to a higher level to cater for large deployments.

* Upper limit

FortiAuthenticator 6.6.2 Release Notes 22

Fortinet Inc.
Maximum values for VM

Maximum values for VM

The following table lists the maximum number of configuration objects that can be added to the configuration database
for different FortiAuthenticator virtual machine (VM) configurations.

The maximum values in this document are the maximum configurable values and are not a
commitment of performance.

The FortiAuthenticator-VM is licensed based on the total number of users and licensed on a stacking basis. All
installations must start with a FortiAuthenticator-VM Base license and users can be stacked with upgrade licenses in
blocks of 100, 1,000, 10,000 and 100,000 users. Due to the dynamic nature of this licensing model, most other metrics
are set relative to the number of licensed users. The Calculating metric column below shows how the feature size is
calculated relative to the number of licensed users for example, on a 100 user FortiAuthenticator]-VM Base License, the
number of auth clients (RADIUS and TACACS+) that can authenticate to the system is:
100 / 3 = 33
Where this relative system is not used e.g. for static routes, the Calculating metric is denoted by a "-". The supported
figures are shown for both the base VM and a 5000 user licensed VM system by way of example.

Feature Model

Unlicensed Calculating Licensed VM Example

VM metric (100 users) 5000
licensed user
VM

System

Network Static Routes 2 50 50 50

Messaging SMTP Servers 2 20 20 20

SMS Gateways 2 20 20 20

SNMP Hosts 2 20 20 20

Administration Syslog Servers 2 20 20 20

User Uploaded 19 Users / 20 19 (minimum) 250

Images

Language Files 5 50 50 50

Authentication

General Auth Clients 3 Users / 3 33 1666

(RADIUS and
TACACS+)

FortiAuthenticator 6.6.2 Release Notes 23

Fortinet Inc.
Maximum values for VM

Feature Model

Unlicensed Calculating Licensed VM Example

VM metric (100 users) 5000
licensed user
VM

Authentication Policy 6 Users 100 5000

(RADIUS and
TACACS+)

Remote Remote LDAP 4 Users / 25 4 200

authentication Servers
servers
Remote RADIUS 1 Users / 25 4 200
Servers

Remote SAML 1 Users / 25 4 200

Servers

Remote OAuth 1 Users / 25 4 200

Servers

Remote TACACS+ 1 Users / 25 4 200

Servers

User Management Users 5 *********** 100 5000

(Local + Remote)1

User RADIUS 15 Users x 3 300 15000

Attributes

User Groups 3 Users / 10 10 500

Group RADIUS 9 User groups x 30 1500

Attributes 3

FortiTokens 10 Users x 2 200 10000

FortiToken Mobile 3 200 200 200

Licenses (Stacked) 2

LDAP Entries 20 Users x 2 200 10000

Device (MAC-based 5 Users x 5 500 25000

Auth.)

Remote LDAP Users 1 Users / 10 10 500

Sync Rule

Remote LDAP User 15 Users x 3 300 15000

Radius Attributes

Realms 2 Users / 25 4 200

FSSO & Dynamic Policies

FortiAuthenticator 6.6.2 Release Notes 24

Fortinet Inc.
Maximum values for VM

Feature Model

Unlicensed Calculating Licensed VM Example

VM metric (100 users) 5000
licensed user
VM

FSSO FSSO Users 5 Users 100 5000

FSSO Groups 3 Users / 2 50 2500

Domain Controllers 3 Users / 100 10 50

(min=10)

RADIUS Accounting 10 Users 100 5000

SSO Clients

FortiGate Group 30 Users / 2 50 2500

Filtering

FSSO Tier Nodes 3 Users /100 5 50

(min=5)

IP Filtering Rules 30 Users / 2 50 2500

FSSO Filtering 30 Users x 2 200 10000

Object

Accounting Proxy Sources 3 Users 100 5000

Destinations 3 Users / 20 5 250

Rulesets 3 Users / 20 5 250

Certificates

User Certificates User Certificates 5 Users x 5 500 25000

Server Certificates 2 Users / 10 10 500

Certificate CA Certificates 3 Users / 20 5 250

Authorities Trusted CA 5 200 200 200
Certificates

Certificate 5 200 200 200

Revocation Lists

SCEP Enrollment Requests 5 Users x 5 500 25000

Services

FortiGate Services 2 Users / 10 10 500

TACACS+ Services 5 Users / 10 10 500

1 Users includes both local and remote users.

FortiAuthenticator 6.6.2 Release Notes 25

Fortinet Inc.
Maximum values for VM

2 FortiToken Mobile Licenses refers to the licenses that can be applied to a FortiAuthenticator, not the number of
FortiToken Mobile instances that can be managed. The total number is limited by the FortiToken metric.

FortiAuthenticator 6.6.2 Release Notes 26

Fortinet Inc.
 www.fortinet.com

Copyright© 2024 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were
attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance
results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract,
signed by Fortinet’s Chief Legal Officer, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only
the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change,
modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.