Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ighita
Staff
Staff

Created on ‎03-22-2019 01:14 AM Edited on ‎03-21-2025 01:32 AM By Community Manager

Article Id 197045

Technical Tip: Resetting a lost admin password

Description

 
This article describes the situation where the FortiGate needs to be accessed or the admin account’s password needs to be changed but no one with the existing password is available. This article describes the use of a 'maintainer' account.
Warning: This procedure will require rebooting the FortiGate.
 
Scope
 
Any supported version of FortiGate with a FortiOS version before v7.2.4.


Solution

 

Note

Starting with v7.2.4, the 'maintainer' account was removed, meaning this method to reset a password will no longer work.


See FortiOS 7.2.4 - Release Notes - Changes in default behavior.

 

Alternative Method for FortiOS 7.2.4 and Later:

 

For FortiOS versions 7.2.4 and later, where the maintainer account is no longer available, follow these steps to reset the admin password:

 

Prerequisites:

  • Recent working configuration backup of the FortiGate.
  • Notepad++ or any text-comparing tool.
  • Console access to FortiGate.
  • Maintenance Window.

 

Step1:

  • Edit the existing configuration using Notepad++.
  • Turn on the YAML by selecting Language -> YAML from the main menu. This will help collapse the configuration.
  • Search for 'config system admin' and select '-' symbol in 'config gui-dashboard' line to collapse the gui-dashboard configuration.

 

197045_1.png

  197045_2.png

 

Delete the 'set password' line from the configuration and save the file as new with .conf extension.

 

197045_3.png

 

 

Step2:

Do the flash format of the device and load the same firmware version as the one in the existing configuration backup.

Refer to Technical Tip: Formatting and loading FortiGate firmware image using TFTP

 

Step3:

Access the device with the default management address 192.168.1.99 and login to the device using the default credentials username: admin /password: <no password>.

 

Upload the modified configuration file to the FortiGate.

 

197045_4.png

 

The device will get rebooted and be accessible with the previously configured management ip.

Login to device with using default credentials username: admin / password: <no passoword>

Post-login, reset the admin account password.

 

197045_5.JPG

 

Additional info:

If having access to the firewall with another 'super_admin' and want to reset the 'admin' account password that has been lost/forgotten, follow the below steps:

  1. Take config backup with existing logged-in 'super_admin'.
  2. Under account admin remove the whole line of 'set password ENC ---what ever hash----' and prepare the configs like below config system admin:

 

edit "admin"
    set accprofile "super_admin"
    set vdom "root"
next
end

 

Restore the config from the existing logged-in 'super_admin', after reboot it will prompt to set the password, and it is possible to set the new password.

Once logged into the FortiGate with the maintainer account (as described below), if the FortiGate is running FortiOS 6.0.3 or later, enter the 'execute factoryreset' command to return the FortiGate to its default configuration. 


This can be useful if the admin administrator account is deleted.

In newer versions of the BIOS, expect some changes to the behavior of the maintainer account. These changes will include:

  • The countdown timer for how to log enter the credentials has increased. Starting from when the device powers up, there will be 60 seconds instead of 30.
  • Using the maintainer account and resetting a password cause a log to be created; making these actions traceable for security purposes.
  • The account will be able to reset the password for any super-admin profile user in addition to the default admin user.  This takes into account the possibility that the default account has been renamed.
  • The only thing the maintainer account has permission to do is reset the passwords of super-admin profile accounts.

If maintainer is no longer supported by FortiGate and there's an existing copy of backup configuration, resetting the admin password is still possible by following this article.

 

Prerequisites:

  • A console cable.
  • Terminal software such as Putty.exe (Windows) or Terminal (MacOS).
  • The serial number of the FortiGate.


Procedure:
Step 1: Connect the computer to the firewall via the Console port on the back of the unit. In most units, this is done either by a Serial cable or an RJ-45 to Serial cable. Some units use a USB cable and FortiExplorer to connect to the console port.

Resetting a lost admin password for the VM-s using the maintainer account is not possible.
In this case, reverting to a snapshot or re-provisioning the VM and restoring the configuration (without a password for the admin account) is the only solution.
But resetting the Admin password for the VMs in Azure and AWS can be done as shown in the link at the bottom


Step 2: Start the terminal software.
Step 3: Connect to the firewall using the following:

  • Setting - Value.
  • SpeedBaud - 9600.
  • Data Bits - 8 Bit.
  • Parity - None.
  • Stop Bits - 1.
  • Flow Control - No Hardware Flow Control.
  • Com Port - the correct COM port.


Step 4: The firewall should then respond with its name or hostname. (If it does not, try pressing 'enter').
Step 5: Reboot the firewall. If there is no power button, disconnect the power adapter and reconnect it after 10 seconds. Plugging in the power too soon after unplugging it can cause corruption in the memory in some units.

Step 6: Wait for the Firewall name and login prompt to appear. The terminal window should display something similar to the following:
 
FortiGate (08:52-08.16.2024)
Ver:04000010
Serial number: FGTxxxxxxxxxxxxx
CPU(00): 525MHz
Total RAM: 512 MB
NAND init... 128 MB
MAC Init... nplite#0
Press any key to display configuration menu...
......
reading boot image 1163092 bytes.
Initializing firewall...      
System is started.
login:
 
Step 7: Type in the username 'maintainer'.
Step 8: The password is bcpb + the serial number of the firewall (the letters of the serial number are in UPPERCASE format). For example bcpbFGT60C3G10xxxxxx.

Note:
On some devices, after the device boots, only an entry window of 14 seconds or less is available to type in the username and password. 
It might therefore be necessary to have the credentials ready in a text editor to copy and paste into the login screen. 
There is no indicator of when the time runs out, so it may take more than one attempt to succeed.
 
Step 9: A connection to the firewall should be established. To change the admin password, type the following:

In a unit where VDOMs are not enabled:
 
config system admin
    edit admin
        set password <new password>
end

In a unit where VDOMs are enabled:
 
config global
    config system admin
        edit admin
            set password <new password>
end
 
If a user has deleted the default 'admin' account and has another super_admin profile account, then also using this method super_admin profile admin user password can be reset.
 
    config system admin
              edit ? <----- Will show all the super_admin accounts.
sadmin
edit sadmin
set password <new password>
end
 
If the FortiGate is running v6.0.3 or later, enter the following command to reset the FortiGate to its factory default configuration. 
 
This can be useful if the admin administrator account has been deleted.
 
execute factoryreset
 
Warning:
Some users may be concerned that this process offers a backdoor into the system. 
The maintainer feature/account is enabled by default, but there is an option to disable it. However, if the feature is disabled and the password is lost without any users who can log in as a super admin profile administrator, there will be no options available to access FortiGate.

If 'PASSWORD RECOVERY FUNCTIONALITY IS DISABLED' shows on the console while attempting to access the maintainer account, the maintainer account has been disabled.
 
To disable the maintainer feature/account, run the following command in the CLI:
 
config system global
    set admin-maintainer disable
end
 
To enable it:
 
config system global
    set admin-maintainer enable
end
 
In case it is a cluster: 
The process to reset a lost admin password should consider the following steps.
Turn off the secondary unit, unplug the cables from the same secondary unit. At this point Customer can use the maintainer user account as described at the beginning of this document, then change the admin password (the device password recovery done should be primary again), it will sync with another cluster member.
 
Additional info:
The admin password can also be recovered if the FortiGate has a 'FortiGate Cloud paid Subscription' and is currently connected/managed on FortiGate Cloud.:Technical Tip: Reset FortiGate admin password via FortiGate Cloud.
The admin password can also be recovered for the FortiGate VM in azure: Technical Tip: Guide to Resetting Azure FortiGate-VM Password via Azure Cloud Shell and GUI.
The admin password can also be recovered for the FortiGate VM in AWS: Technical Tip: AWS FortiGate Password Recovery.
 

Related documents:

Labels:
523370
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.