FortiGate
mkhabbazi
Staff
Article Id 300795
Description

This article describes the change in behavior of diagnose commands for non-super-admin accounts before and after FortiOS 7.4.2.

Scope

FortiOS 7.4.2, before and after.
Solution

On FortiGates running a firmware version before 7.4.2 (for example, 7.2.7), the available options for a custom admin profile look similar to the following:

config sys accprofile
edit test1
get
name                : test1
comments            :
secfabgrp           : read-write
ftviewgrp           : read-write
authgrp             : read-write
sysgrp              : read-write
netgrp              : read-write
loggrp              : read-write
fwgrp               : read-write
vpngrp              : read-write
utmgrp              : read-write
wifi                : read-write
admintimeout-override: disable
system-diagnostics  : enable
system-execute-ssh  : enable
system-execute-telnet: enable

From firmware version 7.4.2, finer-grained control over CLI commands is available. This feature lets administrators tailor CLI command access to each administrator's role, access level, or seniority, which improves both security and efficiency.

 

To configure CLI command access in administrative profiles, run the following:

config system accprofile
    edit <name>
        set cli-diagnose {enable | disable}
        set cli-get {enable | disable}
        set cli-show {enable | disable}
        set cli-exec {enable | disable}
        set cli-config {enable | disable}
    next
end

This lets an administrator build admin profiles that enable only the classes of CLI command that are actually needed. The default setting for all five CLI command options is 'disable'.

 

The output below is an example of a custom admin profile in 7.4.3:

config sys accprofile
edit test1
get
name                : test1
comments            :
secfabgrp           : read-write
ftviewgrp           : read-write
authgrp             : read-write
sysgrp              : read-write
netgrp              : read-write
loggrp              : read-write
fwgrp               : read-write
vpngrp              : read-write
utmgrp              : read-write
wifi                : read-write
admintimeout-override: disable
cli-diagnose        : enable
cli-get             : disable
cli-show            : disable
cli-exec            : disable
cli-config          : disable
system-execute-ssh  : enable
system-execute-telnet: enable

Users who are upgrading to 7.4.2 and wish to enable cli-diagnose can do so manually through the CLI using the command shown below (editing an administrator profile requires an account with sufficient privileges, such as a super_admin user).

 

By default, the FortiGate has an administrator account that uses the super_admin profile. See Administrator profiles for more information.

config system accprofile
    edit <name>
        set cli-diagnose enable
    next
end


Be aware that many diagnostic commands have privileged access. As a result, using them could unintentionally grant unexpected access or cause serious problems. Understanding the risks involved in each command is therefore crucial.
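As an added example (not from the article or from Fortinet), here is a small Python audit helper that parses the 'get' output format shown above, reports which CLI command classes a profile grants, and emits the CLI block from this article when a profile needs cli-diagnose enabled. It assumes, based on the upgrade note, that a pre-7.4.2 profile which relied on system-diagnostics must have cli-diagnose set manually after upgrading because the new options default to disable; the function names and the abbreviated sample outputs are constructed.

```python
import re
from typing import Dict

# The five per-class CLI toggles introduced in FortiOS 7.4.2 (from the article).
CLI_FLAGS = ("cli-diagnose", "cli-get", "cli-show", "cli-exec", "cli-config")
LINE_RE = re.compile(r"^\s*([A-Za-z0-9_-]+)\s*:\s*(.*?)\s*$")

def parse_accprofile(get_output: str) -> Dict[str, str]:
    """Parse the 'key : value' lines printed by 'get' into a dict."""
    profile: Dict[str, str] = {}
    for line in get_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            profile[m.group(1)] = m.group(2)
    return profile

def audit(profile: Dict[str, str]) -> dict:
    """Summarise which CLI command classes the profile grants.

    pre_742: no cli-* key present, so the output came from firmware before 7.4.2.
    needs_cli_diagnose (assumption drawn from the article's upgrade note): a
    pre-7.4.2 profile with system-diagnostics enabled must have cli-diagnose
    set manually after upgrading, since the new options default to disable.
    """
    pre_742 = not any(k in profile for k in CLI_FLAGS)
    enabled = [k for k in CLI_FLAGS if profile.get(k) == "enable"]
    return {
        "name": profile.get("name", "<unknown>"),
        "pre_742": pre_742,
        "enabled": enabled,
        "needs_cli_diagnose": pre_742 and profile.get("system-diagnostics") == "enable",
        # Classes worth review: the article notes diagnostic commands are
        # privileged; exec and config commands change device state.
        "privileged": [k for k in enabled if k not in ("cli-get", "cli-show")],
    }

def fix_commands(report: dict) -> str:
    """Return the article's CLI block that enables cli-diagnose, or '' if unneeded."""
    if not report["needs_cli_diagnose"]:
        return ""
    return ("config system accprofile\n    edit %s\n"
            "        set cli-diagnose enable\n    next\nend" % report["name"])

# Constructed samples, abbreviated from the article's two 'get' outputs.
SAMPLE_727 = ("name                : test1\nsysgrp              : read-write\n"
              "system-diagnostics  : enable\nsystem-execute-ssh  : enable\n")
SAMPLE_743 = ("name                : test1\ncli-diagnose        : enable\n"
              "cli-get             : disable\ncli-config          : disable\n")
```

Run audit(parse_accprofile(...)) over each profile's 'get' output before an upgrade to get the list of profiles that will lose diagnose access, and fix_commands() to produce the matching configuration block.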
