Matt_B
Staff & Editor
July 3, 2025

Technical Tip: Minimum permissions for FortiGate operations


Description

This article provides the minimum permissions required to perform several common or important operational activities.

Scope

FortiGate v7 and later.

Solution

Each entry below lists the function, the minimum required permissions, and the related documents.

Function: Backup or restore the global configuration
Minimum required permissions: super_admin
Related documents: Configuration backups and reset

Function: View or edit super_admin accounts
Minimum required permissions: super_admin
Related documents: Technical Tip: Admin cannot see super-admin profile when create another Admin user

Function: Backup VDOM configuration
Minimum required permissions: VDOM scope and all read permissions
Related documents: Backing up and restoring configurations in multi-VDOM mode

Function: Restore VDOM configuration
Minimum required permissions: VDOM scope and System Configuration read/write
Related documents: Backing up and restoring configurations in multi-VDOM mode

Function: Backup configuration without super_admin accounts
Minimum required permissions:
  Read/Write: System -> Administrator Users
  Read: All other sections
Related documents: Technical Tip: Restrict admin users to take configuration backup only on FortiGate

Function: Backup limited configuration
Minimum required permissions:
  Read/Write: System -> Administrator Users
  Read: Any required sections
Related documents: none

Function: Trigger a manual FortiGuard update
Minimum required permissions:
  Read/Write: System -> FortiGuard Updates
Related documents: Technical Tip: Verifying and troubleshooting FortiGuard updates status and versions

Function: Upgrade firmware from the GUI
Minimum required permissions:
  Read/Write: System -> Administrator Users, System -> Maintenance
  Read: System -> FortiGuard Updates, System -> Configuration
Related documents: Upgrading individual devices

Function: Manually upgrade the IPS attack engine or AV engine
Minimum required permissions:
  Read: System -> FortiGuard Updates, System -> Configuration
  If an earlier version of the engine needs to be loaded, 'diagnose autoupdate downgrade enable' is also required.
Related documents: Technical Tip: How to manually upgrade the IPS Engine; Technical Tip: How to downgrade or rollback IPS engine or FMWP Database

Function: Log in to the HA secondary device using 'execute ha manage'
Minimum required permissions:
  Read/Write: System -> Maintenance, System -> Configuration
  'execute' CLI commands
Related documents: Technical Tip: Managing individual cluster units with the CLI command 'execute ha manage'

Function: Reboot or shut down the device
Minimum required permissions:
  Read/Write: System -> Configuration
Related documents: Technical Tip: How to properly shut down or reboot a FortiGate

Function: Factory Reset
Minimum required permissions:
  Read/Write: System -> Administrator Users
  'execute' CLI commands
Related documents: Restore Factory Defaults

Function: Rollback to the previous boot partition
Minimum required permissions:
  Read/Write: System -> Configuration
  'execute' CLI commands
Related documents: Technical Tip: Selecting an alternate firmware for the next reboot

Function: Download debug logs or 'execute tac report'
Minimum required permissions: super_admin
Related documents: Technical Tip: Download Debug Logs and 'execute tac report'

Function: Initial troubleshooting steps for dropped traffic
Minimum required permissions:
  Read: Firewall, Log & Report, Network, System, VPN
  CLI commands
Related documents: Troubleshooting Tip: Initial troubleshooting steps for traffic blocked by FortiGate

Function: TFTP firmware load from the boot menu
Minimum required permissions: No administrator permissions required; this acts as a 'reset of last resort' in case of system or credential loss. It requires serial console access during boot as well as FortiGate access to a managed TFTP server.
Related documents: Technical Tip: Formatting and loading FortiGate firmware image using TFTP

Function: Read/Write administrator access when the FortiGate is managed by FortiManager
Minimum required permissions:
  Read/Write: System -> Configuration, as well as any sections that the administrator should be allowed to read or modify
Related documents: Technical Tip: Custom admin profiles show read-only access on FortiGate when managed by FortiManager

Function: View SSID Passphrase
Minimum required permissions:
  Starting FortiOS v7.4.10 and v7.6.5: super_admin
  Previous firmware versions:
    Read/Write: WiFi & Switch
    Read-only: Network
Related documents: none

Function: Enable or disable private-data-encryption
Minimum required permissions:
  Starting FortiOS v7.2.11, v7.4.6, and v7.6.1: super_admin
  Previous firmware versions:
    Read/Write: System -> Configuration
    'config' CLI commands
Related documents: none

Administrator permissions are configured by creating an Administrator Profile and assigning it to the administrator account; see Administrator profiles.
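As an added example (not part of the original article), the FortiOS CLI below shows how two rows of the table, "Backup configuration without super_admin accounts" and "Restore VDOM configuration", translate into administrator profiles and how those profiles are assigned to accounts. The profile names, administrator names, VDOM name and password placeholder are constructed for illustration; the attribute set of config system accprofile differs slightly between FortiOS releases, so verify the exact keywords on the target firmware with 'show full-configuration system accprofile' before use.

```fortios
# Added example, not from the original article. Names below are placeholders.

# 1) Backup-only profile: Read/Write on System -> Administrator Users,
#    read-only on every other section ("Backup configuration without
#    super_admin accounts"). Global scope so the whole configuration is visible.
config system accprofile
    edit "backup-only"
        set scope global
        set comments "Configuration backup only; cannot change settings"
        set secfabgrp read
        set ftviewgrp read
        set authgrp read
        set sysgrp custom
        set netgrp read
        set loggrp read
        set fwgrp read
        set vpngrp read
        set utmgrp read
        set wanoptgrp read
        set wifi read
        # System sub-sections: only Administrator Users is read-write.
        config sysgrp-permission
            set admin read-write
            set upd read
            set cfg read
            set mnt read
        end
    next
end

# 2) VDOM-scoped restore profile: System -> Configuration read/write,
#    confined to the administrator's own VDOM ("Restore VDOM configuration").
config system accprofile
    edit "vdom-restore"
        set scope vdom
        set comments "Restore configuration within the assigned VDOM only"
        set sysgrp custom
        config sysgrp-permission
            set cfg read-write
        end
    next
end

# 3) Assign the profiles to administrator accounts. The VDOM-scoped account
#    is bound to a single VDOM ("customer1" is a placeholder VDOM name).
config system admin
    edit "backup-operator"
        set accprofile "backup-only"
        set vdom "root"
        set password "REPLACE_WITH_STRONG_PASSWORD"
    next
    edit "customer1-restore"
        set accprofile "vdom-restore"
        set vdom "customer1"
        set password "REPLACE_WITH_STRONG_PASSWORD"
    next
end
```

After applying the profiles, log in as each account and confirm the intended limits: the backup-only account should be able to download a full backup but every other page should be read-only, and the VDOM-scoped account should see only its own VDOM and nothing under the global configuration.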