FortiGate
karanvyas
Staff
Article Id 266237

Description

 

This article describes optimal ways to strengthen security and improve operational efficiency with FortiGate admin profiles, enabling customized access control and privileges for different administrators.

 

Scope

 

FortiGate running v7.2.5 or above.

 

Solution

 

FortiGate's admin profiles offer a robust method for managing administrative access to the FortiGate device, granting the flexibility to customize privileges for different administrators. Follow these steps to optimize the configuration of admin profiles for improved security and efficient management:

  1. Navigate to System -> Admin Profiles.
  2. Create a new admin profile: select the '+ Create New' button to initiate the setup of a new admin profile.
  3. In the admin profile configuration page, provide the following information:
  • Name: Use a clear and descriptive name for the admin profile, such as 'Full Access Admin' or 'Read-Only Admin'.
  • Comments (optional): Include relevant notes or details to help identify the purpose or scope of the profile.
  • Under 'Access Permissions', set each access control group to one of:
  1. None: no permission to view or configure anything in that group.
  2. Read Only: view-only privilege, no modifications allowed.
  3. Read/Write: full privilege to view and modify settings in that group.
  4. Custom (where the group offers it): granular per-feature control inside the group, with its own None, Read Only or Read/Write level for each sub-section.
  • Fine-tune the access control groups. Each group corresponds to a part of the GUI; the groups that offer Custom are listed with their sub-sections:
  1. Security Fabric: all features under Security Fabric in the GUI.
  2. FortiView: permission to view the FortiView pages under Dashboard in the GUI.
  3. User & Device: all features under User & Device in the GUI.
  4. Firewall: all features under Policy & Objects in the GUI. Custom sub-sections: Policy, Address, Service, Schedule, Others.
  5. Log & Report: all features under Log & Report in the GUI. Custom sub-sections: Configuration, Data Access, Report Access, Threat Weight.
  6. Network: all features under Network in the GUI. Custom sub-sections: Configuration, Packet Capture, Router.
  7. System: all features under System in the GUI. Custom sub-sections: Administrator Users, FortiGuard Updates, Configuration, Maintenance. With only Maintenance granted, only Dashboard -> Status is visible; the rest of the Dashboard is not displayed. Read/Write on Administrator Users lets the holder create or edit administrator accounts and admin profiles, so a profile with that permission is effectively a full administrator regardless of how the other groups are set.
  8. Security Profile: all features under Security Profiles in the GUI. Custom can be used here in the same way.
  9. VPN: SSL-VPN and IPsec VPN.
  10. WiFi & Switch: all features under WiFi & Switch in the GUI.
  11. WiFi & Switch Controller: visibility of SSIDs.

Note: the screenshots that accompanied this article were taken with one Custom sub-section enabled at a time and every other section set to None, so each one shows exactly what that single permission exposes in the GUI.

 

Configure Administrative Services:

The admin profile itself does not restrict where, or over which service, an administrator may connect. Control that at the two places FortiOS provides for it: the services allowed on each interface (HTTPS, SSH, and so on) are set per interface under Network -> Interfaces, Administrative Access; and the source addresses an administrator may log in from are set per account with Trusted Hosts under System -> Administrators. For example, allow SSH only on the management interface and give every administrator a Trusted Hosts list, so logins from any other source address are rejected.

 

Assign Administrators to the Profile:

Go to System -> Administrators and select an existing administrator or create a new one. In the administrator's settings, set the Administrator Profile to the profile created above. Keep at least one account on the built-in super_admin profile, and test the new profile from a second browser session before relying on it, so that a mistake in the profile cannot lock every administrator out.

 

Save and Validate the Configuration:

After configuring the admin profile and associating it with administrators, thoroughly review the settings to ensure they align with the organization's security and operational requirements. Then, select the 'OK' or 'Apply' button to save the changes.

 

Note:

If every access control group in the admin profile is set to None, any administrator account that uses that profile cannot log in. When such an administrator attempts to log in to the FortiGate GUI, the browser refreshes and returns to the login prompt without showing any error message. Check the profile assigned to the account before suspecting the credentials.
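The following script is an added example, not part of this article and not a Fortinet tool. It covers the whole procedure above from the CLI side: the embedded text is a constructed sample in FortiOS CLI syntax (the `config system accprofile` and `config system admin` form of profiles built through the GUI, with `fwgrp-permission` and `sysgrp-permission` as the Custom sub-sections), and the audit flags the two outcomes the steps and the Note warn about: a profile with every group at None, which silently locks its administrators out, and a profile with Read/Write on System -> Administrator Users, which can create other administrators and is therefore a full admin in disguise. It also reports administrators without Trusted Hosts. Profile names, comments, the administrator names and the per-group levels are assumptions made for the example.

```python
"""Audit FortiGate admin profiles parsed from FortiOS CLI text (added example)."""
import shlex

# Constructed sample in FortiOS CLI syntax: the CLI form of profiles built via
# the GUI steps above. Names, comments and levels are assumptions. 'show'
# omits values still at their default (none for every group), so "Helpdesk"
# is a profile that was saved without granting anything.
SAMPLE_CONFIG = """\
config system accprofile
    edit "Policy Operator"
        set comments "Firewall policy and address changes only"
        set ftviewgrp read
        set loggrp read
        set fwgrp custom
        config fwgrp-permission
            set policy read-write
            set address read-write
            set service read
            set schedule read
            set others none
        end
        set sysgrp custom
        config sysgrp-permission
            set admin read-write
            set upd none
            set cfg none
            set mnt none
        end
    next
    edit "Helpdesk"
        set comments "Saved without granting any group"
    next
end
config system admin
    edit "jdoe"
        set accprofile "Policy Operator"
        set trusthost1 10.10.0.0 255.255.255.0
    next
    edit "helpdesk1"
        set accprofile "Helpdesk"
    next
end
"""

# Access control groups as named in the CLI (Security Fabric ... WiFi & Switch).
GROUPS = ("secfabgrp", "ftviewgrp", "authgrp", "fwgrp", "loggrp", "netgrp",
          "sysgrp", "utmgrp", "vpngrp", "wanoptgrp", "wifi")


def parse_fortios(text):
    """Parse config/edit/set/next/end text into nested dicts keyed by name."""
    stack = [{}]
    for raw in text.splitlines():
        parts = shlex.split(raw)
        if not parts:
            continue
        if parts[0] in ("config", "edit"):      # open a nested table or entry
            stack.append(stack[-1].setdefault(" ".join(parts[1:]), {}))
        elif parts[0] == "set":                  # single value, or list if several
            stack[-1][parts[1]] = parts[2] if len(parts) == 3 else parts[2:]
        elif parts[0] in ("next", "end"):
            stack.pop()
    return stack[0]


def audit_profiles(cfg):
    """Return {profile: [finding, ...]} for every entry under system accprofile."""
    out = {}
    for name, prof in cfg.get("system accprofile", {}).items():
        findings = []
        levels = {g: prof.get(g, "none") for g in GROUPS}
        if all(v == "none" for v in levels.values()):
            findings.append("LOCKOUT: every group is none; login page just reloads")
        admin_level = levels["sysgrp"]          # System > Administrator Users
        if admin_level == "custom":
            admin_level = prof.get("sysgrp-permission", {}).get("admin", "none")
        if admin_level == "read-write":
            findings.append("ESCALATION: can create or edit administrators and "
                            "profiles; treat as a full admin")
        out[name] = findings
    return out


def audit_admins(cfg):
    """Return {admin: [finding, ...]}: profile findings plus missing trusted hosts."""
    by_profile = audit_profiles(cfg)
    out = {}
    for name, adm in cfg.get("system admin", {}).items():
        findings = list(by_profile.get(adm.get("accprofile", ""), []))
        if not any(k.startswith("trusthost") for k in adm):  # default 0.0.0.0/0
            findings.append("NO TRUSTED HOSTS: login allowed from any source address")
        out[name] = findings
    return out


if __name__ == "__main__":
    parsed = parse_fortios(SAMPLE_CONFIG)
    for who, issues in audit_admins(parsed).items():
        print(f"{who}: {issues or ['ok']}")
```

To run it against a real unit, paste the output of `show system accprofile` and `show system admin` in place of SAMPLE_CONFIG (the `set password ENC ...` lines in the admin output are stored but unused). Because `show` omits values still at their default, a group that never appears is reported as None, which is exactly the case that produces the silent login loop described in the Note; `show full-configuration` prints every value if you prefer an explicit listing.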