Description |
This article describes the following scenario:
1) A FortiGate admin ID has accidentally been assigned a 2FA FortiToken that does not work, or the 2FA FortiToken for the admin has stopped working.
2) There are no other super admin profiles that can be used to regain access to the firewall.
3) GUI access is therefore broken, and a password recovery has to be performed to recover admin access.
The FortiGate would require a FortiGate Cloud paid subscription for remote management.
Related document: |
Scope |
Requirements.
1) The FortiGate should already be registered with FortiCloud and show the status UP in FortiCloud.
2) The admin credentials should already have been applied in FortiCloud during registration and management.
3) If the admin password does not match, it will not be possible to reset the 2FA for the admin. |
Solution |
Ensure the requirements above are fulfilled.
Go to the FortiCloud portal and manage the intended firewall:
- Go to System -> Administrator and select 'Create New'.
- Create a new admin, admin1.
- Set Type to Local user.
- Set Administrator Profile to super_admin.
- Assign a password.
- Assign an email address.
- Select 'Save'.
Once saved, select 'Deploy' to push the new changes to the FortiGate from FortiCloud:
- Once 'Deploy' is selected, select 'Schedule'.
- Check the option to deploy immediately.
- Select 'Apply'.
- Wait for the log summary and ensure there were no errors during deployment.
- Log in to the firewall with the newly created admin and unset the 2-factor FortiToken for the admin account.
- Delete the temporary admin once the admin account is recovered. |
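The last two steps can also be done from the FortiGate CLI. The following is an added example, not part of the original article: it assumes the locked-out account is named `admin` and the temporary account is `admin1`, and the `#` lines are annotations rather than commands to type.

```fortios
# Logged in as the temporary account admin1 (created through FortiCloud).
# Assumption: the account with the broken FortiToken is named "admin".
config system admin
    edit "admin"
        # Turn off two-factor authentication for this account so that
        # it can log in with its password alone.
        set two-factor disable
    next
end

# Confirm the change before logging out of admin1.
show system admin admin

# After logging back in as the recovered "admin" account, remove the
# temporary super_admin so that no spare privileged account is left behind.
config system admin
    delete "admin1"
end
```

Run the delete from the recovered account rather than from admin1 itself, and re-enable two-factor on the admin account with a working token once access is confirmed.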
Copyright 2025 Fortinet, Inc. All Rights Reserved.