hhasny
Staff
Article Id 219176
Description

This article describes how to clear the 'Admin login disabled' lockout due to multiple login failures on earlier FortiOS versions.

Scope

FortiGate v6.4.12 and earlier, v7.0.10 and earlier, v7.2.3 and earlier.

Solution

In v7.2.3 and earlier, it is possible to clear a locked-out source IP by re-configuring admin-lockout-duration to a lower value and waiting for that new, shorter duration to elapse.


FGT # config system global
FGT (global) # set admin-lockout-duration 600    <----- Lockout is 600 secs and the login is disabled.
FGT (global) # end


FGT # config system global
FGT (global) # set admin-lockout-duration 5    <----- Change to a lower value and let it pass to clear the lockout.
FGT (global) # end


After the 5-second lockout duration has passed, the disabled admin has access again. Re-configure admin-lockout-duration back to the previous value once the lockout is cleared.


The lockout duration is based on the IP address. The same admin user may still log in from a different IP source.




Note:

The method detailed above is no longer permitted beginning in v6.4.13, v7.0.11, v7.2.4, and v7.4.0.

In later firmware versions, the only options to mitigate an administrative lockout for a particular source IP address are:

  • Wait for the originally configured lockout duration.
  • Access the device using a different source IP address.
  • Access the device using a console cable.
  • Reboot the device, or power-cycle if reboot is not possible.
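The following Python script is an added example and is not part of the Fortinet article. It audits a FortiOS configuration backup offline: it reads admin-lockout-duration and admin-lockout-threshold from the config system global section, pulls the firmware version from the #config-version= header line that a backup begins with (header format assumed), and reports whether that firmware still honours the shorten-and-wait method described above, using the version boundaries from the Note. It also flags a lockout duration that looks like a temporary low value that was never restored. The 60-second and 3-attempt defaults and the sample backup are assumptions constructed for the example.

```python
"""
Added example (not from the Fortinet article): audit a FortiOS config backup
for the admin lockout settings and for whether the firmware still allows
clearing a lockout by lowering admin-lockout-duration.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# First release in each train that no longer honours shorten-and-wait
# (from the article's Note). 7.4.0 and later never did.
FIXED_IN = {(6, 4): (6, 4, 13), (7, 0): (7, 0, 11), (7, 2): (7, 2, 4)}

# Assumed FortiOS defaults for the two relevant settings.
DEFAULT_DURATION = 60
DEFAULT_THRESHOLD = 3

# Constructed sample backup: a 7.2.3 box whose lockout duration was left at the
# temporary value of 5 seconds after the workaround was used.
SAMPLE_BACKUP = """\
#config-version=FGTXXXX-7.2.3-FW-build0000-000000:opmode=0:vdom=0:user=admin
config system global
    set admin-lockout-duration 5
    set admin-lockout-threshold 3
    set hostname "FGT"
end
config system admin
    edit "admin"
    next
end
"""


def parse_version(text: str) -> Version:
    """Turn 'v7.2.3' or '7.2.3' into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def workaround_allowed(version: str) -> bool:
    """True if lowering admin-lockout-duration still clears an active lockout."""
    v = parse_version(version)
    if v[:2] in FIXED_IN:
        return v < FIXED_IN[v[:2]]
    if v[0] < 6 or (v[0] == 6 and v[1] < 4):
        return True  # older than 6.4: covered by "v6.4.12 and earlier"
    return False  # 7.4.0 and later, or a train the article does not cover


def version_from_backup(config_text: str) -> Optional[str]:
    """Extract the firmware version from the '#config-version=' header line."""
    m = re.search(r"^#config-version=\S*?-(\d+\.\d+\.\d+)-", config_text, re.M)
    return m.group(1) if m else None


def system_global_settings(config_text: str) -> Dict[str, str]:
    """Collect the 'set' entries between 'config system global' and its 'end'."""
    settings: Dict[str, str] = {}
    inside = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system global":
            inside = True
            continue
        if inside:
            if line == "end":
                break
            m = re.fullmatch(r"set\s+(\S+)\s+(.+)", line)
            if m:
                settings[m.group(1)] = m.group(2).strip('"')
    return settings


def audit_lockout(config_text: str, version: Optional[str] = None) -> Dict[str, object]:
    """Summarise lockout settings and flag a duration left at a temporary low value."""
    s = system_global_settings(config_text)
    duration = int(s.get("admin-lockout-duration", DEFAULT_DURATION))
    threshold = int(s.get("admin-lockout-threshold", DEFAULT_THRESHOLD))
    version = version or version_from_backup(config_text)
    findings = []
    if duration < DEFAULT_DURATION:
        findings.append(
            f"admin-lockout-duration is {duration}s, below the {DEFAULT_DURATION}s default; "
            "restore the intended value if this was a temporary lockout-clearing setting"
        )
    return {
        "version": version,
        "lockout_duration": duration,
        "lockout_threshold": threshold,
        "shorten_and_wait_works": workaround_allowed(version) if version else None,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in audit_lockout(SAMPLE_BACKUP).items():
        print(f"{key}: {value}")
```

Run it against a real backup by reading the file into a string and passing it to audit_lockout; pass version= explicitly if the backup header has been stripped. A device reported with shorten_and_wait_works set to True is one where a lockout can be cleared by any admin with config write access, which is worth knowing when planning upgrades past the versions listed in the Note.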


For admin best practice, refer to the following document.

System administrator best practices