Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiManager 7.4.5 Administration Guide
    7.4.5
    7.6.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.6
    6.2.5
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.0.12
    6.0.11
    6.0.10
    6.0.9
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0
    5.6.11
    5.6.10
    5.6.9
    5.6.8
    5.6.7
    5.6.6
    5.6.5
    5.6.4
    5.6.3
    5.6.2
    5.6.1
    5.6.0
    5.4.7
    5.4.6
    5.4.5
    5.4.4
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.2.10
    5.2.7
    5.2.6
    5.2.4
    5.2.3
    5.2.2
    5.2.1
    5.2.0
    5.0.12
    5.0.11
    5.0.10
    5.0.9
    5.0.8
    5.0.7
    5.0.6
    5.0.5
    5.0.4
    5.0.3
    5.0.2
    4.3.8
    4.3.7
    4.3.6
    4.3.5
    4.3.4
    4.3.3
    4.3.2
    4.3.1
    4.3.0
    4.2.9
    4.2.8
    4.2.7
    4.2.6
    4.2.5
    4.2.4
    4.2.3
    4.2.2
    4.2.1
    4.2.0
    4.1.0
    4.0.3
    4.0.2
    4.0.1
    4.0.0

    IPS administration permissions

    IPS administration permissions

    FortiManager includes IPS specific administrator profile permissions that can be used to determine an administrator's ability to view and manage IPS objects and IPS attributes within policies.

    The following IPS permissions can be applied to an administrator profile. See Administrator profiles.

    Permission

    Description

    IPS Objects

    ips-object

    Determines an administrator's ability to view and manage IPS objects.

    Policy IPS Attributes

    policy-ips-attrs

    Determines the administrator's ability to manage IPS attributes (IPS and SSL/SSH Inspection) in Policies.

    For more information on configuring administrator profile permissions, see Permissions.

    Firewall and IPS administrators with role separation
    To configure firewall and IPS administrators with role separation:
    1. Create a new admin profile with Read Only permissions for IPS Objects and Edit Policy IPS Attributes, and assign the admin profile to a firewall administrator.
      The firewall administrators will have the following permissions for IPS objects and attributes:
      • The firewall admin can create and update Policies, but cannot set or change IPS sensors and SSH/SSL inspection profiles in Policies.
      • The firewall admin can set and change Profile Groups and apply them to a Policy, but cannot set or change the IPS sensors and SSH/SSL inspection profiles in a Profile Group.
      • The firewall admin has Read-only permission for IPS objects.
    2. Create a new restricted IPS administrator using the default IPSadmin admin profile.
      The IPS administrator will have the following permissions for IPS objects and attributes:
      • The IPS admin can set and change IPS sensors and SSH/SSL inspection profiles in Policies after the Firewall administrator has created the Policy.
      • The IPS admin can set and change IPS sensor and SSH/SSL inspection profiles in Profile Groups after the Firewall administrator has created the Profile Group.
      • The IPS admin can create and update IPS sensors and SSH/SSL inspection profiles and their settings within Policies.
      • The IPS admin can select individual IPS sensors or SSH/SSL inspection profiles to install to devices.
    To configure a firewall admin profile in the CLI:

    config system admin profile

    edit "FirewallAdmin"

    set system-setting read-write

    ...

    ...

    set ips-objects read<------ this is for IPS and SSH/SSL Inspection objects

    ...

    set policy-ips-attrs read <------ this is for IPS and SSH/SSL Inspection attributes setting in policy

    next

    To view the default IPS admin profile in the CLI:

    config sys admin profile

    edit IPSadmin

    show

    config system admin profile

    edit "IPSadmin"

    set type restricted

    set web-filter enable

    set ips-filter enable

    set app-filter enable

    set device-fortiextender none

    set update-incidents none

    set triage-events none

    set run-report none

    set fgt-gui-proxy disable

    set ips-lock none

    set policy-ips-attrs none

    next

    end

    Previous
    Next

    IPS administration permissions

    IPS administration permissions

    FortiManager includes IPS specific administrator profile permissions that can be used to determine an administrator's ability to view and manage IPS objects and IPS attributes within policies.

    The following IPS permissions can be applied to an administrator profile. See Administrator profiles.

    Permission

    Description

    IPS Objects

    ips-object

    Determines an administrator's ability to view and manage IPS objects.

    Policy IPS Attributes

    policy-ips-attrs

    Determines the administrator's ability to manage IPS attributes (IPS and SSL/SSH Inspection) in Policies.

    For more information on configuring administrator profile permissions, see Permissions.

    Firewall and IPS administrators with role separation
    To configure firewall and IPS administrators with role separation:
    1. Create a new admin profile with Read Only permissions for IPS Objects and Edit Policy IPS Attributes, and assign the admin profile to a firewall administrator.
      The firewall administrators will have the following permissions for IPS objects and attributes:
      • The firewall admin can create and update Policies, but cannot set or change IPS sensors and SSH/SSL inspection profiles in Policies.
      • The firewall admin can set and change Profile Groups and apply them to a Policy, but cannot set or change the IPS sensors and SSH/SSL inspection profiles in a Profile Group.
      • The firewall admin has Read-only permission for IPS objects.
    2. Create a new restricted IPS administrator using the default IPSadmin admin profile.
      The IPS administrator will have the following permissions for IPS objects and attributes:
      • The IPS admin can set and change IPS sensors and SSH/SSL inspection profiles in Policies after the Firewall administrator has created the Policy.
      • The IPS admin can set and change IPS sensor and SSH/SSL inspection profiles in Profile Groups after the Firewall administrator has created the Profile Group.
      • The IPS admin can create and update IPS sensors and SSH/SSL inspection profiles and their settings within Policies.
      • The IPS admin can select individual IPS sensors or SSH/SSL inspection profiles to install to devices.
    To configure a firewall admin profile in the CLI:

    config system admin profile

    edit "FirewallAdmin"

    set system-setting read-write

    ...

    ...

    set ips-objects read<------ this is for IPS and SSH/SSL Inspection objects

    ...

    set policy-ips-attrs read <------ this is for IPS and SSH/SSL Inspection attributes setting in policy

    next

    To view the default IPS admin profile in the CLI:

    config sys admin profile

    edit IPSadmin

    show

    config system admin profile

    edit "IPSadmin"

    set type restricted

    set web-filter enable

    set ips-filter enable

    set app-filter enable

    set device-fortiextender none

    set update-incidents none

    set triage-events none

    set run-report none

    set fgt-gui-proxy disable

    set ips-lock none

    set policy-ips-attrs none

    next

    end

    Previous
    Next