Skip to main content
acvaldez
Staff
acvaldez
Staff
November 23, 2020

Technical Tip: Prof_Admin admin profile will not be able to back up the Super_Admin

  • November 23, 2020
  • 0 replies
  • 13167 views

Description


This article discusses why restoring a backup configuration taken by an administrator who was not a super_admin removes any existing super_admin accounts.

 

Scope

 

FortiGate.


Solution

Administrators with the super_admin accprofile are hidden from administrators who do not have this profile. If care is not taken with restoring only configuration backups taken by super_admin accounts, it is possible to upload a valid configuration file that will remove all existing super_admin administrators.

In v7.2.1 and later, a similar consideration exists for backup files taken with the 'Password Mask' toggle selected. Such files should not be used to restore configuration to the FortiGate. See 'New Features: Support backing up configurations with password masking'.

Example Scenario:
Two users are present in the Fortigate’s Administrator configuration 'System -> Administrators'.

  • UserA – has a super_admin profile assigned.
  • UserB – has a prof_admin profile assigned.

 
Back up the configuration of the FortiGate using 'userB' account, which has the prof_admin profile assigned to it.
 
 
 
Result:
Open the backup configuration file in any text editor and search for 'config system admin'. Only userB will be visible.
 
 
 
 
If any administrator restores the configuration using this file, all super_admin administrators will be removed. This will prevent some management functions, such as restoring backup configuration, until a super_admin is recovered.
 
There are multiple ways to recover from this state, depending on firewall configuration.
 
With the default configuration, any administrator with the prof_admin accprofile has permission to restore the device to factory configuration using 'execute factoryreset2'. This should only be done during a maintenance window since it will remove the existing firewall configuration, including removing existing administrators and restoring the default 'admin' super_admin account. See 'Recover admin password without maintainer account'.

Where factory reset is not an option, it is possible to load new firmware to the device to restore the default configuration. See 'Formatting and loading FortiGate firmware image using TFTP'
 
    Terms & ConditionsAccessibility statement