hbouddine
New Contributor

Manager Fortigate

Hello,

I have a question in relation to the FortiManager. I have several UTMs on different sites that are managed by the local IT, but with a user profile that only has the rights to modify the web filter and to consult the logs. When adding the UTM to the FortiManager, the local IT no longer have the ability to manage the FGT, since they do not have the admin rights to resume control. Can you tell me if this is normal, or if there is a configuration to make on the FortiManager side to allow them to manage the FortiGate via the FortiManager and also with direct access, knowing that one cannot give them admin rights instead of the FortiManager.

Thank you in advance.

Best regards,

5 REPLIES
emnoc
Esteemed Contributor III

If your question is about access profiles, I'm sure you can add an access profile and account for the UTM "admin" and restrict him to that device via the pkg and ADOM.

You might have to look at your FMG version and admin settings and admin profiles.

 

 

config system admin profile
    edit "UTM"
        set system-setting none
        set adom-switch none
        set global-policy-packages none
        set assignment none
        set read-passwd none
        set intf-mapping none
        set device-manager none
        set device-config none
        set device-op none
        set device-wan-link-load-balance none
        set device-ap none
        set device-forticlient none
        set device-profile none
        set policy-objects none
        set deploy-management none
        set import-policy-packages none
        set config-retrieve none
        set config-revert none
        set term-access none
        set adom-policy-packages none
        set vpn-manager none
        set realtime-monitor none
        set consistency-check none
        set fgd_center none
        set fgd-center-licensing none
        set fgd-center-fmw-mgmt none
        set fgd-center-advanced none
        set log-viewer none
        set report-viewer none
        set event-management none
    next
end

 

 

PCNSE NSE StrongSwan
chall_FTNT

When using the FortiManager in Normal Mode (default), it is discouraged to make changes directly on the FortiGate.

That is why, by design, the FGT GUI defaults to Read-Only access when the FGT is managed by FMG. Only a super-admin FGT account is given the option to switch to Read-Write.

Those wishing to make regular changes directly on the FGT GUI and only wanting FMG as a configuration repository should consider using FMG in Backup Mode.

Chris Hall
Fortinet Technical Support
emnoc
Esteemed Contributor III

Only a super-admin FGT account is giving the option to switch to Read-Write.

 

 

That's not 100% correct. Take this user: it's not technically a super_admin; in fact it has a custom access_profile.

 

 

GETCOMRKT1 (GCP) $ get system admin list
username           local   device  vdom  profile   remote               started
kfelix.socpuppets  ssh     N/A     GCP   PROFILE1  192.168.77.11:51427  2017-07-25 18:18:58
kfelix.socpuppets  https   N/A     GCP   PROFILE1  192.168.77.11:51482  2017-07-25 18:20:21

 

 

PCNSE NSE StrongSwan
chall_FTNT

Hmm, interesting. Our development team has confirmed that it *should* only be "super admin" profiles which are presented with that override option. Thanks for your finding.

In any case, the restriction is there to help discourage admin users from making direct changes on the FGT that are then a lot of work to resync with the FMG. Device-level settings are no problem. Changes to policies and objects require resyncing with the ADOM level and thus are more work afterward.

Chris Hall
Fortinet Technical Support
emnoc
Esteemed Contributor III

I still think the OP could have an account that gives just limited access for the role via a profile. I would need to try it and prove it.

 

Ken

 

PCNSE NSE StrongSwan