Resetting a Lost Admin Password

Description

This article describes how to regain access to a FortiGate, or change the admin account password, when nobody who knows the password is available. It covers the use of an account called the 'maintainer' account.

Warning:

This procedure requires a restart of the FortiGate.

Scope

FortiGate v7.2.4 and later.

Solution

Note:
Starting with v7.2.4, the 'maintainer' account has been removed, so the maintainer-account method of resetting a password (described later in this article) no longer works on those versions.
See the FortiOS v7.2.4 Release

Alternative method for v7.2.4 and later:

For v7.2.4 and later, where the maintainer account is no longer available, follow these steps to reset the admin password:

Prerequisites:

The following are required:
A working configuration backup of the FortiGate.
A text editor with comparison support, such as Notepad++, or any other text-comparison tool.
Console access to the FortiGate.
All steps must be performed during the FortiGate's maintenance window.

Step 1:

Open the existing configuration backup in Notepad++.
Enable YAML folding by selecting Language -> YAML from the main menu; this allows sections of the configuration to be collapsed.
Search for 'config system admin' and select the '-' symbol on the 'config gui-dashboard' line to collapse the gui-dashboard configuration.

Under the admin account, remove the line that begins with 'set password', then save the modified configuration as a new file with a .conf extension.

Note:

When the backup file is exported, it will be possible to see the super_admin accprofile in the results of the 'config system admin' command. However, the results of the 'config system accprofile' command will not show the super_admin accprofile, as it is device-specific.

Administrator accounts with the super_admin profile will not appear in a configuration file if the file is exported by an admin with a lower privilege profile.
In this case, the admin account will be missing and must be added manually to the configuration file.

Step 2:

Format the flash of the device and load the same firmware version as the one in the existing configuration backup.

Step 3:

Connect to the device. The default management address is 192.168.1.99.
Log in with the default username 'admin'; there is no password. Then upload the modified configuration file to the FortiGate.

The device will restart and will then be reachable on the management IP that was previously configured. Log in with the default username 'admin'; there is no default password.
After logging in, change the account password to a new one.

Additional info:

If access to the firewall is available with another 'super_admin' account and the lost/forgotten password of the 'admin' account must be reset, follow the steps below:
Take a configuration backup while logged in as the existing 'super_admin'.
Under the admin account, remove the whole 'set password ENC <hash>' line so that the entry looks like the following:
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
end
Restore the configuration from the existing logged-in 'super_admin'. After the reboot, the FortiGate will prompt to set a password for the admin account, and a new password can be set.
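The edit in Step 1 and the configuration preparation just above are the same text change, and in a large backup it is easy to delete the wrong line or miss that the super_admin entry is absent. The following Python script is an added example, not Fortinet's tooling or part of this article: it locates the 'config system admin' section, drops the 'set password' line under the chosen account, and, for the case described in the Step 1 note where a backup exported by a lower-privilege admin lacks the entry, recreates the account with 'set accprofile "super_admin"' and 'set vdom "root"'. The embedded backup text, its version header and its ENC values are constructed samples, not real hashes.

```python
"""Prepare a FortiGate configuration backup for an admin password reset.

Added example (not Fortinet's own tooling): removes the 'set password' line
of an admin account under 'config system admin', and recreates the account
(accprofile super_admin, vdom root) when a backup exported by a
lower-privilege admin is missing it. The sample text below is constructed.
"""
import re
import sys

# Constructed sample backup; the header and ENC values are placeholders.
SAMPLE_BACKUP = """\
#config-version=FGT60F-7.2.3-FW-build0000-000000:opmode=0:vdom=0:user=admin
config system global
    set admin-maintainer enable
    set hostname "FGT-LAB"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC SH2PLACEHOLDERHASHNOTREAL==
    next
    edit "auditor"
        set accprofile "prof_admin"
        set vdom "root"
        set password ENC SH2ANOTHERPLACEHOLDER==
    next
end
"""


def find_block(lines, opener, start=0, stop=None):
    """Return (first, last) line indexes of the block opened by a line equal to
    `opener` (whitespace stripped) and closed by the matching 'end' or 'next'.
    Nested config/end and edit/next pairs are tracked. None if not found."""
    stop = len(lines) if stop is None else stop
    first, depth = None, 0
    for i in range(start, stop):
        s = lines[i].strip()
        if first is None:
            if s == opener:
                first, depth = i, 1
            continue
        if s.startswith(("config ", "edit ")):
            depth += 1
        elif s in ("end", "next"):
            depth -= 1
            if depth == 0:
                return first, i
    return None


def prepare_reset_config(text, account="admin"):
    """Return (new_text, action): 'removed' if the account's password line was
    dropped, 'added' if the account had to be recreated, 'unchanged' otherwise."""
    lines = text.splitlines()
    section = find_block(lines, "config system admin")
    if section is None:
        raise ValueError("no 'config system admin' section in backup")
    sec_first, sec_last = section
    entry = find_block(lines, f'edit "{account}"', sec_first + 1, sec_last)
    if entry is None:
        # Backup exported by a lower-privilege admin: super_admin entries are
        # absent, so add the account back without a password. The FortiGate
        # prompts for a new one at first login after the restore.
        indent = re.match(r"\s*", lines[sec_first]).group(0) + "    "
        lines[sec_last:sec_last] = [
            f'{indent}edit "{account}"',
            f'{indent}    set accprofile "super_admin"',
            f'{indent}    set vdom "root"',
            f"{indent}next",
        ]
        return "\n".join(lines) + "\n", "added"
    ent_first, ent_last = entry
    # Match only 'set password ...', not e.g. 'set password-expire'.
    is_pw = re.compile(r"set password(\s|$)")
    kept = [
        line for i, line in enumerate(lines)
        if not (ent_first < i < ent_last and is_pw.match(line.strip()))
    ]
    action = "removed" if len(kept) < len(lines) else "unchanged"
    return "\n".join(kept) + "\n", action


if __name__ == "__main__":
    # Usage: python prepare_reset.py backup.conf > backup-reset.conf
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BACKUP
    prepared, what = prepare_reset_config(source)
    sys.stdout.write(prepared)
    print(f"# admin entry: {what}", file=sys.stderr)
```

Run it with the path of a backup as the first argument to write the prepared .conf to standard output. Because the parser tracks config/end and edit/next nesting, it also handles VDOM-mode backups where 'config system admin' sits under 'config global'. Compare the output against the original backup (Notepad++ compare, or a diff tool) before restoring it, so that the only difference is the removed or recreated admin entry.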
Once logged into the FortiGate with the maintainer account (as described below), if the FortiGate is running v6.0.3 or later, enter the 'execute factoryreset' command to return the FortiGate to its default configuration.
This can be useful if the administrator account is deleted.
Newer BIOS versions change the behavior of the maintainer account as follows:
The login window after power-up has been increased from 30 seconds to 60 seconds.
Using the maintainer account to reset a password generates a log entry, so these actions are traceable for security purposes.
The account can reset the password of any super_admin profile user, not only the default admin user, which covers the case where the default account has been renamed.
Resetting the passwords of super_admin profile accounts is the only action the maintainer account is permitted to perform.
If the maintainer account is no longer supported on the FortiGate and a copy of the backup configuration exists, resetting the admin password is still possible by following this article: Technical Tip: How to restore the default admin account.

Prerequisites:

A console cable.
Terminal software such as Putty.exe (Windows) or Terminal (macOS).
The serial number of the FortiGate.
Procedure:

Step 1:

Connect the computer to the firewall via the Console port on the back of the unit. On most units this is done with a serial cable or an RJ-45-to-serial cable; some units use a USB cable and FortiExplorer to connect to the console port.

Resetting a lost admin password with the maintainer account is not possible on VMs, with the exception of the Azure VM, where the admin password reset with the maintainer account does work.

For the other VMs, reverting to a snapshot or re-provisioning the VM and restoring the configuration (without a password for the admin account) is the only solution. Resetting the admin password for VMs in Azure and AWS can also be done as described in the link at the bottom.

Step 2

Start the terminal software.

Step 3:

Connect to the firewall using the following settings:
Setting - Value
Speed (Baud) - 9600
Data Bits - 8
Parity - None
Stop Bits - 1
Flow Control - None (no hardware flow control)
COM Port - the correct COM port

Step 4:

The firewall should then respond with its name or hostname. (If it does not, try pressing 'enter').

Step 5:

Reboot the firewall. If there is no power button, disconnect the power adapter and reconnect it after 10 seconds. Plugging in the power too soon after unplugging it can cause corruption in the memory in some units.

Step 6:

Wait for the Firewall name and login prompt to appear. The terminal window should display something similar to the following:

FortiGate (08:52-08.16.2024)
Ver:04000010
Serial number: FGTxxxxxxxxxxxxx
CPU(00): 525MHz
Total RAM: 512 MB
NAND init... 128 MB
MAC Init... nplite#0
Press any key to display configuration menu.........
reading boot image 1163092 bytes.
Initializing firewall...
System is started.
login:

Step 7:

Type in the username 'maintainer'.

Step 8:

The password is bcpb + the serial number of the firewall (the letters of the serial number are in UPPERCASE format). For example, bcpbFGT60C3G10xxxxxx.

Note:

On some devices, after the device boots, only an entry window of 14 seconds or less is available to type in the username and password.
It might therefore be necessary to have the credentials ready in a text editor to copy and paste into the login screen.
There is no indicator of when the time runs out, so it may take more than one attempt to succeed.

Step 9:

A connection to the firewall should be established. To change the admin password, enter the following:
In a unit where VDOMs are not enabled:
config system admin
    edit admin
        set password <new password>
end
In a unit where VDOMs are enabled (the second 'end' leaves 'config global'):
config global
    config system admin
        edit admin
            set password <new password>
    end
end
If the default 'admin' account has been deleted and another super_admin profile account exists, the password of that super_admin account can be reset with the same method. Attempting to edit the deleted 'admin' account usually returns an error; use 'edit ?' to list the existing super_admin accounts instead:

config system admin
    edit ?               <----- Lists all the super_admin accounts.
    name    User name
    sadmin               <----- The username of an existing super_admin account on the firewall.
    edit sadmin
        set password <new password>
end

If the FortiGate is running v6.0.3 or later, enter the following command to reset the FortiGate to its factory default configuration.
This can be useful if the administrator account has been deleted.
execute factoryreset

Warning:

This procedure may be perceived as a security risk, since it provides a way into the system.
The maintainer feature is enabled by default and can be disabled. However, if it is disabled and the password is later forgotten with nobody able to log in as a FortiGate administrator, it will no longer be possible to access the FortiGate at all.
If the message 'PASSWORD RECOVERY FUNCTIONALITY IS DISABLED' is displayed when attempting to log in with the maintainer account, the maintainer account has been disabled.

To disable the maintainer feature, use the following commands in the FortiGate CLI:
config system global
    set admin-maintainer disable
end
To enable it:
config system global
    set admin-maintainer enable
end

In an HA cluster:
To reset the admin password, first power off the secondary unit and disconnect all of its cables.
Then use the maintainer account, as described above, to change the admin password.
Make sure the password recovery is performed on the primary unit.
The new admin password will then sync to the cluster member.

Additional info :

The admin password can also be recovered if the FortiGate has a paid FortiGate Cloud subscription and is currently connected to and managed by FortiGate Cloud.

Note:

The maintainer account, which allowed users to log in through the console after a hard reboot, has been removed. For security reasons, users who lose the password must have physical access to the FortiGate and perform a TFTP restore of the firmware to regain access to the FortiGate. Additional information is available at the following link:
