
Administration Guide

Administrator profiles

Administrator profiles define what the administrator can do when logged into the FortiGate. When you set up an administrator account, you also assign an administrator profile which dictates what the administrator sees. Depending on the nature of the administrator’s work, access level or seniority, you can allow them to view and configure as much or as little as is required. Access to CLI diagnose commands can also be disabled for global and VDOM level administrators.

By default, the FortiGate has an admin administrator account that uses the super_admin profile.

super_admin profile

This profile has access to all components of FortiOS, including the ability to add and remove other system administrators. For certain administrative functions, such as backing up and restoring the configuration, super_admin access is required. To ensure that there is always a method to administer the FortiGate, the super_admin profile cannot be deleted or modified.

Note

Lower level administrator profiles cannot back up or restore the FortiOS configuration.

The super_admin profile is used by the default admin account. It is recommended that you add a password and rename this account once you have set up your FortiGate. In order to rename the default account, a second admin account is required.

Creating customized profiles

To create a profile in the GUI:
  1. Go to System > Admin Profiles and click Create New.
  2. Configure the following settings:
    • Name
    • Access permissions
    • Usage of CLI diagnose commands
    • Override idle timeout
  3. Click OK.
To create a profile in the CLI:
config system accprofile
    edit <name>
        set secfabgrp {none | read | read-write}
        set ftviewgrp {none | read | read-write}
        set authgrp {none | read | read-write}
        set sysgrp {none | read | read-write | custom}
        set netgrp {none | read | read-write | custom}
        set loggrp {none | read | read-write | custom}
        set fwgrp {none | read | read-write | custom}
        set vpngrp {none | read | read-write}
        set utmgrp {none | read | read-write | custom}
        set wanoptgrp {none | read | read-write}
        set wifi {none | read | read-write}
        set admintimeout-override {enable | disable}
        set cli-diagnose {enable | disable}
        set cli-get {enable | disable}
        set cli-show {enable | disable}
        set cli-exec {enable | disable}
        set cli-config {enable | disable}
    next
end
Note

The CLI profile configuration includes additional options to allow usage of the get, show, execute, and config CLI commands.

Many diagnostic commands have privileged access. As a result, using them could unintentionally grant unexpected access or cause serious problems, so understanding the risks involved is crucial.

Controlling CLI system permissions

Administrator profiles can control administrator access to CLI commands based on role, access level, or seniority.

To configure CLI command access in administrative profiles:
config system accprofile
    edit <name>
        set cli-diagnose {enable | disable}
        set cli-get {enable | disable}
        set cli-show {enable | disable}
        set cli-exec {enable | disable}
        set cli-config {enable | disable}
    next
end

This command allows the administrator to configure the administrator profiles by enabling specific CLI commands as needed. The default setting for all the CLI command options is disable.
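The following Python script is an added example, not Fortinet's code or part of this guide. It reads a FortiOS configuration backup as text and checks it against the points made in this section and in the super_admin section above: it parses the config system accprofile and config system admin tables, flags profiles that have any of the cli-* options enabled (they default to disable, so an absent key counts as disabled), flags non-super_admin profiles that hold read-write on every access group, and reports when the default admin account is still using super_admin. The configuration text, profile names and account names are constructed for the example; the parser only records set lines directly under a top-level edit and skips nested blocks such as config sysgrp-permission.

```python
# Constructed sample of a FortiOS configuration backup; all names are made up.
SAMPLE_CONFIG = """\
config system accprofile
    edit "super_admin"
        set secfabgrp read-write
        set ftviewgrp read-write
        set authgrp read-write
        set sysgrp read-write
        set netgrp read-write
        set loggrp read-write
        set fwgrp read-write
        set vpngrp read-write
        set utmgrp read-write
        set wanoptgrp read-write
        set wifi read-write
    next
    edit "noc_readonly"
        set sysgrp read
        set netgrp read
        set loggrp read
        set cli-diagnose enable
    next
    edit "mnt test"
        set sysgrp custom
        config sysgrp-permission
            set mnt read
        end
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "noc1"
        set accprofile "noc_readonly"
    next
end
"""

# CLI command options from the accprofile syntax; each one defaults to disable.
CLI_FLAGS = ("cli-diagnose", "cli-get", "cli-show", "cli-exec", "cli-config")
# Access groups from the accprofile syntax; read-write on all of them matches super_admin.
ACCESS_GROUPS = ("secfabgrp", "ftviewgrp", "authgrp", "sysgrp", "netgrp", "loggrp",
                 "fwgrp", "vpngrp", "utmgrp", "wanoptgrp", "wifi")


def parse_tables(text):
    """Return {table: {entry: {key: value}}} for the top-level config tables."""
    tables = {}
    stack = []               # names of the config blocks currently open
    table = entry = None
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts:
            continue
        cmd, arg = parts[0], (parts[1] if len(parts) > 1 else "")
        if cmd == "config":
            stack.append(arg)
            if len(stack) == 1:
                table = tables.setdefault(arg, {})
        elif cmd == "end":
            stack.pop()
            if not stack:
                table = entry = None
        elif len(stack) != 1:
            continue             # inside a nested block (e.g. sysgrp-permission): skip
        elif cmd == "edit":
            entry = table.setdefault(arg.strip('"'), {})
        elif cmd == "next":
            entry = None
        elif cmd == "set" and entry is not None:
            key, _, value = arg.partition(" ")
            entry[key] = value.strip('"')
    return tables


def audit(text):
    """Return a list of findings about admin profiles and the accounts using them."""
    tables = parse_tables(text)
    profiles = tables.get("system accprofile", {})
    admins = tables.get("system admin", {})
    findings = []
    for name, s in profiles.items():
        enabled = [f for f in CLI_FLAGS if s.get(f) == "enable"]
        if enabled:
            findings.append(f"profile '{name}': CLI access enabled for {', '.join(enabled)}")
        if name != "super_admin" and all(s.get(g) == "read-write" for g in ACCESS_GROUPS):
            findings.append(f"profile '{name}': read-write on every access group")
    if admins.get("admin", {}).get("accprofile") == "super_admin":
        findings.append("default 'admin' account still present and using super_admin")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print(line)
```

Run against a real backup by reading the file into audit(); the two findings it raises on the sample (cli-diagnose enabled on noc_readonly, and the default admin account still on super_admin) are the conditions this section and the super_admin section tell you to review.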

Displaying execute commands for custom system permissions

A custom access profile can have customized system permissions. In this example, a profile is created for maintenance read access, and the profile is applied to a new system administrator account. Once the administrator logs in, they can view the available execute commands by entering execute ? in the CLI.

To create the profile:
  1. Configure the access profile:
    config system accprofile
        edit "mnt test"
            set sysgrp custom
            config sysgrp-permission
                set mnt read
            end
        next
    end
  2. Configure the system administrator account:
    config system admin
        edit "mnt"
            set accprofile "mnt test"
            set vdom "root"
            set password ********
        next
    end
To display the list of the execute commands:
$ execute ?
backup                backup
fctems                fctems
ping                  PING command.
ping-options          ping-options
ping6                 PINGv6 command. [Take 0-100 arg(s)]
ping6-options         ping6-options
ssh-options           SSH options.
ssh6-options          IPv6 SSH options.
telnet-options        telnet-options
traceroute            Traceroute {IP|hostname}.
traceroute-options    traceroute-options
tracert6              Traceroute for IPv6. [Take 0-32 arg(s)]
usb-device            usb-device
usb-disk              usb-disk
vm-license-options    VM license options.
Note

The output will vary based on the FortiGate model. A FortiGate VM is used in this example. For more information about using the CLI, see CLI basics.

Editing profiles

To edit a profile in the GUI:
  1. Go to System > Admin Profiles.
  2. Select the profile to be edited and click Edit.
  3. Make the required changes.
  4. Click OK to save any changes.
To edit a profile in the CLI:
config system accprofile
    edit "sample"
        set secfabgrp read
    next
end

Deleting profiles

To delete a profile in the GUI:
  1. Go to System > Admin Profiles.
  2. Select the profile to be deleted and click Delete.
  3. Click OK.
To delete a profile in the CLI:
config system accprofile
    delete "sample"
end
