Solution
The solution varies depending on the FortiOS version and the scenario.
Admin password is lost (no MFA enabled):
- The unit is running FortiOS version 7.2.3 or below: the password reset procedure can be performed through the console. See Technical Tip: Resetting a lost admin password for further details.
- The unit is running FortiOS version 7.2.4 or above: the default 'maintainer' user is no longer available, so the only way to regain access is to perform a hard reset. See Technical Tip: How To Reset To Factory Default Configuration using external button for further details.
- Restoring the backup firmware: this option only applies to physical units and requires a console connection. Once connected, power-cycle the unit, interrupt the boot process and enter the configuration menu. From there, use option B to boot the backup firmware (typically the version installed before the current one); the unit will come up without requiring a login. Then modify one of the administrator users and set a new password for it. See Technical Tip: Boot the backup firmware and config via console for further details.
The admin password is lost (MFA enabled):
Regardless of the FortiOS version running on a given FortiGate unit, MFA cannot be disabled using the password reset method, so the only remaining option is to hard reset the unit. The procedure is the same as mentioned in the previous item.
Additional info: after a hard reset, the unit returns to its default settings:
IP Address: 192.168.1.99
username: admin
password: <no password, leave this field blank>
It is recommended to keep a backup config file stored on the computer to avoid having to configure the unit from scratch. Before restoring it, the file has to be modified so that administrator access is not lost again after the restore. To modify the config file as needed, refer to the steps below:
- Locate the file on the computer (it uses the .conf extension) and open it with a text editor such as WordPad, Microsoft Word, Notepad++, etc.
- After opening the file, locate the 'config system admin' section, where all the administrator users are listed:

- Pick at least one of the administrator users listed in the config file that uses the super_admin account profile and edit its password. Notice that the 'set password' field is followed by the ENC keyword and an encrypted value: overwrite the value with the new password and remove the ENC keyword so that it is taken as plain text, exactly as written. See the example below:

If the chosen user has two-factor authentication enabled, also remove the two-factor configuration associated with it so that the login works with only a username and password combination:

- Save the changes made to the config file and restore it on the FortiGate unit. See Backing up and restoring configurations from the GUI for further details.
Tips and general recommendations for administrator users:
- It is always recommended to have more than a single administrator user, each with a different password. This helps in cases where the password of the main user is lost. Make sure both accounts use the super_admin account profile so that the backup administrator username has full control of the device:

- Using two-factor authentication for administrator access is recommended, as it minimizes the risk of malicious agents logging in to the unit. It is also recommended to keep at least one other administrator user as a contingency and to leave two-factor authentication disabled on that user. Where two-factor authentication is mandatory on the network for administrator access, assign a different method to that backup user. See the example below:

- Using trusted-host adds an extra security layer to the administrative access of the unit, but consider the same scenario as above: do not enable this feature for all administrator users, so that there is always an emergency way in.
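The config-file edit described in the steps above (overwriting 'set password ENC ...' with a plain-text value and removing the two-factor lines) and the recommendations in this list (at least two super_admin users, one of them without two-factor or trusted-host restrictions) can both be applied to a backup .conf file programmatically. The script below is an added example and is not part of the Fortinet article: the sample config is constructed, the ENC hash and FortiToken serial are placeholders, the 4-space indentation of 'edit'/'next' lines is an assumption about the FortiOS export format, and the set of keys treated as two-factor configuration ('two-factor', 'two-factor-authentication', 'two-factor-notification', 'fortitoken', 'email-to', 'sms-phone', 'sms-server') is an assumption as well.

```python
"""Added example (not from the Fortinet article): prepare a FortiOS backup
config for restore without losing administrator access, and audit the
administrator accounts for a usable backup super_admin."""
import re

# Constructed sample of a FortiOS backup config. The ENC values and the
# FortiToken serial are placeholders, not real hashes or tokens.
SAMPLE_CONFIG = """\
#config-version=FGT60F-7.2.5-FW-build1517-230726:opmode=0:vdom=0:user=admin
config system global
    set hostname "FGT-EXAMPLE"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set two-factor fortitoken
        set fortitoken "FTKMOBPLACEHOLDER01"
        set email-to "admin@example.invalid"
        set trusthost1 10.0.0.0 255.255.255.0
        set password ENC AAAAPLACEHOLDER1==
    next
    edit "readonly"
        set accprofile "prof_admin"
        set vdom "root"
        set password ENC AAAAPLACEHOLDER2==
    next
end
"""

# Top-level 'config system admin' ... 'end' (the closing 'end' is unindented).
ADMIN_BLOCK = re.compile(r"^config system admin\n(.*?)^end\n", re.S | re.M)
# Assumption: each administrator is an 'edit "name"' ... 'next' pair indented
# by exactly 4 spaces; nested sub-tables inside an admin are indented deeper.
EDIT_RE = re.compile(r'^    edit "([^"]+)"\n(.*?)^    next\n', re.S | re.M)
SET_RE = re.compile(r"^\s*set (\S+)\s*(.*)$")
# Assumed set of keys that make up the two-factor configuration of an admin.
TWO_FACTOR_KEYS = {"two-factor", "two-factor-authentication",
                   "two-factor-notification", "fortitoken", "email-to",
                   "sms-phone", "sms-server"}


def parse_admins(config_text):
    """Return {admin name: {setting key: value}} from 'config system admin'."""
    block = ADMIN_BLOCK.search(config_text)
    if not block:
        raise ValueError("no 'config system admin' section found")
    admins = {}
    for name, body in EDIT_RE.findall(block.group(1)):
        settings = {}
        for line in body.splitlines():
            m = SET_RE.match(line)
            if m:
                settings[m.group(1)] = m.group(2).strip().strip('"')
        admins[name] = settings
    return admins


def reset_admin_password(config_text, username, new_password):
    """Rewrite one super_admin user: plain-text password, two-factor removed."""
    admins = parse_admins(config_text)
    if admins.get(username, {}).get("accprofile") != "super_admin":
        raise ValueError(f"{username!r} is not a super_admin account")
    block = ADMIN_BLOCK.search(config_text)
    user_re = re.compile(rf'^    edit "{re.escape(username)}"\n(.*?)^    next\n',
                         re.S | re.M)
    m = user_re.search(config_text, block.start(1), block.end(1))
    new_lines, replaced = [], False
    for line in m.group(1).splitlines():
        sm = SET_RE.match(line)
        key = sm.group(1) if sm else None
        if key == "password":
            # Drop the ENC keyword and hash; FortiOS encrypts it on restore.
            new_lines.append(f'        set password "{new_password}"')
            replaced = True
        elif key in TWO_FACTOR_KEYS:
            continue  # login must work with username and password only
        else:
            new_lines.append(line)
    if not replaced:
        new_lines.append(f'        set password "{new_password}"')
    new_body = "\n".join(new_lines) + "\n"
    return config_text[:m.start(1)] + new_body + config_text[m.end(1):]


def audit_admins(admins):
    """Check the article's recommendations: >= 2 super_admins, one of them
    without two-factor and without trusthost restrictions."""
    super_admins = [n for n, s in admins.items()
                    if s.get("accprofile") == "super_admin"]
    backup_candidates = [
        n for n in super_admins
        if admins[n].get("two-factor", "disable") == "disable"
        and not any(k.startswith("trusthost") for k in admins[n])
    ]
    return {"super_admins": super_admins,
            "backup_candidates": backup_candidates,
            "ok": len(super_admins) >= 2 and bool(backup_candidates)}


if __name__ == "__main__":
    fixed = reset_admin_password(SAMPLE_CONFIG, "admin", "NewPassw0rd!")
    print(fixed)
    print(audit_admins(parse_admins(fixed)))
```

On the sample, the audit fails both before and after the password rewrite: 'admin' is the only super_admin and it still has a trusthost restriction, which is exactly the single-point-of-failure the tips above warn about. Adding a second super_admin without two-factor and without trusthost lines is what turns the audit green.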
At any time, refer to the System administrator best practices documentation to get more info about how to secure administrative access to FortiGate: Technical Tip: System administrator best practices
An alternative when there is no backup configuration file and the FortiGate has a paid FortiGate Cloud subscription: Technical Tip: Recover access to FortiGate via FortiCloud
This guide explains how to create a temporary 'super_admin' user to regain access to the FortiGate. If the FortiGate has not yet been added to FortiGate Cloud, it can be added using the FortiCloud key: FortiCloud or FortiDeploy key