Description
This article describes optimal ways to strengthen security and improve operational efficiency with FortiGate admin profiles, enabling customized access control and privileges for different administrators.
Scope
FortiGate v7.2.5 or above.
Solution
FortiGate's admin profiles offer a robust method for managing administrative access to the FortiGate device, granting the flexibility to customize privileges for different administrators. Follow these steps to optimize the configuration of admin profiles for improved security and efficient management:
CLI Syntax:
--------------------
FGT # config global
FGT (global) # config system accprofile
FGT (accprofile) # edit MyAccProfile
new entry 'MyAccProfile' added
A default admin profile has the following Access Permission attributes:
--------------------
FGT (MyAccProfile) # show full-configuration
config system accprofile
    edit "MyAccProfile"
        set scope vdom
        set comments ''
        set secfabgrp none
        set ftviewgrp none
        set authgrp none
        set sysgrp none
        set netgrp none
        set loggrp none
        set fwgrp none
        set vpngrp none
        set utmgrp none
        set wifi none
        set admintimeout-override disable
        set system-diagnostics enable
        set system-execute-ssh enable
        set system-execute-telnet enable
    next
end
Access Permissions
If 'Custom' is chosen for a section, granular control over that section's individual permissions becomes available.
Note: To keep the explanations clear, each sub-section under 'Custom' is enabled on its own in the screenshots, while every other section of every access-control feature stays disabled.
Screenshots of each 'Custom' sub-section are not reproduced here; the sub-sections shown are: Policy, Address, Service, Schedule, Others; Configuration, Data Access, Report Access, Threat Weight; Configuration, Packet Capture, Router; Administrator Users, FortiGuard Updates, Configuration, Maintenance.
Only Dashboard Status is visible; the other items under Dashboard are not displayed.
Security Profile: Covers all the features under Security Profile in the GUI.
Similarly, the Custom option can also be used for Security Profile.
WiFi & Switch Controller: For visibility of SSIDs.
Configure Administrative Services:
Under the 'Administrative Services' section, enable or disable specific administrative services based on security policies. For example, restrict SSH access to trusted IPs only.
Assign Administrators to the Profile:
Go to 'System -> Administrators' and select an existing administrator or create a new one. In the administrator's settings, associate the admin profile that was created with the respective administrator.
Save and Validate the Configuration:
After configuring the admin profile and associating it with administrators, thoroughly review the settings to ensure they align with the organization's security and operational requirements. Then, select the 'OK' or 'Apply' button to save the changes.
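As an added, worked example that is not part of the original article, the following FortiOS CLI builds a least-privilege profile for a SOC analyst using the 'Custom' sub-sections described above (view policy objects and logs, no configuration changes, no packet capture, no SSH/Telnet pivoting from the CLI), then binds an administrator to it and limits that account to a trusted management subnet. The profile name, account name, VDOM and subnet are assumptions; in multi-VDOM mode enter this from 'config global' as in the CLI syntax above.

```text
config system accprofile
    edit "SOC_ReadOnly"
        set scope vdom
        # Firewall sub-sections: Policy / Address / Service / Schedule / Others
        set fwgrp custom
        config fwgrp-permission
            set policy read
            set address read
            set service read
            set schedule read
            set others none
        end
        # Log & Report sub-sections: Configuration / Data Access / Report Access / Threat Weight
        set loggrp custom
        config loggrp-permission
            set config none
            set data-access read
            set report-access read
            set threat-weight read
        end
        # Network sub-sections: Configuration / Packet Capture / Router
        set netgrp custom
        config netgrp-permission
            set cfg read
            set packet-capture none
            set route-cfg read
        end
        # System sub-sections: Administrator Users / FortiGuard Updates / Configuration / Maintenance
        set sysgrp custom
        config sysgrp-permission
            set admin none
            set upd none
            set cfg read
            set mnt none
        end
        set utmgrp read
        # remaining groups stay at their default of none; block outbound SSH/Telnet from the CLI
        set system-execute-ssh disable
        set system-execute-telnet disable
    next
end
config system admin
    edit "soc-analyst"
        set accprofile "SOC_ReadOnly"
        set vdom "root"
        # assumed management subnet; logins from any other source are refused
        set trusthost1 10.10.50.0 255.255.255.0
        set password <replace-with-a-strong-password>
    next
end
```

Lines beginning with # are explanatory comments and should be removed before pasting into an interactive CLI session; verify the result with 'show full-configuration' under the profile as shown earlier.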
Note:
If permission is set to 'none' for every entry in the admin profile, any admin account that references that profile cannot log in. When such an admin attempts to log in to FortiGate, the browser refreshes and returns to the login prompt without showing any error message.
Copyright 2025 Fortinet, Inc. All Rights Reserved.