FortiGate
nsubramanian
Staff
Article Id 193487

Description


This article explains what to do if an admin user loses their FortiToken or if the token is not working.

 

Scope

 

FortiGate.

Solution


If the FortiGate is registered to FortiGate Cloud and has a 'FortiGate Cloud Subscription', refer to the article: Technical Tip: Recover access to FortiGate via FortiCloud

 

Otherwise, the remaining option is to Flash Format the device and upload a previously existing backup file.

Refer to the related KB article to format the boot device and reload the firmware image.

After reloading the image, and before uploading the latest config file, remove the "Two-factor" lines/config from the backup as shown below:

 

  1. Open the config file and search for a particular 'Admin' using the name:

 

It will look like the example below:

 

config system admin
    edit "Test"
        set accprofile "super_admin"
        set vdom "root"
        set two-factor fortitoken
        set fortitoken "FTKxxxxxxxxxx"
        set email-to "adminxzx@fortixie1233.com"
        set password ENC <*****encrypted password******>
    next
end

 

The admin name is the name that is usually entered in the 'Username' field when logging in to FortiGate. 'Test' is used in the example for illustration only; change the name according to the settings.

Replace the commands above by removing a few lines, as shown below.
In the example below, the FortiToken settings are removed from the configuration to bypass the two-factor token.

 

config system admin
    edit "Test"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC <*****encrypted password******>
    next
end
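The manual edit above can also be scripted so that only the named administrator's entry is touched and every removed line is reported for review. This is an added example, not Fortinet code: the function name and the sample backup are constructed for illustration, and it assumes no multi-line quoted value in the backup contains a line that reads "end" or "next".

```python
# Keys removed from the admin entry in the article's example.
TWO_FACTOR_KEYS = {"two-factor", "fortitoken", "email-to"}

def strip_admin_two_factor(config_text, admin_name):
    """Return (new_text, removed_lines); only admin_name's entry is changed."""
    stack = []      # names of the currently open "config ..." blocks
    current = None  # admin entry being read inside "config system admin"
    kept, removed = [], []
    for line in config_text.splitlines(keepends=True):
        words = line.split()
        # True only directly inside the admin table, not in nested blocks.
        in_admin_table = bool(stack) and stack[-1] == "system admin"
        if words[:1] == ["config"]:
            stack.append(" ".join(words[1:]))
        elif words == ["end"] and stack:
            stack.pop()
        elif in_admin_table and words[:1] == ["edit"]:
            current = " ".join(words[1:]).strip('"')
        elif in_admin_table and words == ["next"]:
            current = None
        elif (in_admin_table and current == admin_name
              and len(words) >= 2 and words[0] == "set"
              and words[1] in TWO_FACTOR_KEYS):
            removed.append(line.strip())
            continue  # drop this line from the output
        kept.append(line)
    return "".join(kept), removed

# Constructed sample backup fragment (not from a real device).
SAMPLE = '''config system admin
    edit "Test"
        set accprofile "super_admin"
        set vdom "root"
        set two-factor fortitoken
        set fortitoken "FTKxxxxxxxxxx"
        set email-to "admin@example.com"
        set password ENC <encrypted password>
    next
    edit "Other"
        set accprofile "super_admin"
        set two-factor fortitoken
        set fortitoken "FTKyyyyyyyyyy"
    next
end
'''

if __name__ == "__main__":
    new_text, removed = strip_admin_two_factor(SAMPLE, "Test")
    print("Removed lines:", *removed, sep="\n  ")
    print(new_text)
```

Check the reported lines against the original backup before uploading the edited file; entries for other administrators are left unchanged.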

 

Note:

When uploading the old backup config file, always make sure that the current FortiOS version matches the firmware mentioned in the backup file. If it does not, perform a downgrade or upgrade to align with the backup file, and then upload the config file.

 

If FortiManager manages the FortiGate, remove the FortiToken assigned to the super admin from FortiManager, allowing access to the FortiGate without a token request.

 

On the FortiManager:

Go to Policy & Objects -> User Definition, edit the user, and uncheck/disable the FortiToken.
Install a policy package to the FortiGate using the steps in: Install a policy package

 

Related articles:

FortiToken configuration | FortiManager 7.4.4 | Fortinet Document Library

Technical Tip: Formatting and loading FortiGate firmware image using TFTP

Technical Tip: Resetting a lost Admin password

Technical Tip: FortiGate Resource Lists