Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • New Features

    Home FortiManager 7.4.0 New Features
    7.4.0
    7.6.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0
    6.2.7
    6.2.3
    6.2.2
    6.2.1
    6.2.0

    Granular admin permission grants IPS Admin access to only IPS objects and prevents changes for regular Firewall Admin on IPS Profiles 7.4.2

    Granular admin permission grants IPS Admin access to only IPS objects and prevents changes for regular Firewall Admin on IPS Profiles 7.4.2

    Note

    This information is also available in the FortiManager 7.4 Administration Guide:

    Granular admin permission grants IPS Admin access to only IPS objects and prevents changes for regular Firewall Admin on IPS Profiles.

    To configure Firewall and IPS administrators with role separation:

    1. Create Firewall administrators:

      1. Go to System Settings > Admin Profiles. Create a new Firewall admin profile with Read Only permissions for IPS Objects and Edit Policy IPS Attributes.

      2. Go to System Settings > Administrators. Create a Firewall administrator using the previously created admin profile.

      3. Firewall administrators can create and update Policies, but cannot set or change IPS sensors and SSH/SSL inspection profiles in Policies.

      4. Firewall administrators can set and change Profile Groups and apply them to a Policy, but cannot set or change the IPS sensors and SSH/SSL inspection profiles in a Profile Group.

      5. Firewall administrators are granted read-only permission for IPS objects.

    2. Create an IPS administrator:

      1. Go to System Settings > Admin Profiles. Create a Restricted Admin profile with permission for Intrusion Prevention.

      2. Go to System Settings > Administrators. Create a restricted IPS administrator.

      3. IPS administrators can set and change IPS sensors and SSH/SSL inspection profiles in Policies after the Firewall administrator has created the Policy.

      4. IPS administrators can set and change IPS sensor and SSH/SSL inspection profiles in Profile Groups after the Firewall administrator has created the Profile Group.

      5. IPS administrators can create and update IPS sensors and SSH/SSL inspection profiles and their settings within Policies.

      6. IPS administrators can pick individual IPS sensors or SSH/SSL inspection profiles to install to devices.

    To configure a firewall administrator in the CLI:

    config system admin profile

    edit "FirewallAdmin"

    set system-setting read-write

    ...

    ...

    set ips-objects read <------ this is for IPS and SSH/SSL Inspection objects

    ...

    set policy-ips-attrs read <------ this is for IPS and SSH/SSL Inspection attributes setting in policy

    next

    To configure an IPS administrator in the CLI:

    config sys admin profile

    edit IPSadmin

    show

    config system admin profile

    edit "IPSadmin"

    set type restricted

    set web-filter enable

    set ips-filter enable

    set app-filter enable

    set device-fortiextender none

    set update-incidents none

    set triage-events none

    set run-report none

    set fgt-gui-proxy disable

    set ips-lock none

    set policy-ips-attrs none

    next

    end

    Previous
    Next

    Granular admin permission grants IPS Admin access to only IPS objects and prevents changes for regular Firewall Admin on IPS Profiles 7.4.2

    Granular admin permission grants IPS Admin access to only IPS objects and prevents changes for regular Firewall Admin on IPS Profiles 7.4.2

    Note

    This information is also available in the FortiManager 7.4 Administration Guide:

    Granular admin permission grants IPS Admin access to only IPS objects and prevents changes for regular Firewall Admin on IPS Profiles.

    To configure Firewall and IPS administrators with role separation:

    1. Create Firewall administrators:

      1. Go to System Settings > Admin Profiles. Create a new Firewall admin profile with Read Only permissions for IPS Objects and Edit Policy IPS Attributes.

      2. Go to System Settings > Administrators. Create a Firewall administrator using the previously created admin profile.

      3. Firewall administrators can create and update Policies, but cannot set or change IPS sensors and SSH/SSL inspection profiles in Policies.

      4. Firewall administrators can set and change Profile Groups and apply them to a Policy, but cannot set or change the IPS sensors and SSH/SSL inspection profiles in a Profile Group.

      5. Firewall administrators are granted read-only permission for IPS objects.

    2. Create an IPS administrator:

      1. Go to System Settings > Admin Profiles. Create a Restricted Admin profile with permission for Intrusion Prevention.

      2. Go to System Settings > Administrators. Create a restricted IPS administrator.

      3. IPS administrators can set and change IPS sensors and SSH/SSL inspection profiles in Policies after the Firewall administrator has created the Policy.

      4. IPS administrators can set and change IPS sensor and SSH/SSL inspection profiles in Profile Groups after the Firewall administrator has created the Profile Group.

      5. IPS administrators can create and update IPS sensors and SSH/SSL inspection profiles and their settings within Policies.

      6. IPS administrators can pick individual IPS sensors or SSH/SSL inspection profiles to install to devices.

    To configure a firewall administrator in the CLI:

    config system admin profile

    edit "FirewallAdmin"

    set system-setting read-write

    ...

    ...

    set ips-objects read <------ this is for IPS and SSH/SSL Inspection objects

    ...

    set policy-ips-attrs read <------ this is for IPS and SSH/SSL Inspection attributes setting in policy

    next

    To configure an IPS administrator in the CLI:

    config sys admin profile

    edit IPSadmin

    show

    config system admin profile

    edit "IPSadmin"

    set type restricted

    set web-filter enable

    set ips-filter enable

    set app-filter enable

    set device-fortiextender none

    set update-incidents none

    set triage-events none

    set run-report none

    set fgt-gui-proxy disable

    set ips-lock none

    set policy-ips-attrs none

    next

    end

    Previous
    Next