Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
jstan
Staff
Staff

Created on ‎09-14-2022 12:49 AM Edited on ‎03-27-2025 10:37 PM By Community Manager

Article Id 223742

Technical Tip: Granting read only admins with diagnose commands

Description

This article describes how to grant read-only admins with diagnose commands so that it is possible to perform basic diagnostics.
Scope

FortiGate v6.4.0 or above.
Solution
  • Before v6.4.0, read-only admins did not have any rights to run diagnostic commands such as diagnose sniffer and diagnose debug.

  • In v6.4.0, a new CLI configuration command has been introduced for the admin profiles:

 

config system accprofile

    edit read-only

        set system-diagnostics enable

end

 

config system admin

    edit readonly

        set accprofile read-only

        set vdom root

        set password xxxx

end

 

  • Read only admins with system-diagnostics disable:

 

FortiCarrier-3200D $

get        <----- Get dynamic and system information.

show       <----- Show configuration.

execute    <----- Execute static commands.

alias      <-----  Execute alias commands.

exit       <----- Exit the CLI.

 

  • Read only admins with system-diagnostics enable:

 

FortiCarrier-3200D $

get                <----- Get dynamic and system information.

show        <----- Show configuration.

diagnose    <----- Diagnose facility.  ß Diagnose command is available for read only admin.

execute     <----- Execute static commands.

alias       <----- Execute alias commands.

exit        <----- Exit the CLI.

 

  • From v7.4.2 and later, the CLI diagnostics command name has changed from 'system-diagnostics' to 'cli-diagnose'.
  • By default, the use of the 'cli-diagnose' permission is disabled, except for admins making use of the 'super_admin" profile.
  • Enable permission to run the CLI diagnostic commands.
    From CLI:

 

config system accprofile
    edit "Test"
        set cli-diagnose enable
    next
end


From GUI , Navigate to System -> Admin Profiles and select Profile:

CLI_diagnostic.JPG

 

Related document: CLI system permissions

Note: Certain diagnostic commands will need Read/Write permissions on the admin profile as they will not function with Read-Only permissions and the "system-diagnostic" or 'cli-diagnose' settings enabled on the Admin Profile.

 

A few examples of specific diagnostic commands can be seen below:

 

System category

diagnose cp soc3

diagnose snmp

diagnose disktest
User & Device category diagnose radiustest
VPN category diagnose forticlient
Wifi & Switch category diagnose wireless-controller wlac -c sta
diagnose wpad

 
3478
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.