ssavin
Staff
Article Id 380476
Description This article describes why, after upgrading from FortiOS v7.2.11 to v7.6.0 or v7.4.7, administrator access may be denied if the system password-policy was reconfigured to force safer password storage using 'set login-lockout-upon-downgrade enable'.
Scope FortiGate.
Solution

While an upgrade from v7.2.11 to v7.4.7 is not a downgrade, it counts as one for the purposes of the 'login-lockout-upon-downgrade' setting. This is because v7.4.7 and earlier v7.4 versions do not support the safer password storage change.

Before upgrading from v7.2.11 to v7.4.7, if 'login-lockout-upon-downgrade' is enabled, disable it. After disabling the setting, log in and log out once with each administrator account. If this is not done, administrators who did not log in may be locked out after the upgrade.

config system password-policy
    set login-lockout-upon-downgrade disable
end

If this setting was never enabled, no further action is required before the upgrade.

Expected lockout behavior:

Beginning in FortiOS v7.2.11 and v7.6.1, and in the upcoming v7.4.8, the security of stored system administrator passwords has been enhanced (Issue ID# 752946). By default, for backward compatibility, the old version of the stored password is also retained. To improve the security of system administrator passwords, FortiGate now uses the PBKDF2 hashing algorithm with a randomized salt for password hashing and storage. This is reflected in the following setting.

config system password-policy
    set login-lockout-upon-downgrade { enable | disable }
end

When enabling login-lockout-upon-downgrade, a warning message will appear. To apply the configuration, an administrator must confirm the setting manually.

erbium-kvm147 # config system password-policy
erbium-kvm147 (password-policy) # set login-lockout-upon-downgrade enable
erbium-kvm147 (password-policy) # end
The setting "login-lockout-upon-downgrade" enhances the resistance of stored passwords against brute force attacks.
Once enabled, downgrading the FortiOS firmware to a lower version where safer passwords are unsupported will lock out administrative users.
Do you want to continue? (y/n)y

When 'login-lockout-upon-downgrade' is enabled, stored passwords do not change immediately. Instead, the FortiGate tracks future administrator login events: each administrator who logs in has the old version of their stored password removed.

Once an administrator account only has the safer stored password, it will not be able to log in if the firewall is later downgraded or upgraded to a firmware version that does not support it.

Firmware versions that do not support safer stored passwords:
FortiOS v7.0 and previous firmware branches.
FortiOS v7.2.10 and earlier.
FortiOS v7.4.7 and earlier.
FortiOS v7.6.0.

An upgrade from v7.2.11 to future v7.4 releases such as the upcoming v7.4.8 is not affected by this issue unless the upgrade path includes v7.4.7.
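As an added example (not Fortinet's code and not part of this article), a small Python pre-upgrade check that encodes the version list above and the "disable, then log in once" procedure: it reads the setting from a config dump and flags a planned move from a build that supports the safer stored password to one that does not. The supporting builds (v7.2.11, v7.4.8, v7.6.1) come from this article; treating branches newer than 7.6 as supporting is an assumption, and the sample config is constructed.

```python
import re

# First patch level per branch that supports PBKDF2-only stored passwords (article: v7.2.11, v7.4.8, v7.6.1).
FIRST_SUPPORTED_PATCH = {(7, 2): 11, (7, 4): 8, (7, 6): 1}

def parse_version(text):
    """Turn 'v7.4.7' or '7.4.7' into a (major, minor, patch) tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    return tuple(int(x) for x in m.groups())

def supports_safer_passwords(version):
    """True if this build can authenticate a PBKDF2-only stored password."""
    major, minor, patch = version
    first_patch = FIRST_SUPPORTED_PATCH.get((major, minor))
    if first_patch is None:
        # 7.0 and earlier branches predate the change; branches newer than 7.6 are ASSUMED to inherit it.
        return (major, minor) > (7, 6)
    return patch >= first_patch

def lockout_enabled(config_text):
    """True if 'config system password-policy' sets login-lockout-upon-downgrade enable."""
    in_block = False
    for line in config_text.splitlines():
        s = line.strip()
        if s == "config system password-policy":
            in_block = True
        elif in_block and s == "end":
            in_block = False
        elif in_block and s.startswith("set login-lockout-upon-downgrade"):
            return s.split()[-1] == "enable"
    return False

def preupgrade_advice(config_text, current, target):
    """Classify a planned firmware move: leaving a supporting build for a
    non-supporting one counts as a downgrade even if the version number rises."""
    if not lockout_enabled(config_text):
        return "no-action-needed"
    if supports_safer_passwords(parse_version(current)) and not supports_safer_passwords(parse_version(target)):
        return "disable-then-relogin"
    return "safe"

# Constructed sample config fragment, not taken from a real device.
SAMPLE_CONFIG = """\
config system password-policy
    set login-lockout-upon-downgrade enable
end
"""
print(preupgrade_advice(SAMPLE_CONFIG, "v7.2.11", "v7.4.7"))  # disable-then-relogin
```

"disable-then-relogin" means: disable the setting, then log in and out once with every administrator account before starting the upgrade.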

If login-lockout was enabled previously but is disabled to support a downgrade:

Each administrator must log in and log out once after the configuration change to generate the old version of the stored password again.

If one or more administrators could be locked out after the upgrade, or if 'login-lockout-upon-downgrade' is enabled, a warning message is displayed when the upgrade or downgrade is attempted.

If the upgrade is completed via FortiManager or another scheduled process, the warning will not be shown. In such environments, it is recommended to disable the 'login-lockout-upon-downgrade' setting before the upgrade and log in once with each administrator account that must be retained after the upgrade.

config system password-policy
    set login-lockout-upon-downgrade disable
end

Refer to the following New Features page for more information: Enhanced administrator password security.