Description
In some network management environments it is necessary to prevent certain FortiGate administrators from accessing FortiGate diagnose commands.
This article describes how to disable diagnose command access for a specific admin profile.
Solution
To address this requirement, FortiOS 6.4 introduced the 'Permit usage of CLI diagnostic commands' option in the GUI under Admin Profiles.
This option is set per admin profile: disabling it in a profile prevents the administrators assigned to that profile from accessing diagnostic commands.
Map this admin profile to the required administrators.
This can also be configured from the CLI with the following commands.
The system-diagnostics setting in an administrator profile controls access to diagnose commands for both global and VDOM-level administrators.
To block an administrator's access to diagnose commands:
Create an admin profile that cannot access diagnose commands:
# config system accprofile
    edit "nodiagnose"
        set system-diagnostics disable
    end
Apply the profile to an administrator:
# config system admin
    edit "nodiag"
        set accprofile "nodiagnose"
        set vdom "root"
        set password ********
    end
Log in as that administrator and confirm that diagnose commands can no longer be run:
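Checking one administrator interactively confirms a single profile; in an environment with many administrators it is easier to audit the configuration backup. The following Python script is an added example, not Fortinet code and not part of this article: it parses the `config system accprofile` and `config system admin` tables from a FortiOS configuration text and lists every administrator whose profile still permits diagnose commands. It assumes that a profile which does not set `system-diagnostics` explicitly keeps the FortiOS default of `enable` (configuration backups omit default values), and the configuration it parses is a constructed sample, not a real device export.

```python
import shlex

# Assumption: FortiOS permits diagnose commands unless the profile sets
# "system-diagnostics disable" explicitly, so a missing key means "enable".
DIAG_DEFAULT = "enable"

# Constructed sample configuration (not a real device backup). The "nodiag"
# administrator uses the "nodiagnose" profile from the article; the others
# use profiles that never disable system-diagnostics.
SAMPLE_CONFIG = """\
config system accprofile
    edit "nodiagnose"
        set system-diagnostics disable
    next
    edit "helpdesk"
        set scope vdom
    next
end
config system admin
    edit "nodiag"
        set accprofile "nodiagnose"
        set vdom "root"
        set password ENC <redacted>
    next
    edit "ops1"
        set accprofile "helpdesk"
        set vdom "root"
    next
    edit "admin"
        set accprofile "super_admin"
    next
end
"""


def parse_fortios_config(text):
    """Parse FortiOS 'config/edit/set/next/end' text into
    {table path: {entry name: {key: value}}}.
    Settings outside any 'edit' block are stored under the entry name ''."""
    tables = {}
    path = []         # stack of open "config <table>" paths
    entry_stack = []  # the 'edit' entry that was open when each config began
    entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and "#config-version=..." header lines
        tokens = shlex.split(line)
        keyword = tokens[0]
        if keyword == "config":
            path.append(" ".join(tokens[1:]))
            entry_stack.append(entry)
            entry = None
        elif keyword == "edit":
            entry = tokens[1]
            tables.setdefault(path[-1], {}).setdefault(entry, {})
        elif keyword == "set":
            name = entry if entry is not None else ""
            tables.setdefault(path[-1], {}).setdefault(name, {})
            tables[path[-1]][name][tokens[1]] = " ".join(tokens[2:])
        elif keyword == "next":
            entry = None
        elif keyword == "end":
            path.pop()
            entry = entry_stack.pop()
    return tables


def admins_with_diagnose_access(tables):
    """Return [(admin name, profile name)] for every administrator whose
    profile does not explicitly disable system-diagnostics."""
    profiles = tables.get("system accprofile", {})
    flagged = []
    for admin, settings in tables.get("system admin", {}).items():
        profile = settings.get("accprofile", "")
        diag = profiles.get(profile, {}).get("system-diagnostics", DIAG_DEFAULT)
        if diag != "disable":
            flagged.append((admin, profile))
    return flagged


if __name__ == "__main__":
    for admin, profile in admins_with_diagnose_access(parse_fortios_config(SAMPLE_CONFIG)):
        print(f"{admin}: profile '{profile}' still permits diagnose commands")
```

On a real device, feed the script the output of a configuration backup (or of `show system accprofile` and `show system admin` concatenated) instead of the sample. Administrators mapped to a profile the script cannot find, such as the built-in `super_admin`, are reported as permitted, which is the safe direction for an audit.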