Privilege level for FortiOS

Unix authentication is used to scan hardware devices running the FortiOS operating system. The account you provide for authentication must have permission to run the commands listed below.

This topic describes how to set up an administrator profile with the Network > Configuration permission set to Read or Read/Write (together with the System permissions listed in the steps below) and then assign that profile to the scan user account.

Commands required for scanning

get system status
show full-configuration system accprofile
show full-configuration system admin
show full-configuration system auto-install
show full-configuration system global
show full-configuration system interface
show full-configuration system ntp
show full-configuration system password-policy
show full-configuration system replacemsg admin pre_admin-disclaimer-text

Scan user account requirements

The user account you provide for authentication must be able to run the commands listed above.

Any administrator account whose profile grants at least Network > Configuration: Read, System > Administrator Users: Read/Write and System > Configuration: Read will work. The steps below configure exactly these permissions; Read/Write in place of Read is also acceptable.

Steps using CLI:

1) Create a new profile, or edit an existing one, with at least the following configuration. Both the netgrp and sysgrp groups must be set to custom before their per-category permission tables can be edited:

Fortinet # config system accprofile
Fortinet (accprofile) # edit <Profile Name>
Fortinet (<Profile Name>) # set netgrp custom
Fortinet (<Profile Name>) # set sysgrp custom
Fortinet (<Profile Name>) # config netgrp-permission
Fortinet (netgrp-permission) # set cfg read
Fortinet (netgrp-permission) # end
Fortinet (<Profile Name>) # config sysgrp-permission
Fortinet (sysgrp-permission) # set admin read-write
Fortinet (sysgrp-permission) # set cfg read
Fortinet (sysgrp-permission) # end
Fortinet (<Profile Name>) # next
Fortinet (accprofile) # end

The resulting profile configuration:

config system accprofile
    edit "<Profile Name>"
        set netgrp custom
        set sysgrp custom
        config netgrp-permission
            set cfg read
        end
        config sysgrp-permission
            set admin read-write
            set cfg read
        end
    next
end


2) Assign the profile created above to the scan user account. Because the profile grants Read/Write access to administrator users, treat the scan account's credentials as privileged; restricting the account to the scanner's address with the trusted-host settings (set trusthost1 <scanner IP> <netmask> under config system admin) limits where it can be used from.

Fortinet # config system admin
Fortinet (admin) # edit <Scan User>
Fortinet (<Scan User>) # set accprofile <Profile Name>
Fortinet (<Scan User>) # next
Fortinet (admin) # end

config system admin
    edit "<Scan User>"
        set accprofile "<Profile Name>"
    next
end
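A way to verify the result of the two steps above before pointing the scanner at the device. The script below is an added example, not part of this help page and not Fortinet or scanner code: it parses the output of "show full-configuration system accprofile" and "show full-configuration system admin" (the same config syntax shown above: config/edit/set/next/end) and reports which of the three required permissions the scan account's profile is missing. It handles both a group set directly to read or read-write and a group set to custom with a per-category table. The profile names (scan_profile, net_readonly), admin names (scanuser, auditor) and the two config listings are constructed sample data, not captured from a real device; to check a real device, capture the two commands over SSH with the scan account and feed the text to check_scan_admin.

```python
import shlex

# Minimum permissions this page requires for the scan account, keyed by
# (permission group, category) as named under "config system accprofile".
REQUIRED = {
    ("netgrp", "cfg"): "read",
    ("sysgrp", "admin"): "read-write",
    ("sysgrp", "cfg"): "read",
}
RANK = {"none": 0, "read": 1, "read-write": 2}


def parse_fortios_config(text):
    """Turn FortiOS 'show' output into nested dicts.

    'config X' and 'edit Y' open a nested table, 'set K V...' stores a value
    (a list when more than one token follows the key), 'unset K' removes one,
    and 'next'/'end' close the current level. Comments and blanks are skipped.
    """
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        kw = tokens[0]
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(tokens[1:]), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(tokens[1], {}))
        elif kw == "set":
            stack[-1][tokens[1]] = tokens[2] if len(tokens) == 3 else tokens[2:]
        elif kw == "unset":
            stack[-1].pop(tokens[1], None)
        elif kw in ("next", "end"):
            stack.pop()
    return root


def effective_level(profile, group, category):
    """Permission a profile grants for one category of a group.

    A group set to read/read-write/none applies to every category in it; only
    a group set to custom consults the <group>-permission table (absent
    categories default to none).
    """
    setting = profile.get(group, "none")
    if setting != "custom":
        return setting
    return profile.get(group + "-permission", {}).get(category, "none")


def missing_permissions(profiles, profile_name):
    """List the REQUIRED entries the named profile does not satisfy."""
    profile = profiles[profile_name]
    missing = []
    for (group, category), minimum in REQUIRED.items():
        have = effective_level(profile, group, category)
        if RANK.get(have, 0) < RANK[minimum]:
            missing.append(f"{group}/{category}: have {have}, need {minimum}")
    return missing


def check_scan_admin(accprofile_text, admin_text, admin_name):
    """Return (profile name, missing permissions) for an administrator."""
    profiles = parse_fortios_config(accprofile_text)["system accprofile"]
    admins = parse_fortios_config(admin_text)["system admin"]
    profile_name = admins[admin_name]["accprofile"]
    return profile_name, missing_permissions(profiles, profile_name)


# Constructed sample listings (not from a real device); the password value
# is a placeholder for the ENC blob FortiOS prints.
ACCPROFILE_OUTPUT = """\
config system accprofile
    edit "scan_profile"
        set sysgrp custom
        set netgrp custom
        config netgrp-permission
            set cfg read
        end
        config sysgrp-permission
            set admin read-write
            set cfg read
        end
    next
    edit "net_readonly"
        set netgrp read
    next
end
"""

ADMIN_OUTPUT = """\
config system admin
    edit "scanuser"
        set trusthost1 192.0.2.10 255.255.255.255
        set accprofile "scan_profile"
        set vdom "root"
        set password ENC placeholder
    next
    edit "auditor"
        set accprofile "net_readonly"
        set vdom "root"
        set password ENC placeholder
    next
end
"""

if __name__ == "__main__":
    for admin in ("scanuser", "auditor"):
        name, missing = check_scan_admin(ACCPROFILE_OUTPUT, ADMIN_OUTPUT, admin)
        status = "OK" if not missing else "MISSING " + "; ".join(missing)
        print(f"{admin} (profile {name}): {status}")
```

With the sample data, scanuser passes and auditor is reported as lacking sysgrp/admin and sysgrp/cfg, because its profile grants Network at group level only and leaves System at the default of none.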

 

Steps using web UI:

1) Create a new profile, or edit an existing profile, with the following permissions:

Network > Configuration: Read
System > Administrator Users: Read/Write
System > Configuration: Read

(Screenshot: Admin Profiles page)


2) Go to System > Administrators. Create a new administrator, or edit the existing scan user account, and select the profile you created in the previous step.

(Screenshot: Edit Administrator page)


Quick Links

Why use host authentication?

Set Up Unix Authentication