xshkurti
Staff
Article Id 367377
Description: This article describes how to check and fix the CLI output when the error 'object set operator error, -672 discard the setting' is displayed.
Scope: FortiGate v7.x.
Solution:

In specific conditions, enabling 'cli-diagnose' from the CLI will return an error with a -672 discard code.

Conditions that will trigger this situation:

  1. A new admin profile with all CLI options enabled (cli-get, cli-show, cli-exec, cli-config).

config system accprofile
    edit "test_admin_profile"
        set secfabgrp read-write
        set ftviewgrp read-write
        set authgrp read-write
        set sysgrp read-write
        set netgrp read-write
        set loggrp read-write
        set fwgrp read-write
        set vpngrp read-write
        set utmgrp read-write
        set wanoptgrp read-write
        set wifi read-write
        set cli-get enable
        set cli-show enable
        set cli-exec enable
        set cli-config enable
    next
end

  2. A user who is assigned this new admin profile:

config system admin
    edit "test"
        set accprofile "test_admin_profile"
        set vdom "root"
        set password ENC SH22jwJ46fFCMCCLIcRHJhm17XuQz4L4SxADKdMiUW
    next
end

  3. Executing the CLI commands as the 'test' user:

FGT (test_admin_profile) $ set cli-diagnose enable
FGT (test_admin_profile) $ next
object set operator error, -672 discard the setting
Command fail. Return code 1

FGT (accprofile) $

To fix this issue, log in with an admin account that is a member of the super_admin profile and make the change from that account.

The error occurs because a user cannot change the accprofile that is assigned to their own account. Another user with higher privileges is required to make this change.
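
The following Python script is an added example, not part of the original article and not Fortinet code. It reads a configuration backup and lists the administrators whose profile lacks a CLI option and who, per the rule above, need a super_admin account to enable it. The sample configuration is constructed from the two blocks in this article plus a hypothetical "admin" user. Treating an option that is absent from the backup as not enabled is an assumption, and the parser handles only flat tables like the ones shown here.

```python
# Constructed sample: the article's two blocks (trimmed) plus a hypothetical "admin" user.
SAMPLE_CONFIG = '''\
config system accprofile
    edit "test_admin_profile"
        set sysgrp read-write
        set cli-get enable
        set cli-show enable
        set cli-exec enable
        set cli-config enable
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "test"
        set accprofile "test_admin_profile"
        set vdom "root"
    next
end
'''
CLI_OPTIONS = ("cli-get", "cli-show", "cli-exec", "cli-config", "cli-diagnose")

def parse_tables(text):
    """Return {table: {entry: {option: value}}} for flat (non-nested) tables."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            table = tables.setdefault(line[len("config "):], {})
        elif line.startswith("edit ") and table is not None:
            entry = table.setdefault(line[len("edit "):].strip('"'), {})
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[len("set "):].partition(" ")
            entry[key] = value.strip('"')
        elif line == "next":
            entry = None
        elif line == "end":
            table = entry = None
    return tables

def audit(text):
    """List (admin, profile, missing CLI options) for non-super_admin accounts."""
    tables = parse_tables(text)
    profiles = tables.get("system accprofile", {})
    findings = []
    for admin, settings in tables.get("system admin", {}).items():
        profile = settings.get("accprofile")
        if profile == "super_admin":
            continue  # these accounts can edit other profiles themselves
        # Assumption: an option absent from the backup is not enabled.
        missing = [o for o in CLI_OPTIONS if profiles.get(profile, {}).get(o) != "enable"]
        if missing:
            findings.append((admin, profile, missing))
    return findings
```

For the sample, `audit(SAMPLE_CONFIG)` reports that the 'test' user on 'test_admin_profile' is missing cli-diagnose, which matches the case in this article.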

 

Related Documents:
Technical Tip: Unable to run debug command

Administrator profiles