New Features

Granular admin permission grants IPS Admin access to only IPS objects and prevents changes for regular Firewall Admin on IPS Profiles 7.4.2

Note

This information is also available in the FortiManager 7.4 Administration Guide:

Granular admin permission grants IPS Admin access to only IPS objects and prevents changes for regular Firewall Admin on IPS Profiles.

To configure Firewall and IPS administrators with role separation:
  1. Create Firewall administrators:

    1. Go to System Settings > Admin Profiles. Create a new Firewall admin profile with Read Only permissions for IPS Objects and Edit Policy IPS Attributes.

    2. Go to System Settings > Administrators. Create a Firewall administrator using the previously created admin profile.

    3. Firewall administrators can create and update Policies, but cannot set or change IPS sensors and SSH/SSL inspection profiles in Policies.

    4. Firewall administrators can set and change Profile Groups and apply them to a Policy, but cannot set or change the IPS sensors and SSH/SSL inspection profiles in a Profile Group.

    5. Firewall administrators are granted read-only permission for IPS objects.

  2. Create an IPS administrator:

    1. Go to System Settings > Admin Profiles. Create a Restricted Admin profile with permission for Intrusion Prevention.

    2. Go to System Settings > Administrators. Create a restricted IPS administrator.

    3. IPS administrators can set and change IPS sensors and SSH/SSL inspection profiles in Policies after the Firewall administrator has created the Policy.

    4. IPS administrators can set and change IPS sensor and SSH/SSL inspection profiles in Profile Groups after the Firewall administrator has created the Profile Group.

    5. IPS administrators can create and update IPS sensors and SSH/SSL inspection profiles and their settings within Policies.

    6. IPS administrators can pick individual IPS sensors or SSH/SSL inspection profiles to install to devices.

To configure a firewall administrator in the CLI:

config system admin profile
    edit "FirewallAdmin"
        set system-setting read-write
        ...
        ...
        set ips-objects read         <------ this is for IPS and SSH/SSL Inspection objects
        ...
        set policy-ips-attrs read    <------ this is for IPS and SSH/SSL Inspection attributes setting in policy
    next
end

To configure an IPS administrator in the CLI:

config sys admin profile
    edit IPSadmin
        show
config system admin profile
    edit "IPSadmin"
        set type restricted
        set web-filter enable
        set ips-filter enable
        set app-filter enable
        set device-fortiextender none
        set update-incidents none
        set triage-events none
        set run-report none
        set fgt-gui-proxy disable
        set ips-lock none
        set policy-ips-attrs none
    next
end
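The two CLI profiles above are the expected end state of the role separation. The following is an added example, not Fortinet code and not part of this guide: a small Python audit that parses the text printed by `show` under `config system admin profile` and flags profiles that break the separation (a non-restricted firewall profile holding `read-write` on `ips-objects` or `policy-ips-attrs`, or a restricted profile that was never granted `ips-filter enable`). The sample output is constructed: it reproduces the page's FirewallAdmin and IPSadmin profiles and adds a hypothetical over-privileged "LegacyAdmin" profile so the audit has something to catch. Settings absent from the output are treated as `none` for the check, which is an assumption of this script, not documented FortiManager default behaviour.

```python
"""Audit FortiManager admin-profile `show` output for IPS/firewall role separation.

Added example, not Fortinet code. Profile names and the "LegacyAdmin" entry
are constructed for illustration.
"""
import re

# Constructed sample modelled on the page's two profiles, plus a hypothetical
# third profile that grants write access to IPS fields and should be flagged.
SAMPLE_SHOW_OUTPUT = """\
config system admin profile
    edit "FirewallAdmin"
        set system-setting read-write
        set ips-objects read
        set policy-ips-attrs read
    next
    edit "IPSadmin"
        set type restricted
        set ips-filter enable
        set policy-ips-attrs none
    next
    edit "LegacyAdmin"
        set system-setting read-write
        set ips-objects read-write
        set policy-ips-attrs read-write
    next
end
"""

EDIT_RE = re.compile(r'^edit\s+"?([^"]+?)"?$')
SET_RE = re.compile(r'^set\s+(\S+)\s+(.+)$')


def parse_admin_profiles(text):
    """Return {profile_name: {setting: value}} parsed from `show` output.

    Only `edit`, `set` and `next` lines matter; `config`/`end` are skipped.
    """
    profiles = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = EDIT_RE.match(line)
        if m:
            current = m.group(1)
            profiles[current] = {}
            continue
        if line == "next":
            current = None
            continue
        m = SET_RE.match(line)
        if m and current is not None:
            profiles[current][m.group(1)] = m.group(2)
    return profiles


# A firewall (non-restricted) profile may hold at most read access on IPS fields.
READ_AT_MOST = {"none", "read"}


def audit_role_separation(profiles):
    """Return a list of (profile_name, finding) tuples; an empty list means clean."""
    findings = []
    for name, settings in profiles.items():
        if settings.get("type") == "restricted":
            # IPS admin: the restricted profile must actually carry the IPS permission.
            if settings.get("ips-filter") != "enable":
                findings.append((name, "restricted profile lacks 'set ips-filter enable'"))
            continue
        # Firewall admin: IPS objects and policy IPS attributes must not be writable.
        for key in ("ips-objects", "policy-ips-attrs"):
            # Assumption: a setting missing from the output is treated as 'none'.
            value = settings.get(key, "none")
            if value not in READ_AT_MOST:
                findings.append((name, f"{key} is '{value}'; expected 'read' or 'none'"))
    return findings


if __name__ == "__main__":
    for profile, finding in audit_role_separation(parse_admin_profiles(SAMPLE_SHOW_OUTPUT)):
        print(f"{profile}: {finding}")
```

Feed it the real `show` output from your own FortiManager instead of the constructed sample; on the page's two profiles it reports nothing, and only the hypothetical LegacyAdmin profile produces findings.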
