Technical Tip: Changes to the prof_admin admin profile after upgrading from v7.2 to v7.4
| Description | The article explains the changes in the prof_admin admin profile after upgrading from v7.2.11 to v7.4.8. |
| Scope | FortiGate. |
| Solution | The following are the default settings of the prof_admin profile in v7.2.11:
config system accprofile edit "prof_admin" set comments '' next end
The following are the default settings of the prof_admin profile in v7.4.8.
config system accprofile edit "prof_admin" set comments '' next end
The key difference is that in v7.2.11, by default, the prof_admin profile can run diagnose commands because the system-diagnostics is enabled. However, after upgrading to v7.4.8, by default, prof_admin cannot run diagnose commands because the cli-diagnose option is disabled. As a result, after upgrading to v7.4.8, prof_admin admins cannot run the diagnose commands.
If it is required for the users assigned with the prof_admin profile to have the ability to run diagnostics command, the firewall administrator can enable it with the following command:
config system accprofile edit "prof_admin" set cli-diagnose enable next end
This option is configurable only via the CLI.
Related documents: Technical Tip: How to recover admin account with super_admin profile FortiGate-7.4.8: CLI reference-config-system-accprofile Technical Tip: Configuring admin profiles on the FortiGate for enhanced security and access control |