Contributor
November 16, 2010
Question

Fortigate 60...how to set back to factory default ?

Hello all,

I recently received an old Fortigate 60 to use as a backup firewall for a small remote office. The IT group does not have the admin password for me to get into the configuration portal via the browser, so I was attempting to reset the unit back to factory defaults using the console port. After setting my serial port to 9600,8,1, none, I watch the bootup process and can get the login screen. From what I've been able to find, I should be entering the following to access the CLI to execute a reset to factory default settings:

1- at the console login prompt, type in "maintainer" for userid
2- Type in "bcpbFGTxxxxxxxxxxxxx" for password (XXXXXXXXXXX will be the S/N of the Fortigate)
3- after a successful login, now do changes to admin password

My s/n is 602104401672, so for the password I'm entering "bcpbFGT602104401672" ...which returns the following message: "The hashed password length is invalid. Login incorrect"

I also read where you can also use the device MAC address in place of the s/n but that has failed as well (MAC 00090F0B1734). I have also tried entering "bcpbFGT-602104401672" to no avail. Any other ideas or ways to reset this device's admin account back to default (no password)?

Thanks

    5 replies

    ede_pfau
    SuperUser
    November 17, 2010
    Hi, and welcome to the forums! You come up with a hard question to start. Basically, all of the steps you list are what I know how to do it. The password to enter for "maintainer" is "bcpb" + the full serial number which may be "FGT60..." or "FGT-..." sometimes. That depends on the model. One more hint: I think there is only a limited time span after booting in which you can enter the override credentials. I would love to try the procedure on my own FG but then I'd be without internet access...we'll see.
    ede_pfau
    SuperUser
    November 17, 2010
    Confirmed that this is the correct sequence. The password is case sensitive, of course.
    rwpatterson
    New Member
    November 17, 2010
    It has to be done from a cold boot. A reset/reboot will not work.
    ede_pfau
    SuperUser
    November 17, 2010
    I watch the bootup process and can get the login screen
    Bob, a) he did that and b) how could he reset/reboot from the CLI if he has no access to the box? One more way to get would be to interrupt the boot process and TFTP an older firmware onto the FG. The Release Notes all sing that you'll lose all settings if you do that; alas, I've seen the opposite though.
    rwpatterson
    New Member
    November 17, 2010
    Hey, I just woke up. Give me a break! ;) Just extraneous information. Not wrong, just redundant.... If you're using a Windows based terminal emulator, I would suggest copying and pasting the serial number upon bootup. It has to be done within 30 or 40 seconds, I believe. Also, the dash is required, as in your last entry. The serial number starts with FGT-60[xxxxxxxxxx]. Good luck
    ede_pfau
    SuperUser
    November 17, 2010
    Sorry if I stirred you up...better redundant info than none :-) About with/without a dash: depending on the model the serial no. contains a dash, or it doesn't. The lead-in "FGT" or "FGT-" is part of the serial number so you only have to remember the prefix "bcpb" plus the full serial.
    rwpatterson
    New Member
    November 17, 2010
    Upon bootup, the full serial is displayed to the CLI. Copy it from there, with or without the dash.
    Contributor
    November 17, 2010
    Good morning all, Thanks for all your input, and I can report that I was successful in getting in with login "maintainer" with the password "bcpb<device s/n>". There appears to be a timer involved and you must attempt to login with the maintainer account immediately after the device goes on-line. The attempts I was performing yesterday must have fallen outside the window of opportunity. I have performed the 'execute factoryreset' command, logged back in after the reboot with the admin account, and followed the steps to configure the device's internal IP interface to 192.168.1.99 and to allow https access. I will now go thru the web portal to take a look at how to perform one-to-one NATs, add static routes (route specific subnet traffic thru a local Cisco router hooked to another data circuit), and to set access rules. If I have any questions on these, I'll create a separate post. Thanks again for the assistance and insight into this product. Victor DSI
    abelio
    SuperUser
    November 17, 2010
    There appears to be a timer involved and you must attempt to login with the maintainer account immediately after the device goes on-line.
    Indeed Victor, you've 30 sec to perform the typing stuff... However, this is useless now, I've not read your earlier post before. Regards,