FortiGate
sgurminder (Staff)
Article Id 412972
Description: This article details the reason FortiManager prompts to purge local users (including local administrators) after importing a policy package for a newly added device and attempting the first policy installation to the FortiGate.
Scope: FortiGate, FortiManager.
Solution: When installing a policy package to a newly added FortiGate from FortiManager, administrators may see the following lines in the Install Preview:

config user local
    purge
end


This behavior can raise concerns about losing administrative access to the firewall. This article explains why this occurs, what it affects, and how to interpret the difference between config system admin and config user local.


Understanding Why This Happens:

When FortiManager installs a policy package to a FortiGate, it only installs used/referenced objects (such as addresses, address groups, web filter profiles, etc.). Any unused objects that exist on the FortiGate but are not referenced in the imported policy package will be deleted (purged) during the installation.

As shown in Figure 1, several objects are being deleted (e.g., 106 objects) because they are not referenced in any firewall policy. This includes config user local entries.

Figure 1: Install Preview listing the objects to be deleted

Key Difference: config system admin vs. config user local:


config system admin
Stores administrator accounts used to log in to the FortiGate (GUI/CLI). Includes the default admin account.

No impact from this purge. The current admin username and password can still be used for login.

config user local
Stores local user accounts for firewall authentication (for policies), captive portal, or SSL VPN access. Purged if they are not referenced by any active policy or configuration object.

Important Note:

  • If the config user local contains users that are not referenced anywhere (in firewall policies, SSL VPN, or authentication rules), they will be deleted as part of the object cleanup.

  • This is expected behavior by design. FortiManager ensures that FortiGate contains only objects that are actively in use.

  • The presence of an entry named admin under config user local does not affect the ability to log in as an administrator. Admin accounts are defined under config system admin, which remains untouched.

  • By default, the config user local is empty unless users have been manually created.
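To see in advance which local users the purge would remove, it helps to check the running configuration for references before installing the policy package. The following script is an added example written for this article, not Fortinet code or a FortiManager feature: it parses a constructed FortiOS configuration dump (the user names, policy and SSL VPN rule in it are made up) and lists the config user local entries that no firewall policy, SSL VPN authentication rule or referenced user group names, while showing that config system admin accounts are reported separately because the purge does not touch them.

```python
import shlex

# Constructed sample FortiOS configuration, written for this example (it is not
# taken from the article). It mixes referenced and unreferenced local users with
# an administrator account that shares the name "admin".
SAMPLE_CONFIG = """
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
end
config user local
    edit "alice"
        set type password
    next
    edit "bob"
        set type password
    next
    edit "carol"
        set type password
    next
    edit "admin"
        set type password
    next
end
config user group
    edit "vpn-users"
        set member "alice"
    next
end
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "vpn-users"
            set portal "full-access"
        next
    end
end
config firewall policy
    edit 1
        set name "lan-to-wan"
        set srcintf "port2"
        set dstintf "port1"
        set users "bob"
        set action accept
    next
end
"""


def parse_fortios(config_text):
    """Flatten a FortiOS config dump into (path, entry, key, values) rows.

    path   is the tuple of enclosing 'config' block names, e.g. ('user local',)
    entry  is the enclosing 'edit' name (None at block level)
    key    is the 'set' attribute name, or None for the 'edit' line itself
    """
    rows = []
    path, entries = [], []          # parallel stacks: block names / current edit
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)  # honours the double quotes FortiOS emits
        cmd = tokens[0]
        if cmd == "config":
            path.append(" ".join(tokens[1:]))
            entries.append(None)
        elif cmd == "edit":
            entries[-1] = tokens[1]
            rows.append((tuple(path), tokens[1], None, []))
        elif cmd == "next":
            entries[-1] = None
        elif cmd == "end":
            path.pop()
            entries.pop()
        elif cmd == "set":
            rows.append((tuple(path), entries[-1], tokens[1], tokens[2:]))
    return rows


def purge_preview(config_text):
    """Report which 'config user local' entries nothing references.

    Simplifying assumption made for this example: a local user counts as
    referenced when a policy or SSL VPN authentication rule names it directly
    ('set users') or names a user group ('set groups') that lists it as a member.
    """
    local_users, admins, direct_users, used_groups = set(), set(), set(), set()
    group_members = {}
    for path, entry, key, values in parse_fortios(config_text):
        if path == ("user local",) and key is None:
            local_users.add(entry)
        elif path == ("system admin",) and key is None:
            admins.add(entry)
        elif path == ("user group",) and key == "member":
            group_members[entry] = set(values)
        elif key == "users":
            direct_users.update(values)
        elif key == "groups":
            used_groups.update(values)
    referenced = set(direct_users)
    for group in used_groups:
        referenced |= group_members.get(group, set())
    return {
        "would_purge": sorted(local_users - referenced),
        "kept": sorted(local_users & referenced),
        "admins_unaffected": sorted(admins),  # config system admin is not purged
    }


if __name__ == "__main__":
    report = purge_preview(SAMPLE_CONFIG)
    for label, names in report.items():
        print(f"{label:>18}: {', '.join(names) or '-'}")
```

Run against the sample, the script reports carol and the local user named admin as candidates for the purge, keeps alice (via the vpn-users group) and bob (named directly in the policy), and lists the admin account under config system admin separately, which is exactly the distinction the notes above draw. A real configuration dump from `show` on the FortiGate can be fed in the same way; references the script does not model, such as captive portal settings, would need to be added to the checks.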

In conclusion:

  • Unused local users will be purged during policy package installation. This is normal.

  • Local users are not the same as administrators.

    • Local users = firewall/SSL VPN users (config user local).

    • Administrators = GUI/CLI login accounts (config system admin).

Administrators will still retain full administrative access to the firewall after the policy package installation.
