Description
This article describes how to recover access to FortiManager/FortiAnalyzer Hardware when the admin password is lost, to restore access, download and install firmware from a local TFTP server, via Console on the FortiManager/FortiAnalyzer hardware.
To restore the old config back on the FortiManager/FortiAnalyzer, it is necessary to have a backup of the config and contact Fortinet Support to remove the password if unknown, before the restore process.
Note.
Installing firmware from a local TFTP server via console resets the FortiManager/FortiAnalyzer system settings to default.
Disclaimer.
After reloading the firmware image on the Hardware unit, make sure to reconfigure the System Settings accordingly, as explained at the end of this article.
Otherwise, it risks data loss and corruption.
Any action taken upon the information in this article is strictly at its own risk.
Scope
FortiAnalyzer.
Components.
- Null modem, or DB9 to DB9 console connector cable. See also the related article, Serial cable pinouts for console access to Fortinet devices.
- Ethernet RJ45 cable (depending on the hardware model).
- Terminal client, such as a PC running HyperTerminal (Windows).
TFTP server (the following is the recommended TFTP software).
Recommended TFTP software.
- Windows users :
TFTPD32 - Open Source tftp server for Windows there: Tftpd64.
- Linux users:
Ubuntu v8.04 LTS, v8.10, v9.04 and v9.10.
Fedora Core 9.
CentOS 5.
tftpd-hpa: Open Source Windows Software Development Software.
Solution
Steps to reset and push the new Firmware.
- Download the image for the FortiManager/FortiAnalyzer from the Fortinet Support Site. On the same website, download the <image name>.md5 file that contains the MD5 checksum for the firmware image downloaded. Make sure to download the firmware version that is currently running on the machine to avoid any possible issues caused by a downgrade or unwanted upgrade.
- Check that the image is successfully downloaded and is not corrupted. Compare the generated MD5 sum against the one in the .md5 file.
- Windows users can download and use the md5sum.exe <filename> (such as md5summer).
- Linux users can accomplish this with md5sum <filename>.
- Mac OS X users can also use md5sum <filename>.
Notes.
Some console prompts in this procedure include a default value in square brackets, for example, [image.out]. To use this default value, press Enter.
- Connect the computer to the FortiManager/FortiAnalyzer unit using the null modem cable.
Terminal client communication parameters.
8 bits
no parity
1 stop bit
9600 baud
Flow Control = None
-
Restart the FortiManager/FortiAnalyzer.
-
When the console displays 'Press any key to display configuration menu...', press the space bar or any other key.
-
When a list of choices with the letter of Alphabet comes up, press G to continue.
-
Connect the computer running the TFTP server to the FortiManager/FortiAnalyzer unit. The port is prompted in the console output as below:
Please connect TFTP server to Ethernet port "1"
- Type the IP address of the computer running the TFTP server and press Enter.
The console displays:
Enter TFTP server address [192.168.1.168]:
- Type the IP address of the FortiManager/FortiAnalyzer port that is on the same subnet as the TFTP server and press Enter.
The console displays:
Enter Local Address [192.168.1.188]:
- Type the firmware image file name and press Enter.
The console displays:
Enter File Name [image.out]:
The console periodically displays a "#" (pound or hash symbol) to show the download progress.
11. When the download completes, the console displays a message similar to below: Press D.
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?D
The FortiManager/FortiAnalyzer unit installs the new firmware image and restarts. The installation may take a few minutes to complete.
Note: 'H' can be pressed to highlight the available options. This menu can be displayed on newer hardware models:
This will change the System Settings configuration back to the default status.
If any config has been saved to provide to Fortinet Support, it will be necessary to reconfigure the unit.
If a backup is present, open a support ticket asking for password removal and reload the provided config on the same version as the original one.
Re-configure the port IP address/allowaccess and a static route to have access to the unit via GUI and SSH.
Re-enable ADOMs, Advanced Mode, workspace/workflow mode, Workflow Approval, re-configure Administrators, profiles, SNMP, Mail Server, or Syslog server if needed.
Note that the workflow sessions are not preserved, and they will be purged after reloading the firmware image.
It is possible to extract the system-level configuration from the backup file by using a decompression utility such as tar, 7-Zip, or WinRar.
If any config has been saved to provide to Fortinet Support, it will be necessary to reconfigure the unit.
If a backup is present, open a support ticket asking for password removal and reload the provided config on the same version as the original one.
Re-configure the port IP address/allowaccess and a static route to have access to the unit via GUI and SSH.
Re-enable ADOMs, Advanced Mode, workspace/workflow mode, Workflow Approval, re-configure Administrators, profiles, SNMP, Mail Server, or Syslog server if needed.
Note that the workflow sessions are not preserved, and they will be purged after reloading the firmware image.
It is possible to extract the system-level configuration from the backup file by using a decompression utility such as tar, 7-Zip, or WinRar.
The system configuration file is stored under /var/fwclienttemp/system.conf filename.
The CLI configuration can then be copied & pasted via a serial or terminal session.
The CLI configuration can then be copied & pasted via a serial or terminal session.
It is best to do this in chunks of not more than 30 text lines at a time.
The rest of the configuration remains untouched, logs remain untouched.
The rest of the configuration remains untouched, logs remain untouched.
Optional: Restore System Level Settings using Backup Config File: (only working if the backup is not password-protected, mandatory since v7.0.13, v7.2.10, v7.4.6).
Additional note: If the backup is encrypted, it is possible to decrypt it with tools.
First, connect to the VPN to Ottawa, then enter:
https://tools.ott.fortilab.net/config-decrypt
Provide backup file and current password. It will generate a file with a .tar.gz file.
It is possible to extract the system-level configuration from the backup file by using a decompression utility such as tar, 7-Zip, or WinRar.
The system configuration file is stored under /var/fwclienttemp/system.conf filename.
If a recent backup of the config file exists, the admin password can be removed, and the system-level settings can be restored once the above steps have been completed.
- Make sure the backup config file is the same version as the firmware image.
- Edit the system.conf from the backup config file. See this article: Technical Tip: Viewing and editing the FortiManager/FortiAnalyzer system configuration file (system.... for more information on how to edit the file.
- Search 'config system admin user' and look for the admin username.
- Remove the 'set password ENC …..' line. For example:
Before removal:
After removal:
- Save the system.conf file -> Exit -> Update both archive files.
- Restore using the updated backup config file.
- Once the hardware is running again, log in with the username and the password: <<blank>>.
- Navigate to the respective ADOM/Device Logs and verify the status.
Related articles:
Technical Tip: Formatting and loading FortiGate firmware image using TFTP
Technical Note: FortiManager Tips and Best Practices Guide
Technical Tip: Resetting the admin password for FortiManager/FortiAnalyzer hardware
