
Administration Guide

Admin profile option for diagnose access

The system-diagnostics option in an administrator profile controls access to diagnose commands for global and VDOM level administrators.

To block an administrator's access to diagnose commands:
  1. Create an admin profile that cannot access diagnose commands:
    config system accprofile
        edit "nodiagnose"
            ...
            set system-diagnostics disable
        next
    end
  2. Apply the profile to an administrator:
    config system admin
        edit "nodiag"
            set accprofile "nodiagnose"
            set vdom "root"
            set password ********
        next
    end
  3. Log in as that administrator and confirm that they cannot access diagnose commands:
    $ ?
    config     Configure object.
    get        Get dynamic and system information.
    show       Show configuration.
    execute    Execute static commands.
    alias      Execute alias commands.
    exit       Exit the CLI.
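
An added example, not part of the Fortinet guide: a Python audit that reads a saved configuration and lists the administrators whose profile does not contain `set system-diagnostics disable`. It assumes that a profile without the option, or a profile not defined in the file (such as a built-in one), leaves diagnose access allowed; the sample configuration and the names `helpdesk`, `ops1` and `root2` are constructed.

```python
import re

# Constructed sample in the layout of the CLI snippets above (not a real backup).
SAMPLE_CONFIG = '''
config system accprofile
    edit "nodiagnose"
        set system-diagnostics disable
    next
    edit "helpdesk"
    next
end
config system admin
    edit "nodiag"
        set accprofile "nodiagnose"
    next
    edit "ops1"
        set accprofile "helpdesk"
    next
    edit "root2"
        set accprofile "super_admin"
    next
end
'''

def parse_table(text, table):
    """Return {entry: {option: value}} for one top-level 'config <table>' block."""
    entries, depth, in_table, current = {}, 0, False, None
    for raw in text.splitlines():
        # Split on whitespace but keep "quoted strings" together (escaped quotes not handled).
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', raw)] or [""]
        if tok[0] == "config":
            in_table = in_table or (depth == 0 and " ".join(tok[1:]) == table)
            depth += 1
        elif tok[0] == "end":
            depth -= 1
            in_table = in_table and depth > 0
        elif in_table and depth == 1:  # skip options of nested config blocks
            if tok[0] == "edit" and len(tok) > 1:
                current = entries.setdefault(tok[1], {})
            elif tok[0] == "set" and current is not None and len(tok) > 2:
                current[tok[1]] = " ".join(tok[2:])
    return entries

def admins_with_diagnose(text):
    # Assumption: a missing option or an undefined profile means access is allowed.
    profiles = parse_table(text, "system accprofile")
    return sorted(name for name, opts in parse_table(text, "system admin").items()
                  if profiles.get(opts.get("accprofile"), {})
                             .get("system-diagnostics", "enable") != "disable")
```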
    
