Diag command missing
Hi All,
Fairly new to Fortigate and seeking help please.
I've noticed on our v5.4 1500D's the diag command is missing when going into the global vdom. On the same hardware using v5.2 or below the diag command is present in global.
Any ideas why there is a difference in 5.4? I was trying to perform the diag netlink command and cannot do this on 5.4.
Thanks
I don't remember 5.2 well. Those days were more than 5 years ago I guess. But I'm almost sure the design with multi-vdom environment was the same. Are you sure the 5.2 box has "vdom-admin" enabled under "config sys global"?
Global is NOT a vdom. It's outside of all vdoms, which defines interfaces and box-wide system settings and others. Since it's not a vdom, it doesn't have routing tables, policies, security profiles that all vdoms have. Therefore no diag commands for those features.
I'm sure that command was available in global context at one time also.
Ken Felix
PCNSE
NSE
StrongSwan
There has been a change in 5.4.3 and 5.6.0 which requires that all admin access (mntgrp, admingrp, .....) in an access profile need to be read-write if an admin using this profile wants to issue diag commands. This behavior has been changed in 6.0.4 (and should be in 6.2.0) to be granular and take into account for which access category the value is read-write or not.
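As an added example (not from the thread or from Fortinet), a small Python audit that parses the `config system accprofile` section of a FortiOS config backup and reports, per access profile, the categories below read-write; under the 5.4.3/5.6.0 behaviour described above, any such category blocks diag commands for admins using that profile. The profile names and the category names other than mntgrp/admingrp are assumptions used for illustration.

```python
import re

# Constructed FortiOS CLI excerpt (not from the thread). Profile names, and the
# category names other than mntgrp/admingrp, are assumptions for illustration.
SAMPLE_CONFIG = """\
config system accprofile
    edit "noc_readonly"
        set scope global
        set mntgrp read
        set admingrp none
        set netgrp read-write
    next
    edit "full_admin"
        set mntgrp read-write
        set admingrp read-write
        set netgrp read-write
    next
end
"""

PERMISSIONS = {"none", "read", "read-write", "custom"}  # values a category can take

def parse_accprofiles(config_text: str) -> dict[str, dict[str, str]]:
    """Return {profile_name: {category: permission}} from a config dump."""
    profiles: dict[str, dict[str, str]] = {}
    in_block, current = False, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system accprofile":
            in_block = True
        elif in_block and line == "end":
            in_block = False
        elif in_block and (m := re.match(r'edit "([^"]+)"$', line)):
            current = m.group(1)
            profiles[current] = {}
        elif in_block and current and (m := re.match(r"set (\S+) (\S+)$", line)):
            key, value = m.groups()
            if value in PERMISSIONS:  # skip non-permission settings such as scope
                profiles[current][key] = value
        elif in_block and line == "next":
            current = None
    return profiles

def diag_blockers(profile: dict[str, str]) -> list[str]:
    """Categories below read-write; under the 5.4.3/5.6.0 rule any one blocks diag."""
    return sorted(k for k, v in profile.items() if v != "read-write")

def audit(config_text: str) -> dict[str, list[str]]:
    """Map each profile to its blocking categories (empty list = diag allowed)."""
    return {n: diag_blockers(p) for n, p in parse_accprofiles(config_text).items()}
```

On 6.0.4 and later, where the check is granular, a flagged profile may still run diag commands for the categories that are read-write, so treat the report as a pointer to the profile to review rather than a hard verdict.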
Thanks all. I think jhouvenaghel_FTNT is onto something. The command appears in the same appliances running anything earlier than 5.4. So versions with 5.2 and 5.0 I have do have the command present.
Could this be a TACACS related issue?
I don't believe it is related to the kind of authentication you use. Only related to the access profile you use, which does not give the same rights for diag command after upgrading to 5.4.3/5.6.0.