Dhruvin_patel
Article Id 398790
Description The article explains the changes in the prof_admin admin profile after upgrading from v7.2.11 to v7.4.8.
Scope FortiGate.
Solution

The following are the default settings of the prof_admin profile in v7.2.11:

config system accprofile
    edit "prof_admin"
        set comments ''
        set secfabgrp read-write
        set ftviewgrp read-write
        set authgrp read-write
        set sysgrp read-write
        set netgrp read-write
        set loggrp read-write
        set fwgrp read-write
        set vpngrp read-write
        set utmgrp read-write
        set wifi read-write
        set admintimeout-override disable
        set system-diagnostics enable
        set system-execute-ssh enable
        set system-execute-telnet enable
    next
end

The following are the default settings of the prof_admin profile in v7.4.8:

config system accprofile
    edit "prof_admin"
        set comments ''
        set secfabgrp read-write
        set ftviewgrp read-write
        set authgrp read-write
        set sysgrp read-write
        set netgrp read-write
        set loggrp read-write
        set fwgrp read-write
        set vpngrp read-write
        set utmgrp read-write
        set wifi read-write
        set admintimeout-override disable
        set cli-diagnose disable
        set cli-get enable
        set cli-show enable
        set cli-exec enable
        set cli-config enable
        set system-execute-ssh enable
        set system-execute-telnet enable
    next
end

The key difference is that in v7.2.11 the prof_admin profile can run diagnose commands by default, because the system-diagnostics option is enabled.

In v7.4.8 the single system-diagnostics option is replaced by the separate cli-diagnose, cli-get, cli-show, cli-exec and cli-config options, and cli-diagnose is disabled by default. As a result, after upgrading to v7.4.8, administrators assigned the prof_admin profile can no longer run diagnose commands.

If the users assigned the prof_admin profile need to run diagnose commands, the firewall administrator can re-enable them with the following command:

config system accprofile
    edit "prof_admin"
        set cli-diagnose enable
    next
end

This option is configurable only via the CLI.
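To confirm which permissions a profile gained or lost across the upgrade (on one unit or across a fleet of exported configurations), here is an added Python example that is not part of this article or of FortiOS. It parses two "config system accprofile" dumps, diffs one profile, and flags the loss of diagnose access described above; the sample dumps are constructed, abridged copies of the two blocks shown on this page.

```python
import re
# Constructed sample input: prof_admin as shown for v7.2.11 and v7.4.8 (abridged).
OLD_CFG = """config system accprofile
    edit "prof_admin"
        set sysgrp read-write
        set system-diagnostics enable
    next
end"""
NEW_CFG = """config system accprofile
    edit "prof_admin"
        set sysgrp read-write
        set cli-diagnose disable
        set cli-get enable
    next
end"""

def parse_accprofiles(text):
    """Return {profile: {option: value}} from a 'config system accprofile' dump."""
    profiles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'^edit\s+"?([^"]+)"?$', line)
        if m:
            current = m.group(1)
            profiles[current] = {}
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            profiles[current][key] = value.strip()
    return profiles

def diff_profile(old_text, new_text, name):
    """Options removed, added and changed for one profile between two dumps."""
    old = parse_accprofiles(old_text).get(name, {})
    new = parse_accprofiles(new_text).get(name, {})
    removed = {k: v for k, v in old.items() if k not in new}
    added = {k: v for k, v in new.items() if k not in old}
    changed = {k: (old[k], new[k]) for k in old if k in new and old[k] != new[k]}
    return removed, added, changed

def lost_diagnose_access(old_text, new_text, name="prof_admin"):
    """True if the profile could run diagnose commands before but not after."""
    # v7.2.x gates diagnose with system-diagnostics, v7.4.x with cli-diagnose.
    old = parse_accprofiles(old_text).get(name, {})
    new = parse_accprofiles(new_text).get(name, {})
    before = old.get("system-diagnostics", old.get("cli-diagnose")) == "enable"
    after = new.get("cli-diagnose", new.get("system-diagnostics")) == "enable"
    return before and not after
```

Feed it the output of "show system accprofile" captured before and after the upgrade; a non-empty "removed" set or a True result from lost_diagnose_access tells you which profiles need review before re-enabling anything.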


Related documents:

Technical Tip: How to recover admin account with super_admin profile 

FortiGate-7.4.8: CLI reference-config-system-accprofile 

Technical Tip: Configuring admin profiles on the FortiGate for enhanced security and access control