FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
naveenk
Staff
Article Id 191434

Description

 

This article describes how to disable diagnose command access for specific admin profiles.

In some network management environments it is necessary to prevent certain FortiGate administrators from running FortiGate diagnose commands, since these commands expose internal state (sessions, kernel and daemon debug output, packet captures) that should be limited to a small set of trusted administrators.

 

Scope

 

FortiGate.

Solution


To address this requirement, FortiOS v6.4, v7.0, and v7.2 provide the 'Permit usage of CLI diagnostic commands' option in the GUI under Admin Profiles.

 
Disable this option on the admin profile whose administrators must not run diagnostic commands, then map that admin profile to the required administrators.
The same setting can be configured from the CLI with the following commands.
 

The system-diagnostics command in an administrator profile can be used to control access to diagnose commands for global and VDOM-level administrators.
To block an administrator's access to diagnose commands:

Create an admin profile that cannot access diagnose commands:

 

config system accprofile
    edit "nodiagnose"
        set system-diagnostics disable
    next
end

 

Apply the profile to an administrator:

 

config system admin
    edit "nodiag"
        set accprofile "nodiagnose"
        set vdom "root"
        set password ********
    next
end

 

Log in as that administrator and confirm that diagnose commands can no longer be run (the diagnose command tree is not available to the session).

 

 

  • In FortiOS v7.4.2, the system-diagnostics setting is replaced by per-command-class permissions (cli-diagnose, cli-get, cli-show, cli-exec, cli-config). By default, CLI diagnostic commands are disabled for all admin profiles except super_admin, which tightens control over who can run these commands.
  • For further details, refer to the documentation on CLI system permissions.
  • When upgrading to FortiOS v7.4.2 or later, these per-class CLI permissions are applied with their new defaults regardless of the system-diagnostics value that was configured in FortiOS v7.4.1 or earlier, so the upgraded configuration is consistent but must be reviewed: any non-super_admin profile that needs diagnose access has to be re-enabled explicitly after the upgrade.

 

config system accprofile
    edit "User"
        set cli-diagnose disable
        set cli-get enable
        set cli-show enable
        set cli-exec enable
        set cli-config enable
    next
end

 

  • To enable the CLI diagnostic commands permission:

 

config system accprofile
    edit "User"
        set cli-diagnose enable
    next
end
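After applying either the pre-7.4.2 system-diagnostics setting or the 7.4.2+ cli-diagnose setting, a practitioner usually wants to audit a configuration backup to see which administrators can still run diagnose commands, including the ones that inherit the release default because their profile sets nothing explicitly. The following script is an added example written for this article; it is not Fortinet code and is not part of the original page. It parses the `config` / `edit` / `set` / `next` / `end` structure shown above (only that subset of the FortiOS config syntax), and it assumes two things stated in the article: super_admin can always run diagnose commands, and on v7.4.2 or later only cli-diagnose is honoured (defaulting to disable) while on earlier releases only system-diagnostics is honoured (defaulting to enable). The sample backup is constructed and mixes both keyword families so that both code paths can be exercised.

```python
"""Audit a FortiOS configuration backup for administrators who can run
'diagnose' commands.  Added example, not Fortinet's code; it handles only
the config/edit/set/next/end subset of the FortiOS config syntax."""
import shlex

# Constructed sample backup (not a real device export).  It deliberately
# mixes the pre-7.4.2 'system-diagnostics' keyword and the 7.4.2+
# 'cli-diagnose' keyword so both audit paths can be demonstrated.
SAMPLE_CONFIG = """\
config system accprofile
    edit "prof_admin"
        set system-diagnostics enable
    next
    edit "nodiagnose"
        set system-diagnostics disable
    next
    edit "User"
        set cli-diagnose disable
        set cli-get enable
        set cli-show enable
        set cli-exec enable
        set cli-config enable
    next
    edit "helpdesk"
        set comments "no explicit diagnose setting"
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "nodiag"
        set accprofile "nodiagnose"
        set vdom "root"
    next
    edit "ops"
        set accprofile "prof_admin"
    next
    edit "support"
        set accprofile "helpdesk"
    next
    edit "svc"
        set accprofile "User"
    next
end
"""


def parse_fortios_config(text):
    """Return {"system accprofile": {entry: {setting: value}}, ...}.
    Only top-level tables are indexed; nested 'config' blocks inside an
    entry are skipped so the walker stays aligned with 'next'/'end'."""
    tables, table, entry, nested = {}, None, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)  # strips the quotes around names/values
        keyword = tokens[0]
        if nested:  # inside a nested block: only watch for its 'end'
            if keyword == "config":
                nested += 1
            elif keyword == "end":
                nested -= 1
            continue
        if keyword == "config":
            if table is None:
                table = " ".join(tokens[1:])
                tables.setdefault(table, {})
            else:
                nested += 1
        elif keyword == "edit" and table is not None:
            entry = tokens[1]
            tables[table].setdefault(entry, {})
        elif keyword == "set" and entry is not None:
            tables[table][entry][tokens[1]] = " ".join(tokens[2:])
        elif keyword == "next":
            entry = None
        elif keyword == "end":
            table, entry = None, None
    return tables


def profile_allows_diagnose(profile_name, settings, fortios_742_or_later):
    """Assumption from the article: super_admin is always allowed; 7.4.2+
    honours only cli-diagnose (default disable), earlier releases honour
    only system-diagnostics (default enable)."""
    if profile_name == "super_admin":
        return True
    if fortios_742_or_later:
        return settings.get("cli-diagnose", "disable") == "enable"
    return settings.get("system-diagnostics", "enable") == "enable"


def admins_with_diagnose(tables, fortios_742_or_later):
    """Map each administrator to True/False: can it run diagnose commands?"""
    profiles = tables.get("system accprofile", {})
    report = {}
    for admin, settings in tables.get("system admin", {}).items():
        prof = settings.get("accprofile", "")
        report[admin] = profile_allows_diagnose(
            prof, profiles.get(prof, {}), fortios_742_or_later)
    return report


if __name__ == "__main__":
    cfg = parse_fortios_config(SAMPLE_CONFIG)
    for label, flag in (("pre-7.4.2", False), ("7.4.2+", True)):
        allowed = sorted(a for a, ok in admins_with_diagnose(cfg, flag).items() if ok)
        print(f"{label}: admins able to run diagnose commands: {allowed}")
```

Run it against a real backup by replacing `SAMPLE_CONFIG` with the file contents; the `7.4.2+` report is the one to check after an upgrade, since every profile without an explicit `set cli-diagnose enable` drops to the new default and only super_admin keeps access.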