Chandra_FTNT
Staff & Editor
Article Id 345061
Description This article describes how to create an administrator account on FortiGate that is restricted to taking configuration backups only.
Scope FortiGate v7.2.9, v7.4.4, v7.6 onwards.
Solution

Requirement:

Create a dedicated administrator account to take configuration backup on FortiGate and not have any access privileges to modify or change the configuration.

Create a custom Admin Profile under System -> Admin Profiles and select 'Create new'. 

Configure the Admin profile's access permissions as follows:
  • In the Access Permissions settings, assign 'Read' permission to every Access Control except 'System', which should be set to 'Custom'.
  • Under System, set the Administrator Users section to 'Read/Write'; all other System Access Controls should be set to 'Read'.

Create a new administrator and assign it the new administrator profile.

Log in to FortiGate using the new administrator account and verify a backup can be taken.

CLI Reference:

config system accprofile
    edit "BackupAdmin"
        set secfabgrp read
        set ftviewgrp read
        set authgrp read
        set sysgrp custom
        set netgrp read
        set loggrp read
        set fwgrp read
        set vpngrp read
        set utmgrp read
        set wifi read
        config sysgrp-permission
            set admin read-write
            set upd read
            set cfg read
            set mnt read
        end
    next
end

config system admin
    edit "backup"
        set accprofile "BackupAdmin"
        set vdom "root"
        set password <password>
    next
end
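
The following is an added example and is not part of the Fortinet article: a small Python script that parses a 'config system accprofile' block in the CLI format shown above and reports every permission that grants write access beyond the one the backup profile is meant to carry (sysgrp-permission admin read-write). It is a least-privilege check to run over the profile text before the profile is assigned. The embedded sample configuration is constructed from the CLI reference above with one deliberate deviation (fwgrp set to read-write) so that the check has a finding to report; the function names and the ALLOWED_WRITE set are the example's own.

```python
"""Least-privilege check for a FortiGate admin profile (added example, not Fortinet code)."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the "BackupAdmin" profile from the article, with one deliberate
# deviation (fwgrp read-write) so that the audit below has something to report.
SAMPLE_CONFIG = """\
config system accprofile
    edit "BackupAdmin"
        set secfabgrp read
        set ftviewgrp read
        set authgrp read
        set sysgrp custom
        set netgrp read
        set loggrp read
        set fwgrp read-write
        set vpngrp read
        set utmgrp read
        set wifi read
        config sysgrp-permission
            set admin read-write
            set upd read
            set cfg read
            set mnt read
        end
    next
end
"""

# The only write permission the backup profile is intended to have (assumption of this
# example, taken from the article's CLI reference): (section, key).
ALLOWED_WRITE = {("sysgrp-permission", "admin")}

# Permission values that do not grant write access. 'custom' only appears on sysgrp,
# whose effective rights are given by the nested sysgrp-permission block.
NON_WRITE_VALUES = {"none", "read", "custom"}

Profile = Dict[Tuple[str, str], str]


def parse_accprofile(text: str) -> Dict[str, Profile]:
    """Parse 'config system accprofile' CLI text into {name: {(section, key): value}}.

    Top-level 'set' lines are stored under section ''; lines inside a nested
    'config <name>' ... 'end' block are stored under that block's name.
    """
    profiles: Dict[str, Profile] = {}
    current = None   # name of the profile currently being read
    section = ""     # nested config block we are inside, '' at profile top level
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r'edit "([^"]+)"', line):
            current = m.group(1)
            profiles[current] = {}
        elif current is None:
            continue  # outside any 'edit' block (the outer config/end lines)
        elif m := re.fullmatch(r"config (\S+)", line):
            section = m.group(1)
        elif line == "end" and section:
            section = ""
        elif line == "next":
            current = None
        elif m := re.fullmatch(r"set (\S+) (\S+)", line):
            profiles[current][(section, m.group(1))] = m.group(2)
    return profiles


def excess_write_permissions(profile: Profile) -> List[Tuple[str, str, str]]:
    """Return (section, key, value) for every write grant not listed in ALLOWED_WRITE."""
    return sorted(
        (sec, key, val)
        for (sec, key), val in profile.items()
        if val not in NON_WRITE_VALUES and (sec, key) not in ALLOWED_WRITE
    )


def audit(text: str) -> Dict[str, List[Tuple[str, str, str]]]:
    """Audit every profile in the text; an empty list means least privilege holds."""
    return {name: excess_write_permissions(p) for name, p in parse_accprofile(text).items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        if not findings:
            print(f"{name}: OK, no write permission beyond {sorted(ALLOWED_WRITE)}")
        for sec, key, val in findings:
            where = f"{sec}/{key}" if sec else key
            print(f"{name}: unexpected write permission {where} = {val}")
```

Run against a profile exported from the unit (for example the text of 'show system accprofile'), the script lists nothing for a profile that matches the article's reference and one line per extra write grant otherwise.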

Warning:

A backup taken by an administrator who is not a 'super_admin' should be used only for review and change tracking. It must not be used to restore the firewall without further modification, because restoring such a configuration removes the existing 'super_admin' accounts, as described in the article 'Technical Tip: How to recover admin account with super_admin profile'.

Administrators with the 'super_admin' admin profile are hidden from administrators who do not have the same profile. As a result, they do not appear in configuration backups performed by this 'backup' administrator.

To take a full configuration backup including administrators with the 'super_admin' profile, it is necessary to log in using an account with the 'super_admin' profile.

Note: Once this profile is assigned, the administrator has read-only access and cannot make configuration changes, apart from the System -> Administrator Users section, which the profile grants Read/Write.

Related articles:

Technical Tip: Prof_Admin admin profile will not be able to back up the Super_Admin

Technical Tip: How to recover admin account with super_admin profile