Hello,
I have a question in relation to the fortimanager, I have several UTMs on different sites and that are managed by the local IT but with a user profile with only the rights to modify the Webfilter and to consult the logs. When adding the UTM to the Fortimanager, the local IT no longer have the hand to manage the FGT since they do not have the admin rights to resume control. Can you tell me if this is normal or if there is a configuration to make Fortimanager side to allow them to manage the Fortigate via the Fortimanager and also with direct access, knowing well that one can not give them access With admin rights instead of the Fortimanager.
Thank you in advance.
Best regards,
If your question is access-profiles I'm sure you can add access profile and account for the UTM "admin" and restrict him to that device via the pkg and adom
You might have to look at your FMG-ver and admin settings an admin profiles.
config system admin profile
edit "UTM"
set system-setting none
set adom-switch none
set global-policy-packages none
set assignment none
set read-passwd none
set intf-mapping none
set device-manager none
set device-config none
set device-op none
set device-wan-link-load-balance none
set device-ap none
set device-forticlient none
set device-profile none
set policy-objects none
set deploy-management none
set import-policy-packages none
set config-retrieve none
set config-revert none
set term-access none
set adom-policy-packages none
set vpn-manager none
set realtime-monitor none
set consistency-check none
set fgd_center none
set fgd-center-licensing none
set fgd-center-fmw-mgmt none
set fgd-center-advanced none
set log-viewer none
set report-viewer none
set event-management none
next
end
PCNSE
NSE
StrongSwan
When using the FortiManager is Normal Mode (default), it is discouraged to make changes directly on the FortiGate.
That is why, by design, the FGT GUI default to Read-Only access when the FGT is managed by FMG. Only a super-admin FGT account is giving the option to switch to Read-Write.
Those wishing to make regular changes directly on the FGT GUI & only wanting FMG as a configuration repository should consider using FMG in Backup Mode.
Only a super-admin FGT account is giving the option to switch to Read-Write.
That's not 100% correct. Take this user it's not technically a super_admin in fact it has a custom access_profile
GETCOMRKT1 (GCP) $ get system admin list username local device vdom profile remote started kfelix.socpuppets ssh N/A GCP PROFILE1 192.168.77.11:51427 2017-07-25 18:18:58 kfelix.socpuppets https N/A GCP PROFILE1 192.168.77.11:51482 2017-07-25 18:20:21
PCNSE
NSE
StrongSwan
Hmm, interesting. Our development team has confirmed that is *should* only be "super admin" profiles which are presented with that override option. Thanks for your finding.
In any case, the restriction is there to help discourage admin users from making direct changes on the FGT that are then alot of work to resync with the FMG. Device-level settings are no problem. Changes to policies & objects require resyncing with the ADOM level & thus are more work afterward.
I still think the OP could have a account that gives just limited access for the role via profile. I would need to tried and proof
Ken
PCNSE
NSE
StrongSwan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1739 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.