Technical Note: How to delete admin user on FortiAnalyzer before 'Idle Timeout' expires
Description
This article explains how to delete an admin user on the FortiAnalyzer even if the 'idle timeout' has not yet expired.
This process can be used when:
1. The configured admin user has logged out, and
2. The user is not in the list of the "diag system admin-session list".
Even after a user has logged out, they will still appear in the "diag system admin-session list" until the "Idle Timeout" expires (by default 15 minutes) or the session is manually deleted from the "admin-session list". An attempt to delete the user from the GUI will show the error message "Failed to deleted admin user [username]".
Scope
All FortiAnalyzer firmware versions.
Solution
1. Verify session list
diag system admin-session list
Even though the user "Test" has logged out, they still appear in the list (entry 3) and the "Idle Timeout" will keep increasing.
FAZVM64 # diag system admin-session list
*** entry 0 ***
session_id: 27999 (seq: 1)
username: admin
admin template: admin
from: ssh(192.168.1.110) (type 0)
profile: Super_User (type 3)
adom: root
session length: 655 (seconds)
*** entry 1 ***
session_id: 21454 (seq: 0)
username: admin
admin template: admin
from: console (type 0)
profile: Super_User (type 3)
adom: root
session length: 679 (seconds)
*** entry 2 ***
session_id: 44540 (seq: 2)
username: admin
admin template: admin
from: GUI(192.168.1.110) (type 1)
profile: Super_User (type 3)
adom: root
session length: 219 (seconds)
idle: 211 (seconds)
*** entry 3 ***
session_id: 3027 (seq: 0)
username: Test
admin template: Test
from: GUI(192.168.1.110) (type 1)
profile: Restricted_User (type 1)
adom: root
session length: 211 (seconds)
idle: 188 (seconds)
2. If the Administrator cannot wait for "Idle Timeout" to expire, the following steps can be used to delete the user.
2.1. Collect the "session-id" from the output of "diag system admin-session list". In this example, for user "Test" it is "session_id: 3027".
2.2. Apply the following command to remove the user from the list.
diag system admin-session kill [session-id]
In this example:
diag system admin-session kill 3027
2.3. Confirm the change by executing the command "diag system admin-session list" again.
FAZVM64 # diag system admin-session list
No entries are now seen for user "Test".
*** entry 0 ***
session_id: 27999 (seq: 0)
username: admin
admin template: admin
from: ssh(192.168.1.110) (type 0)
profile: Super_User (type 3)
adom: root
session length: 1049 (seconds)
*** entry 1 ***
session_id: 20467 (seq: 2)
username: admin
admin template: admin
from: GUI(192.168.1.110) (type 1)
profile: Super_User (type 3)
adom: root
session length: 561 (seconds)
idle: 165 (seconds)
*** entry 2 ***
session_id: 44540 (seq: 1)
username: admin
admin template: admin
from: GUI(192.168.1.110) (type 1)
profile: Super_User (type 3)
adom: root
session length: 613 (seconds)
idle: 605 (seconds)
2.4. If there is more than one entry in the list for the user, steps 2.1 and 2.2 must be executed for each "session-id".
3. When no sessions remain in the list for the user, the user can be deleted by using the GUI (System Settings > Admin > Administrator > Username > Delete).
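To make step 2.4 less error-prone when a user still has several sessions, the following added example (not part of the original article or of FortiAnalyzer) parses the "diag system admin-session list" output format shown above and produces one kill command per remaining session for a given username. The sample output is a constructed, trimmed copy of the listing in this article.

```python
import re

# Constructed sample: a copy of the 'diag system admin-session list' output
# format shown in this article, trimmed to two of the entries.
SAMPLE_OUTPUT = """\
*** entry 0 ***
session_id: 27999 (seq: 1)
username: admin
admin template: admin
from: ssh(192.168.1.110) (type 0)
profile: Super_User (type 3)
adom: root
session length: 655 (seconds)
*** entry 3 ***
session_id: 3027 (seq: 0)
username: Test
admin template: Test
from: GUI(192.168.1.110) (type 1)
profile: Restricted_User (type 1)
adom: root
session length: 211 (seconds)
idle: 188 (seconds)
"""

ENTRY_RE = re.compile(r"^\*\*\* entry (\d+) \*\*\*$")

def parse_sessions(text: str) -> list[dict[str, str]]:
    """Split the list output into one dict per '*** entry N ***' block."""
    sessions: list[dict[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if ENTRY_RE.match(line):
            sessions.append({})
        elif sessions and ": " in line:
            key, value = line.split(": ", 1)
            sessions[-1][key] = value
    return sessions

def session_ids_for(text: str, username: str) -> list[str]:
    """Numeric session_id of every entry still listed for `username`."""
    return [s["session_id"].split()[0]          # '3027 (seq: 0)' -> '3027'
            for s in parse_sessions(text) if s.get("username") == username]

def kill_commands(text: str, username: str) -> list[str]:
    """One kill command per remaining session, as step 2.4 requires."""
    return [f"diag system admin-session kill {sid}"
            for sid in session_ids_for(text, username)]

if __name__ == "__main__":
    print("\n".join(kill_commands(SAMPLE_OUTPUT, "Test")))
```

Paste the real listing in place of the sample, then run the printed commands on the FortiAnalyzer CLI and re-check the list as in step 2.3 before deleting the user in the GUI.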