pdelapena
Staff
October 16, 2024

Technical Tip: Least-Privilege Administrator Profile to Factory-Reset the FortiGate

Description

This article describes how to create a least-privilege administrator profile that can be assigned to an administrator who can run the command 'execute factoryreset' for the device.

Scope

FortiGate.

Solution

If the FortiGate needs an urgent factory reset, or cannot be accessed because the main Administrator account is locked out due to a lost password or 2FA issues, a separate super-admin account can normally be used to make changes and regain access.

However, giving high privileges to multiple administrators poses security risks and account management concerns. It is possible in FortiGate to create an administrator with the minimum amount of privilege needed to at least factory reset the device.

To set up this factory-reset admin account, create a new administrator profile with Read/Write privilege for System -> Administrator Users.

Then create a separate administrator account and assign the factory-reset administrator profile to it. Enabling 2FA for this user is optional and provides additional security.

Verify that the FortiGate is accessible with the newly created administrator account.

The command to factory reset the FortiGate to default settings is 'execute factoryreset'.
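
The GUI steps above expressed as FortiOS CLI, as an added example that is not part of the original article. The profile name "factory-reset-only", the account name "fr-admin" and the password placeholder are assumptions, and the example assumes that System -> Administrator Users corresponds to the 'admin' entry under sysgrp-permission.

```text
# Added example; the names below are placeholders, not values from the article.
config system accprofile
    edit "factory-reset-only"
        # Custom System permissions: only Administrator Users gets Read/Write.
        set sysgrp custom
        config sysgrp-permission
            set admin read-write
        end
    next
end

config system admin
    edit "fr-admin"
        # Bind the account to the restricted profile created above.
        set accprofile "factory-reset-only"
        set password <choose-a-strong-password>
        # 2FA is optional for this account, as the article notes.
    next
end
```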

 

Related documents:

Reset a FortiGate to default factory settings without losing management access 

Factory Reset Options for KVM 

Creating customized Administrator-profile