2.1.6 Fortinet - BlueCat Infrastructure Assurance - 26.1.0

BlueCat LiveAssurance User Guide

Note: We recommend that system administrators defer to the vendor's official documentation for credential creation. Follow the vendor's instructions to configure the device for access with an SSH key, then use the LiveAssurance web GUI to store the private key in the relevant Credential Profile.

Understanding Access Profiles and Users

Access Profiles

Fortinet firewall software uses Access Profiles to define the access level of an administrator account. An access profile controls which CLI commands the account can run by assigning read, write, or no access to each area of the FortiGate software. Read access is required to view configuration; write access is required to make configuration changes. For LiveAssurance this matters because read access is enough to view configuration with get and to run exec commands, but the diagnose commands used for troubleshooting require write access.

Unlike other administrator accounts, the default administrator account named “admin” exists by default and cannot be deleted. It is similar to a root account: it always has full permission to view and change all FortiGate configuration options, including all other administrator accounts, and its name and permissions cannot be changed.

Setting up the LiveAssurance User

This user can be assigned to the predefined super_admin profile to execute all the required “get <x>”, “exec <x>” and “diagnose <x>” FortiOS CLI commands. Note that the “get” and “exec” commands can be executed by a read-only user, but the “diagnose” commands cannot. It is therefore strongly recommended to create a new account, or reuse an existing one, with admin (read-write) rights so that the LiveAssurance automation platform can provide full content around potential issues and remediation steps for all Fortinet rules.

Configuring the LiveAssurance User

This example adds a new FortiGate administrator account that uses a new administrative access profile with full read-write access. Access to the firewall from this account is limited to connections from a specific IP subnet. The configuration is applied through the firewall's HTTPS web GUI, so an account with admin privileges (for example the default admin user) is required to perform the following steps. Note that an existing account, such as the default “admin” account, can instead be reused by the LiveAssurance monitoring platform.

Step 1: Creating a New Administrative Profile

Go to System > Admin > Admin Profile. Create a new Administrator Profile that allows a user assigned to it to run all the “get”, “exec” and “diagnose” FortiOS CLI commands.





Note: Read-Write should be selected for all fields so that the LiveAssurance platform can run exec, get and diagnose commands via the CLI. The default prof_admin and super_admin profiles can also be used.

Step 2: Creating and Assigning a New User

A new administrator is added and assigned to the new admin profile by going to System > Admin > Administrators. Create a new administrator account and assign it to the profile that was just created (indeni-user in this example). You can restrict logins to Trusted Hosts only by adding an IP address range to one of the Trusted Host fields; if this account is used only by LiveAssurance, use the IP address of the LiveAssurance server.





Step 3: Verification & Results

Once you have added the credentials and successfully interrogated a device, log in to the FortiGate unit using an account with admin rights, such as the default admin account. Go to System > Dashboard > Status and view the System Information widget.



Select Details for Current Administrator to view all logged-in administrators. You should see that the LiveAssurance server has logged in to the Fortinet firewall using the newly created user over an SSH session.



Go to Log & Report > Event Log > System. The upper pane shows activity such as the successful login of the LiveAssurance account. Select the entry for the new administrator's login to display more detail in the lower pane. The details show that the new administrator account logged in from an IP address within the range specified in the Trusted Hosts field.
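The three GUI steps above, expressed as the equivalent FortiOS CLI configuration so the same result can be scripted or reviewed in a configuration backup. This is an added example and not configuration taken from the BlueCat or Fortinet documentation. The profile name liveassurance-profile, the password and the SSH public key are placeholders; the account name indeni-user and the trusted-host address 10.10.8.116 are taken from this page; the attribute names are those of the FortiOS config system accprofile and config system admin tables and should be checked against the CLI reference for your FortiOS version.

```fortios
# Step 1: an access profile with read-write on every area, so that get, exec
# and diagnose commands all work. A read-only profile (read in place of
# read-write) would allow get and exec but not diagnose.
config system accprofile
    edit "liveassurance-profile"
        set secfabgrp read-write
        set ftviewgrp read-write
        set authgrp read-write
        set sysgrp read-write
        set netgrp read-write
        set loggrp read-write
        set fwgrp read-write
        set vpngrp read-write
        set utmgrp read-write
        set wifi read-write
    next
end

# Step 2: the monitoring account, bound to the profile and restricted to the
# LiveAssurance server as its only trusted host (a /32 mask).
# The public key and password below are placeholders; install the matching
# private key in the LiveAssurance Credential Profile.
config system admin
    edit "indeni-user"
        set accprofile "liveassurance-profile"
        set trusthost1 10.10.8.116 255.255.255.255
        set ssh-public-key1 "ssh-ed25519 AAAA...placeholder... liveassurance"
        set password <placeholder-password>
    next
end

# Step 3: verification from the CLI instead of the dashboard widget. This lists
# the administrators currently logged in, with their source IP and login method,
# so the indeni-user session from 10.10.8.116 over ssh should appear here.
get system admin list
```

The lines beginning with # are comments for the reader and are accepted in a FortiOS configuration file but not at the interactive CLI prompt. On a multi-VDOM unit the admin entry also needs a vdom setting, and a trusted host entered as a /32 means any change of the LiveAssurance server's address silently locks the account out, so keep the trusted host in step with the server's address.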



Frequently Asked Questions

Does LiveAssurance support Fortinet Management Servers?

No. LiveAssurance currently supports only FortiGate firewalls.

How does LiveAssurance communicate with FortiGate firewalls?

The LiveAssurance platform collects information from Fortinet firewalls via direct SSH access to the devices. Let's see that in action.



As is illustrated above, LiveAssurance has been installed and configured with the private IP address 10.10.8.116.



Here a FortiGate VM64 has been discovered and is now being monitored by the LiveAssurance platform. Remember that LiveAssurance uses the configured Fortinet admin user for direct SSH access to the FortiGate; as a result, an admin session with source IP address 10.10.8.116 is shown as logged in to the firewall.

In summary, LiveAssurance collects all the information it needs for analysis via SSH access to the Fortinet firewall, so the account it uses should be assigned super_admin (read-write) rights.

What does LiveAssurance do to ensure that it is not negatively impacting the performance of the device?

Thorough testing has been performed in the LiveAssurance lab to determine the recommended minimum CPU and memory requirements for a Fortinet firewall monitored by the LiveAssurance platform.

An increase in memory and CPU utilization was recorded during discovery (interrogation) of the Fortinet firewall by the LiveAssurance platform. This is expected behavior. System resource usage dropped and stabilized once discovery completed and normal rule interrogation against the device began.

It is strongly recommended that the Fortinet firewall have at least 4 CPU cores and 4 GB RAM to ensure peak device performance. All mid-range Fortinet firewalls, starting from the FG-100E series, meet the minimum hardware requirements to be monitored effectively by LiveAssurance.

You can review the CPU/RAM resources and utilization of a firewall by running the following command: “get system performance status”.



If I already have FortiManager, why do I still need LiveAssurance?



If I already have FortiAnalyzer, why do I still need LiveAssurance?