FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 197045



Occasionally, a situation may arise where the FortiGate needs to be accessed or the admin account’s password needs to be changed but no one with the existing password is available. 
If physical access to the device is available, the password can be reset with a few other tools.

Warning: This procedure will require rebooting the FortiGate unit.
Any supported version of FortiGate with a FortiOS version before 7.2.4.



Note: Starting with FortiOS 7.2.4 the maintainer account was removed, meaning this method to reset a password will no longer work. Users must instead have physical access to the FortiGate and perform a TFTP restore of the firmware in order to regain access to the FortiGate.


Additional info:

Once logged into the FortiGate with the maintainer account (as described below), if the FortiGate is running FortiOS 6.0.3 or later, enter the execute factoryreset command to return the FortiGate to its default configuration. 
This can be useful if the admin administrator account was deleted.

In newer versions of the BIOS, expect some changes to the behavior of the maintainer account. These changes will include:

- The countdown timer for how log enter the credentials has increased. Starting from when the device powers up, there will be 60 seconds instead of 30.
- Using the maintainer account and resetting a password cause a log to be created; making these actions traceable for security purposes.
- The account will be able to reset the password for any super-admin profile user in addition to the default admin user.  This takes into account the possibility that the default account has been renamed.
- The only thing the maintainer account has permission to do is reset the passwords of super-admin profile accounts.



- A console cable.
- Terminal software such as Putty.exe (Windows) or Terminal (MacOS).
- The serial number of the FortiGate device


Step 1

Connect the computer to the firewall via the Console port on the back of the unit.
In most units, this is done either by a Serial cable or an RJ-45 to Serial cable. There are some units that use a USB cable and FortiExplorer to connect to the console port.

Resetting a lost admin password for the VM-s using the maintainer account is not possible.
In this case, reverting to a snapshot or re-provisioning the VM and restoring the configuration (without a password for the admin account) is the only solution.

Step 2

Start the terminal software.

Step 3

Connect to the firewall using the following:

- Setting - Value
- SpeedBaud - 9600
- Data Bits - 8 Bit
- Parity - None
- Stop Bits - 1
- Flow Control - No Hardware Flow Control
- Com Port - the correct COM port

Step 4

The firewall should then respond with its name or hostname. (If it doesn’t try pressing “enter”.)

Step 5

Reboot the firewall.
If there is no power button, disconnect the power adapter and reconnect it after 10 seconds. Plugging in the power too soon after unplugging it can cause corruption in the memory in some units.
Step 6

Wait for the Firewall name and login prompt to appear. The terminal window should display something similar to the following:
FortiGate-60C (18:52-06.18.2010)
Serial number: FGT60C3G10xxxxxx
CPU(00): 525MHz
Total RAM: 512 MB
NAND init... 128 MB
MAC Init... nplite#0
Press any key to display configuration menu...
reading boot image 1163092 bytes.
Initializing firewall...      
System is started.
Step 7

Type in the username 'maintainer'.

Step 8

The password is bcpb + the serial number of the firewall (letters of the serial number are in UPPERCASE format).
For example: bcpbFGT60C3G10xxxxxx

Note: On some devices, after the device boots, only an entry window of 14 seconds or less is available to type in the username and password. 
It might therefore be necessary to have the credentials ready in a text editor to copy and paste into the login screen. 
There is no indicator of when the time runs out, so it is possible that it may take more than one attempt to succeed.
Step 9

A connection to the firewall should be established.
To change the admin password, type the following:

In a unit where VDOMs are not enabled:
# config system admin
edit admin
set password

In a unit where VDOMs are enabled:
# config global
# config system admin
edit admin
set password
If the FortiGate is running FortiOS 6.0.3 or later, enter the following command to reset the FortiGate to its factory default configuration. 
This can be useful if the admin administrator account has been deleted.
# execute factoryreset
Some users may be concerned that this process offers a backdoor into the system. 
The maintainer feature/account is enabled by default, but there is an option to disable this feature. However, if the feature is disabled and the password is lost without any users that can log in as a superadmin profile administrator, there will be no options available to access the FortiGate.

If 'PASSWORD RECOVERY FUNCTIONALITY IS DISABLED' shows on the console during attempt to access the maintainer account, the maintainer account has been disabled.
To disable the maintainer feature/account, run the following command in the CLI:
# config system global
set admin-maintainer disable
To enable it:
# config system global
set admin-maintainer enable

This article is applicable for 7.0 fortiOS also.


Note:- Starting with FortiOS 7.2.4 the maintainer account was removed.


829544 Remove the maintainer account (which allowed users to log in through the console after a hard reboot). Users who lose their password must have physical access to the FortiGate and perform a TFTP restore of the firmware in order to regain access to the FortiGate.