Fortinet

Understanding Access Profiles and Users


Access Profiles

Fortinet Firewall Software uses the concept of Access Profiles to define the access level of a user. Access profiles control which CLI commands an administrator account can access. Access profiles can assign either read, write, or no access to each area of the FortiGate software. You need read access level rights in order to view configurations. To make configuration changes, you must have write access level rights. Write access is required in order to view configurations and troubleshoot using the get, diagnose and exec commands.

Unlike other Administrator Accounts, the Default Administrator account named “admin” exists by default and cannot be deleted. The “admin” account is similar to a root administrator account. This administrator account always has full permission to view and change all FortiGate configuration options, including viewing and changing all other administrator accounts. However, its name and permissions cannot be changed.

Setting up the Indeni User

The Indeni User can be assigned to the predefined super_admin level profile to execute all the required “get <x>”, “exec <x>” and “diagnose <x>” FortiOS CLI commands currently supported by Indeni 6.0. It should be noted that the “get” and “exec” FortiOS commands can be executed with a Read-Only user but not the “diagnose” commands. Therefore it is strongly recommended to create, or use an existing account, with admin (read-write) level rights so the Indeni Monitoring platform can provide more content around potential issues and remediation steps for all Fortinet Rules.

Configuring the Indeni User

This example adds a new FortiGate administrator account that uses a new administrative access profile with full read-write access. Account access to the firewall will be limited to connections from a specific IP subnet. The configuration is applied via HTTPS access to the Fortinet firewall, so a user with admin privilege rights is required to perform the following steps (e.g. the default admin user). Finally, it should be noted that an existing user account can be reused by the Indeni Monitoring Platform, for example the default admin account named “admin”.

Step 1: Creating a New Administrative Profile

Go to System > Admin > Admin Profile. Create a new Administrator Profile that allows the Indeni User with this profile to run all the “get”, “exec” and “diagnose” FortiOS CLI commands currently supported by Indeni 6.0.

PLEASE NOTE: Read-Write should be selected for all the fields in order for the Indeni Platform to run exec, get and diagnose commands via CLI. The default prof_admin and super_admin can also be used.

Step 2: Creating and Assigning a New User

A new administrator is added and assigned to the new admin profile by going to System > Admin > Administrators. Create a new administrator account for the Indeni User and assign it to the profile that was just created (i.e. indeni-user). You can restrict access to the firewall to logins from Trusted Hosts only by adding the IP address range to one of the Trusted Host fields. You can use the IP address of the Indeni Server if this account is used only by Indeni.

Step 3: Verification & Results

Once you have successfully added the credentials and successfully interrogated a device, log in to the FortiGate unit using an account with admin rights such as the default admin account. Go to System > Dashboard > Status, and view the System Information widget.

Select Details for the Current Administrator to view all administrators logged in. You should note that the Indeni server has logged in to the Fortinet firewall by using the newly created user and an SSH session.

Go to Log & Report > Event Log > System. Look at the upper pane to see more activity, such as the successful login of the Indeni account. Select the entry for the new administrator login to display more detailed information in the lower pane. The details show that the new administrator account logged in from an IP address that is within the ranges specified in the Trusted Hosts field.
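
The Step 3 check can also be run over exported event logs. The following is an added example, not Indeni or Fortinet code: it flags logins of the monitoring account that come from outside the Trusted Hosts range or that are not SSH sessions. The account name "indeni", the /32 trusted range and the key=value field names (user, ui, srcip, action, status) are assumptions, and the sample log lines are constructed.

```python
import ipaddress
import re

# Assumptions: the account name and the Trusted Hosts range set in Step 2.
INDENI_USER = "indeni"
TRUSTED_HOSTS = [ipaddress.ip_network("10.10.8.116/32")]

# Constructed sample events in key=value form (not real device output).
SAMPLE_LOG = """\
date=2019-03-01 time=09:15:02 user="indeni" ui="ssh(10.10.8.116)" srcip=10.10.8.116 action="login" status="success"
date=2019-03-01 time=09:20:41 user="admin" ui="https(10.10.8.20)" srcip=10.10.8.20 action="login" status="success"
date=2019-03-01 time=11:02:17 user="indeni" ui="ssh(192.168.50.7)" srcip=192.168.50.7 action="login" status="failed"
date=2019-03-02 time=02:44:09 user="indeni" ui="https(10.10.8.116)" srcip=10.10.8.116 action="login" status="success"
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def audit_logins(log_text, user=INDENI_USER, trusted=TRUSTED_HOSTS):
    """Return (timestamp, srcip, status, reason) for each suspicious login event."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("action") != "login" or ev.get("user") != user:
            continue
        when = f"{ev.get('date')} {ev.get('time')}"
        raw_ip, status = ev.get("srcip", ""), ev.get("status", "")
        try:
            src = ipaddress.ip_address(raw_ip)
        except ValueError:
            findings.append((when, raw_ip, status, "unparseable source address"))
            continue
        if not any(src in net for net in trusted):
            findings.append((when, raw_ip, status, "outside trusted hosts"))
        elif not ev.get("ui", "").startswith("ssh"):
            findings.append((when, raw_ip, status, "not an SSH session"))
    return findings


if __name__ == "__main__":
    for finding in audit_logins(SAMPLE_LOG):
        print(finding)
```

Because the account holds read-write rights, any finding for it is worth following up, including failed attempts.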


Frequently Asked Questions


 

Does Indeni support Fortinet Management Servers?

No. Indeni currently only supports FortiGate Firewalls.

How does Indeni communicate with FortiGate firewalls?

The Indeni platform collects the information from the Fortinet Firewalls via direct SSH access to the devices. Now, let’s see that in action.

As is illustrated above, Indeni has been installed and configured with the private IP address 10.10.8.116.

Here we see that a Fortigate VM64 has been discovered and is now being monitored by the Indeni platform. Remember, Indeni uses the admin Fortinet user to get direct access via SSH to the Fortigate. As a result, an admin user with the source IP address of 10.10.8.116 is logged in to the firewall.

In summation, Indeni collects all the required information for analysis via SSH access to a Fortinet Firewall, so a user with super-admin rights should be assigned to the Indeni user.

What does Indeni do to ensure that it is not negatively impacting the performance of the device?

Thorough testing has been performed at the Indeni Lab to determine the recommended minimum CPU and Memory requirements of a Fortinet firewall required to be monitored by the Indeni platform.

It was noted that an increased demand for Memory and CPU utilization was recorded during the discovery (interrogation) of the Fortinet firewall by the Indeni platform. This is expected behavior. We recorded a drop, and stabilization, of systems resources after discovery and normal Rule interrogation against the devices began.

It is strongly recommended that the Fortinet Firewall have a minimum of 4 CPU cores and 4GB RAM to ensure peak device performance. All mid-range Fortinet Firewalls, starting from the FG-100E Series, have the minimum hardware requirements to be effectively monitored by Indeni.

You can review the CPU/RAM resources and utilization of a firewall by running the following command: “get system performance status”.

 

If I already have FortiManager, why do I still need Indeni?

If I already have FortiAnalyzer, why do I still need Indeni?

FortiGate has a number of licenses. Which licenses do you check for expiration?

The Indeni Platform regularly checks the status of the Fortinet licenses and triggers a message either when the license is near expiration, or has expired. This information is also easily accessible from the dynamic configure tab of each Fortinet firewall. Once you have a device connected, navigate to the Devices icon, search for the Fortinet device and, once it is selected, click on More Device Info. Here you can get a full list of your Certificates and Licenses Status; e.g. Anti-Spam AV definitions, IPS, etc.

As soon as the status of a license is either expired or close to expiring, a message is triggered and delivered to the Indeni platform.

If you have additional questions, feel free to hop on over to our community and pose your question there!