FortiGate
johnathan
Staff
Article Id 333853
Description This article describes the minimum permissions required for an admin account to back up the config via CLI in single-VDOM mode.
Scope FortiGate v6 and later.
Solution

When a third-party management tool accesses the FortiGate through a service account, it is often required to restrict that account to the minimum permissions it needs.


The sections of the firewall configuration that appear in a backup file depend on the read permissions granted by the administrator's assigned Admin Profile. However, an account with only read permissions can view the configuration but cannot back it up.

The minimum permissions required for an administrator to back up a configuration via CLI or GUI are as follows:


config system accprofile
    edit "new"
        set sysgrp custom
        set cli-exec enable
        config sysgrp-permission
            set admin read-write
            set mnt read-write
        end
    next
end


If any of these options is missing, the administrator account will not be permitted to retrieve a configuration backup.


An administrator whose profile uses 'set sysgrp read-write' instead of customized sysgrp permissions can also generate a configuration backup file, but this grants more than is needed.
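As an added illustration, not part of the original article, the Python script below parses `show system accprofile` output and checks each profile against the minimum permission set above; the profile names and the sample output are constructed rather than captured from a device.

```python
import shlex

# Constructed sample of `show system accprofile` output, not captured from a device.
SAMPLE = """\
config system accprofile
    edit "new"
        set sysgrp custom
        set cli-exec enable
        config sysgrp-permission
            set admin read-write
            set mnt read-write
        end
    next
    edit "viewer"
        set sysgrp read
    next
    edit "broad"
        set sysgrp read-write
    next
end
"""

def parse_fortios(text):
    """Parse nested config/edit/set/next/end blocks into a dict tree."""
    root, stack = {}, []
    cur = root
    for tok in (shlex.split(l) for l in text.splitlines() if l.strip()):
        if tok[0] in ("config", "edit"):   # open a nested block
            stack.append(cur)
            cur = cur.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "set":              # key followed by its value(s)
            cur[tok[1]] = " ".join(tok[2:])
        elif tok[0] in ("next", "end"):    # close the current block
            cur = stack.pop()
    return root

def classify(p):
    """Verdict for one accprofile entry against the minimum permission set."""
    perm = p.get("sysgrp-permission", {})
    if p.get("sysgrp") == "read-write":
        return "can back up, but broader than needed"
    if (p.get("sysgrp") == "custom" and p.get("cli-exec") == "enable"
            and perm.get("admin") == "read-write" and perm.get("mnt") == "read-write"):
        return "minimum backup permissions"
    return "cannot back up"

def audit_backup_profiles(text):
    profiles = parse_fortios(text).get("system accprofile", {})
    return {name: classify(p) for name, p in profiles.items()}
```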


The configuration generated by the minimum permissions set does not include interface configuration, routing, firewall policies, and many other important sections for firewall operation. For a somewhat more complete configuration backup, see the article 'Technical Tip: Restrict admin users to take configuration backup only on FortiGate'.


Only a configuration backup taken by a super_admin account should be used to restore the firewall. A backup taken under a lesser profile does not contain the super_admin accounts, so restoring it removes them; see 'Technical Tip: Prof_Admin admin profile will not be able to back up the Super_Admin'.


Only super_admin accounts can restore the global configuration or the configuration of a firewall in single-VDOM mode; see 'FortiOS Administration Guide: Configuration backups and reset'.


Related article:

Technical Tip: Minimum permissions for FortiGate operations