rtanagras (Staff)
Article Id 298658

Description

This article describes how to remove Multi-Factor Authentication (FortiToken) from admin users on a FortiGate, which can be used to regain lost access to the FortiGate.

Note: Completely disabling MFA poses significant security risks and should be avoided whenever possible.

Scope

FortiGate.

Solution

Disabling Multi-Factor Authentication (MFA) for FortiGate admin access weakens the security of the firewall. There are nevertheless scenarios where removing it becomes necessary: a co-worker leaves the company, push authentication codes can no longer be received, or the admin never set up an emergency access account and has locked themselves out. Recovering the account through the FortiGate Maintainer account (which was removed starting with FortiOS 7.2.4) may also be impossible when Multi-Factor Authentication (FortiToken) is enforced on it. This article walks through removing Multi-Factor Authentication in order to regain access to the FortiGate.

The following are required to perform this task:

  • Serial cable.
  • Ethernet cable.
  • TFTP server.
  • The most recent backup configuration file.

First, format the device and load the correct firmware image for the FortiGate model. To do this, follow the steps outlined in Technical Tip: Formatting and loading FortiGate firmware image using TFTP. This leaves the FortiGate properly formatted and ready for the subsequent steps.

With the fresh image installed, the admin credentials revert to their factory defaults.

Next, open the backup configuration file in a text editor such as Notepad and locate the 'config system admin' section. Modify the admin account (in this example, the default 'admin' account) by removing the lines marked below and setting a new password.

config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set two-factor fortitoken                  <- Remove.
        set fortitoken "FTKMOB13A9B5CE9E"          <- Remove.
        set email-to "rtanagras@fortinet.com"      <- Remove.
        set password ENC SH2Aaf8mFKUDykH9flvWT60K8rCXUy2owDUdjYcO/qS8gEE6D4Loq4Xb5S5pgY=   <- Set a new password.
    next
end

After the edit, the entry looks like this:

config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password P@ssw0rd!
    next
end

Save the config file and restore it to the freshly formatted FortiGate.

Afterwards, log in with the admin account and the new password.
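The config edit described above, done programmatically rather than by hand in Notepad, as an added example that is not part of the original article and is not Fortinet code: a Python script that parses a FortiOS backup, lists which admins still carry a 'set two-factor' line (so nothing is missed before restoring), and strips the FortiToken lines from one named admin while replacing its password. The embedded backup fragment is constructed; the "admin" entry mirrors the article, while the "auditor" account and its token serial are placeholders. The parser assumes the layout FortiOS backups use (4-space nesting, 'next' closing an 'edit' entry, 'end' closing a 'config' block); the file name strip_mfa.py and the .nomfa.conf output suffix are the script's own choices.

```python
import getpass
import re
import sys

# The 'set' keys the article removes from the admin entry.
MFA_KEYS = {"set two-factor", "set fortitoken", "set email-to"}

# Constructed sample of the relevant part of a backup file. "admin" mirrors the
# article; "auditor" and its token serial are placeholders.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set two-factor fortitoken
        set fortitoken "FTKMOB13A9B5CE9E"
        set email-to "rtanagras@fortinet.com"
        set password ENC SH2Aaf8mFKUDykH9flvWT60K8rCXUy2owDUdjYcO/qS8gEE6D4Loq4Xb5S5pgY=
    next
    edit "auditor"
        set two-factor fortitoken
        set fortitoken "FTKMOB00000000AA"
        set password ENC PLACEHOLDER=
    next
end
"""


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def _block_end(lines, start, terminator):
    """Index of the line closing the block opened at lines[start]: the first later
    line at the same indentation that reads `terminator` (nested blocks are deeper)."""
    depth = _indent(lines[start])
    for i in range(start + 1, len(lines)):
        if _indent(lines[i]) == depth and lines[i].strip() == terminator:
            return i
    raise ValueError("unterminated block at line %d" % (start + 1))


def _key(line):
    """First two words of a config line, e.g. 'set two-factor'."""
    return " ".join(line.split()[:2])


def find_admin_entries(config_text):
    """Map admin name -> (edit line index, closing 'next' index) for every entry under
    'config system admin'; indentation matching also finds it nested under 'config global'."""
    lines = config_text.splitlines()
    entries = {}
    for i, line in enumerate(lines):
        if line.strip() in ("config system admin", "config sys admin"):
            end = _block_end(lines, i, "end")
            j = i + 1
            while j < end:
                m = re.match(r'\s*edit "([^"]+)"', lines[j])
                if m:
                    close = _block_end(lines, j, "next")
                    entries[m.group(1)] = (j, close)
                    j = close
                j += 1
    return entries


def mfa_enabled_admins(config_text):
    """Names of admins that still have a 'set two-factor' line (audit before/after)."""
    lines = config_text.splitlines()
    return sorted(name for name, (s, e) in find_admin_entries(config_text).items()
                  if any(_key(l) == "set two-factor" for l in lines[s:e]))


def remove_mfa(config_text, admin_name, new_password):
    """Return config_text with the MFA_KEYS lines dropped from admin_name's entry and its
    'set password' line replaced by the new plaintext value. Other admins are untouched."""
    lines = config_text.splitlines()
    entries = find_admin_entries(config_text)
    if admin_name not in entries:
        raise KeyError("admin %r not found under 'config system admin'" % admin_name)
    start, end = entries[admin_name]
    new_line = " " * (_indent(lines[start]) + 4) + 'set password "%s"' % new_password
    kept, replaced = lines[:start + 1], False
    for line in lines[start + 1:end]:
        key = _key(line)
        if key in MFA_KEYS:
            continue                       # drop two-factor, fortitoken, email-to
        if key == "set password":
            line, replaced = new_line, True
        kept.append(line)
    if not replaced:                       # entry had no password line at all
        kept.append(new_line)
    kept.extend(lines[end:])
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # usage: python strip_mfa.py <backup.conf> <admin name>
    src, admin = sys.argv[1], sys.argv[2]
    with open(src, encoding="utf-8") as fh:
        cfg = fh.read()
    print("admins with two-factor set:", mfa_enabled_admins(cfg))
    new_cfg = remove_mfa(cfg, admin, getpass.getpass("new password for %s: " % admin))
    with open(src + ".nomfa.conf", "w", encoding="utf-8", newline="\n") as fh:
        fh.write(new_cfg)
    print("wrote", src + ".nomfa.conf; still with MFA:", mfa_enabled_admins(new_cfg))
```

The script writes the new password in double quotes, the same quoting FortiOS uses for other string values in the file (for example 'set vdom "root"'); the article's edited entry shows it unquoted, which also works for a value without spaces. Only the named admin is changed, and the final line of output lists any other accounts that still have a two-factor method configured, so they can be dealt with deliberately rather than being silently carried into the restored configuration.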
