Created on 05-07-2010 01:33 AM Edited on 09-06-2023 09:05 PM By Anthony_E
Description
This article explains multiple ways to list and disconnect administrators currently logged in to a FortiGate.
Scope
FortiGate.
Solution
There are three ways to list and disconnect administrators currently logged in to a FortiGate: from the GUI, from the CLI, and through the REST API.
From the GUI, go to Dashboard -> Status, select the Administrators widget, and then select ‘Show active administrator sessions’.
In order to disconnect an administrator, select the administrator and then select the Disconnect button.
Note that non-super_admin users cannot disconnect super_admin sessions and that administrators in general cannot disconnect their own session via the GUI method. In both cases, the Disconnect button will be greyed out/unavailable.
From the CLI, list the logged-in administrators:
HomeGate # get system info admin status
Index User name Login type From
Logged in users: 6
USERNAME TYPE FROM TIME
admin ssh 10.0.12.103 Tue Sep 5 11:13:19 2023
admin https 10.0.12.103 Tue Sep 5 11:14:06 2023
admin01 ssh 10.0.12.103 Tue Sep 5 11:12:47 2023
admin02 ssh 10.0.12.103 Tue Sep 5 11:13:02 2023
admin00 https 10.0.12.103 Tue Sep 5 11:17:04 2023
admin jsconsole 10.0.12.103 Tue Sep 5 11:19:38 2023
In order to disconnect an administrator, run execute disconnect-admin-session <index-of-admin>
HomeGate # execute disconnect-admin-session
<integer> Index of admin to be disconnected
Currently connected admins:
INDEX USERNAME TYPE VDOM PROFILE FROM TIME
0 admin ssh root super_admin 10.0.12.103 Tue Sep 5 11:13:19 2023
1 admin https root super_admin 10.0.12.103 Tue Sep 5 11:14:06 2023
2 admin01 ssh root prof_admin 10.0.12.103 Tue Sep 5 11:12:47 2023
3 admin02 ssh root admin_no_access 10.0.12.103 Tue Sep 5 11:13:02 2023
4 admin00 https root super_admin_readonly 10.0.12.103 Tue Sep 5 11:17:04 2023
5 admin jsconsole root super_admin 10.0.12.103 Tue Sep 5 11:19:38 2023
HomeGate # execute disconnect-admin-session 4
Disconnecting administrator admin00
Note:
The CLI method allows administrators to disconnect their own sessions. Ensure that the correct session index is chosen before proceeding with the disconnection.
The following REST API endpoint can be used to retrieve a list of logged-in administrators: ‘/api/v2/monitor/system/current-admins’
Before the API can be used, administrators must authenticate to the FortiGate using either a REST API Administrator account (token-based authentication) or a regular Administrator account (session-based authentication).
A REST API Administrator (token-based authentication) is used for this example; it generates an Authorization token that is used in the API calls.
The following is an example GET request to retrieve the logged-in admins using curl. Note that the header includes the previously mentioned Authorization token. The --insecure option makes curl skip TLS certificate verification; leave it out when the client trusts the FortiGate's certificate:
curl --insecure --location 'https://10.0.0.254/api/v2/monitor/system/current-admins' \
--header 'Authorization: Bearer rcfmgytpncdwNsfcHs5qssm7hk0sQm'
root@debian:~# curl --insecure --location 'https://10.0.0.254/api/v2/monitor/system/current-admins' \
--header 'Authorization: Bearer rcfmgytpncdwNsfcHs5qssm7hk0sQm'
{
  "http_method":"GET",
  "results":[
    {
      "id":17764,
      "admin":"admin",
      "profile":"super_admin",
      "intf":"vlan_12",
      "method":"ssh",
      "srcaddr":"10.0.12.103",
      "time":1693938052,
      "disconnect_enabled":false,
      "is_current":false
    },
    {
      "id":5,
      "admin":"admin",
      "profile":"super_admin",
      "intf":"vlan_12",
      "method":"https",
      "srcaddr":"10.0.12.103",
      "time":1693937646,
      "disconnect_enabled":false,
      "is_current":false
    },
    {
      "id":17649,
      "admin":"admin01",
      "profile":"prof_admin",
      "intf":"vlan_12",
      "method":"ssh",
      "srcaddr":"10.0.12.103",
      "time":1693937567,
      "disconnect_enabled":true,
      "is_current":false
    },
    {
      "id":8,
      "admin":"admin00",
      "profile":"super_admin_readonly",
      "intf":"vlan_12",
      "method":"https",
      "srcaddr":"10.0.12.103",
      "time":1693938510,
      "disconnect_enabled":true,
      "is_current":false
    },
    {
      "id":17885,
      "admin":"admin02",
      "profile":"admin_no_access",
      "intf":"vlan_12",
      "method":"ssh",
      "srcaddr":"10.0.12.103",
      "time":1693938595,
      "disconnect_enabled":true,
      "is_current":false
    }
  ],
  "vdom":"root",
  "path":"system",
  "name":"current-admins",
  "action":"",
  "status":"success",
  "serial":"FGAABBTKxxxyyyzz",
  "version":"v7.4.1",
  "build":2463
}
In the above list, each admin entry has a ‘disconnect_enabled’ attribute. This flag is dependent on the permissions of the REST API Administrator relative to the admin’s permissions (i.e. non-super_admins cannot disconnect super_admins).
For example, if the REST API Administrator is a ‘prof_admin’ then this flag will be False for all the super_admins and the REST API Admin will not be able to disconnect any of them.
In order to disconnect an administrator, make sure that the ‘disconnect_enabled’ attribute is True for that specific administrator. You can then make an API call to ‘/api/v2/monitor/system/disconnect-admins/select’ with the following payload:
{
  "admins": [ { "id":<integer>, "method":<string> } ]
}
‘admins’ is a list of objects, each consisting of the admin ID (of an admin whose disconnect_enabled flag is True) and the login method (https, ssh, jsconsole).
The curl command for this API call will look something like this:
curl --insecure --location 'https://10.0.0.254/api/v2/monitor/system/disconnect-admins/select' \
--header 'Content-Type: text/plain' \
--header 'Authorization: Bearer rcfmgytpncdwNsfcHs5qssm7hk0sQm' \
--data '{"admins":[{"id":8,"method":"https"}]}'
root@debian:~# curl --insecure --location 'https://10.0.0.254/api/v2/monitor/system/disconnect-admins/select' \
--header 'Content-Type: text/plain' \
--header 'Authorization: Bearer rcfmgytpncdwNsfcHs5qssm7hk0sQm' \
--data '{"admins":[{"id":8,"method":"https"}]}'
{
  "http_method":"POST",
  "status":"success",
  "http_status":200,
  "vdom":"root",
  "path":"system",
  "name":"disconnect-admins",
  "action":"select",
  "serial":"FGAABBTKxxxyyyzz",
  "version":"v7.4.1",
  "build":2463
}
Note:
If an admin with the disconnect_enabled flag set as True is provided in the data payload, the API call will return 200 OK as the response code and success in the response. However, that admin will not be disconnected.
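As an added example (not from the original article and not Fortinet code), the selection and verification steps described above in Python: the payload is built only from sessions whose disconnect_enabled is true, and a second current-admins response is checked to confirm the session is gone, since a success status alone does not prove it. The function names and sample data are constructed, and it assumes the (id, method) pair identifies the same session across two calls.

```python
import json

# Constructed sample, shaped like the current-admins response shown above.
SAMPLE = json.loads("""
{"results": [
 {"id": 17764, "admin": "admin", "profile": "super_admin", "method": "ssh",
  "srcaddr": "10.0.12.103", "disconnect_enabled": false, "is_current": false},
 {"id": 17649, "admin": "admin01", "profile": "prof_admin", "method": "ssh",
  "srcaddr": "10.0.12.103", "disconnect_enabled": true, "is_current": false},
 {"id": 8, "admin": "admin00", "profile": "super_admin_readonly",
  "method": "https", "srcaddr": "10.0.12.103",
  "disconnect_enabled": true, "is_current": false}
], "status": "success"}
""")


def build_disconnect_payload(response, targets):
    """Return (payload, refused) for the admin names in `targets`.

    Only sessions with disconnect_enabled true and is_current false go into
    the payload; the others are returned in `refused` so that they are
    reported instead of being silently dropped.
    """
    selected, refused = [], []
    for session in response.get("results", []):
        if session["admin"] not in targets:
            continue
        if session.get("disconnect_enabled") and not session.get("is_current"):
            selected.append({"id": session["id"], "method": session["method"]})
        else:
            refused.append((session["id"], session["admin"], session["method"]))
    return {"admins": selected}, refused


def still_connected(payload, response_after):
    """List requested sessions that a fresh current-admins response still shows.

    Assumption: (id, method) identifies the same session across two calls.
    """
    live = {(s["id"], s["method"]) for s in response_after.get("results", [])}
    return [a for a in payload["admins"] if (a["id"], a["method"]) in live]
```

json.dumps(payload) gives the body for the disconnect-admins/select call; a non-empty result from still_connected means the session is still listed despite the success response.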