- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Change .conf backup file to insert deleted super_a...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Change .conf backup file to insert deleted super_admin user
Hi guys!
We had an administrator in the environment whose work methods were somewhat questionable and he chose to delete the super_admin accounts, leaving only accounts with the prof_admin profile on the appliance.
A FORTINET analyst through ticket 9306777 reported that through the .conf backup file, it would be possible to insert or modify an existing user by changing the profile from prof_admin to super_admin.
Example of my configuration file:
next
edit "ffranca"
set trusthost1 172.16.250.0 255.255.255.0
set trusthost2 172.16.253.0 255.255.255.0
set trusthost3 192.168.30.0 255.255.255.0
set trusthost4 192.168.10.0 255.255.255.0
set accprofile "prof_admin"
set vdom "root"
Would changing just the profile and uploading to restore the appliance from this new .conf file change mine from prof_admin to super_admin?
Thanks!
Felipe S Franca
Felipe S Franca
Labels:
- Labels:
-
FortiGate
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @ffranca ,
Yes, that's right. You can change the admin profile on the config file without any problem. After this change, your FortiGate starts with a new configuration, and your admin user becomes a super_admin.
If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it
easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you login using "prof_admin" account, you will not be able to see accounts with higher privilege like "super_admin".
Changing the accprofile from "prof_admin" to "super_admin" on backup configuration and restoring it on the firewall will make your account to be super_admin.
The option to restore configuration will only be available if you are using super_admin when you login to the firewall.
Therefore, on your current situation you need to:
1. Perform factory reset of the device. You can use factoryreset2. This option will reset the device to factory settings except for VDOM, interface, and static route settings.
This means that after resetting, FortiGate will not have any firewall policies, IPsec settings, but it will be possible to access the FortiGate remotely on its IP address.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-reset-a-FortiGate-with-the-default-...
2. Access the firewall with default admin account (username admin with no password).
https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/241541/connecting-using-a-we...
3. Restore the modified configuration with your account on super_admin profile.
https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/702257/configuration-backups...
https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/294491/administrator-profile...
Best Regards,
Arnold Dimailig
TAC Engineer
Arnold Dimailig
TAC Engineer
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did this on one of my customer and it work perfectly fine.
Best Regards,
Arnold Dimailig
TAC Engineer
Arnold Dimailig
TAC Engineer
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello ozkanaltas,
No, changing the profile from "prof_admin" to "super_admin" in the .conf backup file alone will not suffice to grant a user super_admin privileges.
The .conf backup file contains configuration settings for the FortiGate device, including user accounts and their associated profiles. However, simply modifying the profile setting in the backup file won't grant a user additional privileges. The permissions and privileges associated with each profile are controlled by the FortiGate device itself and are not solely determined by the configuration file.
To grant a user super_admin privileges, you typically need to have administrative access to the FortiGate device itself. From there, you can either:
- Use an existing account with super_admin privileges to create a new user account and assign it the super_admin profile.
- Modify the permissions of an existing user account to grant it super_admin privileges.
If all super_admin accounts have been deleted and only accounts with the prof_admin profile remain, you'll need to have access to an existing account with prof_admin privileges and then perform one of the above actions to grant super_admin privileges to a user.
Thank you.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @Durga_Ashwath ,
Are you sure about this? Your colleague @adimailig , said the same thing as me.
I'm sure about this. You can change admin profile on the config file. After that, you can restore your FortiGate with this file. That's all. Your user became super admin.
Also, you can see people who have the same problem and their solutions in these link.
https://community.fortinet.com/t5/Support-Forum/All-superadmin-is-deleted/m-p/212711
https://community.fortinet.com/t5/Support-Forum/Lost-super-admin-how-to-exec-factoryreset/m-p/303818
If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it
easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
Related Posts
- Fortigate Automation Stitch Backup autoscript stop 744 Views
- Remote RADIUS Group and wildcard admin... 666 Views
- FreeRADIUS authentication for admins. 3235 Views
- Delete Super_Admin user from other profiles 4149 Views
Labels
-
FortiGate
6,529 -
FortiClient
1,303 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
59 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.