Information
Verify that each administrator account on the Fortinet device has only the minimum privileges required for that user's role.
Rationale:
In some organizations it is necessary to create different levels of administrative accounts. For example, a tier 1 support technician should not have the same total access to the system as a tier 3 support engineer. A profile scoped to the tasks each tier actually performs limits the damage that a mistake, or a compromised lower-tier account, can cause.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
In this example, the goal is to give the profile 'tier_1' the ability to view and modify address objects. This sub-privilege ('address') sits under the 'fwgrp' (Firewall) privilege group, so 'fwgrp' is set to 'custom' and only 'address' is granted read-write; the other firewall sub-privileges are left unchanged.
In CLI:
FGT1 # config system accprofile
FGT1 (accprofile) # edit 'tier_1'
FGT1 (tier_1) # set fwgrp custom
FGT1 (tier_1) # config fwgrp-permission
FGT1 (fwgrp-permission) # set address read-write
FGT1 (fwgrp-permission) # end
FGT1 (tier_1) # end
FGT1 #
For the GUI, go to:
1. System -> Admin Profiles, select 'tier_1' and click 'Edit'.
2. Under 'Firewall', select 'Custom'.
3. Select the 'Read/Write' option for 'Address'.
In the next example, assign the profile 'tier_1' to the account 'support1'.
In the CLI:
FGT1 # config system admin
FGT1 (admin) # edit 'support1'
FGT1 (support1) # set accprofile 'tier_1'
FGT1 (support1) # end
FGT1 #
For the GUI, go to:
1. System -> Administrators.
2. Select 'support1' and click 'Edit'.
3. Under 'Administrator Profile', select 'tier_1'.
Default Value:
By default, there are only two profiles: prof_admin and super_admin. super_admin grants full access to every function and should be assigned only to accounts that genuinely need it. A profile must be selected when an admin account is created; the system does not choose one automatically.
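Because Nessus does not perform this check, the review has to be done by hand against the running configuration. The following Python script is an added example, not part of the original benchmark or of Fortinet's tooling: it parses the text of 'show system accprofile' and 'show system admin' (the sample embedded below is constructed, not captured from a device), flattens each profile into its effective rights, and flags administrators assigned super_admin or a profile that withholds nothing compared with prof_admin. The allow list of accounts permitted full access ('admin' here) and the treatment of super_admin as an implicit built-in profile are assumptions to adjust for your environment.

```python
"""Audit FortiGate administrator accounts for least privilege (added example)."""
from dataclasses import dataclass, field

# Constructed sample in the format FortiOS prints for 'show'; not captured from
# a real device.  super_admin is built in and does not appear in the table.
SAMPLE_CONFIG = """\
config system accprofile
    edit "prof_admin"
        set secfabgrp read-write
        set ftviewgrp read-write
        set authgrp read-write
        set sysgrp read-write
        set netgrp read-write
        set loggrp read-write
        set fwgrp read-write
        set vpngrp read-write
        set utmgrp read-write
        set wifi read-write
    next
    edit "tier_1"
        set fwgrp custom
        config fwgrp-permission
            set address read-write
        end
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "support1"
        set accprofile "tier_1"
        set vdom "root"
    next
    edit "support2"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "support3"
        set accprofile "prof_admin"
        set vdom "root"
    next
end
"""

LEVELS = ("none", "read", "read-write", "custom")
BUILTIN_FULL_ACCESS = {"super_admin"}  # assumption: treated as full rights, never parsed


@dataclass
class Profile:
    name: str
    groups: dict = field(default_factory=dict)  # {"fwgrp": "custom", ...}
    custom: dict = field(default_factory=dict)  # {("fwgrp", "address"): "read-write"}


def parse_config(text):
    """Minimal parser for config/edit/set/next/end blocks.
    Returns (profiles, admins): name -> Profile, and admin name -> accprofile."""
    profiles, admins, stack = {}, {}, []  # stack holds (kind, name) frames
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        kw, rest = tok[0], " ".join(tok[1:])
        if kw == "config":
            stack.append(("config", rest))
        elif kw == "edit":
            name = rest.strip('"')
            stack.append(("edit", name))
            if [n for k, n in stack if k == "config"] == ["system accprofile"]:
                profiles[name] = Profile(name)
        elif kw == "next":  # closes the innermost entry
            while stack and stack.pop()[0] != "edit":
                pass
        elif kw == "end":   # closes the innermost table and any entry open in it
            while stack and stack.pop()[0] != "config":
                pass
        elif kw == "set" and len(tok) >= 3:
            _apply_set(stack, tok[1], " ".join(tok[2:]).strip('"'), profiles, admins)
    return profiles, admins


def _apply_set(stack, key, value, profiles, admins):
    tables = [n for k, n in stack if k == "config"]
    entries = [n for k, n in stack if k == "edit"]
    if not tables or not entries:
        return
    if tables == ["system admin"] and key == "accprofile":
        admins[entries[0]] = value
    elif tables[0] == "system accprofile":
        prof = profiles[entries[0]]
        if len(tables) == 1 and value in LEVELS:
            prof.groups[key] = value           # top-level group such as fwgrp
        elif len(tables) == 2 and tables[1].endswith("-permission"):
            group = tables[1][: -len("-permission")]
            prof.custom[(group, key)] = value  # sub-privilege such as address


def effective_rights(profile):
    """Flatten a profile to {(group, sub): level}; sub is '*' for a whole group.
    Groups absent from 'show' output are at their default (none) and are omitted."""
    rights = {}
    for group, level in profile.groups.items():
        if level == "custom":
            for (g, sub), lvl in profile.custom.items():
                if g == group and lvl != "none":
                    rights[(g, sub)] = lvl
        elif level != "none":
            rights[(group, "*")] = level
    return rights


def is_full_access(profile, reference):
    """True when profile is read-write on every group the reference
    (normally prof_admin) is read-write on, i.e. nothing was withheld."""
    full = {g for g, lvl in reference.groups.items() if lvl == "read-write"}
    mine = {g for g, lvl in profile.groups.items() if lvl == "read-write"}
    return bool(full) and full <= mine


def audit(profiles, admins, allowed_full_access=("admin",), reference="prof_admin"):
    """Return sorted (admin, profile, reason) findings."""
    findings, ref = [], profiles.get(reference)
    for admin, prof_name in sorted(admins.items()):
        prof = profiles.get(prof_name)
        if prof_name in BUILTIN_FULL_ACCESS:
            if admin not in allowed_full_access:
                findings.append((admin, prof_name, "built-in full-access profile"))
        elif prof is None:
            findings.append((admin, prof_name, "profile missing from configuration"))
        elif ref and is_full_access(prof, ref) and admin not in allowed_full_access:
            findings.append((admin, prof_name, "profile equivalent to full access"))
    return findings


if __name__ == "__main__":
    profiles, admins = parse_config(SAMPLE_CONFIG)
    for admin, prof_name in sorted(admins.items()):
        prof = profiles.get(prof_name)
        rights = "full access" if prof_name in BUILTIN_FULL_ACCESS else effective_rights(prof)
        print(f"{admin:10s} {prof_name:12s} {rights}")
    for admin, prof_name, reason in audit(profiles, admins):
        print(f"FINDING: {admin} uses {prof_name}: {reason}")
```

Run it against a saved copy of the two 'show' sections (or 'show full-configuration', which also lists groups left at their defaults). Only 'support1' on 'tier_1' comes out with a narrow right set (address read-write under fwgrp); 'support2' on super_admin and 'support3' on prof_admin are reported because neither is on the allow list, which is exactly the condition this benchmark item asks you to verify.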