Created on 10-27-2022 12:41 AM
Edited on 01-22-2026 10:20 AM
By Stephen_G
Description: This article describes a scenario where an administrator account configured with a custom read/write admin profile on a FortiGate firewall is forced into read-only mode when the device is managed by FortiManager.

Scope: FortiGate, FortiManager

Solution:
When a FortiGate firewall is managed by FortiManager, administrator accounts created with custom read/write admin profiles may not behave as expected. These profiles are often designed to allow the user to perform specific administrative tasks (such as managing VPN users, WiFi, or other selected features) without granting full system-level access.
After logging in with such an administrator account, the FortiGate displays a notification indicating that the device is managed by FortiManager and that the administrator is logged in with read-only access. As a result, the administrator is unable to make any configuration changes, even though the custom admin profile is configured with read/write permissions for certain feature groups.
This behavior is expected and by design. When a FortiGate is managed by FortiManager, administrator users must have read/write access to the System permission, in addition to the other sections defined in the admin profile, in order to read and modify the configuration. Custom admin profiles without System permission are limited to read-only access.
Resolving this limitation: To allow administrators with custom admin profiles to function correctly, consider implementing one of the following options:
Option 1: Add System Permissions to the admin profile. Navigate to System -> Admin Profiles, select the custom admin profile, then select Edit. Modify the System permission and set it to Read/Write, then select OK to commit the change.
To make this change from the CLI, modify the Admin Profile and set the sysgrp option to read-write:
    config system accprofile
        edit <name>
            set sysgrp read-write
        next
    end
If an Admin Profile should not grant full System permissions (which include access to Administrator Users, FortiGuard Updates, Configuration, and Maintenance), select Custom under the System permission instead.
Under Custom System permissions, enable Read/Write access only for Configuration, which includes Settings, HA, SNMP, Replacement Messages, and Feature Visibility, as this is the minimum required permission. Without Read/Write access to Configuration, the administrator will only be able to log in with read-only access, even if other feature permissions are set to Read/Write. For the CLI equivalent:
    config system accprofile
        edit <name>
            set sysgrp custom
            config sysgrp-permission
                set cfg read-write
            end
        next
    end
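As an added audit example (not Fortinet's code), the following script parses the text of `show system accprofile` and reports, for each profile, whether a FortiManager-managed FortiGate would grant it read/write or read-only access, applying the rule above (System read-write, or System custom with Configuration read-write). It assumes `show` output omits default values, so a profile with no `set sysgrp` line has the default `none`; the sample output is constructed.

```python
import re
# Constructed sample of `show system accprofile` output (not from a real
# device). FortiOS `show` omits defaults, so no `set sysgrp` means `none`.
SAMPLE_SHOW_OUTPUT = """\
config system accprofile
    edit "vpn_only"
        set vpngrp read-write
    next
    edit "wifi_custom_cfg"
        set sysgrp custom
        set wifi read-write
        config sysgrp-permission
            set cfg read-write
        end
    next
    edit "custom_without_cfg"
        set sysgrp custom
        config sysgrp-permission
            set admin read-write
        end
    next
end
"""

def parse_accprofiles(show_output):
    """Return {name: {"sysgrp": ..., "cfg": ...}} from `show` output text."""
    profiles, current, in_perm = {}, None, False
    for line in map(str.strip, show_output.splitlines()):
        if m := re.fullmatch(r'edit "?([^"]+)"?', line):
            current = m.group(1)
            profiles[current] = {"sysgrp": "none", "cfg": "none"}  # defaults
        elif line == "config sysgrp-permission":
            in_perm = True          # entering the System custom sub-permissions
        elif line == "end":
            in_perm = False
        elif line == "next":
            current = None
        elif current and (m := re.fullmatch(r"set (\S+) (\S+)", line)):
            key, value = m.groups()
            if key == "sysgrp":
                profiles[current]["sysgrp"] = value
            elif key == "cfg" and in_perm:   # Configuration sub-permission
                profiles[current]["cfg"] = value
    return profiles

def effective_access(profile):
    """Access a FortiManager-managed FortiGate grants: read-write needs System
    read-write, or System custom with Configuration (cfg) read-write."""
    rw = profile["sysgrp"] == "read-write" or (
        profile["sysgrp"] == "custom" and profile["cfg"] == "read-write")
    return "read-write" if rw else "read-only"
```

Run `effective_access(p)` over `parse_accprofiles(...)` for a device's real `show system accprofile` output to list the profiles that will silently drop to read-only once the FortiGate is added to FortiManager.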
Option 2: Perform all configuration changes directly from FortiManager. Changes should generally be made from FortiManager to ensure consistency between the configuration held by FortiManager and the configuration on the FortiGates. However, FortiManager does not have as granular a permission structure when it comes to specifying sub-sections of an individual FortiGate's configuration.
Option 3: Disconnect the FortiGate from FortiManager (not recommended in production environments). FortiGates that are not managed by FortiManager do not require administrators to have the System permission set to read/write, as the Login Read-Only/Read-Write prompt only appears for FortiManager-connected FortiGates. However, disconnecting from FortiManager would mean that the FortiGate is no longer able to be centrally managed.