10.1. Reset a lost admin password on a FortiGate unit (password recovery)
Description
This article explains how to reset a lost admin password on a FortiGate, given physical access to the unit and a few other tools.
Periodically a situation arises where the FortiGate needs to be accessed or the admin account’s password needs to be changed but no one with the existing password is available.
This procedure will require the reboot of the FortiGate unit.
Solution
Will be needed:
- Console cable
- Terminal software such as Putty.exe (Windows) or Terminal (MacOS)
- Serial number of the FortiGate unit
Step 1:
Connect the computer to the firewall via the Console port on the back of the unit.
In most units this is done either with a serial cable or an RJ-45-to-serial cable. Some units instead use a USB cable and FortiExplorer to reach the console port.
Virtual instances have no physical port to connect to, so the console connection utility supplied by the VM host has to be used.
Step 2:
Start the terminal software. (For example: putty)
Step 3:
Connect to the firewall using the following:
Setting         Value
Speed (baud)    9600
Data bits       8
Parity          None
Stop bits       1
Flow control    None (no hardware flow control)
COM port        The COM port the console cable is attached to
Step 4:
The firewall should then respond with its name or hostname. (If it does not, try pressing Enter.)
Step 5:
Reboot the firewall.
If there is no power button, disconnect the power adapter and reconnect it after 10 seconds.
Plugging in the power too soon after unplugging can cause corruption in the memory in some units.
Step 6:
Wait for the Firewall name and login prompt to appear.
The terminal window should display something similar to the following:
Versions prior to 5.2:
FortiGate-60C (18:52-06.18.2010)
Ver:04000010
Serial number: FGT60C3G10xxxxxx
CPU(00): 525MHz
Total RAM: 512 MB
NAND init... 128 MB
MAC Init... nplite#0
Press any key to display configuration menu...
......
reading boot image 1163092 bytes.
Initializing firewall...
System is started.
login:
Versions after 5.2:
FortiGate-101E (16:16-01.25.2019)
Ver:05000010
Serial number: FG101ETKxxxxxxx
CPU(00): 1000MHz
Total RAM: 4 GB
Initializing boot device...
Initializing MAC... nplite#0
Please wait for OS to boot, or press any key to display configuration menu.........
Booting OS...
Reading boot image... 2880394 bytes.
Initializing firewall...
System is starting...
Starting system maintenance...
Scanning /dev/mmcblk0p1... (100%)
Scanning /dev/mmcblk0p3... (100%)
login:
Step 7:
Type in the username: maintainer
Step 8:
The password is bcpb followed by the serial number of the firewall (the letters in the serial number are entered in uppercase).
For example: bcpbFGT60C3G10xxxxxx or bcpbFGT101ETKxxxxxx
On some units, after the unit boots, only about 14 seconds (or less) are allowed to type in the username and password.
It may therefore be necessary to have the credentials ready in a text editor and paste them into the login prompt.
There is no indicator of when the time runs out, so it may take more than one attempt to succeed.
Step 9:
The login should now succeed. To change the admin password, enter the following:
In a unit where vdoms are not enabled:
#config system admin
edit admin
set password <psswrd>
end
In a unit where vdoms are enabled:
#config global
config system admin
edit admin
set password <psswrd>
end
end
If a backdoor into the system is a concern, disable the maintainer account as described below.
The maintainer account is enabled by default, and there is an option to disable it. However, if it is disabled and the admin password is then lost without anyone else able to log in with a super_admin profile, there are no other recovery options.
If an attempt to log in as maintainer produces the console message “PASSWORD RECOVERY FUNCTIONALITY IS DISABLED”, the maintainer account has been disabled.
Disabling the maintainer account:
Use the following command in the CLI to change the status of the maintainer account.
To disable:
#config system global
set admin-maintainer disable
end
To enable:
#config system global
set admin-maintainer enable
end
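Because the maintainer account is a physical-access recovery path that is on by default, a defender will usually want to audit a fleet of configuration backups for its state, and to confirm that a super_admin account exists before turning recovery off. The following script is an added example, not Fortinet's code or tooling: it parses the config / edit / set / next / end block syntax used in the commands above, reads admin-maintainer from config system global (also under config global on VDOM-enabled units), and lists admins whose accprofile is super_admin. The attribute names accprofile and super_admin are taken from the FortiOS CLI; the sample dumps, hostnames and serial-style values are constructed for the example.

```python
"""Audit a FortiOS configuration dump for the maintainer (password-recovery) account.

Added example, not Fortinet's code. It parses the 'config / edit / set / next / end'
block syntax used in the commands above and reports whether 'admin-maintainer'
under 'config system global' is disabled, and which admin accounts hold the
super_admin profile (the article's precondition for safely disabling recovery).
Per the article the account is enabled by default, so a dump with no
'set admin-maintainer' line is reported as enabled.
"""
import shlex

KEYWORDS = {"config", "edit", "set", "next", "end"}


def parse_fortios_config(text):
    """Parse FortiOS CLI-style text into nested dicts.

    'config X' and 'edit NAME' blocks become dicts; 'set KEY V...' stores the
    value tokens as a list. A leading '#' (the CLI prompt in the article's
    snippets, or the '#config-version=' header of a backup) is tolerated.
    """
    root = {}
    stack = [("config", root)]          # (block kind, dict) so 'end' vs 'next' unwind correctly
    for raw in text.splitlines():
        line = raw.strip().lstrip("#").strip()
        if not line:
            continue
        try:
            tokens = shlex.split(line)  # strips the quotes FortiOS puts around names/values
        except ValueError:
            tokens = line.split()
        kw = tokens[0]
        if kw not in KEYWORDS:          # e.g. 'config-version=...' header, 'unset', banners
            continue
        if kw in ("config", "edit"):
            name = " ".join(tokens[1:])
            child = stack[-1][1].setdefault(name, {})
            stack.append((kw, child))
        elif kw == "set" and len(tokens) >= 2:
            stack[-1][1][tokens[1]] = tokens[2:]
        elif kw == "next":              # leaves the current 'edit' entry only
            if stack[-1][0] == "edit":
                stack.pop()
        elif kw == "end":               # leaves the enclosing 'config' block (and any open 'edit')
            while len(stack) > 1:
                kind, _ = stack.pop()
                if kind == "config":
                    break
    return root


def _section(config, name):
    """Look up a top-level section, also under 'config global' on VDOM-enabled units."""
    return config.get(name) or config.get("global", {}).get(name, {})


def maintainer_status(config):
    """'disabled' only if admin-maintainer is explicitly set to disable; otherwise 'enabled'."""
    value = _section(config, "system global").get("admin-maintainer", ["enable"])
    return "disabled" if value[:1] == ["disable"] else "enabled"


def audit(text):
    """Summarise the recovery posture of one configuration dump."""
    cfg = parse_fortios_config(text)
    admins = _section(cfg, "system admin")
    super_admins = sorted(
        name for name, attrs in admins.items()
        if attrs.get("accprofile", [""])[:1] == ["super_admin"]
    )
    return {
        "maintainer": maintainer_status(cfg),
        "super_admins": super_admins,
        # per the article: never disable recovery without another super_admin login available
        "has_super_admin": bool(super_admins),
    }


# Constructed sample dumps (not real backups); hostname and values are made up.
SAMPLE_ENABLED = """\
#config-version=FGT60C-5.2.0-FW-build000-000000:opmode=0:vdom=0
config system global
    set hostname "FortiGate-60C"
    set timezone 04
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set password ENC XXXXXXXX
    next
    edit "helpdesk"
        set accprofile "prof_admin"
    next
end
"""

SAMPLE_DISABLED = SAMPLE_ENABLED.replace(
    "    set timezone 04\n", "    set timezone 04\n    set admin-maintainer disable\n"
)

if __name__ == "__main__":
    for label, dump in (("enabled", SAMPLE_ENABLED), ("disabled", SAMPLE_DISABLED)):
        print(label, audit(dump))
```

Run it against a directory of backups and flag any unit reporting maintainer "enabled" that policy says should be locked down, and any unit with has_super_admin False before issuing set admin-maintainer disable on it.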