FortiGate
jstan (Staff)
Article Id 223742
Description

This article describes how to grant read-only admins permission to run diagnose commands so that they can perform basic diagnostics.

Scope

FortiOS 6.4.0 or above.

Solution
  • Before FortiOS 6.4.0, read-only admins have no rights to run diagnostic commands such as 'diag sniffer' and 'diag debug'.

  • In FortiOS 6.4.0, a new CLI command has been introduced:

config system accprofile
    edit read-only
        set system-diagnostics enable
end

config system admin
    edit readonly
        set accprofile read-only
        set vdom root
        set password xxxx
end


  • Read-only admins with system-diagnostics disabled:

FortiCarrier-3200D $
get        <----- Get dynamic and system information.
show       <----- Show configuration.
execute    <----- Execute static commands.
alias      <----- Execute alias commands.
exit       <----- Exit the CLI.


  • Read-only admins with system-diagnostics enabled:

FortiCarrier-3200D $
get         <----- Get dynamic and system information.
show        <----- Show configuration.
diagnose    <----- Diagnose facility.   (The diagnose command is now available to the read-only admin.)
execute     <----- Execute static commands.
alias       <----- Execute alias commands.
exit        <----- Exit the CLI.


  • From FortiOS 7.4.2 and above, the CLI diagnostics setting has been renamed from 'system-diagnostics' to 'cli-diagnose'.

  • By default, 'cli-diagnose' is disabled for every access profile except super_admin.


  • Enable permission to run the CLI diagnostic commands.
    From CLI:

config system accprofile
    edit "Test"
        set cli-diagnose enable
    next
end

 

From GUI: see screenshot CLI_diagnostic.JPG.
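Because this setting widens what a read-only account can do, it is worth auditing which admins actually end up with it. The following Python script is an added example (not part of this article and not Fortinet tooling): it parses the 'config system accprofile' and 'config system admin' sections of a FortiOS configuration backup and lists each admin whose profile enables CLI diagnostics under either the 6.4.0 name 'system-diagnostics' or the 7.4.2+ name 'cli-diagnose'. The embedded configuration text is a constructed sample; the profile and admin names other than super_admin and read-only are invented for illustration, and the treatment of super_admin as always enabled follows the statement above.

```python
"""Audit which admin accounts can run 'diagnose' commands on a FortiGate.

Added example, not Fortinet code.  Reads the plain-text
'config ... edit ... set ... next ... end' layout of a FortiOS backup.
"""
import re
from typing import Dict, Set

# Constructed sample of the two relevant sections of a config backup.
# Names other than super_admin and read-only are invented.
SAMPLE_CONFIG = """\
config system accprofile
    edit "super_admin"
        set scope global
    next
    edit "read-only"
        set system-diagnostics enable
    next
    edit "Test"
        set cli-diagnose enable
    next
    edit "helpdesk"
        set cli-diagnose disable
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "readonly"
        set accprofile "read-only"
        set vdom "root"
    next
    edit "auditor"
        set accprofile "helpdesk"
    next
end
"""

# Setting names that grant CLI diagnostics: the 6.4.0 name and the 7.4.2+ name.
DIAG_SETTINGS = ("system-diagnostics", "cli-diagnose")

_EDIT_RE = re.compile(r'^edit\s+"?([^"]*)"?$')
_SET_RE = re.compile(r'^set\s+(\S+)\s+(.*)$')


def parse_section(config: str, section: str) -> Dict[str, Dict[str, str]]:
    """Return {entry_name: {setting: value}} for one top-level 'config <section>'.

    Nested 'config ... end' blocks inside an entry are skipped so that their
    'end' does not terminate the outer section early.
    """
    entries: Dict[str, Dict[str, str]] = {}
    in_section = False
    current = None
    nested = 0  # depth of nested config blocks inside the section
    for raw in config.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = line == f"config {section}"
            continue
        if nested:  # inside a nested block: only track its open/close
            nested += line.startswith("config ")
            nested -= line == "end"
            continue
        if line.startswith("config "):
            nested = 1
            continue
        if line == "end":
            break
        m = _EDIT_RE.match(line)
        if m:
            current = m.group(1)
            entries[current] = {}
            continue
        if line == "next":
            current = None
            continue
        m = _SET_RE.match(line)
        if m and current is not None:
            entries[current][m.group(1)] = m.group(2).strip().strip('"')
    return entries


def diag_enabled_profiles(config: str) -> Set[str]:
    """Access profiles whose admins may run 'diagnose' commands."""
    profiles = parse_section(config, "system accprofile")
    enabled = {name for name, s in profiles.items()
               if any(s.get(key) == "enable" for key in DIAG_SETTINGS)}
    # super_admin always has diagnostics (per the article), even though the
    # backup does not list the setting for it explicitly.
    enabled.add("super_admin")
    return enabled


def admins_with_diagnose(config: str) -> Dict[str, str]:
    """Map each admin that can run 'diagnose' to the profile granting it."""
    enabled = diag_enabled_profiles(config)
    admins = parse_section(config, "system admin")
    return {name: s["accprofile"] for name, s in admins.items()
            if s.get("accprofile") in enabled}


if __name__ == "__main__":
    for admin, profile in sorted(admins_with_diagnose(SAMPLE_CONFIG).items()):
        print(f"{admin}: diagnose allowed via profile {profile!r}")
```

Run it against a real backup by replacing SAMPLE_CONFIG with the file contents; any account listed that is not expected to hold diagnostic rights points at a profile whose system-diagnostics or cli-diagnose setting should be reviewed.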

 

 

Related document:

CLI system permissions