Administrator profiles
Administrator profiles define what the administrator can do when logged into the FortiGate. When you set up an administrator account, you also assign an administrator profile which dictates what the administrator sees. Depending on the nature of the administrator’s work, access level or seniority, you can allow them to view and configure as much or as little as is required. Access to CLI diagnose commands can also be disabled for global and VDOM level administrators.
By default, the FortiGate has an admin administrator account that uses the super_admin profile.
super_admin profile
This profile has access to all components of FortiOS, including the ability to add and remove other system administrators. For certain administrative functions, such as backing up and restoring the configuration, super_admin access is required. To ensure that there is always a method to administer the FortiGate, the super_admin profile cannot be deleted or modified.
Lower level administrator profiles cannot back up or restore the FortiOS configuration.
The super_admin profile is used by the default admin account. It is recommended that you add a password and rename this account once you have set up your FortiGate. In order to rename the default account, a second admin account is required.
Creating customized profiles
To create a profile in the GUI:
- Go to System > Admin Profiles and click Create New.
- Configure the following settings:
  - Name
  - Access permissions
  - Usage of CLI diagnose commands
  - Override idle timeout
- Click OK.
To create a profile in the CLI:
    config system accprofile
        edit <name>
            set secfabgrp {none | read | read-write}
            set ftviewgrp {none | read | read-write}
            set authgrp {none | read | read-write}
            set sysgrp {none | read | read-write}
            set netgrp {none | read | read-write}
            set loggrp {none | read | read-write}
            set fwgrp {none | read | read-write}
            set vpngrp {none | read | read-write}
            set utmgrp {none | read | read-write}
            set wanoptgrp {none | read | read-write}
            set wifi {none | read | read-write}
            set admintimeout-override {enable | disable}
            set system-diagnostics {enable | disable}
        next
    end
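As an added example (not Fortinet's code), the following Python reads the config system accprofile section of a saved configuration and lists, per profile, every setting that grants read-write access or enables CLI diagnose commands or the idle timeout override. The sample configuration and the function names parse_accprofiles and audit are constructed for illustration; settings that do not appear in the text are not reported, because this page does not state their defaults.

```python
import re

# Constructed sample input, not taken from a real device.
SAMPLE_CONFIG = '''config system accprofile
    edit "auditor"
        set sysgrp read
        set loggrp read
        set system-diagnostics disable
    next
    edit "netops"
        set netgrp read-write
        set fwgrp read-write
        set admintimeout-override enable
        set system-diagnostics enable
    next
end'''

def parse_accprofiles(text):
    """Return {profile: {setting: value}} from the accprofile section."""
    profiles, current, depth = {}, None, -1   # depth -1: outside the section
    for raw in text.splitlines():
        line = raw.strip()
        if depth < 0:
            depth = 0 if line == "config system accprofile" else -1
        elif line.startswith("config "):
            depth += 1                         # nested config ... end block, skipped
        elif line == "end":
            if depth == 0:
                break                          # end of the accprofile section
            depth -= 1
        elif depth == 0 and (m := re.fullmatch(r'edit "?([^"]+)"?', line)):
            current = profiles.setdefault(m.group(1), {})
        elif depth == 0 and current is not None and (m := re.fullmatch(r"set (\S+) (\S+)", line)):
            current[m.group(1)] = m.group(2)
    return profiles

def audit(profiles):
    """Map each profile to the settings that widen it beyond read-only."""
    findings = {}
    for name, cfg in profiles.items():
        notes = [f"{k} read-write" for k, v in cfg.items() if v == "read-write"]
        notes += [f"{k} enabled" for k in ("system-diagnostics", "admintimeout-override")
                  if cfg.get(k) == "enable"]
        if notes:
            findings[name] = notes
    return findings
```

Calling audit(parse_accprofiles(SAMPLE_CONFIG)) reports only the "netops" profile; the read-only "auditor" profile produces no findings.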
Edit profiles
To edit a profile in the GUI:
- Go to System > Admin Profiles.
- Select the profile to be edited and click Edit.
- Make the required changes.
- Click OK to save any changes.
To edit a profile in the CLI:
    config system accprofile
        edit "sample"
            set secfabgrp read
        next
    end
Delete profiles
To delete a profile in the GUI:
- Go to System > Admin Profiles.
- Select the profile to be deleted and click Delete.
- Click OK.
To delete a profile in the CLI:
    config system accprofile
        delete "sample"
    end