Administrator profiles
Administrator profiles define what the administrator can do when logged into the FortiGate. When you set up an administrator account, you also assign an administrator profile which dictates what the administrator sees. Depending on the nature of the administrator’s work, access level or seniority, you can allow them to view and configure as much or as little as is required. Access to CLI diagnose commands can also be disabled for global and VDOM level administrators.
By default, the FortiGate has an admin administrator account that uses the super_admin profile.
super_admin profile
This profile has access to all components of FortiOS, including the ability to add and remove other system administrators. For certain administrative functions, such as backing up and restoring the configuration, super_admin access is required. To ensure that there is always a method to administer the FortiGate, the super_admin profile cannot be deleted or modified.
Lower level administrator profiles cannot backup or restore the FortiOS configuration. |
The super_admin profile is used by the default admin account. It is recommended that you add a password and rename this account once you have set up your FortiGate. In order to rename the default account, a second admin account is required.
Creating customized profiles
To create a profile in the GUI:
- Go to System > Admin Profiles and click Create New.
- Configure the following settings:
- Name
- Access permissions
- Usage of CLI diagnose commands
- Override idle timeout
- Click OK.
To create a profile in the CLI:
config system accprofile edit <name> set secfabgrp {none | read | read-write} set ftviewgrp {none | read | read-write} set authgrp {none | read | read-write} set sysgrp {none | read | read-write | custom} set netgrp {none | read | read-write | custom} set loggrp {none | read | read-write | custom} set fwgrp {none | read | read-write | custom} set vpngrp {none | read | read-write} set utmgrp {none | read | read-write | custom} set wanoptgrp {none | read | read-write} set wifi {none | read | read-write} set admintimeout-override {enable | disable} set cli-diagnose {enable | disable} set cli-get {enable | disable} set cli-show {enable | disable} set cli-exec {enable | disable} set cli-config {enable | disable} next end
The CLI profile configuration includes additional options to allow usage of the Many diagnostic commands have privileged access. As a result, using them could unintentionally grant unexpected access or cause serious problems, so understanding the risks involved is crucial. |
Controlling CLI system permissions
Administrator profiles can control administrator access to CLI commands based on role, access level, or seniority.
To configure CLI command access in administrative profiles:
config system accprofile edit <name> set cli-diagnose {enable | disable} set cli-get {enable | disable} set cli-show {enable | disable} set cli-exec {enable | disable} set cli-config {enable | disable} next end
This command allows the administrator to configure the administrator profiles by enabling specific CLI commands as needed. The default setting for all the CLI command options is disable
.
Displaying execute commands for custom system permissions
A custom access profile can have customized system permissions. In this example, a profile is created for maintenance read access, and the profile is applied to a new system administrator account. Once the administrator logs in, they can view the available execute commands by entering execute ?
in the CLI.
To create the profile:
- Configure the access profile:
config system accprofile edit "mnt test" set sysgrp custom config sysgrp-permission set mnt read end next end
- Configure the system administrator account:
config system admin edit "mnt" set accprofile "mnt test" set vdom "root" set password ******** next end
To display the list of the execute commands:
$ execute ? backup backup fctems fctems ping PING command. ping-options ping-options ping6 PINGv6 command. [Take 0-100 arg(s)] ping6-options ping6-options ssh-options SSH options. ssh6-options IPv6 SSH options. telnet-options telnet-options traceroute Traceroute {IP|hostname}. traceroute-options traceroute-options tracert6 Traceroute for IPv6. [Take 0-32 arg(s)] usb-device usb-device usb-disk usb-disk vm-license-options VM license options.
The output will vary based on the FortiGate model. A FortiGate VM is used in this example. For more information about using the CLI, see CLI basics. |
Editing profiles
To edit a profile in the GUI:
- Go to System > Admin Profiles.
- Select the profile to be edited and click Edit.
- Make the required changes.
- Click OK to save any changes.
To edit a profile in the CLI:
config system accprofile edit "sample" set secfabgrp read next end
Deleting profiles
To delete a profile in the GUI:
- Go to System > Admin Profiles.
- Select the profile to be deleted and click Delete.
- Click OK.
To delete a profile in the CLI:
config system accprofile delete "sample" end