FortiGate
Chandra_FTNT
Staff
Article Id 345061
Description This article describes how to restrict admin users to take only configuration backups on FortiGate.
Scope FortiGate v7.2.9, v7.4.4 onwards
Solution

Requirement:

Restrict admin users so that they can take a configuration backup on FortiGate but have no access privileges to modify or change the configuration.

 

Create a custom Admin Profile: go to System -> Admin Profiles and select 'Create new'.

 


 

Specify the Admin profile name, for example 'BackupAdmin'. Next, set the permissions so that the profile provides only the access needed to take a configuration backup, as follows:

 


In the Access Permissions settings, assign 'Read' permission to every Access Control except 'System', which is configured with 'Custom' permissions. Under the custom 'System' settings, grant 'Read/Write' only to the 'Administrator Users' Access Control and leave all other Access Controls at 'Read'.

 

Create a new Admin User, for example named 'Backup', and select the Admin profile created above ('BackupAdmin').


 

Once the admin user is created, log in to FortiGate as the 'backup' user and verify that a backup can be taken.

 

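As an added check that is not part of the original article, the Python script below audits a 'config system accprofile' stanza from an exported configuration and reports every permission that deviates from the profile described above. The CLI key names (sysgrp, sysgrp-permission, admin, cfg and the others) are assumed to match your firmware's 'show system accprofile' output, and the sample stanza is constructed with two deliberate deviations.

```python
import re

# Constructed sample shaped like 'show system accprofile' output (shortened).
SAMPLE = '''\
config system accprofile
    edit "BackupAdmin"
        set authgrp read
        set sysgrp custom
        set netgrp read
        set fwgrp read-write
        config sysgrp-permission
            set admin read-write
            set upd read
            set cfg read-write
            set mnt read
        end
    next
end
'''

LEVELS = {"none", "read", "read-write", "custom"}
# Per the article, only these two settings may differ from 'read'.
EXCEPTIONS = {("top", "sysgrp"): "custom", ("sysgrp-permission", "admin"): "read-write"}

def audit_profile(config_text, profile="BackupAdmin"):
    """Return (section, key, value) for each permission that deviates."""
    findings, current, section = [], None, "top"
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r'edit "?([^"]+)"?$', line)
        if m:
            current, section = m.group(1), "top"
        elif line.startswith("config ") and current:
            section = line.split()[1]      # nested block, e.g. sysgrp-permission
        elif line in ("end", "next"):
            section = "top"
            current = None if line == "next" else current
        elif current == profile and line.startswith("set "):
            parts = line.split()
            if len(parts) != 3 or parts[2] not in LEVELS:
                continue                   # not a permission line (comments, scope, ...)
            key, value = parts[1], parts[2]
            if value != EXCEPTIONS.get((section, key), "read"):
                findings.append((section, key, value))
    return findings

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE):
        print("deviation:", finding)
```

An empty result means the stanza matches the profile in this article; any tuple returned names a permission to review before handing out the account.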