FortiManager
vraev
Staff
Article Id 289383
Description

This article describes the IPS administrator profile enhancement introduced in FortiManager 7.4.2.

Scope

FortiManager v7.4.2 and later.

Solution

A new IPS permission is introduced in the administrator profile to separate the firewall administrator role from the IPS administrator role, so that an administrator can be given policy rights without the ability to change the IPS-related attributes of a policy.

The following attribute is added to the administrator profile configuration (shown here set to none for the restricted profile):

config system admin profile
    policy-ips-attrs : none

[Screenshot: user_no_ips_profile.png]

After the profile has been prepared, assign it to the new administrator.

When this administrator opens a policy that has IPS and SSH profiles applied, those fields are grayed out: the user can see them but has no permission to change them.

[Screenshot: user_no_ips.png]


If this administrator tries to create a new policy that references an IPS profile, whether through the GUI, a CLI script, or an API call, and whether the target is the Policy Package or the ADOM database, the request is rejected with an error stating that the user has no write permission for that attribute.

[Screenshot: user_no_ips_profile_script.png]


Example:

[Animation: no_ips_profile_742.gif]

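The Python script below is an added example, not code from the article or from Fortinet. It builds the FortiManager JSON-RPC requests that correspond to the steps above (set a profile with policy-ips-attrs none, log in as the restricted administrator, attempt to add a policy that references an IPS sensor) and reads the permission error back from the response. The /jsonrpc endpoint, the login call on /sys/login/user, the profile URL /cli/global/system/admin/profile, the policy URL under /pm/config/adom/<adom>/pkg/<pkg>/firewall/policy, the user names and passwords, the assumption that 'fwadmin' already exists with the restricted profile assigned, and the error code -11 returned by the offline stand-in are all assumptions for illustration. The stand-in transport is constructed so the script runs without a device; against a real unit you would pass https_transport("https://<fmg>") instead and match on any non-zero status code rather than on -11.

```python
# Added example (not from the article or Fortinet). Assumes standard FortiManager
# JSON-RPC usage (POST to /jsonrpc, exec /sys/login/user for a session), that
# policy-ips-attrs takes none/read/read-write, that 'fwadmin' already exists with
# the restricted profile, and that -11 is the permission error (stand-in only).
import json
import ssl
import urllib.request
from typing import Any, Callable, Dict, List, Tuple

JsonRpc = Dict[str, Any]
Transport = Callable[[JsonRpc], JsonRpc]


def https_transport(base_url: str, verify_tls: bool = True) -> Transport:
    """Real transport: POST each JSON-RPC envelope to <base_url>/jsonrpc."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for a lab unit with a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def send(req: JsonRpc) -> JsonRpc:
        http = urllib.request.Request(
            base_url.rstrip("/") + "/jsonrpc", data=json.dumps(req).encode(),
            headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(http, context=ctx, timeout=30) as resp:
            return json.load(resp)
    return send


def rpc(method: str, url: str, data: Any = None, session: str = "", req_id: int = 1) -> JsonRpc:
    """Build one FortiManager JSON-RPC request envelope."""
    param: Dict[str, Any] = {"url": url}
    if data is not None:
        param["data"] = data
    req: JsonRpc = {"id": req_id, "method": method, "params": [param]}
    if session:
        req["session"] = session
    return req


def status(resp: JsonRpc) -> Tuple[int, str]:
    """result[0].status carries code (0 = success) and a message."""
    st = resp["result"][0]["status"]
    return st["code"], st.get("message", "")


def login(send: Transport, user: str, password: str) -> str:
    resp = send(rpc("exec", "/sys/login/user", {"user": user, "passwd": password}))
    code, msg = status(resp)
    if code != 0:
        raise PermissionError(f"login failed for {user}: {code} {msg}")
    return resp["session"]


def ips_restricted_profile_request(session: str, profile_name: str) -> JsonRpc:
    """Profile for a firewall administrator who must not touch IPS attributes.
    Only policy-ips-attrs comes from the article; the profile's other rights
    are set the same way and are left to the operator."""
    data = {"profileid": profile_name, "policy-ips-attrs": "none"}
    return rpc("set", "/cli/global/system/admin/profile", data, session)


def policy_with_ips_request(session: str, adom: str, pkg: str, ips_sensor: str) -> JsonRpc:
    """Policy add that references an IPS sensor; the restricted user is refused."""
    url = f"/pm/config/adom/{adom}/pkg/{pkg}/firewall/policy"
    data = {"name": "ips-profile-test", "srcintf": ["any"], "dstintf": ["any"],
            "srcaddr": ["all"], "dstaddr": ["all"], "service": ["ALL"],
            "schedule": ["always"], "action": "accept",
            "utm-status": "enable", "ips-sensor": [ips_sensor]}
    return rpc("add", url, data, session)


def fake_fmg_transport(seen: List[JsonRpc]) -> Transport:
    """Constructed offline stand-in for a FortiManager (not a real device):
    grants logins, accepts the profile set, and refuses any policy add whose
    data carries ips-sensor, mirroring the behaviour the article describes."""
    def send(req: JsonRpc) -> JsonRpc:
        seen.append(req)
        p = req["params"][0]
        resp: JsonRpc = {"id": req["id"],
                         "result": [{"status": {"code": 0, "message": "OK"}, "url": p["url"]}]}
        if p["url"] == "/sys/login/user":
            resp["session"] = "constructed-session"
        elif req["method"] == "add" and "ips-sensor" in p.get("data", {}):
            resp["result"][0]["status"] = {"code": -11, "message": "No permission for the resource"}
        return resp
    return send


def check_ips_restriction(send: Transport, adom: str = "root", pkg: str = "default") -> Tuple[int, str]:
    """Full flow: admin sets the profile, then the restricted user tries a
    policy with an IPS sensor. Returns (code, message) of that attempt."""
    admin = login(send, "admin", "admin-password")
    code, msg = status(send(ips_restricted_profile_request(admin, "fw_admin_no_ips")))
    if code != 0:
        raise RuntimeError(f"profile set failed: {code} {msg}")
    restricted = login(send, "fwadmin", "user-password")  # assumed to carry the profile
    return status(send(policy_with_ips_request(restricted, adom, pkg, "default")))


if __name__ == "__main__":
    sent: List[JsonRpc] = []
    print(check_ips_restriction(fake_fmg_transport(sent)))
```

The same requests are what a CLI script or the GUI ultimately issue on the user's behalf, which is why the restriction holds for all three paths: the check is made against the profile attached to the session, not against the client used.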

Troubleshooting:

Connect to the CLI with a local 'admin' account and enable the following debugs, then log in with the administrator that was assigned the restricted profile so that the authentication is captured:

diagnose debug reset
diagnose debug application auth 255
diagnose debug timestamp enable
diagnose debug enable


[Screenshot: user_pass_troubleshooting.png]


After reviewing the output for the connected user(s), disable the debugs:

diagnose debug disable
diagnose debug reset

Related article:

Technical Tip: How to configure the 'Password Change User' admin profile in v7.4.2 FortiManager and ...