Created on 09-27-2024 02:53 AM
Edited on 08-06-2025 07:36 AM
By Stephen_G
Description | This article describes how to restrict an administrator account so that it can only take configuration backups on FortiGate. |
Scope | FortiGate v7.2.9, v7.4.4, 7.6 onwards. |
Solution |
Requirement: Create a dedicated administrator account that can take configuration backups on FortiGate but has no access privileges to modify or change the configuration.
Go to System -> Admin Profiles and select 'Create new' to create a custom Admin Profile.
Configure the Admin profile's access permissions as follows:
Create a new administrator and assign it the new administrator profile.
Log in to FortiGate using the new administrator account and verify a backup can be taken.
CLI Reference:
config system accprofile
    edit "BackupAdmin"
        set secfabgrp read
        set ftviewgrp read
        set authgrp read
        set sysgrp custom
        set netgrp read
        set loggrp read
        set fwgrp read
        set vpngrp read
        set utmgrp read
        set wifi read
        config sysgrp-permission
            set admin read-write
            set upd read
            set cfg read
            set mnt read
        end
    next
end

config system admin
    edit "backup"
        set accprofile "BackupAdmin"
        set vdom "root"
        set password <password>
    next
end
Warning: A backup taken by an administrator who is not a 'super_admin' should be used only for review and change tracking. It must not be used to restore the firewall without further modification, as restoring the configuration will remove existing 'super_admin' accounts, as described in the article 'Technical Tip: How to recover admin account with super_admin profile'.
Administrators with the 'super_admin' admin profile are hidden from administrators who do not have the same profile. As a result, they do not appear in configuration backups performed by this 'backup' administrator. To take a full configuration backup including administrators with the 'super_admin' profile, it is necessary to log in using an account with the 'super_admin' profile.
Note: After setting the user profile, the user will not have the rights to make any changes.
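A pre-restore check for the warning above, as an added example that is not part of the original article or Fortinet tooling: it parses a plain-text configuration backup and reports whether any administrator with the 'super_admin' profile is present. The function names and both sample backups are constructed for illustration, and the parser assumes the usual config/edit/set/next/end layout of a FortiOS backup.

```python
import shlex

def admins_in_backup(text):
    """Return {admin name: accprofile} from the 'config system admin' block."""
    admins, stack, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and the '#config-version' style header
        try:
            tok = shlex.split(line)
        except ValueError:  # unbalanced quote inside a multi-line value
            tok = line.split()
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))  # also handles 'config global' wrappers
        elif tok[0] == "end":
            if stack:
                stack.pop()
        elif stack and stack[-1] == "system admin":
            # Blocks nested inside an admin entry push their own frame,
            # so their edit/next lines never reach this branch.
            if tok[0] == "edit" and len(tok) > 1:
                current = tok[1]
                admins[current] = None
            elif tok[0] == "next":
                current = None
            elif current and len(tok) > 2 and tok[:2] == ["set", "accprofile"]:
                admins[current] = tok[2]
    return admins

def has_super_admin(text):
    """False means restoring this file as-is would leave no super_admin account."""
    return "super_admin" in admins_in_backup(text).values()

# Constructed sample: a backup as exported by the restricted 'backup' account.
RESTRICTED_BACKUP = """\
#config-version=PLACEHOLDER
config system admin
    edit "backup"
        set accprofile "BackupAdmin"
        set vdom "root"
        config gui-dashboard
            edit 1
            next
        end
    next
end
"""
# Constructed sample: the same file with a super_admin entry present.
FULL_BACKUP = RESTRICTED_BACKUP.replace('    edit "backup"',
    '    edit "admin"\n        set accprofile "super_admin"\n    next\n    edit "backup"')
```

Run `has_super_admin()` on the contents of a backup file before using it for a restore; a `False` result identifies a file taken by a restricted account that should be kept for review and change tracking only.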
Related articles:
Technical Tip: Prof_Admin admin profile will not be able to back up the Super_Admin
Technical Tip: How to recover admin account with super_admin profile |