mbilgrav
Visitor III
February 25, 2022
Question

How to restrict use of local admin when a remote server is running ... on FM & FAZ

  • February 25, 2022
  • 2 replies
  • 2233 views

Hiya,
This will be my first post in this forum!

Reading https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restrict-local-admin-authentication-when-remote/ta-p/191581

and I am already running this on my FortiGates, I need to do the same RBAC on FM & FAZ.

However, I'm unable to find the similar command in FM/FAZ.

How can this be done?

2 replies

Debbie_FTNT
Staff & Editor
February 25, 2022

There is currently no equivalent setting on FortiManager/FortiAnalyzer to prefer remote users over local users.

You can apply stringent trusted-host settings to the local admin accounts to limit where they can log in from, but a local admin will always be able to log in, even when LDAP/RADIUS/TACACS+ servers are reachable.

mbilgrav
Author
Visitor III
February 25, 2022

Thanks for the reply!
I have removed the 0-0 trusted hosts, plus set a "Zero-Permission" admin profile on the admin user.
This effectively "disables" the user.
Also I found a tech tip in here to completely delete the admin user, if so required, but this involved doing a backup, editing the system.conf, and restoring ... somewhat cumbersome.

On the FortiGates, I simply issue: delete admin
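Since FortiManager/FortiAnalyzer offer no setting that prefers remote admins over local ones, the controls left are the ones this thread lands on: tight trusted hosts and a no-permission profile on every local account. An audit that checks a CLI backup for exactly those two conditions, added here as an example and not code from the thread or from Fortinet. It assumes the backup uses the FortiManager/FortiAnalyzer `config system admin user` layout with `set trusthostN <ip> <mask>`, `set profileid "..."` and `set user_type ...` lines; the sample configuration and account names are constructed. A missing trusted host is treated as the unrestricted factory default, which is a deliberately conservative assumption.

```python
"""Audit local admin accounts in a FortiManager/FortiAnalyzer CLI backup.

Flags local accounts that can log in from any source address (a
0.0.0.0 0.0.0.0 trusted host) and local accounts that still hold the
Super_User profile, because such an account stays usable even when
LDAP/RADIUS/TACACS+ authentication is configured.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of a FortiManager/FortiAnalyzer
# 'config system admin user' block (assumed format, not a real export).
SAMPLE_CONFIG = """\
config system admin user
    edit "admin"
        set password ENC ***
        set trusthost1 0.0.0.0 0.0.0.0
        set profileid "Super_User"
    next
    edit "breakglass"
        set trusthost1 10.20.30.0 255.255.255.0
        set trusthost2 192.168.100.10 255.255.255.255
        set profileid "Super_User"
    next
    edit "ldap-ops"
        set user_type ldap
        set ldap-server "corp-ldap"
        set trusthost1 0.0.0.0 0.0.0.0
        set profileid "Standard_User"
    next
    edit "old-admin"
        set trusthost1 10.20.30.0 255.255.255.0
        set profileid "Zero-Permission"
    next
end
"""

ANY_HOST = ("0.0.0.0", "0.0.0.0")


@dataclass
class AdminUser:
    name: str
    user_type: str = "local"          # assumed default when no user_type line is present
    profileid: str = ""
    trusthosts: list = field(default_factory=list)


def parse_admin_users(config_text):
    """Return the AdminUser entries found in the 'config system admin user' block."""
    users, current, in_block = [], None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system admin user":
            in_block = True
            continue
        if not in_block:
            continue
        if line == "end":
            break
        m = re.match(r'edit "([^"]+)"', line)
        if m:
            current = AdminUser(name=m.group(1))
            continue
        if line == "next":
            if current is not None:
                users.append(current)
            current = None
            continue
        if current is None:
            continue
        m = re.match(r"set trusthost\d+ (\S+) (\S+)", line)
        if m:
            current.trusthosts.append((m.group(1), m.group(2)))
            continue
        m = re.match(r'set profileid "([^"]+)"', line)
        if m:
            current.profileid = m.group(1)
            continue
        m = re.match(r"set user_type (\S+)", line)
        if m:
            current.user_type = m.group(1)
    return users


def audit(users):
    """Map each local account name to its list of findings (empty list = clean)."""
    findings = {}
    for u in users:
        if u.user_type != "local":
            continue  # remote-auth accounts are governed by the remote server
        issues = []
        # No trusted host at all means the unrestricted factory default (assumed).
        if not u.trusthosts or ANY_HOST in u.trusthosts:
            issues.append("any-source trusted host")
        if u.profileid == "Super_User":
            issues.append("Super_User profile")
        findings[u.name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(parse_admin_users(SAMPLE_CONFIG)).items():
        print(f"{name}: {', '.join(issues) if issues else 'ok'}")
```

Run against the sample, the script reports `admin` for both conditions, `breakglass` for the profile only, and `old-admin` as clean, while the LDAP-backed account is skipped. Point it at a real backup to get the list of local accounts that still need the trusted-host and profile treatment described above.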