Support Forum
jefazo92
Contributor

Is it possible to disable "shutdown" in Fortigate?

Hi everyone,

I want to prevent anyone from being able to shut down the FortiGate from the GUI or CLI. Is there a command which would allow me to implement this on a FortiGate 100F?

ozkanaltas
Valued Contributor III

Hi @jefazo92,

As far as I know, FortiGate does not allow restricting a specific command. However, you can turn off the use of the execute command for a specific admin profile. The user will then not be able to run any command that starts with execute.

https://docs.fortinet.com/document/fortigate/7.4.0/new-features/98190/cli-system-permissions-7-4-2

I could not test this, but if you give the user the prof_admin role, they can be prevented from turning off the device. But as I said, I haven't tried it before; you need to try it.

As an alternative, if you remove the Configuration and Maintenance privileges in the admin profile, the shutdown command will not work.

[image attachment: image.png]

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
amrit
Staff

It is not possible to restrict the execution of a particular command in FortiGate. However, you can handle this using the settings below:

1. Give read-only permission in the Maintenance section of the admin profile:

System > Admin Profiles > select profile > customize permissions in the System section

This will disable the shutdown from the GUI.

[image attachment: AdminProfiles.JPG]

2. Disable the execute commands. This will disable the shutdown from the CLI:

    config system accprofile
        edit <name>
            set cli-exec disable
        end

Amritpal Singh
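The two settings from this answer combined into one admin profile and assigned to an administrator, as an added example that is not code from the thread or from Fortinet documentation. The profile name "restricted-ops", the admin name "ops-admin" and the password are placeholders, and the sysgrp custom / sysgrp-permission field names are written from memory of the FortiOS accprofile CLI, so check them against the CLI reference for your firmware before using them. "set mnt read" is the CLI form of the read-only Maintenance permission that removes the GUI shutdown, and "set cli-exec disable" removes the whole execute tree from the CLI, so commands such as execute ping and execute traceroute go away along with execute shutdown.

```fortios
# Added example, not from the thread; names and the password are placeholders.
# Lines starting with '#' are backup-file style annotations; drop them if you
# paste the block into an interactive CLI session.

# Admin profile: normal rights, but System > Maintenance is read-only
# (no Shutdown/Reboot in the GUI) and the 'execute' tree is disabled
# (no 'execute shutdown' in the CLI). Groups not listed default to none.
config system accprofile
    edit "restricted-ops"
        set netgrp read-write
        set fwgrp read-write
        set loggrp read-write
        set sysgrp custom
        config sysgrp-permission
            set admin read-write
            set upd read-write
            set cfg read-write
            set mnt read
        end
        set cli-exec disable
    next
end

# Assign the profile to an administrator account.
config system admin
    edit "ops-admin"
        set accprofile "restricted-ops"
        set password "CHANGE-ME-placeholder"
    next
end

# Verify the stored profile before handing the account out:
#   show system accprofile restricted-ops
```

Log in as the restricted administrator afterwards and confirm that the shutdown and reboot actions are no longer offered in the GUI and that execute commands are refused in the CLI; keep at least one unrestricted super_admin account so the device can still be serviced.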
ede_pfau
SuperUser

I feel it should be mentioned that while disabling the "exec" command in the admin profile will solve the problem, it will block a lot of 'innocent' commands as well, such as ping, ping-options and traceroute. Whether an admin could live with that, or should just respect the rule not to ever shut down the firewall, is debatable.

I mean, there is a security prompt in this command, both in GUI and CLI, before it is executed, for a good reason.

Ede Kernel panic: Aiee, killing interrupt handler!
amrit
Staff

Thanks for raising your concern regarding the exec command.
As mentioned in my last post, it is impossible to restrict the execution of a particular command in FortiGate, so disabling the exec functionality will disable all execute commands.

Amritpal Singh
johnlloyd_13
Contributor II

Hi,

Yes, you can set up an access profile for read/write in order to disable a reboot or shutdown of the FG.

See the sample photo below, where we've disabled access to "System".

[image attachment: image.png]
