Description

This article describes how to factory reset the FortiGate to erase the current configuration using the external reset button on low-end FortiGate models.

Scope

FortiGate/FortiWifi/-DSL:  80F, 81F, 70F, 71F, 60E/61E, 60F/61F, 40F, 80E, 60C, 100F/101F, 70G, 90G, 120G, and other models intended for small businesses.

Solution

Note:

To Factory format a FortiGate unit without losing management access or changing its FortiOS version, follow the steps in this article: Technical Tip: How to reset a FortiGate with the default factory settings/without losing management ...

• This button is labelled 'RESET' or 'BLE/RESET' (located either on the Back Panel near the power connector or on the Front Panel, like in 80F) and is enabled by default but usable only during the first 30 seconds after boot up. Successful use of this button will erase the current configuration.
• Hard reboot the device (unplug, wait for at least 10 seconds, and plug it back online). In the first 30 to 60 seconds, wait until the 'status' light is blinking slowly, then press and hold the reset button until the 'status' light is blinking faster.
• In mid to high-end models (not in the scope of this article), this button can be easily confused with the non-marked NMI button (non-maskable interrupt) watchdog feature. The NMI button does not offer the factory reset functionality. Refer to the following article, Technical Tip: NMI Button for Troubleshooting Kernel Issues, for more info. 
• To confirm the purpose of this external button on the FortiGate:

diagnose hardware test button

The output will show if it is used as a Reset Button or as an NMI Button. It is possible to press 'N' to stop the test.

• The behavior of the reset button will also depend on the firmware version that is being used. One of the options below will factory default the unit:

1. Reboot FortiGate: It should be noted that a power cycle is required and that using the CLI command to execute a reboot may not be sufficient to enable the reset button.

2. Wait until the FortiGate OS is running again: The FortiGate OS is at the running stage when the 'STATUS'/'STA' LED is blinking slowly. It means that the console prompts for the login.

3. Once the STATUS LED is blinking slowly (typically between the first 30 to 60 seconds of boot), press the external button 'RESET', then the 'STATUS'/'STA' LED will blink faster until the FortiGate reboots itself. If the device does not reboot even after holding the reset button for 30 seconds to one minute, the next step is to release and try to hold the 'RESET' button again for one minute until the device reboots. 

• It can also be used as a reference that the login prompt on a Putty session is shown at the same time that the status light turns on:

• The reset button can only be used in the first 30 or 60 seconds, depending on the model, after a power cycle.
• If the uptime of the unit is more than 30 or 60 seconds, the RESET button is disabled, and when pressed, the console output will prompt with the following message, and no action is taken if pressed at this stage.
  
• A console cable can be connected and used to verify the reset process. After pressing the 'RESET' button, the following output can be seen on the CLI to confirm the device has been factory reset.

Note:
If the 'STATUS/STA' LED does not blink after waiting a while, this indicates that the device cannot boot up, and there may be boot image corruption. Access the device using a serial connection with the console cable to verify this. Refer to this document for more information: Technical Tip: How to connect to the FortiGate and FortiAP console port.

4. If the external button is pressed on time, the unit reboots, and the default configuration will be active.

1. The reset button can be pressed anytime, and the unit will perform a factory reset.
2. After the unit reboots, the default configuration will be active in the same way as if the CLI command execute factoryreset had been used.

The FortiGate logs as follows when the reset button is pressed:

date="2024-08-24" time="16:08:15" id=7135583482205437973 bid=5898939 dvid=1155 itime=1661382495 euid=3 epid=3 dsteuid=3 dstepid=3 logver=702010000 logid="0100032252" type="event" subtype="system" level="critical" action="factory-reset" msg="User reset to the factory settings from forticron" logdesc="Factory settings reset" ui="forticron" eventtime=1661382495134259444 tz="-0700" devid="FGT61Exxxxxxxxxx" vd="root" devname="FGT61Exxxxxxxxxx" devgrps="{NULL}"

date="2024-08-24" time="16:08:22" id=7135583516565176327 bid=5898939 dvid=1155 itime=1661382503 euid=3 epid=3 dsteuid=3 dstepid=3 logver=702010000 logid="0100032138" type="event" subtype="system" level="critical" action="reboot" msg="User rebooted the device from forticron. The reason is 'factory reset'" logdesc="Device rebooted" ui="forticron" eventtime=1661382502832782205 tz="-0700" devid="FGT61Exxxxxxxxxx" vd="root" devname="FGT61Exxxxxxxxxx" devgrps="{NULL}"

How to disable the hardware reset button:

config system global
(global) # show full | grep "reset"
    set admin-reset-button enable <----- This would disable the reset button.
    set check-reset-range disable
    set reset-sessionless-tcp disable

This is not a recommended setting, as sometimes FortiGate enters a boot loop, and the RESET button helps to factory reset the settings.

There is an observation on a rare scenario where when the Boot interrupt sequence process did not show up (for example any option for flash format/TFTP) the last option would be to press the reset button on the back of the FortiGate and get the FortiGate back to factory default and on this case the FortiGate can be logged in using default account but make sure a good known config file is already available to restore after accessing the FortiGate.

This option is to be considered only when the admin password is lost or is not working. After this, try to perform an upgrade to the latest version and observe the behavior. If the same issue is observed, consider performing Hardware tests (HQIP).

No Boot interrupt sequence seen after factory format or reboot FortiGate:

After a factory reset, the default credentials would be :

• Username: admin.
• Password: (blank).

FortiGate will ask to create a new password after entering the username admin with no password upon first-time login.

Note:

It is recommended to have a console connection during the entire procedure to confirm if the device is taking the factory reset by pressing the pin hole or not.

Related article:

Technical Tip: How to reset a FortiGate with the default factory settings/without losing management ...