Technical Tip: Prof admin VDOM administrator unable to log in in read-write mode on a FortiGate device managed by FortiManager
Description
This article describes the behavior of Prof admin administrators when the FortiGate is managed from FortiManager.
Scope
FortiGate.
Solution
When a FortiGate is managed from FortiManager, the Prof admin VDOM administrators do not get read-write mode when accessing the GUI, even if read-write permissions are granted.
Only the read-only option is available.
Only Global scope administrators have read-write permissions when accessing the GUI.
This behavior is by design, to prevent accidental out-of-sync issues. The restriction applies only to GUI access. In the CLI, the Prof admin administrators have read-write access depending on how permissions are configured in the profile.
A way to override this behavior is to change the central-management mode to backup:
config system central-management
set mode backup
end
After this change, the Prof admin administrators will have read-write access in the GUI depending on how the permissions are configured.
Note:
In backup mode, all changes should be made directly on the FortiGate, and FortiManager will be used to back up the configurations.
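An added example (not part of the original article and not Fortinet code): a Python check over a FortiGate configuration backup that reports the central-management mode and lists the prof_admin accounts that would be limited to read-only GUI access under the behavior described above. The sample configuration, its account names and address are constructed, and treating an unset mode as normal is an assumption.

```python
import re
# Constructed sample backup (hypothetical names and address, not from the article).
SAMPLE_CONFIG = """
config system central-management
    set fmg "192.0.2.10"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "tenant-a-admin"
        set accprofile "prof_admin"
        set vdom "tenant-a"
    next
end
"""

def block_lines(config, path):  # top-level lines of the first 'config <path>' block
    out, inside, depth = [], False, 0
    for line in (l.strip() for l in config.splitlines()):
        if not inside:
            inside = line == f"config {path}"
        elif line.startswith("config "):
            depth += 1          # nested table: skip its contents
        elif line == "end":
            if depth == 0:
                break           # end of the block we were asked for
            depth -= 1
        elif depth == 0:
            out.append(line)
    return out

def central_mode(config):
    for line in block_lines(config, "system central-management"):
        if m := re.fullmatch(r"set mode (\S+)", line):
            return m.group(1)
    return "normal"  # assumption: an unset mode means the default, normal

def gui_read_only_admins(config):
    """prof_admin accounts limited to read-only GUI access (none in backup mode)."""
    if central_mode(config) == "backup":
        return []
    hits, name = [], None
    for line in block_lines(config, "system admin"):
        if m := re.fullmatch(r'edit "?([^"]+)"?', line):
            name = m.group(1)
        elif re.fullmatch(r'set accprofile "?prof_admin"?', line):
            hits.append(name)
    return hits
```

The check does not look at the firmware version, so on releases that include the behavior change noted below its result no longer applies.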
Change in Behavior for Prof_Admin VDOM Administrators in FortiGate managed by FortiManager.
In v7.2.11, v7.4.8, and v7.6.1, a behavior change has been implemented. Users logging into a VDOM as Prof_Admin will now have the same access as they would if the FortiGate were not running in VDOM mode.
