2.4.3 Ensure admin accounts with different privileges have their correct profiles assigned

Information

Verify that each user with access to the Fortinet device has only the minimum privileges required for that user's role.

Rationale:

In some organizations there is a need to create different levels of administrative accounts. For example, tier 1 support technicians should not have the same total access to the system as tier 3 support.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

In this example, the profile 'tier_1' is granted the ability to view and modify address objects. This sub-privilege sits under the fwgrp (Firewall) privilege.
In the CLI:

FGT1 # config system accprofile
FGT1 (accprofile) # edit 'tier_1'
FGT1 (tier_1) # set fwgrp custom
FGT1 (tier_1) # config fwgrp-permission
FGT1 (fwgrp-permission) # set address read-write
FGT1 (fwgrp-permission) # end
FGT1 (tier_1) # end
FGT1 #

For the GUI, go to System -> Admin Profiles, select 'tier_1' and click 'Edit'. Under 'Firewall', click 'Custom' and then select the 'Read/Write' option for 'Address'.
In the next example, the profile 'tier_1' is assigned to the account 'support1'.
In the CLI:

FGT1 # config system admin
FGT1 (admin) # edit 'support1'
FGT1 (support1) # set accprofile 'tier_1'
FGT1 (support1) # end
FGT1 #

For the GUI, go to System -> Administrators, select 'support1' and click 'Edit'. Under 'Administrator Profile', select 'tier_1'.
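Because Nessus does not perform this check, an added example (not CIS or Nessus code) of how the assignments above can be audited offline: the script parses a saved dump of `show system admin` and `show system accprofile`, maps each administrator to its profile, and flags accounts with no profile, an unknown profile, or super_admin rights that are not on an allow list. The sample dump and the account names are constructed.

```python
# Added example (not CIS or Nessus code). Constructed FortiOS-style dump; names made up.
SAMPLE_CONFIG = """\
config system accprofile
    edit "tier_1"
        set fwgrp custom
        config fwgrp-permission
            set address read-write
        end
    next
end
config system admin
    edit "support1"
        set accprofile "tier_1"
    next
    edit "support2"
        set accprofile "super_admin"
    next
end
"""
def parse_config(config: str) -> dict[str, dict[str, dict[str, str]]]:
    """{section: {entry: {key: value}}} for top-level blocks; nested sub-blocks are skipped."""
    tree, depth, section, entry = {}, 0, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if depth == 1:  # only top-level sections are indexed
                section = tree.setdefault(line[7:], {})
        elif line == "end":
            depth -= 1
        elif depth == 1 and line.startswith("edit "):
            entry = section.setdefault(line[5:].strip('"'), {})
        elif depth == 1 and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            entry[key] = value.strip('"')
    return tree
def audit_admins(config: str, allowed_super: list[str]) -> dict[str, str]:
    """Flag admins with no profile, an unknown profile, or unjustified super_admin."""
    tree = parse_config(config)
    known = set(tree.get("system accprofile", {})) | {"super_admin", "prof_admin"}  # built-ins
    findings: dict[str, str] = {}
    for name, settings in tree.get("system admin", {}).items():
        profile = settings.get("accprofile")
        if profile is None:
            findings[name] = "no accprofile set"
        elif profile not in known:
            findings[name] = f"unknown profile {profile!r}"
        elif profile == "super_admin" and name not in allowed_super:
            findings[name] = "super_admin not on the allow list"
    return findings
```

Run `audit_admins(SAMPLE_CONFIG, ["admin"])` against a real dump to list every account that still holds super_admin outside the approved set.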

Default Value:

By default, there are only two profiles: prof_admin and super_admin. You must select a profile when creating an admin account; the system will not choose one automatically.

See Also

https://workbench.cisecurity.org/files/4077