New Features

Remove maintainer account 7.2.4

Note

This information is also available in the FortiOS 7.2 Administration Guide:

The maintainer account, which allowed users to log in through the console after a hard reboot, has been removed. For security reasons, users who lose their password must have physical access to the FortiGate and perform a TFTP restore of the firmware in order to regain access to the FortiGate. They will not have access to the current running configurations through the FortiGate. Configurations will be reset to the factory default once the firmware is reloaded. See Installing firmware from system reboot in the FortiOS Administration Guide for detailed instructions. This process requires a connection to the TFTP server where the firmware image is stored.

To restore the FortiGate:
Note

This procedure may vary depending on whether the FortiGate is a physical appliance or a VM.

  1. Connect to the console port.

  2. Ensure you can see the FortiGate prompt from the console terminal.

  3. Physically power off the device, then power on the device.

  4. Boot into the boot menu by pressing a key when prompted.

  5. Follow the steps in Installing firmware from system reboot to reload the firmware. Configurations will be reset to the factory default once the firmware is installed.

  6. Once the firmware reload is complete, log in to the FortiGate to reconfigure the settings.

It is recommended to perform regular configuration backups and to store the backup on a secure server (see Configuration changes in the FortiOS Best Practices for more details). In the event that a password is lost, the configuration backup can be used to restore a configuration after the user completes the firmware installation process. This assumes the user knows the password from the previously backed-up configuration. If the user does not know the password, they can still reload the configuration if it is not encrypted.

The following procedure describes how to edit an unencrypted backup configuration file so that the administrator password can be replaced before restoring the file.

To edit the configuration file when a password is lost:
  1. Locate the line in the configuration file where config system admin is defined.

  2. Edit an administrator account with an accprofile set to super_admin. This will ensure you can log in and perform any operations afterward.

  3. Locate the line with set password ENC xxxxxx, and edit it to set a temporary new password in clear text (such as set password cleartextpassword).

  4. Reload the configuration file.

  5. Log in to the console using the temporary password, and then change the password.

Note

The configuration backup allows the administrator to confirm the firmware that the FortiGate is running, so the same firmware can be restored. This information is listed in the first line of the configuration: config-version=FGT61F-7.2.4-FW-build1396-230131:opmode=0:vdom=0:user=admin.
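
The edit from the steps above, together with the header check from this note, as an added Python example that is not Fortinet's own code. The sample backup is constructed, the function names are hypothetical, and the optional leading `#` on the header line and the quoted profile name are assumptions about the file layout.

```python
import re

# Constructed sample of an unencrypted backup; ENC values are placeholders.
SAMPLE = """\
#config-version=FGT61F-7.2.4-FW-build1396-230131:opmode=0:vdom=0:user=admin
config system admin
    edit "auditor"
        set accprofile "prof_admin"
        set password ENC xxxxxx
    next
    edit "admin"
        set password ENC xxxxxx
        set accprofile "super_admin"
    next
end
"""

def firmware_from_header(text):
    """Return (model, version, build) parsed from the config-version line."""
    m = re.match(r"#?config-version=(.+?)-(\d+\.\d+\.\d+)-FW-build(\d+)-", text)
    if not m:
        raise ValueError("no readable config-version header on the first line")
    return m.groups()

def reset_super_admin_password(text, temp_password):
    """Swap the ENC password of the first super_admin entry for clear text."""
    if not re.fullmatch(r"[A-Za-z0-9._@%+-]+", temp_password):
        raise ValueError("use a temporary password without spaces or quotes")
    lines, depth, start, name = text.splitlines(), 0, None, None
    for i, line in enumerate(lines):
        s = line.strip()
        if depth == 0:
            depth = 1 if s == "config system admin" else 0
        elif s.startswith("config "):
            depth += 1                      # nested table inside an admin entry
        elif s == "end":
            depth -= 1
            if depth == 0:
                break                       # left config system admin
        elif depth == 1 and s.startswith("edit "):
            start, name = i, s[5:].strip('"')
        elif depth == 1 and s == "next" and start is not None:
            body = [(j, lines[j].strip().replace('"', "")) for j in range(start, i)]
            pw = [j for j, t in body if t.startswith("set password ENC ")]
            if pw and any(t.split() == ["set", "accprofile", "super_admin"] for _, t in body):
                indent = lines[pw[0]][: len(lines[pw[0]]) - len(lines[pw[0]].lstrip())]
                lines[pw[0]] = f"{indent}set password {temp_password}"
                return name, "\n".join(lines) + "\n"
    raise ValueError("no super_admin entry with an ENC password found")
```

The edited file now holds a clear-text credential, so keep it off shared storage and delete it once the restore is done and the password has been changed.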
