Troubleshooting Tip: How to fix CLI output error when executing debugging commands from a user which is not part of the super_admin profile

In specific conditions, enabling 'cli-diagnose' from the CLI will return an error with a -672 discard code.

Conditions that will trigger this situation:

1. A new admin profile with all CLI options enabled (cli-get, cli-show, cli-exec, cli-config).

config system accprofile
    edit "test_admin_profile"

        set secfabgrp read-write

        set ftviewgrp read-write

        set authgrp read-write

        set sysgrp read-write

        set netgrp read-write
        set loggrp read-write
        set fwgrp read-write
        set vpngrp read-write
        set utmgrp read-write
        set wanoptgrp read-write
        set wifi read-write
        set cli-get enable
        set cli-show enable
        set cli-exec enable
        set cli-config enable

    next

end

2. The user part of this new admin profile:

config system admin

    edit "test"

        set accprofile "test_admin_profile"

        set vdom "root"

        set password ENC SH22jwJ46fFCMCCLIcRHJhm17XuQz4L4SxADKdMiUW

    next

end

3. Executing CLI commands from the 'test' user.
   
   

FGT (test_admin_profile) $ set cli-diagnose enable

FGT (test_admin_profile) $ next
object set operator error, -672 discard the setting
Command fail. Return code 1

FGT (accprofile) $

To fix this issue, log in with an admin account that is a member of the super_admin profile.

Note:

If it is not possible to access the FortiGate with the super_admin profile then the admin account with the super_admin profile needs to be recovered following the link: Technical Tip: How to recover admin account with super_admin profile.

This is because an account profile from the same user that is part of that profile cannot be changed.

Another user with higher privileges is required to make this change.

Related Documents:
Technical Tip: Unable to run debug command

Administrator profiles