FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Jackie_T
Staff
Article Id 190123

Description

This article describes password recovery for a FortiGate VM deployed in AWS.

Scope

FortiGate running as an AWS EC2 instance on Xen hypervisor CPU types; FortiOS v7.2.4, including v7.0 and v6.4.

Solution

FortiGate virtual machines deployed in AWS EC2 on Xen hypervisor CPU types do not allow serial/console access; therefore the maintainer account cannot be used while the instance is running on one of these CPU types.

Note: EC2 instances built on the AWS Nitro hypervisor CPU types do support serial/console access. See 'How to connect to a FortiGate VM deployed in AWS using a serial/console connection' for how to temporarily change to one of these CPU types if needed. Refer to the third-party AWS documentation for the AWS account requirements for using serial access.

Note: FortiOS versions v7.2.4 and later have the maintainer account removed (see 'Remove maintainer account 7.2.4'). In such cases, it is not possible to reset the default admin password using console access, regardless of whether Xen, Nitro, or bare-metal CPU types are in use.


Example CPU types using Xen hypervisor:

  • General purpose: M1, M2, M3, M4, T1, T2.

  • Compute optimized: C1, C3, C4.


When using such CPU types, only SSH-based connections are available. The maintainer account cannot be used over SSH connections, only over serial/console connections.

If the default administrator 'admin' password has not been changed, the password is the EC2 instance ID. If the default password is lost and there is no backup of the instance, it cannot be recovered when the appliance is running v7.2.4 or later; the only option in such cases is to redeploy the instance. Hence, it is important to keep the password safe.
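The decision described in this article (Xen CPU type means no serial console, Nitro means serial console is available, and v7.2.4 or later means the maintainer account is gone regardless) can be checked before anyone starts a recovery attempt. The following is an added example, not Fortinet's code or part of this article: it parses the JSON that `aws ec2 describe-instance-types --instance-types <type>` prints (the `InstanceTypes[].Hypervisor` field is a real field of that API, taking the values `xen` or `nitro`), combines it with the running FortiOS version, and reports which recovery path, if any, applies. The two JSON responses embedded below are constructed samples, not captured output; the helper names (`recovery_path`, `hypervisor_of`, `parse_version`) are this example's own.

```python
import json

# FortiOS release from which the maintainer account is removed (stated in the article).
MAINTAINER_REMOVED_FROM = (7, 2, 4)

# Constructed sample responses shaped like `aws ec2 describe-instance-types` output.
# The article lists M4 among the Xen-based families; the second sample stands in for
# a Nitro-based type and is likewise a constructed example, not real captured output.
XEN_SAMPLE = json.dumps({"InstanceTypes": [{"InstanceType": "m4.large", "Hypervisor": "xen"}]})
NITRO_SAMPLE = json.dumps({"InstanceTypes": [{"InstanceType": "m5.large", "Hypervisor": "nitro"}]})


def parse_version(version: str) -> tuple:
    """Turn a FortiOS version string such as 'v7.2.4' or '7.0.12' into a comparable tuple."""
    return tuple(int(part) for part in version.lstrip("vV").split("."))


def hypervisor_of(describe_instance_types_json: str) -> str:
    """Return the Hypervisor value from a describe-instance-types response.

    Returns 'xen' or 'nitro'. When the key is absent the function reports 'none';
    that is how this example treats bare-metal instance types (an assumption of
    this example, not something the article states).
    """
    data = json.loads(describe_instance_types_json)
    types = data["InstanceTypes"]
    if len(types) != 1:
        raise ValueError("expected exactly one instance type in the response")
    return types[0].get("Hypervisor", "none")


def recovery_path(describe_instance_types_json: str, fortios_version: str) -> str:
    """Map (CPU type, FortiOS version) to the recovery path the article describes.

    'redeploy'                    - v7.2.4+: maintainer account removed, no console reset possible
    'serial-console-maintainer'   - Nitro type on an older release: use the serial console
    'switch-to-nitro-then-console'- Xen type on an older release: SSH only, so temporarily
                                    change to a Nitro type first (see the linked article)
    """
    hypervisor = hypervisor_of(describe_instance_types_json)
    if parse_version(fortios_version) >= MAINTAINER_REMOVED_FROM:
        return "redeploy"
    if hypervisor == "nitro":
        return "serial-console-maintainer"
    if hypervisor == "xen":
        return "switch-to-nitro-then-console"
    # Bare metal or an unexpected value: the article gives no console path for these.
    raise ValueError(f"no documented recovery path for hypervisor {hypervisor!r}")


if __name__ == "__main__":
    for sample, label in ((XEN_SAMPLE, "m4.large"), (NITRO_SAMPLE, "m5.large")):
        for version in ("v6.4.14", "v7.0.12", "v7.2.4", "v7.4.1"):
            print(f"{label:10} {version:8} -> {recovery_path(sample, version)}")
```

In practice the JSON would come from `aws ec2 describe-instance-types --instance-types m4.large --output json` and the version from the FortiGate itself; the point of the check is that a team does not spend time trying to reach the maintainer account on a build where it no longer exists, and instead goes straight to restoring from backup or redeploying.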