FortiGate
akawade
Staff
Article Id 196760

Description


This article details the effect of disabling the 'maintainer' account on a FortiGate.

 

Scope

 

FortiGate.

Solution

 

Before v7.2.4, the 'maintainer' account can be used to reset the admin password on a FortiGate when that password has been lost. Anyone with physical (console) access to the unit can read the serial number from the label on the chassis and, together with the 'maintainer' account, use it to reset the admin password.

 

Once the admin password has been reset in this way, the person who reset it has full administrative access to the device and can make any configuration change, up to and including a factory reset.

 

This may be an unacceptable risk in some environments, especially where the hardware is not physically secured. To remove the risk, disable the 'maintainer' account with the following CLI commands:

 

config system global
    set admin-maintainer disable
end

 

Note:
If this feature is disabled and the administrator password is then lost, there is no way back into the unit other than a TFTP format and firmware reload, which returns the FortiGate to factory default settings. A saved configuration backup can then be restored to the device, so make sure a current backup exists before disabling the account.
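As an added example (not part of the original article or Fortinet's own tooling), the Python script below audits exported FortiGate configuration backups for the admin-maintainer setting described above. It relies on the fact that a FortiGate backup omits settings that are still at their factory default, so a backup whose 'config system global' block contains no admin-maintainer line still has the account enabled on the pre-7.2.4 builds this article covers. The two backups embedded in the script are constructed samples, not real exports, and the firmware version is read from the #config-version header line of the backup.

```python
import re

# Constructed sample backups (not taken from a real device). FortiGate
# configuration backups omit settings that are at their factory default, so
# 'set admin-maintainer disable' appears only when an administrator has
# actually run the CLI commands from the article.
HARDENED_BACKUP = """\
#config-version=FGT60F-7.0.12-FW-build0523-230425:opmode=nat:vdom=0:user=admin
#conf_file_ver=1234567890
#buildno=0523
#global_vdom=1
config system global
    set admin-maintainer disable
    set admintimeout 10
    set hostname "branch-fw-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
end
"""

# The same unit before hardening, exported in VDOM mode: 'config system global'
# sits inside a 'config global' wrapper and the admin-maintainer line is absent
# because the setting is still at its factory default.
DEFAULT_BACKUP = """\
#config-version=FGT60F-7.0.12-FW-build0523-230425:opmode=nat:vdom=1:user=admin
config global
config system global
    set admintimeout 10
    set hostname "branch-fw-01"
end
end
config vdom
edit root
config system interface
end
next
end
"""

# '#config-version=<model>-<major>.<minor>.<patch>-FW-build<n>-<date>:...'
VERSION_RE = re.compile(r"^#config-version=[^-]+-(\d+)\.(\d+)\.(\d+)-")


def firmware_version(backup: str):
    """Return (major, minor, patch) from the #config-version header, or None."""
    for line in backup.splitlines():
        m = VERSION_RE.match(line)
        if m:
            return tuple(int(x) for x in m.groups())
    return None


def system_global_settings(backup: str) -> dict:
    """Map 'set <name> <value>' lines inside 'config system global' to values.

    Block depth is tracked so an 'end' belonging to a nested block does not
    terminate the search early; the 'config global' VDOM wrapper is skipped
    because it never matches the exact 'config system global' line.
    """
    settings = {}
    depth = 0
    for raw in backup.splitlines():
        line = raw.strip()
        if depth == 0:
            if line == "config system global":
                depth = 1
            continue
        if line.startswith("config "):
            depth += 1
        elif line == "end":
            depth -= 1
            if depth == 0:
                break
        elif depth == 1 and line.startswith("set "):
            parts = line.split(None, 2)
            if len(parts) == 3:
                settings[parts[1]] = parts[2]
    return settings


def audit_maintainer(backup: str) -> dict:
    """Report whether the 'maintainer' account is usable on the exported unit."""
    version = firmware_version(backup)
    explicit = system_global_settings(backup).get("admin-maintainer")
    # Absent from the backup means factory default, which on the pre-7.2.4
    # builds the article describes is 'enable' (assumption stated in lead-in).
    effective = explicit if explicit is not None else "enable"
    return {
        "version": version,
        "pre_7_2_4": version is not None and version < (7, 2, 4),
        "admin_maintainer": effective,
        "explicitly_set": explicit is not None,
        "maintainer_usable": effective != "disable",
    }


if __name__ == "__main__":
    for name, text in (("hardened", HARDENED_BACKUP), ("default", DEFAULT_BACKUP)):
        result = audit_maintainer(text)
        status = "RISK" if result["maintainer_usable"] else "OK"
        print(f"{name}: {status} admin-maintainer={result['admin_maintainer']} "
              f"explicit={result['explicitly_set']} FortiOS={result['version']}")
```

On the device itself the equivalent check is show full-configuration system global | grep admin-maintainer, because the plain show output omits the setting while it is at its default, exactly as the backup does.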