I have a FG 800C that was working fine.
I backed up my configuration, edited it and restored it.
Now I cannot log in to the unit;
every try results in wrong user and password.
I tried to log in using FortiExplorer with user "maintainer" to recover my password.
I can log in, but when trying to reset the password I get this message:
FG800C # config system admin
FG800C (admin) # edit admin
'maintainer' account can only edit existing admins.
node_check_object fail! for name admin
value parse error before 'admin'
Command fail. Return code -37
It seems like there is no user name "admin".
Is there any way to recover the user, or even restore everything to default?
You've got a (hopefully) valid backup config file. There is no other way to break into a FGT than using the maintainer access (physical access required).
Check the config file (text file) for gross mistakes, like missing routing section (at the end), and especially that the 'config system admin' section is complete and valid.
Then I would
- reboot
- interrupt boot sequence
- format flash disk
- reload the same firmware via TFTP
- reload the config
I would double check that admin is or is not present
show sys admin | grep admin
It would not hurt to see what other accounts are present at the same time.
PCNSE
NSE
StrongSwan
Thank you for replying.
ede_pfau wrote:
You've got a (hopefully) valid backup config file. There is no other way to break into a FGT than using the maintainer access (physical access required).
Check the config file (text file) for gross mistakes, like missing routing section (at the end), and especially that the 'config system admin' section is complete and valid.
Then I would
- reboot
- interrupt boot sequence
- format flash disk
- reload the same firmware via TFTP
- reload the config
I found the mistake in the config file:
there was a wrong type of quotes in one of the Vlans.
It seems to ignore all the settings that are written after the quotes, like the 'config system admin' part.
Wrong:
edit "Vlan10"
set vdom "root"
set ip 10.10.10.1 255.255.255.0
set role lan
set snmp-index 35
set interface "port4”
set vlanid 10
Right:
edit "Vlan10"
set vdom "root"
set ip 10.10.10.1 255.255.255.0
set role lan
set snmp-index 35
set interface "port4"
set vlanid 10
I don't have experience with this process (interrupt boot sequence | reload firmware via TFTP).
Can you please refer me to some detailed instructions?
Not bad, well spotted! I wonder how that happened...
For the boot sequence rebuild you need to have a serial console connection and terminal emulation running. Then you can see the messages on boot and interrupt the process by hitting <SPACE> (or any key, haven't tried).
You will enter a small menu where you select items by their first letter.
Proceed from there, it's obvious.
One more caveat: you need to have a TFTP server running in your LAN, to reload the firmware image. I recommend 'tftpd32' from Philippe Junot for a Windows host.
Actually there is a second way to restore firmware and config: via USB stick. Requirement is that this is enabled in the config (which you can probably do via 'maintainer'):
config system auto-install
set auto-install-config enable
set auto-install-image enable
set default-config-file fgt_system.conf
set default-image-file image.out
end
You put the config file and firmware image file onto a USB stick (FAT32 formatted) and connect that to the USB port of the FGT. On reboot, firmware version and config file are compared to the existing ones, and reloaded if different. This might take a couple of reboots.
In essence, you're not required to set up a TFTP server this way.
In the code above, I've given the default filenames. Just rename yours and you're good.
Thank you!
I managed to get my system up and running again using the TFTP.
Note: user maintainer cannot set "config system auto-install".
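A pre-restore check for the mistake found in this thread, as an added example that is not part of the original posts: it flags typographic quotes and lines with unbalanced ASCII quotes in a backup file, lists the top-level sections that follow the first problem line, and confirms that 'config system admin' still has an entry. The function name, the sample config and the set of quote characters checked are assumptions made for illustration.

```python
import re

# Typographic quotes that editors and word processors substitute for ASCII quotes.
SMART_QUOTES = "\u201c\u201d\u201e\u2018\u2019"

def lint_fortigate_config(text):
    """Return findings for a config backup (hypothetical helper).

    bad_quotes: (line_no, char, line) for each typographic quote
    unbalanced: line numbers with an odd count of unescaped ASCII "
                (heuristic: multi-line values such as certificates also trip it)
    at_risk:    top-level sections that start after the first problem line
    has_admin:  True if 'config system admin' contains an 'edit' entry
    """
    bad_quotes, unbalanced, sections = [], [], []
    in_admin = has_admin = False
    for no, line in enumerate(text.splitlines(), start=1):
        for ch in line:
            if ch in SMART_QUOTES:
                bad_quotes.append((no, ch, line.strip()))
        if len(re.findall(r'(?<!\\)"', line)) % 2:
            unbalanced.append(no)
        if line.startswith("config "):  # unindented line = top-level section
            name = line[len("config "):].strip()
            sections.append((no, name))
            in_admin = name == "system admin"
        elif in_admin and line.strip().startswith("edit "):
            has_admin = True
    problems = [n for n, _, _ in bad_quotes] + unbalanced
    first = min(problems) if problems else None
    at_risk = [name for no, name in sections if first is not None and no > first]
    return {"bad_quotes": bad_quotes, "unbalanced": unbalanced,
            "at_risk": at_risk, "has_admin": has_admin}

# Constructed sample reproducing the curly quote after port4 from the thread.
SAMPLE = ('config system interface\n    edit "Vlan10"\n        set vdom "root"\n'
          '        set interface "port4\u201d\n        set vlanid 10\n    next\nend\n'
          'config system admin\n    edit "admin"\n'
          '        set accprofile "super_admin"\n    next\nend\n'
          'config router static\nend\n')

if __name__ == "__main__":
    report = lint_fortigate_config(SAMPLE)
    for no, ch, line in report["bad_quotes"]:
        print(f"line {no}: typographic quote U+{ord(ch):04X} in: {line}")
    print("sections after first problem line:", report["at_risk"])
    print("admin entry present in file:", report["has_admin"])
```

On the sample, 'system admin' is listed as at risk even though the section is present in the text file, which matches what the original poster observed after the restore.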