nsubramanian
Staff
Article Id 193487

Description


This article explains what to do if the admin user loses his FortiToken or if the token is not working.

 

Scope

 

FortiGate.

Solution


If the FortiGate is registered to FortiGate Cloud and has a 'FortiGate Cloud Subscription', refer to the article: Technical Tip: Recover access to FortiGate via FortiCloud.

Otherwise, the remaining option is to Flash Format the device and upload a previously existing backup file.

Refer to the attached KB to format the boot device and reload the firmware image.

After reloading the image, and before uploading the latest config file, remove the two-factor lines from the backup as described below:

  1. Open the config file and search for the relevant admin by name. The entry will look like this:

 

config system admin
    edit "Test"
        set accprofile "super_admin"
        set vdom "root"
        set two-factor fortitoken
        set fortitoken "FTKxxxxxxxxxx"
        set email-to "adminxzx@fortixie1233.com"
        set password ENC <*****encrypted password******>
    next
end

 

The admin name is the name entered in the 'Username' field when logging in to FortiGate.
'Test' is used here only as an example; change the name to match the actual settings.

Remove the two-factor lines from the entry, as shown below.

In this example, the 'set two-factor', 'set fortitoken' and 'set email-to' lines are removed from the configuration so that the admin can log in without the two-factor token.

 

config system admin
    edit "Test"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC <*****encrypted password******>
    next
end
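One way to script the edit described above so that it touches only the named admin's entry under 'config system admin' and leaves every other account's two-factor settings in place. This is an added example, not Fortinet's code: the function name and the sample backup are constructed, and it assumes the plain-text backup layout shown in this article.

```python
# Settings the article removes from the locked-out admin's entry.
TWO_FACTOR_KEYS = ("two-factor", "fortitoken", "email-to")

def strip_admin_two_factor(config_text, admin_name):
    """Drop two-factor settings from one entry of 'config system admin' only."""
    out, removed, in_target = [], [], False
    depth = 0  # 0 = outside the admin table, 1 = its entries, >1 = nested tables
    for line in config_text.splitlines():
        s, words = line.strip(), line.split()
        if depth == 0:
            depth = int(s == "config system admin")
        elif words[:1] == ["config"]:
            depth += 1
        elif s == "end":
            depth -= 1
        elif depth == 1 and words[:1] == ["edit"]:
            in_target = s[4:].strip().strip('"') == admin_name
        elif depth == 1 and s == "next":
            in_target = False
        elif (in_target and depth == 1 and len(words) >= 3
              and words[0] == "set" and words[1] in TWO_FACTOR_KEYS):
            removed.append(s)
            continue  # drop the line from the output
        out.append(line)
    return "\n".join(out) + "\n", removed

# Constructed sample backup (placeholder values, not from a real device).
SAMPLE = """\
config system admin
    edit "Test"
        set two-factor fortitoken
        set fortitoken "FTKxxxxxxxxxx"
        set email-to "test@example.com"
        set password ENC <placeholder>
    next
    edit "Other"
        set two-factor fortitoken
        set fortitoken "FTKyyyyyyyyyy"
    next
end
config user local
    edit "Test"
        set two-factor fortitoken
    next
end
"""
if __name__ == "__main__":
    new_config, removed = strip_admin_two_factor(SAMPLE, "Test")
    print("removed:", removed)
```

The returned list of removed lines can be kept as a record of what to restore once a replacement token is assigned.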

 

If FortiManager manages the FortiGate, remove the FortiToken assigned to the super admin from FortiManager. This allows access to the FortiGate without a token request.

On the FortiManager:

Go to Policy & Objects -> User Definition, edit the user, and uncheck/disable the FortiToken.
Install a policy package to the FortiGate using the steps in: Install a policy package.

 
