satoh
Staff
Article Id 424308
Description

This article describes how to update the hash function for administrator accounts after upgrading FortiOS.

Scope

FortiGate v7.2, v7.4, v7.6.
Solution

Starting from FortiOS 7.2.11, 7.4.11, and 7.6.1, a new hash function, PBKDF2, is introduced in the 'config system admin' settings.
After upgrading to these versions, the default admin account automatically switches from SHA256 to PBKDF2.
Other administrator accounts continue to use SHA256 until their passwords are changed.
Changing the password of a non-default administrator account updates the hash function from SHA256 to PBKDF2.

Note:

  • In FortiOS 7.2.10, 7.4.7, 7.6.0, and earlier, the hash function is SHA256.
  • 'SH2' denotes SHA256.
  • 'PB2' denotes PBKDF2.
     

Example:
 

  • Before the upgrade (FortiOS 7.2.10):

 

config system admin
    edit "admin"                                        <----- default admin
        set accprofile "super_admin"
        set vdom "root"
        set password ENC SH24F2uMH  -----snip-----   <----- SHA256
    next
    edit "test"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC SH2aZtOA3  -----snip-----   <----- SHA256
    next
    edit "test10"
        set accprofile "prof_admin"
        set vdom "root"
        set password ENC SH2r7JR7v  -----snip-----    <----- SHA256
    next
end
 

  • After the upgrade (FortiOS 7.2.11):

 

config system admin
    edit "admin"                                       <----- Default admin.
        set accprofile "super_admin"
        set vdom "root"
        set password ENC PB2XCp/xu   -----snip-----   <----- PBKDF2
    next
    edit "test"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC SH2aZtOA   -----snip-----    <----- SHA256
    next
    edit "test10"
        set accprofile "prof_admin"
        set vdom "root"
        set password ENC SH2r7JR7v  -----snip-----    <----- SHA256
    next
end
 

Updating the hash function by changing the password.
Changing the password of a non-default administrator account updates the hash function to PBKDF2:
 

FortiGate# config system admin
FortiGate (admin) # edit test
FortiGate (test) # set password fortinet                <----- Changing the password of a non-default admin.

FortiGate (test) # show
config system admin
    edit "test"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC PB2N/Htll  -----snip-----   <----- PBKDF2
    next
end
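
To find the accounts that still need a password change after the upgrade, a configuration backup can be scanned for the 'SH2' prefix. The Python script below is an added example, not Fortinet code; the sample configuration (including its placeholder hash bodies) and the function names are constructed for illustration.

```python
import re
# Constructed sample in the article's layout; the hash bodies are placeholders.
SAMPLE_CONFIG = '''\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set password ENC PB2xxxxCONSTRUCTEDxxxx
        config gui-dashboard
            edit 1
                set name "Status"
            next
        end
    next
    edit "test"
        set password ENC SH2xxxxCONSTRUCTEDxxxx
    next
    edit "test10"
        set password ENC SH2xxxxCONSTRUCTEDxxxx
    next
end
'''

SCHEMES = {"SH2": "SHA256", "PB2": "PBKDF2"}  # prefixes as listed in the article's note

def admin_hash_schemes(config_text):
    """Map each admin in 'config system admin' to its password hash scheme."""
    result, in_block, depth, current = {}, False, 0, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_block:
            in_block = line == "config system admin"
        elif line.startswith("config "):
            depth += 1          # nested table such as gui-dashboard
        elif line == "end":
            if depth == 0:
                break           # end of the admin table
            depth -= 1
        elif depth == 0 and (m := re.match(r'edit "?([^"]+)"?$', line)):
            current = m.group(1)
            result[current] = "no password line"
        elif depth == 0 and current and (m := re.match(r"set password ENC (\S{3})", line)):
            result[current] = SCHEMES.get(m.group(1), "unknown prefix " + m.group(1))
    return result

def still_sha256(config_text):
    """Admins whose stored hash is still SHA256 and need a password change."""
    return sorted(n for n, s in admin_hash_schemes(config_text).items() if s == "SHA256")

if __name__ == "__main__":
    print(still_sha256(SAMPLE_CONFIG))
```
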
 

Related articles:

New features or enhancements | FortiGate / FortiOS 7.2.11 | Fortinet Document Library

Enhanced administrator password security NEW | FortiGate / FortiOS 7.2.11 | Fortinet Document Librar...
