Technical Tip: Disable diagnose command access for specific admin profile
Description
This article describes how to disable diagnose command access for specific admin profiles.
In some network management environments, it is important to prevent certain FortiGate administrators from accessing the FortiGate diagnose commands.
Scope
FortiGate.
Solution
To address this requirement, on FortiOS v6.4, v7.0, and v7.2, the 'Permit usage of CLI diagnostic commands' option has been introduced in the GUI under 'Admin Profiles'.

Map this admin-profile to the required administrators.
The system-diagnostics command in an administrator profile can be used to control access to diagnose commands for global and VDOM-level administrators.
To block an administrator's access to diagnose commands:
Create an admin profile that cannot access diagnose commands:
config system accprofile
edit "nodiagnose"
set system-diagnostics disable
end
Apply the profile to an administrator:
config system admin
edit "nodiag"
set accprofile "nodiagnose"
set vdom "root"
set password ********
end
Log in as that administrator and confirm that the diagnose commands are no longer accessible:

- In FortiOS v7.4.2, the default setting disables using CLI diagnostic commands for most users, allowing only those with the super_admin profile to access them, thus enhancing security and control over command usage.
- For further details, users can refer to the documentation on the CLI system permissions.
- When upgrading to FortiOS v7.4.2 or later, the new CLI permission options are enforced automatically, regardless of the system-diagnostics setting configured in FortiOS v7.4.1 or earlier, so the upgraded environment applies these settings consistently.
config system accprofile
edit "User"
set cli-diagnose disable
set cli-get enable
set cli-show enable
set cli-exec enable
set cli-config enable
next
end
- To enable the CLI diagnostic commands permission:
config system accprofile
edit "User"
set cli-diagnose enable
next
end
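As an added example (not part of this Fortinet article), the following Python script parses a constructed 'show system accprofile' dump and lists the profiles that still permit diagnose commands, honouring either the legacy 'system-diagnostics' keyword (v6.4 to v7.2) or the 'cli-diagnose' keyword (v7.4.2 and later). The sample dump and the legacy default of 'enable' are assumptions; the v7.4.2 default of 'disable' is the one stated above.

```python
import re
# Constructed sample of a FortiOS "show system accprofile" dump (not from a real device).
# "nodiagnose" and "User" mirror the article's profiles; "netops" sets no diagnose option.
SAMPLE_DUMP = """\
config system accprofile
    edit "nodiagnose"
        set system-diagnostics disable
    next
    edit "netops"
        set secfabgrp read-write
    next
    edit "User"
        set cli-diagnose disable
    next
end
"""

# "show" prints only non-default values, so an unset keyword takes the version default.
# v7.4.2 default (cli-diagnose disable) is from the article; the legacy "enable" is assumed.
DEFAULTS = {"system-diagnostics": "enable", "cli-diagnose": "disable"}


def parse_accprofiles(dump):
    """Return {profile_name: {option: value}} for each 'edit' block in the dump."""
    profiles, current = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        m = re.match(r'edit "([^"]+)"', line)
        if m:
            current = m.group(1)
            profiles[current] = {}
        elif line.startswith("set ") and current is not None:
            _, key, value = line.split(None, 2)
            profiles[current][key] = value.strip('"')
        elif line in ("next", "end"):
            current = None
    return profiles


def diagnose_permitted(options, new_style):
    """True if the profile may run diagnose commands; new_style selects the
    v7.4.2+ 'cli-diagnose' keyword, otherwise the legacy 'system-diagnostics'."""
    key = "cli-diagnose" if new_style else "system-diagnostics"
    return options.get(key, DEFAULTS[key]) == "enable"


def audit(dump, new_style):
    """Sorted names of profiles that still permit diagnose commands."""
    return sorted(n for n, o in parse_accprofiles(dump).items() if diagnose_permitted(o, new_style))
```

Run audit() against the output of 'show system accprofile' from each firmware branch: on the legacy keyword, a profile with no explicit setting is reported as permitting diagnose, which is exactly the case the article's 'nodiagnose' profile closes.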
Note: since FortiOS v7.4.4, this option has been changed and offers more granularity; see:
Technical Tip: How to Limit Custom Admin User Permissions for Specific Commands
