FortiGate
acvaldez
Staff
Article Id 196878

Description


This article discusses why restoring a backup configuration taken by an administrator who was not a super_admin removes any existing super_admin accounts.

 

Scope

 

FortiGate.


Solution

Administrators with the super_admin accprofile are hidden from administrators who do not have this profile. If care is not taken with restoring only configuration backups taken by super_admin accounts, it is possible to upload a valid configuration file that will remove all existing super_admin administrators.

In v7.2.1 and later, a similar consideration exists for backup files taken with the 'Password Mask' toggle selected. Such files should not be used to restore configuration to the FortiGate. See 'New Features: Support backing up configurations with password masking'.

Example Scenario:
Two users are present in the FortiGate's Administrator configuration 'System -> Administrators'.

  • UserA – has a super_admin profile assigned.
  • UserB – has a prof_admin profile assigned.

 
Back up the configuration of the FortiGate using the 'userB' account, which has the prof_admin profile assigned to it.
 
Result:
Open the backup configuration file in any text editor and search for 'config system admin'. Only userB will be visible.
 
If any administrator restores the configuration using this file, all super_admin administrators will be removed. This will prevent some management functions, such as restoring backup configuration, until a super_admin is recovered.
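The check described above (open the backup, find 'config system admin', see which accounts and profiles it contains) is easy to automate before a restore. The script below is an added example and is not part of the article or of FortiOS; the two backup texts it contains are constructed to mimic the FortiOS backup format (a '#config-version=' header line followed by 'config ... edit ... set ... next ... end' blocks), with placeholder version strings and password values. It refuses a backup that carries no super_admin account, which is exactly the file userB's backup produces in the scenario.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: a backup taken by userB (prof_admin). Only userB is
# visible under 'config system admin', as the article's scenario describes.
# Version string and ENC password value are placeholders, not real data.
BACKUP_BY_PROF_ADMIN = """\
#config-version=FGVM64-7.2.5-FW-build0000-000000:opmode=0:vdom=0:user=userB
config system global
    set hostname "example-fgt"
end
config system admin
    edit "userB"
        set accprofile "prof_admin"
        set vdom "root"
        set password ENC placeholder==
    next
end
config firewall policy
end
"""

# Constructed sample: the same device backed up by userA (super_admin).
# Both accounts are present, so restoring it keeps a super_admin.
BACKUP_BY_SUPER_ADMIN = """\
#config-version=FGVM64-7.2.5-FW-build0000-000000:opmode=0:vdom=0:user=userA
config system admin
    edit "userA"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC placeholder==
    next
    edit "userB"
        set accprofile "prof_admin"
        set vdom "root"
        set password ENC placeholder==
    next
end
"""

_CONFIG_RE = re.compile(r'^config\s+.+$')
_EDIT_RE = re.compile(r'^edit\s+"?([^"]+)"?$')
_SET_RE = re.compile(r'^set\s+(\S+)\s+(.*)$')


def backup_user(text: str) -> Optional[str]:
    """Return the user= field of the '#config-version=' header, if present."""
    first = text.splitlines()[0] if text else ""
    if not first.startswith("#config-version="):
        return None
    m = re.search(r'(?:^|:)user=([^:\s]+)', first)
    return m.group(1) if m else None


def admin_profiles(text: str) -> Dict[str, str]:
    """Map each administrator in 'config system admin' to its accprofile."""
    admins: Dict[str, str] = {}
    in_admin = False
    depth = 0          # config/end nesting inside the admin block
    current = None     # name of the 'edit' entry being read
    for raw in text.splitlines():
        line = raw.strip()
        if not in_admin:
            if line == "config system admin":
                in_admin, depth, current = True, 0, None
            continue
        if _CONFIG_RE.match(line):
            depth += 1                     # nested table inside an entry
        elif line == "end":
            if depth == 0:
                in_admin = False           # end of 'config system admin'
            else:
                depth -= 1
        elif depth == 0:
            if line == "next":
                current = None
                continue
            m = _EDIT_RE.match(line)
            if m:
                current = m.group(1)
                admins[current] = ""       # no accprofile seen yet
                continue
            m = _SET_RE.match(line)
            if m and current is not None and m.group(1) == "accprofile":
                admins[current] = m.group(2).strip().strip('"')
    return admins


def super_admins(text: str) -> List[str]:
    """Names of all accounts whose accprofile is super_admin."""
    return sorted(n for n, p in admin_profiles(text).items() if p == "super_admin")


def safe_to_restore(text: str) -> bool:
    """A backup is safe only if restoring it leaves at least one super_admin."""
    return len(super_admins(text)) > 0


if __name__ == "__main__":
    for label, cfg in (("userB backup", BACKUP_BY_PROF_ADMIN),
                       ("userA backup", BACKUP_BY_SUPER_ADMIN)):
        print(f"{label}: taken by {backup_user(cfg)}, admins={admin_profiles(cfg)}, "
              f"super_admins={super_admins(cfg)}, safe={safe_to_restore(cfg)}")
```

Run this against a real backup file's contents before uploading it; a result of no super_admin accounts means the restore would remove every super_admin on the device, regardless of which administrator performs the restore. The header 'user=' field is a secondary hint about who took the backup; the decision should rest on the parsed 'config system admin' block.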
 
There are multiple ways to recover from this state, depending on firewall configuration.
 
With the default configuration, any administrator with the prof_admin accprofile has permission to restore the device to factory configuration using 'execute factoryreset2'. This should only be done during a maintenance window since it will remove the existing firewall configuration, including removing existing administrators and restoring the default 'admin' super_admin account. See 'Recover admin password without maintainer account'.

Where factory reset is not an option, it is possible to load new firmware to the device to restore the default configuration. See 'Formatting and loading FortiGate firmware image using TFTP'.