Fortinet Document Library

Version:


Table of Contents

Admin Password Recovery Guide

6.0.0
Download PDF
Copy Link

How to reset admin password

Note: This functionality is only available on versions 5.3.6, 5.4.4, and 6.0.0 or newer.

Periodically a situation arises when FortiADC needs to be accessed or the admin account’s password needs to be changed but no one with the existing password is available. If physical access to the device is possible, this feature enables the admin password to be reset.

A new maintainer user account is made available after a cold boot for 60 seconds after the system clock starts to tick. This account only has access to reset admin accounts’ password and a few other commands to execute as detailed below. A maintainer user login is limited to console access and cannot log in via any other method.

Once logged into FortiADC as a maintainer user, FortiADC can be reset to factory default settings. This can be useful if the admin administrator account was deleted.

Maintainer user access is enabled by default.

Required items

  • Console cable
  • Terminal software (e.g. Putty.exe for Windows, Terminal for MacOS)
  • Serial number of the FortiADC unit

Configuration

To enable/disable maintainer user account access:

CLI:

config system global

set admin-maintainer enable/disable

end

Caveats

  • Maintainer user account is only available after a cold reboot.
  • Maintainer user account is not available after a warm reboot or upgrade.
  • Maintainer user account is only available for 60s after the device powers up. In some cases, this may translate to less than 15s after the login prompt is displayed.
  • Maintainer user has console access only.
  • Maintainer user can only be used to reset admin password.
  • For some VM platforms, cold reboot is labeled “Reset”.
  • For hardware systems, physical access is required. To cold reboot in cases when power switch is not available, unplug power cable and plug back in after 10s.
  • For security purposes, using the maintainer account and resetting a password will cause a log to be created, making these actions traceable.

Steps

  1. Connect to the ADC console port or access the VM console.
  2. Cold reboot the ADC as described above.
  3. Wait for ADC login prompt to appear.
  4. FortiBootLoader

    FortiADC-200F ( 0:56-09.26.2017)

     

    FortiADC-200F (17:05-06.08.2017)

    Ver:00010002

     

    Serial number:FAD2HF3A17000103

    Total RAM: 8192MB

    Boot up, boot device capacity: 1968MB.

    Press any key to display configuration menu...

     

    Reading boot image 6393140 bytes.

    Initializing FortiADC...

     

    System is started.

     

    FAD2HF3A17000103 login:

  5. Type in username: maintainer
  6. The password is bcpb<serial number> (e.g. bcpbFAD2HF3A17000103)
  7. Now logged in as maintainer, type the following commands to change the admin password.
    1. In a FortiADC unit where VDOMs are not enabled:
    2. # config system admin

      edit admin

      set password

      end

    3. in a FortiADC unit where VDOMs are enabled:
    4. # config global

      config system admin

      edit admin

      set password

      end

  8. If the admin account was deleted, execute factory reset to recover.
  9. # execute factoryreset

  10. If the admin account was not deleted, then reboot.
  11. # execute reboot

  12. New admin password should now be in effect.

How to reset admin password

Note: This functionality is only available on versions 5.3.6, 5.4.4, and 6.0.0 or newer.

Periodically a situation arises when FortiADC needs to be accessed or the admin account’s password needs to be changed but no one with the existing password is available. If physical access to the device is possible, this feature enables the admin password to be reset.

A new maintainer user account is made available after a cold boot for 60 seconds after the system clock starts to tick. This account only has access to reset admin accounts’ password and a few other commands to execute as detailed below. A maintainer user login is limited to console access and cannot log in via any other method.

Once logged into FortiADC as a maintainer user, FortiADC can be reset to factory default settings. This can be useful if the admin administrator account was deleted.

Maintainer user access is enabled by default.

Required items

  • Console cable
  • Terminal software (e.g. Putty.exe for Windows, Terminal for MacOS)
  • Serial number of the FortiADC unit

Configuration

To enable/disable maintainer user account access:

CLI:

config system global

set admin-maintainer enable/disable

end

Caveats

  • Maintainer user account is only available after a cold reboot.
  • Maintainer user account is not available after a warm reboot or upgrade.
  • Maintainer user account is only available for 60s after the device powers up. In some cases, this may translate to less than 15s after the login prompt is displayed.
  • Maintainer user has console access only.
  • Maintainer user can only be used to reset admin password.
  • For some VM platforms, cold reboot is labeled “Reset”.
  • For hardware systems, physical access is required. To cold reboot in cases when power switch is not available, unplug power cable and plug back in after 10s.
  • For security purposes, using the maintainer account and resetting a password will cause a log to be created, making these actions traceable.

Steps

  1. Connect to the ADC console port or access the VM console.
  2. Cold reboot the ADC as described above.
  3. Wait for ADC login prompt to appear.
  4. FortiBootLoader

    FortiADC-200F ( 0:56-09.26.2017)

     

    FortiADC-200F (17:05-06.08.2017)

    Ver:00010002

     

    Serial number:FAD2HF3A17000103

    Total RAM: 8192MB

    Boot up, boot device capacity: 1968MB.

    Press any key to display configuration menu...

     

    Reading boot image 6393140 bytes.

    Initializing FortiADC...

     

    System is started.

     

    FAD2HF3A17000103 login:

  5. Type in username: maintainer
  6. The password is bcpb<serial number> (e.g. bcpbFAD2HF3A17000103)
  7. Now logged in as maintainer, type the following commands to change the admin password.
    1. In a FortiADC unit where VDOMs are not enabled:
    2. # config system admin

      edit admin

      set password

      end

    3. in a FortiADC unit where VDOMs are enabled:
    4. # config global

      config system admin

      edit admin

      set password

      end

  8. If the admin account was deleted, execute factory reset to recover.
  9. # execute factoryreset

  10. If the admin account was not deleted, then reboot.
  11. # execute reboot

  12. New admin password should now be in effect.