- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Lock Out of My FG800C, Missing "admin" User
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Lock Out of My FG800C, Missing "admin" User
I have a FG 800C that was working fine
I Backup my configuration, edit it and restore it
now I cannot login to the unit,
every try resolve i wrong user and password
I Try to Login using Fortiexplorer with user "maintainer" to recover my password.
I can login, but when trying to reset password i get this massage:
FG800C # config system admin
FG800C (admin) # edit admin 'maintainer' account can only edit existing admins. node_check_object fail! for name admin
value parse error before 'admin' Command fail. Return code -37
It seems like there is no user name "admin"
is there any way to recover the user? or even restore everything to default?
Solved! Go to Solution.
2 Solutions
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You've got a (hopefully) valid backup config file. There is no other way to break into a FGT than using the maintainer access (physical access required).
Check the config file (text file) for gross mistakes, like missing routing section (at the end), and especially that the 'config system admin' section is complete and valid.
Then I would
- reboot
- interrupt boot sequence
- format flash disk
- reload the same firmware via TFTP
- reload the config
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not bad, well spotted! I wonder how that happened...
For the boot sequence rebuild you need to have a serial console connection and terminal emulation running. Then you can see the messages on boot and interrupt the process by hitting <SPACE> (or any key, haven't tried).
You will enter a small menu where you select items by their first letter.
Proceed from there, it's obvious.
One more caveat: you need to have a TFTP server running in your LAN, to reload the firmware image. I recommend 'tftpd32' from Philippe Junot for a Windows host.
Actually there is a second way to restore firmware and config: via USB stick. Requirement is that this is enabled in the config (which you can probably do via 'maintainer'):
config system auto-install
set auto-install-config enable
set auto-install-image enable
set default-config-file fgt_system.conf
set default-image-file image.out
end
You put the config file and firmware image file onto a USB stick (FAT32 formatted) and connect that to the USB port of the FGT. On reboot, firmware version and config file are compared to the existing ones, and reloaded if different. This might take a couple of reboots.
In essence, you're not required to set up a TFTP server this way.
In the code above, I've given the default filenames. Just rename yours and you're good.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You've got a (hopefully) valid backup config file. There is no other way to break into a FGT than using the maintainer access (physical access required).
Check the config file (text file) for gross mistakes, like missing routing section (at the end), and especially that the 'config system admin' section is complete and valid.
Then I would
- reboot
- interrupt boot sequence
- format flash disk
- reload the same firmware via TFTP
- reload the config
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would double check that admin is or is not present
show sys admin | grep admin
It would not hurt to see what other accounts are present at the same time.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ede_pfau wrote:Thank you for replayingYou've got a (hopefully) valid backup config file. There is no other way to break into a FGT than using the maintainer access (physical access required).
Check the config file (text file) for gross mistakes, like missing routing section (at the end), and especially that the 'config system admin' section is complete and valid.
Then I would
- reboot
- interrupt boot sequence
- format flash disk
- reload the same firmware via TFTP
- reload the config
I found the mistake in the config file
there was a wrong type of quotes in one of the Vlans
It seem to ignore all the setting that is writing after the quotes like the 'config system admin' parts
Wrong:
edit "Vlan10" set vdom "root" set ip 10.10.10.1 255.255.255.0 set role lan set snmp-index 35 set interface "port4” set vlanid 10 Right:
edit "Vlan10" set vdom "root" set ip 10.10.10.1 255.255.255.0 set role lan set snmp-index 35 set interface "port4" set vlanid 10
I don't have experience with this process (interrupt boot sequence | reload firmware via TFTP
Can you please refer me to some details instructions?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not bad, well spotted! I wonder how that happened...
For the boot sequence rebuild you need to have a serial console connection and terminal emulation running. Then you can see the messages on boot and interrupt the process by hitting <SPACE> (or any key, haven't tried).
You will enter a small menu where you select items by their first letter.
Proceed from there, it's obvious.
One more caveat: you need to have a TFTP server running in your LAN, to reload the firmware image. I recommend 'tftpd32' from Philippe Junot for a Windows host.
Actually there is a second way to restore firmware and config: via USB stick. Requirement is that this is enabled in the config (which you can probably do via 'maintainer'):
config system auto-install
set auto-install-config enable
set auto-install-image enable
set default-config-file fgt_system.conf
set default-image-file image.out
end
You put the config file and firmware image file onto a USB stick (FAT32 formatted) and connect that to the USB port of the FGT. On reboot, firmware version and config file are compared to the existing ones, and reloaded if different. This might take a couple of reboots.
In essence, you're not required to set up a TFTP server this way.
In the code above, I've given the default filenames. Just rename yours and you're good.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you!
I manager to get my system up and running again using the TFTP
note user maintainer cannot set "config system auto-install"
Related Posts
- Tunnel through main building to connected... 101 Views
- Missing Client certificate in Forticlient drop... 267 Views
- Missing "Security Profiles" menu in Fortigate... 462 Views
- EMS TAG synchronisation Problems 299 Views
- Facebook Just Wont Die 547 Views
Labels
-
FortiGate
6,420 -
FortiClient
1,280 -
5.2
801 -
5.4
639 -
FortiManager
557 -
6.0
416 -
FortiAnalyzer
408 -
5.6
362 -
FortiSwitch
329 -
FortiAP
322 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
102 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
81 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
IPsec
62 -
Wireless Controller
56 -
SSL-VPN
52 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
FortiPortal
17 -
VLAN
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
ZTNA
15 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
DNS
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
Interface
10 -
VDOM
10 -
FortiWeb v5.0
9 -
BGP
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
Traffic shaping
8 -
Virtual IP
8 -
RADIUS
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
NAT
6 -
IP address management - IPAM
6 -
SSID
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiAuthenticator
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
Security profile
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
Web application firewall profile
3 -
FortiToken Cloud
3 -
Automation
3 -
DoS policy
3 -
FortiTester
3 -
OSPF
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
Intrusion prevention
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.