unknown1020
New Contributor III

default admin account

Friends, good day.
One question: for security reasons we have to remove all admin accounts from the FortiGate.

 

Screenshot_3.jpg

 

However, the following is displayed on the dashboard:

 

Screenshot_2.jpg

 

It is observed that the admin account is associated with the IP 172.0.0.1, which is a local host.

Would deleting the admin account have any impact?

chauhans
Staff
unknown1020
New Contributor III

Thanks for answering. So deleting that account doesn't generate any impact? I ask since the second image shows the IP 172.0.0.1 associated with the admin account. And from what I understand, that IP is a local host.

Toshi_Esumi
SuperUser

Actually, from some point of 6.0.x, you can delete "admin" admin user directly without renaming it to something else. We do that all the time to virtually all FGTs we install for our customers. No particular side effect I'm aware of.

Just need to create a new admin user, then log in again with the new user name. Then you can remove the "admin".

 

config sys admin
  edit "new-admin"
    set accprofile "super_admin"
    set password <whatever_the_password_is>
  next
end
exit

 

Then log in with "new-admin".

 

config sys admin
  delete admin
end

 

Toshi

pgautam
Staff

Hi @unknown1020 

 

 

In FortiGate you can rename or delete an admin account without any bad consequences whatsoever.

Here is how to do it on CLI of the FortiGate.

1) Before diving into the config, you may want to know a few facts about the procedure:

2) You cannot rename/delete the admin user while logged in with it.

3) You first have to create another user privileged enough (super_admin) to make changes to admin. This way FortiGate prevents you from locking yourself out of the management.

4) Just renaming the admin does NOT alter its password, so you can still log in with the existing one.

5) You can rename the user back to admin if you want to, i.e. the renaming is reversible.

6) If you delete admin, you can later create a new user named admin again.


Regards

Priyanka

 


ede_pfau
SuperUser

First, you are currently logged in as 'admin'. Your sessions are shown in the screenshot.

As long as you are logged in, you cannot remove the account.

Create a new administrative account with profile 'super_admin', log out, log in as the new user and delete the 'admin' account.

This will have no adverse effects whatsoever.

Second, what you observe is sessions to '127.0.0.1', not '172.0.0.1'. The first is the 'localhost' address, that is, the PC you are currently logged in to. The second is indeed a private address of a LAN which is unknown to you (no wonder). So in short, this is perfectly OK.


Ede


"Kernel panic: Aiee, killing interrupt handler!"
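The replies above agree on the order: create a second super_admin, log in as it, then delete "admin". As an added example (not part of the thread and not Fortinet code), this Python check reads a saved configuration backup and reports whether that precondition holds before the delete is run. It assumes the backup spells the table out as `config system admin` with `edit`/`set`/`next`/`end` entries; the function names and the sample text are constructed for illustration.

```python
import shlex

def parse_admins(config_text):
    """Map admin name -> settings from the 'config system admin' table of a backup."""
    admins, current, depth, in_table = {}, None, 0, False
    for raw in config_text.splitlines():
        tok = shlex.split(raw)           # handles quoted names such as "new-admin"
        if not tok:
            continue
        if not in_table:
            in_table = tok == ["config", "system", "admin"]
        elif tok[0] == "config":         # nested table inside an admin entry
            depth += 1
        elif tok[0] == "end":
            if depth == 0:
                break                    # end of 'config system admin'
            depth -= 1
        elif depth == 0 and tok[0] == "edit" and len(tok) > 1:
            current = admins.setdefault(tok[1], {})
        elif depth == 0 and tok[0] == "next":
            current = None
        elif depth == 0 and tok[0] == "set" and current is not None and len(tok) > 2:
            current[tok[1]] = " ".join(tok[2:])
    return admins

def check_admin_removal(config_text, default_name="admin"):
    """Return (status, other_super_admins) for the default account (hypothetical helper)."""
    admins = parse_admins(config_text)
    others = [n for n, s in admins.items()
              if n != default_name and s.get("accprofile") == "super_admin"]
    if default_name not in admins:
        return "removed", others
    return ("safe-to-delete" if others else "create-super-admin-first"), others

# Constructed sample backup fragment, not taken from a real device.
SAMPLE = """config system admin
    edit "admin"
        set accprofile "super_admin"
        config gui-dashboard
            edit 1
                set name "Status"
            next
        end
    next
    edit "new-admin"
        set accprofile "super_admin"
    next
end
"""
```

Calling `check_admin_removal(SAMPLE)` returns the status together with the list of other super_admin accounts, so the same check can be run again after the change to confirm "admin" is gone.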