Support Forum
mhdganji

Minimum permissions for updating signatures

Hi,

I need to have someone update signatures on Fortigate firewalls, and I am not willing to give him a super admin account. Is there any way to create an account with the minimum permissions, just enough to be able to run the execute restore ... command and update the firewall?

Regards,

2 Solutions
kcheng

Hi @mhdganji

You may want to try with the following setting:

config sysgrp-permission
    set upd read-write
    set cfg read
    set mnt read-write
end

Cheers,
Kayzie Cheng

mhdganji

I'm using this except set admin ...

upd read/write
cfg read
mnt read/write
set scope global

This is the output:

Get antivirus database from tftp server ok
command fail return code -85

Seems to be working, but what is the -85 error code? Any way to find the details about this error code and the results of the command?

Anonymous

Hello @mhdganji,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

Anonymous

Hello @mhdganji,

As per my research, I have found a link which shows how to configure "Administrator Profile". Let me know if this helps.

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/294491/administrator-profiles

Thanks,

mhdganji

Hello there,

Thanks, but which commands or section give me the ability to permit a user to update only the firewall signatures with the execute restore command?

Maybe we should use:

config sysgrp-permission
    set admin {none | read | read-write} – Administrator Users.
    set upd {none | read | read-write} – FortiGuard Updates.
    set cfg {none | read | read-write} – System Configuration.
    set mnt {none | read | read-write} – Maintenance.

mhdganji

I will give this a try and share the results


Muhammad_Haiqal

Hi mhdganji,

Fortigate itself does periodic signature updates; there is no need to update manually.
May I know what you mean by execute restore? What do you want to achieve with that command?

haiqal
mhdganji

Hi,

Because I don't want to connect some of my devices to the Internet, and this is the way we update them.

Muhammad_Haiqal

Hi mhdganji,

Can you explain your scenario further, so I can provide some ideas to achieve your requirements?

haiqal
mhdganji

Hi @Muhammad_Haiqal,

I cannot let some of my firewalls go through the Internet. Therefore, to update some of their signatures, like AV and IPS, I use offline files and the execute restore command. I've written a simple script to connect via SSH, run the mentioned command, and use an FTP address to find the files and update the firewall. This script uses the superadmin user to SSH and run the commands, which I'm not happy with. So, I need a more privileged account (not superadmin) to be able to SSH and only run some specific commands, specifically execute restore ...

I hope my elaboration of the problem has been clear.

Regards,
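As an added example (not code from this thread or from Fortinet), here is the shape such an update script can take: it renders the restricted profile from kcheng's sysgrp-permission values, refuses anything other than the restore commands, and reads the "command fail return code" line instead of assuming success. The profile name "sig-update", the argument form "execute restore <av|ips> tftp <file> <server>" and the injected run_cmd transport are assumptions; the sample output is constructed from what mhdganji posted.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# "set sysgrp custom" is what makes FortiOS apply the per-area
# sysgrp-permission settings inside an accprofile.
VALID_LEVELS = {"none", "read", "read-write"}

def accprofile_cli(name: str, perms: Dict[str, str]) -> str:
    """Render an accprofile granting only the listed sysgrp areas (name is hypothetical)."""
    for area, level in perms.items():
        if level not in VALID_LEVELS:
            raise ValueError(f"{area}: invalid level {level!r}")
    lines = ["config system accprofile", f'    edit "{name}"',
             "        set sysgrp custom", "        config sysgrp-permission"]
    lines += [f"            set {area} {lvl}" for area, lvl in perms.items()]
    lines += ["        end", "    next", "end"]
    return "\n".join(lines)

# Only the signature-restore commands the restricted admin is meant to run.
# Assumed argument form: "execute restore <av|ips> tftp <file> <server>".
ALLOWED_PREFIXES = ("execute restore av ", "execute restore ips ")
FAIL_RE = re.compile(r"command fail return code\s+(-?\d+)")

def is_allowed(command: str) -> bool:
    return command.startswith(ALLOWED_PREFIXES)

def check_restore_output(output: str) -> Tuple[bool, Optional[int], List[str]]:
    """Return (ok, fail_code, steps_reported_ok). The run counts as a success
    only when no 'command fail return code' line appears in the output."""
    steps_ok = [ln.strip() for ln in output.splitlines() if ln.rstrip().endswith(" ok")]
    m = FAIL_RE.search(output)
    code = int(m.group(1)) if m else None
    return code is None, code, steps_ok

def run_signature_update(command: str, run_cmd: Callable[[str], str]) -> Dict:
    """run_cmd is the injected transport (e.g. a channel on an SSH session opened
    as the restricted admin) and must return the command's text output."""
    if not is_allowed(command):
        raise ValueError(f"refusing to run non-update command: {command!r}")
    ok, code, steps = check_restore_output(run_cmd(command))
    return {"command": command, "ok": ok, "fail_code": code, "steps_ok": steps}

# Constructed sample: the output mhdganji reported in the thread.
SAMPLE_OUTPUT = "Get antivirus database from tftp server ok\ncommand fail return code -85\n"

def fake_session(command: str) -> str:
    return SAMPLE_OUTPUT  # stand-in for the SSH transport so this runs offline
```

The meaning of a particular return code such as -85 is not something the script can derive; it surfaces the value so the operator can look it up instead of the run silently passing.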