hbouddine
New Member
July 12, 2017
Question

Manager Fortigate

  • July 12, 2017
  • 1 reply
  • 6188 views

Hello,

I have a question in relation to the FortiManager. I have several UTMs on different sites that are managed by the local IT, but with a user profile that only has the rights to modify the web filter and to consult the logs. When adding the UTM to the FortiManager, the local IT no longer has the ability to manage the FGT, since they do not have the admin rights to resume control. Can you tell me if this is normal, or if there is a configuration to make on the FortiManager side to allow them to manage the FortiGate via the FortiManager and also with direct access, knowing well that one cannot give them access with admin rights instead of the FortiManager?

Thank you in advance.

Best regards,

    1 reply

    emnoc
    New Member
    July 12, 2017

    If your question is access profiles, I'm sure you can add an access profile and account for the UTM "admin" and restrict him to that device via the pkg and ADOM.

    You might have to look at your FMG version and admin settings and admin profiles.

    config system admin profile
        edit "UTM"
            set system-setting none
            set adom-switch none
            set global-policy-packages none
            set assignment none
            set read-passwd none
            set intf-mapping none
            set device-manager none
            set device-config none
            set device-op none
            set device-wan-link-load-balance none
            set device-ap none
            set device-forticlient none
            set device-profile none
            set policy-objects none
            set deploy-management none
            set import-policy-packages none
            set config-retrieve none
            set config-revert none
            set term-access none
            set adom-policy-packages none
            set vpn-manager none
            set realtime-monitor none
            set consistency-check none
            set fgd_center none
            set fgd-center-licensing none
            set fgd-center-fmw-mgmt none
            set fgd-center-advanced none
            set log-viewer none
            set report-viewer none
            set event-management none
        next
    end

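    As an added example (not code from the thread or from Fortinet), a small Python script that parses a `config system admin profile` dump in the format shown above and flags any permission a profile holds above an assumed least-privilege allowlist for the local IT role. The "LOCAL-IT" profile and the allowlist are constructed for the example.

```python
import re

# Constructed sample: a locked-down "UTM" profile like the one in the thread,
# plus a hypothetical "LOCAL-IT" profile for the site admins.
SAMPLE_CONFIG = """\
config system admin profile
    edit "UTM"
        set system-setting none
        set device-manager none
        set log-viewer none
    next
    edit "LOCAL-IT"
        set system-setting none
        set adom-switch read-write
        set device-manager read
        set device-config read-write
        set log-viewer read
        set policy-objects read-write
    next
end
"""

# Assumed ceiling for what the local IT role may hold (not a Fortinet default):
# view devices and logs, edit device config and objects, nothing else.
ALLOWED = {"device-manager": "read", "log-viewer": "read",
           "device-config": "read-write", "policy-objects": "read-write"}
LEVEL = {"none": 0, "read": 1, "read-write": 2}

def parse_admin_profiles(text):
    """Return {profile_name: {permission: level}} from a FortiManager CLI dump."""
    profiles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'edit "([^"]+)"$', line)
        if m:
            current = profiles.setdefault(m.group(1), {})
            continue
        if line == "next":
            current = None
            continue
        m = re.match(r"set (\S+) (none|read|read-write)$", line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return profiles

def excess_privileges(perms, allowed=ALLOWED):
    """List (permission, granted, ceiling) where a profile exceeds the allowlist."""
    return [(p, g, allowed.get(p, "none")) for p, g in sorted(perms.items())
            if LEVEL[g] > LEVEL[allowed.get(p, "none")]]

if __name__ == "__main__":
    for name, perms in parse_admin_profiles(SAMPLE_CONFIG).items():
        print(name, excess_privileges(perms))  # LOCAL-IT: adom-switch exceeds "none"
```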

    chall_FTNT
    Staff
    July 25, 2017

    When using the FortiManager in Normal Mode (default), it is discouraged to make changes directly on the FortiGate.

    That is why, by design, the FGT GUI defaults to Read-Only access when the FGT is managed by FMG. Only a super-admin FGT account is given the option to switch to Read-Write.

     

    Those wishing to make regular changes directly on the FGT GUI & only wanting FMG as a configuration repository should consider using FMG in Backup Mode.

    emnoc
    New Member
    July 25, 2017

    Only a super-admin FGT account is giving the option to switch to Read-Write.

    That's not 100% correct. Take this user: it's not technically a super_admin; in fact it has a custom access_profile.

    GETCOMRKT1 (GCP) $ get system admin list
    username            local    device    vdom    profile    remote                 started
    kfelix.socpuppets   ssh      N/A       GCP     PROFILE1   192.168.77.11:51427    2017-07-25 18:18:58
    kfelix.socpuppets   https    N/A       GCP     PROFILE1   192.168.77.11:51482    2017-07-25 18:20:21