If you need to collect data from a FortiGate but can't use a super-admin account, there's good news. Since FortiOS 7.4.2, the set cli-diagnose enable access-profile setting lets you grant diagnose-command access to non-admin users. This example shows how to create a read-only access profile and assign it to a RADIUS group, which is ideal for organizations with strict access controls.
With the config below I create a read-only profile called prof_nonadmin and assign it to an admin entry called remote. That entry has wildcard enabled and points at my RADIUS group, RADIUSUSERS, so any RADIUS user who is a member of that group lands on the new profile. The remote-group value must match a group defined under config user group that has the RADIUS server as a member. Make sure the account used to perform collection is one that will actually match the new access profile (here, a RADIUS user in RADIUSUSERS), not a local super_admin account.
The setting doing the work is set cli-diagnose enable; every permission group is set to read so the account can view but not change anything. I deliberately left out set cli-config enable, so the account can run diagnose, get, show and execute commands but cannot enter configuration mode.
pop1-mfw01 $ sh sys accprofile
config system accprofile
    edit "prof_nonadmin"
        set secfabgrp read
        set ftviewgrp read
        set authgrp read
        set sysgrp read
        set netgrp read
        set loggrp read
        set fwgrp read
        set vpngrp read
        set utmgrp read
        set wanoptgrp read
        set wifi read
        set cli-diagnose enable
        set cli-get enable
        set cli-show enable
        set cli-exec enable
    next
end

pop1-mfw01 $ sh sys admin
config system admin
    edit "remote"
        set remote-auth enable
        set accprofile "prof_nonadmin"
        set vdom "root"
        set wildcard enable
        set remote-group "RADIUSUSERS"
    next
end
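Before handing the account to a collector, it is worth checking that the profile really is least-privilege: every permission group at read, cli-diagnose on, cli-config off, and the admin entry wired to RADIUS. The script below is an added example and is not part of the original post or of FortiOS itself. It parses the show output format (config / edit / set / next / end) and audits the profile and admin pair. The sample configuration is constructed to mirror the two fragments above; the function names and the assumption that an unset cli-config means disabled (show output omits defaults) are mine.

```python
"""Audit a FortiOS access profile and admin entry for a read-only, diagnose-capable
collector account. Added example, not code from the original post or from Fortinet."""
import shlex

# Constructed sample: the two `show` fragments from the post, concatenated.
SAMPLE_CONFIG = """\
config system accprofile
    edit "prof_nonadmin"
        set secfabgrp read
        set ftviewgrp read
        set authgrp read
        set sysgrp read
        set netgrp read
        set loggrp read
        set fwgrp read
        set vpngrp read
        set utmgrp read
        set wanoptgrp read
        set wifi read
        set cli-diagnose enable
        set cli-get enable
        set cli-show enable
        set cli-exec enable
    next
end
config system admin
    edit "remote"
        set remote-auth enable
        set accprofile "prof_nonadmin"
        set vdom "root"
        set wildcard enable
        set remote-group "RADIUSUSERS"
    next
end
"""

# Permission groups that appear in `config system accprofile`.
PERMISSION_GROUPS = ("secfabgrp", "ftviewgrp", "authgrp", "sysgrp", "netgrp", "loggrp",
                     "fwgrp", "vpngrp", "utmgrp", "wanoptgrp", "wifi")


def parse_fortios_config(text):
    """Parse `config ... edit ... set ... next ... end` blocks into nested dicts.

    Returns e.g. {"system accprofile": {"prof_nonadmin": {"secfabgrp": "read", ...}}}.
    A `config` inside an `edit` entry is treated as a nested sub-table of that entry.
    """
    tables = {}
    table = None   # current `config` table
    entry = None   # current `edit` entry
    stack = []     # saved (table, entry) pairs while inside a nested sub-table
    for raw in text.splitlines():
        words = shlex.split(raw.strip())
        if not words:
            continue
        kw, args = words[0], words[1:]
        if kw == "config":
            if entry is not None:
                stack.append((table, entry))
                table = entry.setdefault(" ".join(args), {})
                entry = None
            else:
                table = tables.setdefault(" ".join(args), {})
        elif kw == "edit":
            entry = table.setdefault(args[0], {})
        elif kw == "set":
            target = entry if entry is not None else table
            target[args[0]] = " ".join(args[1:])   # multi-value settings joined by spaces
        elif kw == "next":
            entry = None
        elif kw == "end":
            table, entry = stack.pop() if stack else (None, None)
    return tables


def audit_collector_profile(tables, profile_name, admin_name):
    """Return a list of findings; an empty list means the pair matches the intent."""
    findings = []
    profile = tables.get("system accprofile", {}).get(profile_name)
    if profile is None:
        return [f"access profile {profile_name!r} not found"]
    if profile.get("cli-diagnose") != "enable":
        findings.append("cli-diagnose is not enabled; diagnose commands will be refused")
    # Assumption: an absent cli-config means disabled (show output omits defaults).
    if profile.get("cli-config") == "enable":
        findings.append("cli-config is enabled; the collector account could change configuration")
    for group in PERMISSION_GROUPS:
        level = profile.get(group, "none")   # FortiOS default for an unset group is none
        if level not in ("read", "none"):
            findings.append(f"{group} is {level!r}; expected read or none")
    admin = tables.get("system admin", {}).get(admin_name)
    if admin is None:
        findings.append(f"admin entry {admin_name!r} not found")
        return findings
    if admin.get("accprofile") != profile_name:
        findings.append(f"admin {admin_name!r} uses {admin.get('accprofile')!r}, not {profile_name!r}")
    if admin.get("remote-auth") != "enable":
        findings.append("remote-auth is not enabled; RADIUS users will not map to this entry")
    if admin.get("wildcard") == "enable" and not admin.get("remote-group"):
        findings.append("wildcard is enabled but no remote-group is set")
    return findings


if __name__ == "__main__":
    parsed = parse_fortios_config(SAMPLE_CONFIG)
    print(audit_collector_profile(parsed, "prof_nonadmin", "remote") or ["OK: least-privilege profile"])
```

To audit a live device, paste the output of show system accprofile and show system admin into the parser in place of the constructed sample; any read-write group or an explicit set cli-config enable shows up as a finding.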
New to Custom Commands? Check out these resources:
Forward Docs - Custom Commands