Disable the maintainer admin account
Administrators with physical access to a FortiGate appliance can use a console cable and a special administrator account called maintainer to log into the CLI. The maintainer account allows you to log into a FortiGate if you have lost all administrator passwords.
Once you have logged in with the maintainer account you can:
- Change the password of the admin administrator account (if it exists).
- Reset the FortiGate to the factory default configuration using the `execute factoryreset` command. This is the only way to get access to the FortiGate if you have deleted the admin administrator account.
See the Fortinet knowledge base or Resetting a lost Admin password for details about using the maintainer account to regain access to your FortiGate if you have lost all administrator account passwords.
The methodology for using the maintainer account is publicly available. As long as someone with physical access to the device has the serial number of the device, which is labeled on the device, they can change the admin administrator account password and access the FortiGate. This may be an unacceptable risk in some circumstances, especially where the hardware is not physically secured. As an added security measure, the maintainer account can be disabled using the following setting:
config system global
set admin-maintainer disable
end
If you disable this feature and lose your administrator passwords you will no longer be able to log into your FortiGate. The only way to access your FortiGate will be to start over with a new firmware installation and default configuration file. All of your settings will be lost.
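The setting above is easy to verify across a fleet by checking exported configuration backups rather than logging into each unit. The following is an added example, not Fortinet's own tooling: a small Python parser for the text form of a FortiOS backup (the same `config ... set ... end` syntax shown above) that reports whether `admin-maintainer` is disabled under `config system global`. The two sample backups are constructed for the example, and treating a missing `admin-maintainer` line as the factory default (maintainer account enabled) is an assumption, not a statement from the page.

```python
"""Audit a FortiOS-style configuration backup for the admin-maintainer setting.

Added example, not Fortinet's own code. Parses `config`/`edit`/`set`/`next`/`end`
blocks and checks `config system global` for `set admin-maintainer disable`.
Assumption (not from the page): when the line is absent, the factory default
applies and the maintainer account is enabled.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: weak (default) state, no admin-maintainer line at all.
SAMPLE_DEFAULT = """\
#config-version=FGT-placeholder
config system global
    set hostname "fw-branch-01"
    set admintimeout 5
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
end
"""

# Constructed sample: the hardened state described on the page.
SAMPLE_HARDENED = """\
config system global
    set hostname "fw-branch-02"
    set admin-maintainer disable
end
"""

_LINE = re.compile(r"^(config|edit|set|unset|next|end)\b\s*(.*)$")


def parse_settings(config_text: str) -> Dict[Tuple[str, ...], Dict[str, str]]:
    """Return {block path: {setting: value}} for every config/edit block.

    Block paths are tuples such as ("system", "global") or
    ("system", "admin", "admin"). Surrounding quotes are stripped from values.
    """
    frames: List[List[str]] = []          # one frame per open config/edit
    settings: Dict[Tuple[str, ...], Dict[str, str]] = {}

    def path() -> Tuple[str, ...]:
        return tuple(word for frame in frames for word in frame)

    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # blank line or backup header comment
        match = _LINE.match(line)
        if not match:
            continue                       # ignore anything that is not a keyword
        keyword, rest = match.group(1), match.group(2)
        if keyword == "config":
            frames.append(rest.split())    # e.g. ["system", "global"]
            settings.setdefault(path(), {})
        elif keyword == "edit":
            frames.append([rest.strip('"')])
            settings.setdefault(path(), {})
        elif keyword in ("next", "end"):
            if frames:
                frames.pop()
        elif keyword == "set":
            name, _, value = rest.partition(" ")
            settings.setdefault(path(), {})[name] = value.strip().strip('"')
        elif keyword == "unset":
            settings.setdefault(path(), {}).pop(rest.strip(), None)
    return settings


def maintainer_account_status(config_text: str) -> str:
    """Return 'disabled', 'enabled', or 'default' for the maintainer account."""
    global_block = parse_settings(config_text).get(("system", "global"), {})
    value = global_block.get("admin-maintainer")
    if value is None:
        return "default"                   # assumption: factory default = enabled
    return "disabled" if value.lower() == "disable" else "enabled"


def audit(config_text: str) -> List[str]:
    """Return a list of findings; an empty list means the setting is hardened."""
    status = maintainer_account_status(config_text)
    if status == "disabled":
        return []
    if status == "default":
        return ["admin-maintainer not set in 'config system global' "
                "(factory default assumed: maintainer account enabled)"]
    return ["admin-maintainer is explicitly enabled in 'config system global'"]


if __name__ == "__main__":
    for label, text in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        findings = audit(text)
        print(f"{label}: {'OK' if not findings else '; '.join(findings)}")
```

Run it against a real backup by reading the file into `audit()`; a non-empty list is a finding to track. Because the parser keeps every block, the same pass can be extended to other `config system global` hardening checks without re-parsing.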