Description
When the FortiGate is configured with multiple VDOMs, there are two ways to create an admin user that has visibility of all VDOMs:
- A global admin account with read-write (full) privileges. This is the default admin account profile (super_admin).
- A read-only admin account with visibility of all VDOMs.
This article describes how to create the read-only admin user with access to all VDOMs.
Solution
1) Create an admin profile with read-only privileges from the CLI (the '#' is the CLI prompt, not part of the command):
# config global
# config system accprofile
edit "admin_readonly"
set admingrp read
set authgrp read
set endpoint-control-grp read
set fwgrp read
set loggrp read
set mntgrp read
set netgrp read
set routegrp read
set sysgrp read
set updategrp read
set utmgrp read
set vpngrp read
set wanoptgrp read
set wifi read
set scope global
next
end
By default, an admin profile is created with 'set scope vdom', which limits the profile's visibility to the VDOM(s) the administrator is assigned to.
The setting that matters in the profile above is 'set scope global'.
It can only be changed from the CLI, not from the GUI, so that VDOM-wide visibility is never granted to an admin user by accident.
An administrator whose profile keeps 'set scope vdom' cannot see or enter the Global VDOM from the GUI or the CLI after login, even if the intention was to create a profile with visibility of all VDOMs.
The global configuration cannot be viewed or changed unless the account uses the super_admin profile or its profile's scope has been changed to 'global' from the CLI.
To confirm the scope, run 'show system accprofile admin_readonly' (under 'config global'); the output must contain 'set scope global'.
2) After the admin profile is created with the correct scope, create an admin user account from the CLI and assign it the profile created above (replace <password> with a strong password; an administrator cannot be used without one):
# config global
# config system admin
edit "admin_read"
set accprofile "admin_readonly"
set password <password>
next
end
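As an added example (this script is not part of the article or of Fortinet's tooling), the following Python audit reads the 'config system accprofile' section of a FortiOS configuration backup and flags the two mistakes this article is about: a profile given 'set scope global' that still carries write permissions, and a read-only profile left at the default 'set scope vdom', which cannot see the Global VDOM at all. It also reports profiles that permit CLI diagnostic commands; the attribute name 'cli-diagnose' and the sample backup excerpt (profile names 'admin_readonly', 'vdom_readonly', 'helpdesk') are assumptions constructed for the demo. The parser treats any 'set ...grp' attribute (and 'wifi') as a permission group, so it also picks up groups added in newer FortiOS releases, and it skips nested sub-tables such as 'config fwgrp-permission'.

```python
"""Audit 'config system accprofile' in a FortiOS backup for scope/permission mistakes.

Added example for this article; not Fortinet code. SAMPLE_CONFIG is a constructed
multi-VDOM backup excerpt, and 'cli-diagnose' is an assumed attribute name.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: 'admin_readonly' follows the article (subset of its groups),
# 'vdom_readonly' forgot 'set scope global', and 'helpdesk' mixes global scope with
# a custom firewall permission that allows policy changes.
SAMPLE_CONFIG = """\
config global
config system accprofile
    edit "admin_readonly"
        set scope global
        set admingrp read
        set fwgrp read
        set loggrp read
        set netgrp read
        set sysgrp read
        set wifi read
    next
    edit "vdom_readonly"
        set fwgrp read
        set loggrp read
    next
    edit "helpdesk"
        set scope global
        set fwgrp custom
        set loggrp read
        set cli-diagnose enable
        config fwgrp-permission
            set policy read-write
            set address read
        end
    next
end
end
"""


@dataclass
class Profile:
    name: str
    scope: str = "vdom"            # FortiOS default when 'set scope' is absent
    cli_diagnose: bool = False     # 'set cli-diagnose enable' (assumed attribute name)
    perms: dict = field(default_factory=dict)   # permission group -> value


def parse_accprofiles(text):
    """Return the Profile entries found in the 'config system accprofile' section."""
    profiles, current = [], None
    in_section, depth = False, 0   # depth: nested config/end tables inside an edit
    for raw in text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = line == "config system accprofile"
            continue
        if line.startswith("config "):        # e.g. 'config fwgrp-permission'
            depth += 1
        elif line == "end":
            if depth == 0:
                break                         # end of the accprofile section
            depth -= 1
        elif depth:
            continue                          # sub-table lines are not audited here
        elif line.startswith("edit "):
            current = Profile(re.match(r'edit\s+"?([^"]+)"?', line).group(1))
            profiles.append(current)
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            parts = line.split(None, 2)
            if len(parts) != 3:
                continue
            attr, value = parts[1], parts[2].strip('"')
            if attr == "scope":
                current.scope = value
            elif attr == "cli-diagnose":
                current.cli_diagnose = value == "enable"
            elif attr.endswith("grp") or attr == "wifi":   # permission groups
                current.perms[attr] = value
    return profiles


def audit(profiles):
    """Return (profile name, finding) pairs that deserve a second look."""
    findings = []
    for p in profiles:
        # 'read-write' writes; 'custom' may write through its sub-table, so count it too
        writable = sorted(a for a, v in p.perms.items() if v not in ("none", "read"))
        if p.scope == "global" and writable:
            findings.append((p.name, "global scope with write access: " + ", ".join(writable)))
        if p.scope != "global" and p.perms and not writable:
            findings.append((p.name, "read-only profile at default 'scope vdom': cannot see Global"))
        if p.cli_diagnose:
            findings.append((p.name, "CLI diagnostic commands permitted"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(parse_accprofiles(SAMPLE_CONFIG)):
        print(f"{name}: {finding}")
```

Run it against a real backup by replacing SAMPLE_CONFIG with the file contents; a clean result for the article's profile is no finding at all, while a profile that was created from the GUI only (and therefore never received 'set scope global') shows up as the second finding.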
The same two steps can also be done from the GUI. Note that the GUI cannot change the profile scope: 'set scope global' still has to be applied from the CLI as described above.
1) Creating the admin profile:
Log in to the firewall as admin, select System -> Admin Profiles, and then select Create New.
Name: give the profile any name (for example 'admin_readonly').
Set all access permissions to 'Read', so that the administrator can only view settings and cannot change any of them.
Permit use of CLI diagnostic commands:
If this option is enabled, the administrator can run 'diagnose' commands on the FortiGate. Leave it disabled unless the role really needs it: diagnose commands are not harmless for a read-only role, for example 'diagnose sniffer packet' captures live traffic.
Here is the reference screenshot:
Select the 'SAVE' button; the profile is saved.
Now it is necessary to create a new administrator and attach this read-only profile to that specific user.
2) Creating the administrator:
Select System -> Administrators and select Create New.
Fill in the fields (name, password, and so on), then attach the newly created read-only profile to the admin user.
Refer to the below screenshot:
Now log in with this user: only read-only access is available.
Copyright 2023 Fortinet, Inc. All Rights Reserved.