darryl_marquez
New Contributor

Disable super admin account

Hi

 

Is there a chance to temporarily disable one (1) super admin account? I have created a super admin account for our vendor access and I wanted to disable it once in a while after the support. Thank you.

Toshi_Esumi
Esteemed Contributor III

Try "set schedule none" in the account config. Since the setting doesn't show up in GUI, you need to remember what you did then "unset schedule" or "set schedule always" to re-enable it.

emnoc
Esteemed Contributor III

You could do this:

config firewall schedule recurring
    edit "none"
        set day none
    next
end

config sys admin
    edit adminname
        set schedule none
end

Alternatively you could enable two-factor with a bogus email_address and that would technically keep them out also.

 

Ken

 

PCNSE 

NSE 

StrongSwan  

ede_pfau

or, in the 'conf sys admin' section, define a bogus 'TrustedHosts' network. Which is visible in the GUI...


Ede

"Kernel panic: Aiee, killing interrupt handler!"
darryl_marquez

Hi Sir,

 

What do you mean by "define a bogus 'TrustedHosts' network"?

 

Currently all admins have a trusted host value of 0.0.0.0/0.

ede_pfau

bogus = non-existent, with certainty. Like 10.11.12.0/30 if you don't use 10.x networks inhouse.

I would choose a private address range (192.168.x, 172.16.y, 10.z.t) as these are not routed via Internet and can only occur on your LAN.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
darryl_marquez

Thank you very much. If our vendor needs to log in using their account, I will just edit the trusted host again to o.o.o.o/o?

ede_pfau

Yes, exactly.

Use zeroes ("0"), not 'oh's ("o") :)

 

'0.0.0.0/0' is a Fortinet-specific wildcard for a subnet, meaning 'any'. Just like '*' in other contexts.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Chris

Another solution is to create a profile with no Access. If you want to disable the account you only switch the user to this profile. He can log in but do nothing. I have tested it now with a 60D and it works as expected. I think this is much easier.

Regards
Chris
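An added example, not part of any post in this thread: a small Python audit that reads the `config system admin` section of a configuration backup and reports which accounts are parked on a bogus trusted-host network, as in ede_pfau's replies, and which still accept logins from any source. The sample config is constructed, the function names are hypothetical, and it assumes the backup lists `trusthostN` as an address followed by a netmask and omits the line when the value is the default 'any'.

```python
import ipaddress
import re

# Constructed excerpt in the layout of a FortiOS config backup (not from the thread).
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "vendor"
        set trusthost1 10.11.12.0 255.255.255.252
        set accprofile "super_admin"
    next
end
"""
ANY = ipaddress.ip_network("0.0.0.0/0")

def to_net(addr, mask):
    """Build a network from the address/netmask pair used in the config."""
    prefix = bin(int(ipaddress.ip_address(mask))).count("1")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def parse_admins(text):
    """Return {name: {"profile": str or None, "trusthosts": [networks]}}."""
    admins, current, inside = {}, None, False
    for line in map(str.strip, text.splitlines()):
        if line == "config system admin":
            inside = True
        elif not inside:
            continue
        elif line == "end":
            break
        elif m := re.match(r'edit "?([^"]+)"?$', line):
            current = admins.setdefault(m[1], {"profile": None, "trusthosts": []})
        elif current and (m := re.match(r"set trusthost\d+ (\S+) (\S+)$", line)):
            current["trusthosts"].append(to_net(m[1], m[2]))
        elif current and (m := re.match(r'set accprofile "?([^"]+)"?$', line)):
            current["profile"] = m[1]
    return admins

def admits(admin, src_ip):
    """True if src_ip matches a trusted host; no entries is assumed to mean any source."""
    nets = admin["trusthosts"] or [ANY]
    return any(ipaddress.ip_address(src_ip) in net for net in nets)

def unrestricted(admins):
    """Names of accounts that accept logins from any source address."""
    return sorted(n for n, a in admins.items() if ANY in (a["trusthosts"] or [ANY]))
```

Running `admits()` against addresses that are actually in use on the LAN confirms that the chosen bogus network is really unused, which is the condition the trusted-host approach depends on.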
