Description
This article provides the minimum permissions required to perform several common or important operational activities.
Scope
FortiGate v7 and later.
Solution
| Function | Minimum required permissions | Related documents |
|---|---|---|
| Backup or restore the global configuration | super_admin | FortiOS Administration Guide: Configuration backups and reset |
| View or edit super_admin accounts | super_admin | Technical Tip: Admin cannot see super-admin profile when create another Admin user |
| Backup VDOM configuration | VDOM scope and all read permissions | FortiOS Administration Guide: Backing up and restoring configurations in multi-VDOM mode |
| Restore VDOM configuration | VDOM scope and System Configuration read/write | FortiOS Administration Guide: Backing up and restoring configurations in multi-VDOM mode |
| Backup configuration without super_admin accounts | Read/Write: System -> Administrator Users. All other sections. | Technical Tip: Restrict admin users to take configuration backup only on FortiGate |
| Backup limited configuration | Read/Write: System -> Administrator Users. Read: Any required sections. | |
| Trigger a manual FortiGuard update | Read/Write: | Technical Tip: Verifying and troubleshooting FortiGuard updates status and versions |
| Upgrade firmware from the GUI | Read/Write: System -> Maintenance. Read: | |
| Manually upgrade the IPS attack engine or AV engine | Read: System -> Configuration | Technical Tip: How to manually upgrade the IPS Engine; Technical Tip: How to downgrade or rollback IPS engine or FMWP Database |
| Log in to the HA secondary device using ‘execute ha manage’ | Read/Write: System -> Maintenance. ‘execute’ CLI commands | Technical Tip: Managing individual cluster units with the CLI command 'execute ha manage' |
| Reboot or shut down the device | Read/Write for System -> Configuration | Technical Tip: How to properly shut down or reboot a FortiGate |
| Factory Reset | Read/Write for System -> Administrators. ‘execute’ CLI commands | |
| Rollback to the previous boot partition | Read/Write for System -> Configuration. ‘execute’ CLI commands | Technical Tip: Selecting an alternate firmware for the next reboot |
| Download debug logs or ‘execute tac report’ | super_admin | |
| Initial troubleshooting steps for dropped traffic | Read: CLI commands. | Troubleshooting Tip: Initial troubleshooting steps for traffic blocked by FortiGate |
| TFTP firmware load from the boot menu | No administrator permissions required - acts as a 'reset of last resort' in case of system or credential loss. Requires serial console access during boot as well as FortiGate access to a managed TFTP server. | Technical Tip: Formatting and loading FortiGate firmware image using TFTP |
Administrator permissions are configured by creating and assigning an Administrator Profile. See Administrator profiles.
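To review existing Administrator Profiles against the table above, the following added example (not Fortinet code and not part of the original article) parses a 'config system accprofile' block and lists the table functions whose System permission each profile already holds. Assumptions: the CLI keys sysgrp, sysgrp-permission, admin, cfg and mnt correspond to System, Administrator Users, Configuration and Maintenance; an unset permission defaults to none; the sample configuration is constructed. Only rows whose System requirement is fully stated in the table are covered, and the ‘execute’ CLI requirement is not checked, so a match means the System part of the requirement is met, not that the function is necessarily available.

```python
import shlex

LEVEL = {"none": 0, "read": 1, "read-write": 2}
# Table rows whose System requirement is fully stated: (assumed CLI key, level).
TABLE = {
    "Backup limited configuration": ("admin", "read-write"),
    "Reboot or shut down the device": ("cfg", "read-write"),
    "Rollback to the previous boot partition": ("cfg", "read-write"),
    "Log in to the HA secondary device": ("mnt", "read-write"),
    "Manually upgrade the IPS attack engine or AV engine": ("cfg", "read"),
}
# Constructed sample, not taken from a real device.
SAMPLE = """config system accprofile
    edit "noc_readonly"
        set sysgrp read
    next
    edit "backup_operator"
        set sysgrp custom
        config sysgrp-permission
            set admin read-write
            set cfg read
        end
    next
end"""

def parse_accprofiles(text):
    profiles, name, in_sub = {}, None, False
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "edit" and not in_sub:
            name = tok[1]
            profiles[name] = {"sysgrp": "none", "sub": {}}  # assumed default
        elif tok[:2] == ["config", "sysgrp-permission"]:
            in_sub = True
        elif tok[0] == "end":
            in_sub = False
        elif tok[0] == "set" and name and len(tok) == 3:
            target = profiles[name]["sub"] if in_sub else profiles[name]
            target[tok[1]] = tok[2]
    return profiles

def functions_unlocked(p):
    def level(key):  # "sysgrp custom" defers to the per-key sub-permissions
        val = p["sub"].get(key, "none") if p["sysgrp"] == "custom" else p["sysgrp"]
        return LEVEL.get(val, 0)
    return sorted(f for f, (k, need) in TABLE.items() if level(k) >= LEVEL[need])

if __name__ == "__main__":
    for name, prof in parse_accprofiles(SAMPLE).items():
        print(name, "->", functions_unlocked(prof))
```

The built-in super_admin profile does not appear in this configuration block, so administrators assigned to it have to be reviewed separately.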
Copyright 2025 Fortinet, Inc. All Rights Reserved.