Administration Guide

IPS administration permissions

FortiManager includes IPS specific administrator profile permissions that can be used to determine an administrator's ability to view and manage IPS objects and IPS attributes within policies.

The following IPS permissions can be applied to an administrator profile. See Administrator profiles.

    Permission              CLI name            Description
    IPS Objects             ips-object          Determines an administrator's ability to view and manage IPS objects.
    Policy IPS Attributes   policy-ips-attrs    Determines the administrator's ability to manage IPS attributes (IPS and SSL/SSH Inspection) in Policies.

For more information on configuring administrator profile permissions, see Permissions.

Firewall and IPS administrators with role separation

To configure firewall and IPS administrators with role separation:
  1. Create a new admin profile with Read Only permissions for IPS Objects and Edit Policy IPS Attributes, and assign the admin profile to a firewall administrator.
    The firewall administrators will have the following permissions for IPS objects and attributes:
    • The firewall admin can create and update Policies, but cannot set or change IPS sensors and SSH/SSL inspection profiles in Policies.
    • The firewall admin can set and change Profile Groups and apply them to a Policy, but cannot set or change the IPS sensors and SSH/SSL inspection profiles in a Profile Group.
    • The firewall admin has Read-only permission for IPS objects.
  2. Create a new restricted IPS administrator using the default IPSadmin admin profile.
    The IPS administrator will have the following permissions for IPS objects and attributes:
    • The IPS admin can set and change IPS sensors and SSH/SSL inspection profiles in Policies after the Firewall administrator has created the Policy.
    • The IPS admin can set and change IPS sensor and SSH/SSL inspection profiles in Profile Groups after the Firewall administrator has created the Profile Group.
    • The IPS admin can create and update IPS sensors and SSH/SSL inspection profiles and their settings within Policies.
    • The IPS admin can select individual IPS sensors or SSH/SSL inspection profiles to install to devices.

To configure a firewall admin profile in the CLI:

    config system admin profile
        edit "FirewallAdmin"
            set system-setting read-write
            ...
            ...
            set ips-objects read          <------ this is for IPS and SSH/SSL Inspection objects
            ...
            set policy-ips-attrs read     <------ this is for IPS and SSH/SSL Inspection attributes setting in policy
        next

To view the default IPS admin profile in the CLI:

    config sys admin profile
        edit IPSadmin
            show

    config system admin profile
        edit "IPSadmin"
            set type restricted
            set web-filter enable
            set ips-filter enable
            set app-filter enable
            set device-fortiextender none
            set update-incidents none
            set triage-events none
            set run-report none
            set fgt-gui-proxy disable
            set ips-lock none
            set policy-ips-attrs none
        next
    end
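To check that exported admin profiles actually keep the firewall and IPS roles separate, here is an added Python example (not Fortinet's code): it parses `show system admin profile` output and flags a firewall profile that has read-write on either IPS permission. The SAMPLE_SHOW text is constructed from the two CLI fragments above; the FirewallAdmin block omits the settings the guide elides.

```python
"""Parse FortiManager 'show system admin profile' output and check role separation.

Added example, not Fortinet's code. SAMPLE_SHOW is constructed from the guide's
CLI fragments; the FirewallAdmin block omits the settings the guide elides.
"""
import shlex

SAMPLE_SHOW = """\
config system admin profile
    edit "FirewallAdmin"
        set system-setting read-write
        set ips-objects read
        set policy-ips-attrs read
    next
    edit "IPSadmin"
        set type restricted
        set web-filter enable
        set ips-filter enable
        set app-filter enable
        set ips-lock none
        set policy-ips-attrs none
    next
end
"""


def parse_profiles(text):
    """Return {profile_name: {setting: value}} from 'config ... end' output."""
    profiles, current, name = {}, None, None
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # handles quoted names such as "IPSadmin"
        if not tokens:
            continue
        if tokens[0] == "edit" and len(tokens) == 2:
            name, current = tokens[1], {}
        elif tokens[0] == "set" and current is not None and len(tokens) >= 3:
            current[tokens[1]] = " ".join(tokens[2:])
        elif tokens[0] == "next" and current is not None:
            profiles[name] = current
            current = None
    return profiles


def firewall_admin_violations(profile):
    """IPS settings that would let a firewall admin change IPS objects or attributes."""
    return [k for k in ("ips-objects", "policy-ips-attrs")
            if profile.get(k, "none") == "read-write"]


def is_restricted_ips_admin(profile):
    """True when the profile has the shape of the default IPSadmin profile."""
    return profile.get("type") == "restricted" and profile.get("ips-filter") == "enable"
```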
