FortiGate
ssavin (Staff)
Article Id 380476
Description This article describes why, after upgrading from FortiOS v7.2.11 to v7.6.0 or v7.4.7, local administrator access may be denied if the system password policy was reconfigured to force safer password storage with 'set login-lockout-upon-downgrade enable'.
Scope FortiGate.
Solution

While an upgrade from v7.2.11 to v7.4.7 (or to v7.6.0) is not a downgrade, it counts as one for the 'login-lockout-upon-downgrade' setting. This is because v7.4.7 and earlier v7.4 releases, as well as v7.6.0, do not support the safer password storage change: once an administrator's legacy SHA256 hash has been removed, those releases have no stored credential they can verify.

 

An upgrade from v7.2.11 to v7.4.8 or later (or to v7.6.1 or later) is not affected by this issue unless the chosen upgrade path passes through v7.4.7 or v7.6.0.

 

Resolution:

Before upgrading from v7.2.11 to v7.4.7 or v7.6.0, verify whether 'login-lockout-upon-downgrade' is enabled. If this setting was never enabled, no further action is required.

 

config system password-policy
    set login-lockout-upon-downgrade { enable | disable }
end

 

FortiOS v7.6.3 and later (the same setting under its new name):

 

config system password-policy
    set login-lockout-upon-weaker-encryption { enable | disable }
end

 

If login-lockout-upon-downgrade was enabled previously:

Disable the setting as follows.

 

config system password-policy
    set login-lockout-upon-downgrade disable
end

 

Each administrator must log in and log out once after the configuration change so that the legacy (SHA256) form of the stored password is generated again. An administrator who has not logged in since the change still has only the PBKDF2 hash and remains at risk.


If one or more administrators could be locked out after the upgrade, or if 'login-lockout-upon-downgrade' or 'login-lockout-upon-weaker-encryption' is enabled, a warning message is displayed when the upgrade or downgrade is attempted.

 

[Image: GUI warning]


If the upgrade is performed through FortiManager or another scheduled process, the warning is not shown. When planning a downgrade, or an upgrade to v7.4.7 or v7.6.0, in such environments, disable the 'login-lockout-upon-downgrade' setting before the upgrade and log in once with each administrator that must remain usable after the upgrade.

 

config system password-policy
    set login-lockout-upon-downgrade disable
end

 

Expected lockout behavior:

Beginning in FortiOS v7.2.11, v7.4.8, and v7.6.1, the security of locally stored system administrator passwords has been enhanced to use PBKDF2 hashing (see Enhanced administrator password security). For backward compatibility, the old SHA256 form of the password is also retained by default. This is controlled by the following setting:

 

FortiOS v7.2.x, v7.4.x:

 

config system password-policy
    set login-lockout-upon-downgrade { enable | disable }
end

 

If this setting is enabled, affected administrators will not be able to log in after a downgrade. When enabling the setting, a warning message appears, and the administrator must confirm it manually for the configuration to be applied.

 

erbium-kvm147 # config system password-policy
erbium-kvm147 (password-policy) # set login-lockout-upon-downgrade enable
erbium-kvm147 (password-policy) # end
The setting "login-lockout-upon-downgrade" enhances the resistance of stored passwords against brute force attacks.
Once enabled, downgrading the FortiOS firmware to a lower version where safer passwords are unsupported will lock out administrative users.
Do you want to continue? (y/n)y

 
 

When 'login-lockout-upon-downgrade' is enabled, stored passwords do not change immediately. Instead, the FortiGate tracks subsequent administrator login events: each administrator who logs in has the old (SHA256) version of their stored password removed, leaving only the PBKDF2 hash.

 

Once an administrator account has only the PBKDF2-hashed password, it will not be able to log in if the firewall firmware is changed to a version that does not support PBKDF2 stored passwords.


This lockout behavior applies only to locally stored administrator accounts.
Administrators that authenticate using a remote authentication method such as LDAP, RADIUS, or SAML are not affected.


Firmware versions that do not support safer stored passwords:

FortiOS v7.0 and previous firmware branches.

FortiOS v7.2.10 and earlier.

FortiOS v7.4.7 and earlier.

FortiOS v7.6.0.
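The following pre-flight check is an added example, not Fortinet code. It is meant for the FortiManager or scheduled-upgrade case described above, where the GUI warning is never shown: given a captured 'show system password-policy' output and the planned upgrade path, it reports whether the lockout setting is enabled and which hops in the path are versions from the list above that cannot authenticate a PBKDF2-only administrator. The sample policy outputs are constructed; the assumption that 'show' prints only non-default values (so an absent line means the setting is at its default, disable) and the treatment of branches newer than v7.6 as supporting PBKDF2 are the author's assumptions, not statements from the article. The script cannot tell which administrators have already logged in since the setting was enabled, so it treats every local administrator as potentially at risk.

```python
"""Pre-upgrade lockout check for FortiOS local administrator passwords.

Added example (not Fortinet code). Decides whether an upgrade path could lock
out local administrators because 'login-lockout-upon-downgrade' (renamed
'login-lockout-upon-weaker-encryption' in v7.6.3+) is enabled and the path
passes through a release that does not support PBKDF2-only stored passwords.
"""
import re


def supports_pbkdf2(version):
    """True if this FortiOS (major, minor, patch) can authenticate a PBKDF2-only admin.

    Unsupported per the article: every branch before 7.2, 7.2.x up to 7.2.10,
    7.4.x up to 7.4.7, and 7.6.0.  Branches newer than 7.6 are assumed (by this
    example, not the article) to keep the enhancement.
    """
    major, minor, patch = version
    if (major, minor) < (7, 2):
        return False
    if (major, minor) == (7, 2):
        return patch >= 11
    if (major, minor) == (7, 4):
        return patch >= 8
    if (major, minor) == (7, 6):
        return patch >= 1
    return True


def parse_version(text):
    """Parse 'v7.4.7' or '7.4.7' into a (major, minor, patch) tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError("unrecognized FortiOS version: %r" % text)
    return tuple(int(x) for x in m.groups())


LOCKOUT_SETTINGS = (
    "login-lockout-upon-downgrade",          # v7.2.11 / v7.4.8 / v7.6.1 name
    "login-lockout-upon-weaker-encryption",  # v7.6.3+ name
)


def lockout_setting_enabled(policy_output):
    """Return the name of the enabled lockout setting in the captured
    'show system password-policy' output, or None if it is absent/disabled.

    Assumption: 'show' prints only non-default values, so a missing line
    means the setting is at its default (disable)."""
    for line in policy_output.splitlines():
        m = re.match(r"\s*set\s+(login-lockout-upon-\S+)\s+(enable|disable)\s*$", line)
        if m and m.group(1) in LOCKOUT_SETTINGS and m.group(2) == "enable":
            return m.group(1)
    return None


def check_upgrade_path(policy_output, path):
    """Evaluate every hop of a planned upgrade path.

    Returns a dict with 'risk' (bool), 'setting' (enabled setting name or
    None) and 'risky_versions' (hops that cannot read PBKDF2-only passwords).
    If the setting is not enabled the legacy hash is retained and no hop is
    risky, regardless of version."""
    setting = lockout_setting_enabled(policy_output)
    if setting is None:
        return {"risk": False, "setting": None, "risky_versions": []}
    risky = [v for v in path if not supports_pbkdf2(parse_version(v))]
    return {"risk": bool(risky), "setting": setting, "risky_versions": risky}


# Constructed sample outputs of 'show system password-policy' (not captured
# from a real device).
SAMPLE_POLICY_ENABLED = """config system password-policy
    set status enable
    set login-lockout-upon-downgrade enable
end
"""
SAMPLE_POLICY_DEFAULT = """config system password-policy
end
"""


if __name__ == "__main__":
    # Upgrade path from v7.2.11 that stops at v7.4.7 before reaching v7.4.8.
    result = check_upgrade_path(SAMPLE_POLICY_ENABLED, ["v7.4.7", "v7.4.8"])
    if result["risk"]:
        print("LOCKOUT RISK: %s is enabled; disable it and have every local "
              "administrator log in once before upgrading through %s"
              % (result["setting"], ", ".join(result["risky_versions"])))
    else:
        print("No lockout risk detected for this path.")
```

Run it against a policy dump taken before the scheduled upgrade; a non-empty 'risky_versions' list means the procedure above (disable the setting, then have each local administrator log in and out once) must be completed first.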

 

Related article: