jangelis
Staff
Article Id 210343
Description

This article describes the scenario where admin access to the FortiGate is lost, and the possibility to recover access with a maintainer account (password reset) exists.

However, this procedure will not allow changing the two-factor authentication (for example, if FortiToken Mobile is lost).

Scope

FortiGate.
Solution

If the unit is configured to connect to FortiCloud and Management Connectivity is UP, there is a possibility to add a new admin account from FortiCloud.

 

The second requirement for the procedure is a FortiCloud subscription (configuration management is not included in the free version).

If the above conditions are met, it is possible to create a new admin user in the FortiCloud management and push the configuration to the FortiGate.

 

This procedure regains local access; once logged in with the new account, the original admin account can be modified.

 

The guide on how to change the config on the unit: Config.

 

Select FortiGate Cloud -> Select the device -> Group Management -> Run script.


To add a new admin, create and execute a new script: Script.

 

Use the following syntax:

 

config system admin
    edit "name-of-new-admin"
        set accprofile "super_admin"
        set vdom "root"
        set password yourpassword
    next
end

 

If the FortiGate is running a multi-VDOM configuration, use the following syntax instead:

 

config global
    config system admin
        edit "name-of-new-admin"
            set accprofile "super_admin"
            set vdom "root"
            set password yourpassword
        next
    end
end

 

Alternatively, enabling the SSO FortiCloud administration access makes it possible to regain access to the FortiGate. Use the following syntax:

 

config system global
    set admin-forticloud-sso-login enable
    set admin-forticloud-sso-default-profile "super_admin"
end
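Because the same cloud-script path that recovers access can also create a super_admin account or switch on FortiCloud SSO login, these events are worth alerting on. The following is an added defender-side example, not code from the article or from Fortinet: it parses constructed FortiGate-style key=value event-log lines and flags both of the changes described above. The field names cfgpath/cfgobj/cfgattr and the ui="FortiCloud" value are assumptions about the log shape.

```python
import re
from typing import Optional

# Constructed sample lines modelled on FortiGate key=value config-change events.
# Field names (cfgpath, cfgobj, cfgattr, ui) are assumed; logid is deliberately omitted.
SAMPLE_LOGS = [
    'date=2024-01-10 time=09:12:01 type="event" subtype="system" level="notice" '
    'user="admin" ui="https(10.0.0.5)" action="Edit" cfgpath="firewall.policy" '
    'cfgobj="12" cfgattr="comments[]" msg="Edit firewall.policy 12"',
    'date=2024-01-10 time=09:15:43 type="event" subtype="system" level="notice" '
    'user="script" ui="FortiCloud" action="Add" cfgpath="system.admin" '
    'cfgobj="recovery-admin" cfgattr="accprofile[super_admin]vdom[root]" '
    'msg="Add system.admin recovery-admin"',
    'date=2024-01-10 time=09:16:02 type="event" subtype="system" level="notice" '
    'user="script" ui="FortiCloud" action="Edit" cfgpath="system.global" '
    'cfgobj="" cfgattr="admin-forticloud-sso-login[disable->enable]" '
    'msg="Edit system.global"',
]

# key=value pairs; values are either double-quoted (may be empty) or bare tokens
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_log(line: str) -> dict:
    """Parse one FortiGate-style key=value line into a dict with quotes stripped."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in KV_RE.finditer(line)}


def classify(entry: dict) -> Optional[str]:
    """Return an alert label for the two privileged changes the recovery procedure makes."""
    path = entry.get("cfgpath", "")
    attr = entry.get("cfgattr", "")
    # A new or edited admin object carrying the super_admin profile
    if path == "system.admin" and "super_admin" in attr:
        action = entry.get("action", "?").lower()
        return f"super_admin account {action}: {entry.get('cfgobj')} via {entry.get('ui')}"
    # FortiCloud SSO admin login switched on in system.global
    if path == "system.global" and "admin-forticloud-sso-login" in attr and "enable" in attr:
        return f"FortiCloud SSO admin login enabled via {entry.get('ui')}"
    return None


def find_alerts(lines) -> list:
    """Run classify() over every line and collect the non-empty alert labels."""
    return [label for label in (classify(parse_log(l)) for l in lines) if label]
```

Routine policy edits (the first sample line) produce no alert; the account creation and the SSO enablement do, each tagged with the interface they came through.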

 

If the unit is not yet added to the FortiCloud, but there is physical access to the unit, it is possible to add it with the FortiCloud key: Deployment.