Manage Local Groups

Groups manage sets of user privileges so they do not need to be maintained individually on every user account. For example, a group can be used for IPsec xauth users, or a group that can access the firewall dashboard, a group of firewall administrators, or many other possible scenarios using any combination of privileges.

Groups are managed under System > User Manager on the Groups tab.


The all and admins groups cannot be deleted.

Groups and Remote Authentication

When working with group privileges while authenticating against LDAP and RADIUS (Authentication Servers), local groups must exist with names that exactly match groups from the server. For example, if an LDAP group named firewall_admins exists then the firewall must also contain a identically named group, firewall_admins, with the desired privileges.

If a user attempts to authenticate against a remote authentication server and there are no matching groups, the user will not have any privileges from groups, and cannot access resources which require privileges.

Creating and Editing Groups

As with users, the first step is to add the group and save. Privileges can only be added to existing groups, they cannot be added when creating a new group.

To add a new group:

  • Navigate to System > User Manager, Groups tab

  • Click fa-plus Add

To edit an existing group:

  • Navigate to System > User Manager, Groups tab

  • Click fa-pencil on the row containing the group

Group Settings

Group name:

The name of the group.

For groups in the Local scope, this setting has the same restrictions as a username: It must be 16 characters or less and may only contain letters, numbers, and a period, hyphen, or underscore.

Groups in the Remote scope do not have strict name restrictions, for example they may have longer names.


The scope in which this group is available for use.


LDAP and RADIUS groups can match names in both local and remote scopes.


Groups on the firewall itself, such as those for use in the shell, filesystem, and other local uses. These groups are added to the operating system, so they are subject to naming restrictions imposed there.


Groups from remote sources, such as authentication servers (RADIUS or LDAP). These groups are not exposed to the operating system, and thus are only available for use in the GUI and other similar uses not involving the operating system layer. This scope has relaxed name restrictions, for example, group names may be longer and may contain spaces.


Optional free-form text for reference and to better identify the purpose of the group in case the Group name is not sufficient.

Group Memberships:

This set of controls defines which existing users will be members of the new group. Firewall users are listed in the Not Members column by default.

To add a user to this group:

  • Click the user name in the Not Members column

  • Click fa-angle-double-right to move it to the Members column

To remove a user from this group:

  • Click the user name in the Members column

  • Click fa-angle-double-left to move it to the Not Members column

Assigned Privileges:

A list of privileges assigned to this group. Appears only when editing an existing group.

See also

See Privileges earlier in this for information on managing privileges.