FortiGate
jtatis
Staff
Article Id 338840
Description This article describes how to resolve the most common administrative-access scenarios on a FortiGate: what to do when an admin password is lost, and how to create alternative login options for emergencies.
Scope Any supported version of FortiGate.
Solution

The solution varies depending on the FortiOS version and the scenario.

 

Admin password is lost (no MFA enabled):

 

Admin password is lost (MFA enabled):

 

Regardless of the FortiOS version running on the unit, MFA cannot be disabled through the password-reset method, so the only remaining option is to hard reset (factory reset) the unit. The procedure is the same as the one referenced in the previous item.

 

Additional info: after a hard reset the unit returns to its factory defaults:

IP address: 192.168.1.99
Username: admin
Password: <none; leave the field blank>

Current FortiOS versions prompt for a new admin password at the first login after the reset.

 

It is recommended to keep a backup of the configuration file stored off the unit, so the device does not have to be configured from scratch. That file still contains the administrator accounts exactly as they were, so it must be modified before it is restored; otherwise administrator access is lost again right after the restore. To modify the config file as needed, refer to the steps below:

 

 

  1. Locate the backup file on the computer (it has the .conf extension) and open it in a plain-text editor such as Notepad++. Avoid word processors such as Microsoft Word or WordPad: they can change the encoding, line endings or quote characters and make the file fail to restore.
  2. In the file, locate the 'config system admin' section, where all the administrator users are listed:

 

 
 

[Screenshot kb1.PNG: the 'config system admin' section of the backup file]

 

 

  3. Pick at least one of the administrator users listed in the file that uses the super_admin account profile and edit its password. The line reads 'set password ENC <hash>': the ENC keyword marks the value as an already-hashed secret, which cannot be turned back into a usable password. Replace the whole value with the new password in plain text and remove the ENC keyword, for example 'set password "NewPassword"'. FortiOS accepts the plaintext and hashes it again when the configuration is restored. See the example below:

 

 

[Screenshot kb2.PNG: the 'set password' line rewritten in plain text without ENC]

 

When the username being edited has two-factor authentication enabled, also remove the settings that bind the second factor to it (the lines such as 'set two-factor <method>' and 'set fortitoken <serial>' under that user), so that the account can log in with only a username and password combination:

 

[Screenshot kb3.PNG: the two-factor settings removed from the administrator entry]

 

 

  4. Save the changes to the config file and restore it on the FortiGate unit; see Backing up and restoring configurations from the GUI for further details. Once the restore is done and the login works, delete the edited file or replace it with a fresh backup, because it still holds the password in plain text.

 

 

Tips and general recommendations for administrator users:

  • It is always recommended to have more than one administrator user, each with a different password. This helps when the password of the main user is lost. Make sure both accounts use the super_admin account profile, so that the backup administrator has full control of the device:

 

[Screenshot kb5.PNG: a second administrator user with the super_admin profile]

 

  • Using two-factor authentication for administrator access is recommended: it minimizes the risk of a malicious actor logging in to the unit with a stolen or guessed password. It is also recommended to keep at least one other administrator user as a contingency, with two-factor authentication disabled on that user, so that a lost or broken token does not lock everyone out. Because that account is protected by its password alone, give it a long, unique password kept in a password vault and use it only for emergencies. Where two-factor authentication is mandatory for administrator access on the network, assign a different method to the backup user (for example email instead of FortiToken), so that a single failed factor does not block both accounts. See the example below:

 

[Screenshot kb6.PNG: the backup administrator with a different two-factor method]

 

  • Configuring trusted hosts adds an extra security layer to administrative access, since the account can then only log in from the listed addresses. Consider the same scenario as above: do not enable trusted hosts for every administrator user, so that an emergency login path remains if the usual management host is unavailable or its address changes.

 

At any time, refer to the System administrator best practices documentation for more information on securing administrative access to the FortiGate: Technical Tip: System administrator best practices.
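The file edits in steps 1 to 4 above and the checks behind the tips section, as an added example in Python; this is not Fortinet code and not part of the original article. It assumes the backup is a plain-text FortiOS export whose 'config system admin' entries are delimited by edit/next/end, skips nested sub-tables such as 'config gui-dashboard' inside an entry, and assumes the keys listed in MFA_KEYS are the ones that bind a second factor to an administrator. The sample export, its hashes and its token serial are constructed for the demonstration. reset_admin_password() rewrites one administrator's password in plain text without the ENC keyword and drops that user's two-factor lines; audit_admins() reports whether a file satisfies the recommendations above (two super_admin accounts, one of them usable with a password only and without trusted-host restrictions).

```python
import re

# Keys assumed to bind a second factor to an admin; extend if your export shows others.
MFA_KEYS = {"two-factor", "fortitoken", "email-to", "sms-phone", "sms-server", "sms-custom-server"}
UNRESTRICTED = {"0.0.0.0 0.0.0.0", "::/0"}  # trusthost values that still allow any host

# Constructed sample export (fake hashes, fake token serial), not a real device backup.
SAMPLE_CONF = """\
config system admin
    edit "admin"
        set trusthost1 10.10.0.0 255.255.255.0
        set accprofile "super_admin"
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000001"
        config gui-dashboard
            edit 1
                set name "Status"
            next
        end
        set password ENC SH2FAKEHASHFAKEHASHFAKEHASHFAKEHASH
    next
    edit "noc-readonly"
        set accprofile "prof_admin"
        set password ENC SH2FAKEHASHFAKEHASHFAKEHASHFAKEHASH
    next
end
"""


def _walk(conf_text):
    """Yield (raw_line, owner); owner names the admin whose entry the line belongs to."""
    in_table, current, depth = False, None, 0
    for raw in conf_text.splitlines():
        line, owner = raw.strip(), None
        if not in_table:
            in_table = line == "config system admin"
        elif depth:  # inside a nested sub-table such as gui-dashboard: skip it
            depth += 1 if line.startswith("config ") else -1 if line == "end" else 0
        elif current is None:
            if line == "end":
                in_table = False  # end of the admin table
            else:
                m = re.fullmatch(r'edit\s+"([^"]*)"', line)
                if m:
                    current = owner = m.group(1)
        elif line.startswith("config "):
            depth = 1
        elif line == "next":
            current = None
        else:
            owner = current
        yield raw, owner


def parse_admins(conf_text):
    """Map admin name -> list of (key, value) pairs from its 'set' lines."""
    admins = {}
    for raw, owner in _walk(conf_text):
        if owner is not None:
            settings = admins.setdefault(owner, [])
            if raw.strip().startswith("set "):
                key, _, value = raw.strip()[4:].partition(" ")
                settings.append((key, value))
    return admins


def reset_admin_password(conf_text, name, new_password, strip_mfa=True):
    """Put a plaintext password on <name> (FortiOS hashes it again on restore) and drop its MFA lines."""
    out, replaced = [], False
    for raw, owner in _walk(conf_text):
        line = raw.strip()
        if owner == name and line.startswith("set "):
            key = line[4:].split(" ", 1)[0]
            if key == "password":
                indent = raw[: len(raw) - len(raw.lstrip())]
                out.append(f'{indent}set password "{new_password}"')  # no ENC keyword
                replaced = True
                continue
            if strip_mfa and key in MFA_KEYS:
                continue  # login becomes username + password only
        out.append(raw)
    if not replaced:
        raise ValueError(f"no password line found for admin {name!r}")
    return "\n".join(out) + "\n"


def audit_admins(admins):
    """Check the tips above: two super_admin accounts, one usable with password only from any host."""
    get = lambda s, key: dict(s).get(key)
    mfa_free = lambda s: get(s, "two-factor") in (None, "disable")
    restricted = lambda s: any(k.startswith(("trusthost", "ip6-trusthost")) and v not in UNRESTRICTED for k, v in s)
    supers = [s for s in admins.values() if get(s, "accprofile") == '"super_admin"']  # value keeps its quotes
    findings = []
    if len(supers) < 2:
        findings.append(f"{len(supers)} super_admin account(s); keep at least two")
    if not any(mfa_free(s) for s in supers):
        findings.append("every super_admin account needs a second factor; keep one contingency account without it")
    if not any(mfa_free(s) and not restricted(s) for s in supers):
        findings.append("no password-only super_admin account is free of trusted-host restrictions")
    return findings
```

To use it on a real export, pass open("backup.conf").read() to reset_admin_password(), write the result to a new file and restore that file; the sample above yields three findings before the reset and two afterwards (the single super_admin account and its trusted-host restriction remain). Delete the edited file once the login works, since the temporary password is stored in clear text until FortiOS re-hashes it on restore.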

Comments
MaryBolano
Staff

Great article @jtatis !! Keep it up!!

 
