sarafianl
New Contributor

Diag command missing

Hi All,

 

Fairly new to Fortigate and seek help please.

 

I've noticed on our v5.4 1500D's the diag command is missing when going into the global vdom.  On the same hardware using v5.2 or below the diag command is present in global.

 

Any ideas why there is a difference in 5.4? I was trying to perform the diag netlink command and cannot do this on 5.4.

 

Thanks

5 REPLIES
Toshi_Esumi
Esteemed Contributor III

I don't remember 5.2 well. Those days were more than 5 years ago I guess. But I'm almost sure the design with multi-vdom environment was the same. Are you sure the 5.2 box has "vdom-admin" enabled under "config sys global"?

Global is NOT a vdom. It's outside of all vdoms, which defines interfaces and box-wide system settings and others. Since it's not a vdom, it doesn't have routing tables, policies, security profiles that all vdoms have. Therefore no diag commands for those features.

 

emnoc
Esteemed Contributor III

I'm sure that command was available in global context at one time also.

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

jhouvenaghel_FTNT

There has been a change in 5.4.3 and 5.6.0 which requires that all admin access (mntgrp, admingrp, .....) in an access profile need to be read-write if an admin using this profile wants to issue diag commands. This behavior has been changed in 6.0.4 (and should be in 6.2.0) to be granular and take into account for which access category the value is read-write or not.
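
An added example, not part of the thread or Fortinet's own tooling: a Python sketch that audits saved `config system accprofile` output for profiles that would fall under the 5.4.3/5.6.0 behavior described in the reply above. It assumes the text comes from `show full-configuration` so every access category is listed; the profile names and sample config are constructed, and only the two category names quoted in the reply are used.

```python
import re

# Constructed sample, not from the thread. Only the two category names quoted
# in the reply (mntgrp, admingrp) are used; profile names are hypothetical.
SAMPLE = '''config system accprofile
    edit "noc_readonly"
        set mntgrp read
        set admingrp read
    next
    edit "noc_full"
        set mntgrp read-write
        set admingrp read-write
    next
    edit "noc_mixed"
        set mntgrp read-write
        set admingrp none
    next
end'''

# Assumption: any "set <name> <value>" with one of these values is an access category.
ACCESS_VALUES = {"none", "read", "read-write", "custom"}

def parse_accprofiles(text):
    """Return {profile: {category: access}} from 'config system accprofile'."""
    profiles, current, depth = {}, None, 0
    for line in (raw.strip() for raw in text.splitlines()):
        if depth == 0:
            depth = 1 if line == "config system accprofile" else 0
        elif line.startswith("config "):
            depth += 1          # nested sub-table inside a profile
        elif line == "end":
            depth -= 1
        elif depth == 1 and line.startswith("edit "):
            current = line[5:].strip().strip('"')
            profiles[current] = {}
        elif depth == 1 and line == "next":
            current = None
        elif depth == 1 and current is not None:
            m = re.fullmatch(r"set (\S+) (\S+)", line)
            if m and m.group(2) in ACCESS_VALUES:
                profiles[current][m.group(1)] = m.group(2)
    return profiles

def profiles_losing_diag(profiles):
    """Profiles with any category below read-write, per the 5.4.3/5.6.0 rule."""
    return {name: sorted(c for c, v in cats.items() if v != "read-write")
            for name, cats in profiles.items()
            if any(v != "read-write" for v in cats.values())}

if __name__ == "__main__":
    for name, cats in profiles_losing_diag(parse_accprofiles(SAMPLE)).items():
        print(f"{name}: not read-write -> {', '.join(cats)}")
```

Running this against a pre-upgrade backup lists the profiles to review before moving to an affected release, so access can be adjusted per profile instead of granting read-write everywhere.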

sarafianl

Thanks all. I think jhouvenaghel_FTNT is onto something. The command appears in the same appliances running anything earlier than 5.4. So the versions with 5.2 and 5.0 I have do have the command present.

 

Could this be a TACACS related issue?

jhouvenaghel_FTNT

I don't believe it is related to the kind of authentication you use. It is only related to the access profile you use, which does not give the same rights for diag commands after upgrading to 5.4.3/5.6.0.
