Description
This article describes password recovery for AWS FortiGate.
Scope
FortiGate deployed as an AWS EC2 instance on Xen hypervisor CPU types; FortiOS v7.2.4, including v7.0 and v6.4.
Solution
FortiGate virtual machines deployed in AWS EC2 on Xen hypervisor CPU types do not allow serial/console access, so the maintainer account cannot be used while the instance runs on one of these CPU types.
Note: EC2 instances built on the AWS Nitro hypervisor CPU types do support serial/console access. See 'How to connect to a FortiGate VM deployed in AWS using a serial/console connection' for how to temporarily change to one of these CPU types if needed. Refer to the third-party AWS documentation for the AWS account requirements for serial access.
Note: FortiOS v7.2.4 and later have the maintainer account removed; see 'Remove maintainer account 7.2.4'. In such cases it is not possible to reset the default admin password using console access, regardless of whether Xen, Nitro, or bare-metal CPU types are in use.
Example CPU types using Xen hypervisor:
General purpose: M1, M2, M3, M4, T1, T2.
Compute optimized: C1, C3, C4.
With such CPU types only SSH-based connections are available, and the maintainer account cannot be used over SSH, only over a serial/console connection.
If the default administrator 'admin' password has not been changed, the password is the EC2 instance ID. If the default password is lost and there is no backup of the instance, the password cannot be recovered when the appliance is running v7.2.4 or later; the only option in that case is to redeploy the instance. Hence, it is important to keep the password safe.
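The decision above (Xen family means no serial console and therefore no maintainer account; FortiOS 7.2.4 or later means no maintainer account at all) can be written down as a small check. The script below is an added example, not part of the Fortinet article or FortiOS itself. It assumes the operator knows the EC2 instance type and the FortiOS version; the Xen family list is the article's example list and is not exhaustive, so the optional `hypervisor_of` lookup (which needs AWS CLI credentials) is the authoritative check for families not in that list.

```shell
#!/bin/sh
# Added example, not code from the Fortinet article. Classifies an EC2
# instance type and FortiOS version into the recovery situations the
# article describes.

# Instance families the article lists as Xen-based (examples only; the
# article does not claim this list is complete).
XEN_FAMILIES="m1 m2 m3 m4 t1 t2 c1 c3 c4"

# family_of TYPE: "M4.xlarge" -> "m4"
family_of() {
    printf '%s\n' "$1" | cut -d. -f1 | tr 'A-Z' 'a-z'
}

# is_xen_family TYPE: exit 0 when TYPE's family is in the article's Xen list.
is_xen_family() {
    fam=$(family_of "$1")
    for f in $XEN_FAMILIES; do
        [ "$f" = "$fam" ] && return 0
    done
    return 1
}

# version_ge A B: exit 0 when dotted version A >= B (up to three numeric parts;
# missing parts count as 0, so "7.0" compares as 7.0.0).
version_ge() {
    v1=$(printf '%s' "$1" | tr '.' ' ')
    v2=$(printf '%s' "$2" | tr '.' ' ')
    set -- $v1 0 0 0
    a1=$1; a2=$2; a3=$3
    set -- $v2 0 0 0
    b1=$1; b2=$2; b3=$3
    for pair in "$a1:$b1" "$a2:$b2" "$a3:$b3"; do
        x=${pair%%:*}; y=${pair##*:}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# recovery_paths TYPE VERSION: prints one of
#   no-maintainer     FortiOS 7.2.4+: maintainer account removed; with no
#                     backup and a lost admin password, redeploy is the only path
#   ssh-only          Xen family: no serial console, so the maintainer account
#                     cannot be reached; keep the admin password safe
#   console-possible  family not in the Xen list; confirm the hypervisor with
#                     hypervisor_of before relying on serial/console access
recovery_paths() {
    if version_ge "$2" 7.2.4; then
        echo "no-maintainer"
    elif is_xen_family "$1"; then
        echo "ssh-only"
    else
        echo "console-possible"
    fi
}

# hypervisor_of TYPE: authoritative check via the AWS CLI (requires credentials,
# not exercised offline). Prints "nitro" or "xen".
hypervisor_of() {
    aws ec2 describe-instance-types --instance-types "$1" \
        --query 'InstanceTypes[0].Hypervisor' --output text
}

# Usage: ./recovery_paths.sh <instance-type> <fortios-version>
if [ "$#" -eq 2 ]; then
    recovery_paths "$1" "$2"
fi
```

Run it as `sh recovery_paths.sh t2.micro 7.0.12` to get `ssh-only`, or `sh recovery_paths.sh m5.large 7.2.4` to get `no-maintainer`. The family list deliberately stays the article's own; a family that is absent from it is reported as `console-possible` rather than assumed to be Nitro, which is why the AWS CLI lookup is kept alongside it.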
Copyright 2024 Fortinet, Inc. All Rights Reserved.