I'm trying to set up a read only user that would be used to back up configurations and apparently setting read only rights on all options in the admin profile will cause it to deny SSH connections in from that user. Is there a specific access control item that needs to be read-write for you to be able to use the cli?
CISSP, NSE4
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
You have to look at the accessprofile and the categories. Just test it b4 you release it. Keep in mind that they can still get access to fnsysctl and if you allow scp you can have anybody conduct a restoral.
I haven't found any method for a use to just "backup" only with no other means. Let us know what you do. In thelong run you would find the fortimanager a better solution for this but at the cost of $$$$.$$ ;)
PCNSE
NSE
StrongSwan
I don't think that getting hold of a firewall backup corresponds well to a 'I-dont-trust-you-so-you-work-readonly' admin. You can either have one or the other.
A backup file plus physical access is all one needs to get total control of a firewall.
well it would be mostly for an automated tool to access the firewall and we want to have its own admin account. The desire to restrict access to that account is so that if someone were to get the password, they would have limited ability to do anything bad. The more likely scenario is that the software has some bug and causes a change in the configuration unexpectedly.
Either way, the admin guide specifically mentions that depending on your access level, parts of the cli structure may be unavailable but it does not specify that in order to access the CLI at all, you need x,y, and z permissions.
CISSP, NSE4
Sorry!
Apparently the problem was we had the wrong line ending in the setup. read only access dumps you to the CLI with a $ at the end instead of the # a super user would get. That was the problem all along.
CISSP, NSE4
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1696 | |
1091 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.