Created on
08-23-2019
02:02 AM
Edited on
03-18-2025
06:03 AM
By
Anthony_E
Description
This article explains what to do if the admin user loses his FortiToken or if the Token is not working.
Scope
FortiGate.
Solution
If FortiGate is registered to FortiGate Clould and has 'FortiGate Cloud Subscription' refer to article: Technical Tip: Recover access to FortiGate via FortiCloud
Otherwise, the remaining option is to Flash Format the device and upload a previously existing backup file.
Refer to the related KB article to format the boot device and reload the firmware image.
After reloading the image, before uploading the latest config file, remove the "Two-factor" lines/config from the backup as mentioned below :
- Open the config file and search for a particular 'Admin' using the name:
It will look like below :
config system admin
edit "Test"
set accprofile "super_admin"
set vdom "root"
set two-factor fortitoken
set fortitoken "FTKxxxxxxxxxx"
set email-to "adminxzx@fortixie1233.com"
set password ENC <*****encrypted password******>
next
end
The admin name is the name that is usually entered while logging in to FortiGate in the 'Username' field. 'Test' is shown in the example just for the representation, change the name according to the settings.
Replace the commands above by removing a few lines like below: In the below example from configuration Fortitoken is removed to bypass the two-factor token.
config system admin
edit "Test"
set accprofile "super_admin"
set vdom "root"
set password ENC <*****encrypted password******>
next
end
Note:
When uploading the old backup config file always make sure that current FortiOS matches the firmware mentioned in the backup file. If not perform a downgrade or upgrade to align with backup file and then perform the config file upload.
If FortiManager manages the FortiGate, remove the FortiToken assigned to the super admin from FortiManager, allowing access to the FortiGate without a token request.
On the FortiManager:
Go to Policy & Objects -> User Definition edit the user and uncheck/disable the Fortitoken.
Install a policy package to the FortiGate using the steps: Install a policy package
Related articles:
FortiToken configuration | FortiManager 7.4.4 | Fortinet Document Library
Technical Tip: Formatting and loading FortiGate firmware image using TFTP