Description
In some network management environment it is important to prevent some admins of FortiGate to avoid from accessing to FortiGate diagnose commands.
This article describes how to disable diagnose command access for specific admin profile.
Solution
To address this requirement, on the FortiOS v6.4, 'Permit usage of CLI diagnostic commands' option has been introduced in GUI under ‘admin profiles’.
In some network management environment it is important to prevent some admins of FortiGate to avoid from accessing to FortiGate diagnose commands.
This article describes how to disable diagnose command access for specific admin profile.
Solution
To address this requirement, on the FortiOS v6.4, 'Permit usage of CLI diagnostic commands' option has been introduced in GUI under ‘admin profiles’.
This option has to enable specific admin group to prevent from accessing to diagnostic commands.
Map this admin-profile to the required administrators
Map this admin-profile to the required administrators
.
This also can be configured under CLI with following commands.
This also can be configured under CLI with following commands.
The system-diagnostics command in an administrator profile can be used to control access to diagnose commands for global and VDOM level administrators.
To block an administrator's access to diagnose commands:
Create an admin profile that cannot access diagnose commands:
To block an administrator's access to diagnose commands:
Create an admin profile that cannot access diagnose commands:
# config system accprofileApply the profile to an administrator:
edit "nodiagnose"
set system-diagnostics disable
end
# config system adminLog in as the administrator and confirm that others cannot access diagnose commands:
edit "nodiag"
set accprofile "nodiagnose"
set vdom "root"
set password ********
end
