Administrator profiles
Administrator profiles define what the administrator can do when logged into the FortiGate. When you set up an administrator account, you also assign an administrator profile which dictates what the administrator sees. Depending on the nature of the administrator’s work, access level or seniority, you can allow them to view and configure as much or as little as is required. Access to CLI diagnose commands can also be disabled for global and VDOM level administrators.
By default, the FortiGate has an admin administrator account that uses the super_admin profile.
super_admin profile
This profile has access to all components of FortiOS, including the ability to add and remove other system administrators. For certain administrative functions, such as backing up and restoring the configuration, super_admin access is required. To ensure that there is always a method to administer the FortiGate, the super_admin profile cannot be deleted or modified.
|
Lower level administrator profiles cannot backup or restore the FortiOS configuration. |
The super_admin profile is used by the default admin account. It is recommended that you add a password and rename this account once you have set up your FortiGate. In order to rename the default account, a second admin account is required.
Creating customized profiles
To create a profile in the GUI:
- Go to System > Admin Profiles and click Create New.
- Configure the following settings:
- Name
- Access permissions
- Usage of CLI diagnose commands
- Override idle timeout
- Click OK.
To create a profile in the CLI:
config system accprofile
edit <name>
set secfabgrp {none | read | read-write}
set ftviewgrp {none | read | read-write}
set authgrp {none | read | read-write}
set sysgrp {none | read | read-write | custom}
set netgrp {none | read | read-write | custom}
set loggrp {none | read | read-write | custom}
set fwgrp {none | read | read-write | custom}
set vpngrp {none | read | read-write}
set utmgrp {none | read | read-write | custom}
set wanoptgrp {none | read | read-write}
set wifi {none | read | read-write}
set admintimeout-override {enable | disable}
set system-diagnostics {enable | disable}
next
end
Displaying execute commands for custom system permissions
A custom access profile can have customized system permissions. In this example, a profile is created for maintenance read access, and the profile is applied to a new system administrator account. Once the administrator logs in, they can view the available execute commands by entering execute ? in the CLI.
To create the profile:
- Configure the access profile:
config system accprofile edit "mnt test" set sysgrp custom config sysgrp-permission set mnt read end next end - Configure the system administrator account:
config system admin edit "mnt" set accprofile "mnt test" set vdom "root" set password ******** next end
To display the list of the execute commands:
$ execute ?
backup backup
fctems fctems
ping PING command.
ping-options ping-options
ping6 PINGv6 command. [Take 0-100 arg(s)]
ping6-options ping6-options
ssh-options SSH options.
ssh6-options IPv6 SSH options.
telnet-options telnet-options
traceroute Traceroute {IP|hostname}.
traceroute-options traceroute-options
tracert6 Traceroute for IPv6. [Take 0-32 arg(s)]
usb-device usb-device
usb-disk usb-disk
vm-license-options VM license options.
|
|
The output will vary based on the FortiGate model. A FortiGate VM is used in this example. For more information about using the CLI, see CLI basics. |
Editing profiles
To edit a profile in the GUI:
- Go to System > Admin Profiles.
- Select the profile to be edited and click Edit.
- Make the required changes.
- Click OK to save any changes.
To edit a profile in the CLI:
config system accprofile
edit "sample"
set secfabgrp read
next
end
Deleting profiles
To delete a profile in the GUI:
- Go to System > Admin Profiles.
- Select the profile to be deleted and click Delete.
- Click OK.
To delete a profile in the CLI:
config system accprofile
delete "sample"
end