Created on
03-22-2019
01:14 AM
Edited on
11-28-2024
11:18 PM
By
Jean-Philippe_P
Description
Solution
Note:
Starting with v7.2.4, the 'maintainer' account was removed, meaning this method to reset a password will no longer work.
See FortiOS 7.2.4 - Release Notes - Changes in default behavior.
Additional info:
If having access to the firewall with another 'super_admin' and want to reset the 'admin' account password that has been lost/forgotten, follow the below steps:
- Take config backup with existing logged-in 'super_admin'.
- Under account admin remove the whole line of 'set password ENC ---what ever hash----' and prepare the configs like below config system admin:
edit "admin"
set accprofile "super_admin"
set vdom "root"
next
end
Restore the config from the existing logged-in 'super_admin', after reboot it will prompt to set the password, and it is possible to set the new password.
Once logged into the FortiGate with the maintainer account (as described below), if the FortiGate is running FortiOS 6.0.3 or later, enter the 'execute factoryreset' command to return the FortiGate to its default configuration.
This can be useful if the admin administrator account is deleted.
In newer versions of the BIOS, expect some changes to the behavior of the maintainer account. These changes will include:
- The countdown timer for how to log enter the credentials has increased. Starting from when the device powers up, there will be 60 seconds instead of 30.
- Using the maintainer account and resetting a password cause a log to be created; making these actions traceable for security purposes.
- The account will be able to reset the password for any super-admin profile user in addition to the default admin user. This takes into account the possibility that the default account has been renamed.
- The only thing the maintainer account has permission to do is reset the passwords of super-admin profile accounts.
Prerequisites:
- A console cable.
- Terminal software such as Putty.exe (Windows) or Terminal (MacOS).
- The serial number of the FortiGate.
Procedure:
Step 1: Connect the computer to the firewall via the Console port on the back of the unit. In most units, this is done either by a Serial cable or an RJ-45 to Serial cable. Some units use a USB cable and FortiExplorer to connect to the console port.
Resetting a lost admin password for the VM-s using the maintainer account is not possible.
In this case, reverting to a snapshot or re-provisioning the VM and restoring the configuration (without a password for the admin account) is the only solution.
But resetting the Admin password for the VMs in Azure and AWS can be done as shown in the link at the bottom
Step 2: Start the terminal software.
Step 3: Connect to the firewall using the following:
- Setting - Value.
- SpeedBaud - 9600.
- Data Bits - 8 Bit.
- Parity - None.
- Stop Bits - 1.
- Flow Control - No Hardware Flow Control.
- Com Port - the correct COM port.
Step 4: The firewall should then respond with its name or hostname. (If it does not, try pressing 'enter').
Step 5: Reboot the firewall. If there is no power button, disconnect the power adapter and reconnect it after 10 seconds. Plugging in the power too soon after unplugging it can cause corruption in the memory in some units.
Ver:04000010
Serial number: FGTxxxxxxxxxxxxx
CPU(00): 525MHz
Total RAM: 512 MB
NAND init... 128 MB
MAC Init... nplite#0
Press any key to display configuration menu...
......
reading boot image 1163092 bytes.
Initializing firewall...
System is started.
login:
Step 8: The password is bcpb + the serial number of the firewall (the letters of the serial number are in UPPERCASE format). For example bcpbFGT60C3G10xxxxxx.
Note:
In a unit where VDOMs are not enabled:
edit admin
set password <new password>
In a unit where VDOMs are enabled:
Some users may be concerned that this process offers a backdoor into the system.
If 'PASSWORD RECOVERY FUNCTIONALITY IS DISABLED' shows on the console while attempting to access the maintainer account, the maintainer account has been disabled.
Related documents:
Remove maintainer account 7.2.4
Installing firmware from system reboot
Reset FortiGate admin password via FortiGate Cloud
Technical Tip: Guide to Resetting Azure FortiGate-VM Password via Azure Cloud Shell and GUI
Technical Tip: AWS FortiGate Password Recovery
Technical Tip: Recommendations and common scenarios for Administrator access on FortiGate
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
This article is applicable for 7.0 fortiOS also.
Note:- Starting with FortiOS 7.2.4 the maintainer account was removed.